Skip to content

Podpodmioty przetwarzające

Ostatnia aktualizacja: July 3, 2026

Ten dokument jest obecnie dostępny tylko w języku angielskim. Tłumaczenie jest w toku.

This page lists the third parties (sub-processors) that may process personal data on behalf of Sefaja in connection with the Saymail service. We update this list whenever a sub-processor is added, removed, or replaced.

Payment, licensing, and tax

Provider Purpose Location
Lemon Squeezy LLC Merchant of Record for license and credit purchases. Handles checkout, payment processing, sales tax / VAT collection and remittance, invoicing, license-key delivery, and machine-activation tracking. United States (EU–US Data Privacy Framework)

AI routing (Saymail Cloud only)

The provider below processes AI requests only when you choose Saymail Cloud credits. If you use a local model or your own API key (BYOK), Saymail does not route your data through any sub-processor — your traffic flows from your computer directly to the AI provider whose key you have supplied, under that provider's own terms and privacy policy.

Provider Purpose Location
OpenRouter, Inc. AI request routing for Saymail Cloud. We configure OpenRouter with the Zero Data Retention (ZDR) options enabled so that the underlying language-model provider does not retain your content after the request and does not use it to train models. The downstream providers OpenRouter may select on our behalf can include Anthropic, OpenAI, Google, and others; the ZDR configuration is enforced at the OpenRouter level for our traffic. United States (EU–US Data Privacy Framework)

The Zero Data Retention claim above applies only to Saymail Cloud traffic routed through OpenRouter. BYOK traffic is governed by the policies of the AI provider whose key you have configured, and we make no ZDR claim for it.

Diagnostics and analytics

Provider Purpose Location
Functional Software, Inc. (Sentry) Crash and error reporting for the desktop application. Events are redacted client-side (emails, bearer tokens, secret / cookie / auth field values, OS usernames in file paths, and long opaque tokens are replaced with placeholders; attachments are dropped) before transmission. United States (EU–US Data Privacy Framework)
PostHog, Inc. Pseudonymous product analytics. On the website (page views, funnel metrics), loaded only after explicit consent via the cookie banner. In the desktop application, usage events plus two server-side product events (trial started, llm call completed) keyed to a pseudonymous identifier, sent only when the user enables the in-app "Send usage data" setting. EU and United States (EU–US Data Privacy Framework)

Advertising and conversion measurement

The providers below are used on our website only, and only after you accept the Marketing cookie category in the cookie banner. If you reject or ignore the banner, no advertising script is loaded, no advertising cookie is set, and no data is sent to these providers.

Provider Purpose Location
Meta Platforms Ireland Limited (EU establishment) / Meta Platforms, Inc. (US) Advertising and conversion measurement via the Meta Pixel (client-side) and the Meta Conversions API (server-side). Loaded / sent on the website only after you accept the Marketing cookie category; used to measure ad-driven trial downloads and purchases and to reach relevant audiences. Data processed: online identifiers (the _fbp first-party cookie and, if you arrived from a Meta ad, the _fbc click identifier), IP address and browser/user-agent data, and — for the server-side Purchase event via the Conversions API — the purchase value and currency and a one-way SHA-256 hashed form of your email address. EU and United States (EU–US Data Privacy Framework; Standard Contractual Clauses as fallback)
Google Ireland Limited / Google LLC Advertising and conversion measurement (Google Ads tag, Google tag / gtag.js, Google Consent Mode v2). Loaded on the website only after you accept the Marketing cookie category, and used to measure ad-driven trial downloads and purchases. Data processed: online identifiers (including the Google click identifier gclid and the _gcl_aw first-party cookie), IP address, and conversion / measurement events. EU and United States (EU–US Data Privacy Framework; Standard Contractual Clauses as fallback)

Hosting and infrastructure

Provider Purpose Location
Netlify, Inc. Website hosting (saymail.eu) and serverless functions United States / EU edge (EU–US Data Privacy Framework)
Supabase, Inc. Backend edge functions and database for the website. Processes license/order registration and the Lemon Squeezy purchase webhook, trial validation, server-side advertising conversion uploads (Meta CAPI / Google Ads API), cookie-consent logging, and mobile-app lead capture. Data processed: email address, license/order identifiers, IP address, cookie-consent records (timestamped, under a random identifier), and the marketing identifiers passed at checkout (Section 2.1). EU (data stored in the EU; to the extent Supabase, Inc. (US) accesses data for support/maintenance: EU–US Data Privacy Framework, with Standard Contractual Clauses as fallback).

Data Processing Agreement

Business customers can request a Data Processing Agreement (DPA) by emailing privacy@saymail.eu.

Notifications

We will update this page when sub-processors change. Material changes that affect business customers under a signed DPA will additionally be notified by email.