Skip to main content
Clozo

Subencargados del tratamiento

Versión del registro 1.0 · Obtenido 18 de julio de 2026 · Canal RSS · JSON

Clozo (Andrei Diachenko, autónomo operando bajo el nombre comercial Clozo) utiliza los siguientes subencargados para prestar el servicio. Este registro se publica conforme al artículo 28(2) del RGPD. Avisamos con 30 días de antelación antes de añadir un nuevo subencargado — suscríbete a continuación para recibir notificaciones.

Para la descripción completa de cómo usamos tus datos personales, consulta nuestra Política de Privacidad §6.

SubencargadoPaísServicioCategorías de datosMecanismo de transferenciaPolítica de privacidadEncargo
Stripe Payments Europe Ltd.Ireland (EU)Payment processing for Pro/Unlimited subscriptions and customer-paid invoices via Stripe Connect.Email, name, IP, payment method metadata (last4, brand), billing address, transaction amount and currency.EU/EEA only — no third-country transfer
Data processed in EU (Ireland). Stripe Connect routes between Stripe legal entities transparent to user.
Link ↗Link ↗
Cloudflare, Inc.USA (with EU edge)CDN, DDoS protection, Workers runtime hosting the frontend, R2 object storage for PDFs + uploaded logos.IP addresses (truncated at edge, hashed daily-rotated salt for click logging), user agent (browser family only), file uploads (logos, PDF invoices).USA — Standard Contractual Clauses (Commission 2021/914)
Standard Contractual Clauses signed (Cloudflare 2024 DPA). EU edge enabled — content delivery happens from EU PoPs.
Link ↗Link ↗
Functional Software, Inc. (Sentry)USAError monitoring and performance tracing for backend (Django) and frontend (Next.js).Stack traces, request paths, user-agent strings. PII scrubbing enabled via Sentry data-scrubbing rules. NO email or full request bodies sent.USA — Standard Contractual Clauses (Commission 2021/914)
Standard Contractual Clauses signed. Sentry-EU region used where available.
Link ↗Link ↗
PostHog Inc.USAProduct analytics, session replay (Pro+ only, opt-in), feature flags. Consent-gated — no events sent without explicit acceptance.Anonymous distinct_id, event names, properties (page paths, button clicks). User-linked only after authentication. Session replay PII-masked.USA — Standard Contractual Clauses (Commission 2021/914)
Standard Contractual Clauses signed. EU region in roadmap; current routing via US.
Link ↗Link ↗
Microsoft Corporation (Clarity)USAConsent-gated, marketing-only session analytics and heatmaps (Microsoft Clarity) on the public marketing pages. Loaded only after 'analytics' consent and NEVER on authenticated/app pages (dashboard, proposals, invoices, settings) — client and financial data are never recorded.Pages visited on the public marketing site, clicks/taps, scroll and pointer movement, referrer, UTM parameters, browser/device and OS family, approximate region (from IP at Microsoft's edge), and a pseudonymous Clarity session/user identifier. Financial and client PII is out of scope by design (Clarity is never loaded on app pages, and financial elements carry data-clarity-mask as defence-in-depth).USA — EU-US Data Privacy Framework (DPF)
Transfer to the USA under the EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795; Microsoft Corporation is DPF-certified — verifiable at dataprivacyframework.gov), supplemented by Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) under the Microsoft Products and Services DPA. Microsoft may process Clarity data for its own purposes per the Microsoft Clarity terms and the Microsoft Privacy Statement; Clozo's integration is consent-gated, marketing-only, and masks financial fields.
Link ↗Link ↗
Resend, Inc.USATransactional email delivery (welcome, OTP, password reset, invoice delivery, DSR confirmations, sub-processor change notices).Email address, subject line, HTML body. We do not store delivery logs beyond 30 days.USA — Standard Contractual Clauses (Commission 2021/914)
Standard Contractual Clauses signed.
Link ↗Link ↗
Crisp IM SASFrance (EU)Live-chat support widget on every page of useclozo.com.Email (only if user types it into chat), conversation transcript, IP, browser.EU/EEA only — no third-country transfer
EU-based provider, data hosted in EU (Nantes, France).
Link ↗Link ↗
Geoapify GmbHGermany (EU)Address autocomplete in account settings (street, postal code, city, country normalisation for e-invoice fields).Partial address strings typed into autocomplete. Not stored on Clozo side beyond live session.EU/EEA only — no third-country transfer
EU-based provider, processing in Germany (Linz HQ). No third-country transfer.
Link ↗Link ↗
Anthropic PBCUSAAI text expansion in proposal editor (Pro+ feature). Used as a core service feature under Art. 6(1)(b) GDPR — no per-user opt-in toggle (consistent with /tia page).Proposal description text + line item names. PII (client name, email, IBAN, currency amounts) is scrubbed before transmission. We do NOT send client list, billing data, or invoice totals.USA — Standard Contractual Clauses (Commission 2021/914)
Anthropic is NOT EU-US DPF certified — SCCs (Commission Implementing Decision 2021/914) are the sole transfer mechanism. Anthropic does NOT use API requests for model training (Anthropic Commercial Terms Section 4).
Link ↗Link ↗
Gotenberg (self-hosted)EU (Railway hosting)PDF rendering service for invoices and proposals. Runs as Clozo's own Railway service — open-source software (gotenberg/gotenberg).Proposal/invoice HTML payload passed in for PDF conversion. Stateless — no logs retained.EU/EEA only — no third-country transfer
Self-hosted in Clozo's own Railway environment (EU region). Not a third-party processor in the legal sense — listed for transparency only.
Link ↗

Cambios recientes

  • 05 jun 2026 · Added · Microsoft Corporation (Clarity)
    Added: Microsoft Corporation (Clarity, US-DPF) — consent-gated, marketing-only session analytics / heatmaps. Never loaded on authenticated/app pages.
  • 16 may 2026 · Updated · Anthropic PBC
    Updated: Anthropic PBC service description — removed the incorrect 'opt-in via Settings → AI' clause; aligned with /tia page (Schrems II summary) which correctly states no per-user opt-in is required (Art. 6(1)(b) core service).
  • 16 may 2026 · Updated · Anthropic PBC
    Updated: Anthropic PBC service description — removed the incorrect 'opt-in via Settings → AI' clause; aligned with /tia page (Schrems II summary) which correctly states no per-user opt-in is required (Art. 6(1)(b) core service).
  • 13 may 2026 · Added · Stripe Payments Europe Ltd.
    Initial sub-processor register published — 9 sub-processors disclosed (Stripe, Cloudflare, Sentry, PostHog, Resend, Crisp, Geoapify, Anthropic, Gotenberg).

Recibe avisos con 30 días de antelación

Te enviaremos un correo 30 días antes de añadir, eliminar o modificar un subencargado. Doble opt-in — primero recibirás un correo de confirmación.

Volver al inicio de sesión·Política de Privacidad·Contrato de encargo del tratamiento·Condiciones de uso·Aviso legal