Our sub-processors
We use the third-party services listed below to operate Heyy. Each one is a processor under GDPR Article 28 -- we remain the data controller and execute Data Processing Agreements with each vendor. This list is the source of truth and is updated whenever we add or remove a processor.
Last updated: May 20, 2026
Subscribe to our changelog feed for processor changes, or check this page periodically.
Cloudflare Inc.
Worldwide edge / United StatesPurpose: DNS, edge caching, DDoS protection in front of the origin VPS
Data processed: Standard request metadata (IP, user-agent, URL). No request bodies are stored.
Read their privacy policyAnthropic PBC
United StatesPurpose: Article generation, content analysis, translation (Claude API)
Data processed: Source article content (scraped from your configured sources), brand voice settings, target language
Read their privacy policyStripe Payments Europe Ltd.
Ireland (EU) / United StatesPurpose: Subscription billing, payment processing, invoicing
Data processed: Email, billing address, payment method tokens (we never see raw card data -- Stripe Elements iframe)
Read their privacy policyGitHub (Microsoft)
United StatesPurpose: OAuth sign-in -- when a user chooses 'Continue with GitHub'
Data processed: GitHub email + public profile (only fields you authorize on the consent screen)
Read their privacy policyGmail (Google Workspace)
United States / EUPurpose: Transactional emails (welcome, password reset, payment receipts)
Data processed: Recipient email, message body. Sent via SMTP from hello@heyy.blog.
Read their privacy policyGoogle LLC
United States / EUPurpose: OAuth sign-in (Google), Google Analytics 4 (only with analytics-cookie consent)
Data processed: Google email + profile for OAuth; anonymous page view events for GA4
Read their privacy policyPexels GmbH
Germany (EU)Purpose: Stock photography fallback for article hero images
Data processed: Article topic keywords (used as search queries -- no user PII)
Read their privacy policyUnsplash Inc.
CanadaPurpose: Stock photography fallback for article hero images
Data processed: Article topic keywords (no user PII)
Read their privacy policyQuestions?
Need a Data Processing Agreement (DPA) for your organisation, or a list of sub-processor changes from a specific date? Email privacy@heyy.blog and we'll respond within 5 business days.