Skip to main content
Clozo

Podmioty przetwarzające

Wersja rejestru 1.0 · Pobrano 18 lipca 2026 · Kanał RSS · JSON

Clozo (Andrei Diachenko, jednoosobowa działalność gospodarcza pod nazwą Clozo) korzysta z następujących podmiotów przetwarzających, aby świadczyć usługę. Ten rejestr jest publikowany na podstawie art. 28(2) RODO. Powiadamiamy z 30-dniowym wyprzedzeniem przed dodaniem nowego podmiotu przetwarzającego — zasubskrybuj poniżej, aby otrzymywać powiadomienia.

Pełen opis, jak wykorzystujemy Twoje dane osobowe, znajdziesz w naszej Polityce prywatności §6.

Podmiot przetwarzającyKrajUsługaKategorie danychMechanizm przekazywaniaPolityka prywatnościUmowa powierzenia
Stripe Payments Europe Ltd.Ireland (EU)Payment processing for Pro/Unlimited subscriptions and customer-paid invoices via Stripe Connect.Email, name, IP, payment method metadata (last4, brand), billing address, transaction amount and currency.EU/EEA only — no third-country transfer
Data processed in EU (Ireland). Stripe Connect routes between Stripe legal entities transparent to user.
Link ↗Link ↗
Cloudflare, Inc.USA (with EU edge)CDN, DDoS protection, Workers runtime hosting the frontend, R2 object storage for PDFs + uploaded logos.IP addresses (truncated at edge, hashed daily-rotated salt for click logging), user agent (browser family only), file uploads (logos, PDF invoices).USA — Standard Contractual Clauses (Commission 2021/914)
Standard Contractual Clauses signed (Cloudflare 2024 DPA). EU edge enabled — content delivery happens from EU PoPs.
Link ↗Link ↗
Functional Software, Inc. (Sentry)USAError monitoring and performance tracing for backend (Django) and frontend (Next.js).Stack traces, request paths, user-agent strings. PII scrubbing enabled via Sentry data-scrubbing rules. NO email or full request bodies sent.USA — Standard Contractual Clauses (Commission 2021/914)
Standard Contractual Clauses signed. Sentry-EU region used where available.
Link ↗Link ↗
PostHog Inc.USAProduct analytics, session replay (Pro+ only, opt-in), feature flags. Consent-gated — no events sent without explicit acceptance.Anonymous distinct_id, event names, properties (page paths, button clicks). User-linked only after authentication. Session replay PII-masked.USA — Standard Contractual Clauses (Commission 2021/914)
Standard Contractual Clauses signed. EU region in roadmap; current routing via US.
Link ↗Link ↗
Microsoft Corporation (Clarity)USAConsent-gated, marketing-only session analytics and heatmaps (Microsoft Clarity) on the public marketing pages. Loaded only after 'analytics' consent and NEVER on authenticated/app pages (dashboard, proposals, invoices, settings) — client and financial data are never recorded.Pages visited on the public marketing site, clicks/taps, scroll and pointer movement, referrer, UTM parameters, browser/device and OS family, approximate region (from IP at Microsoft's edge), and a pseudonymous Clarity session/user identifier. Financial and client PII is out of scope by design (Clarity is never loaded on app pages, and financial elements carry data-clarity-mask as defence-in-depth).USA — EU-US Data Privacy Framework (DPF)
Transfer to the USA under the EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795; Microsoft Corporation is DPF-certified — verifiable at dataprivacyframework.gov), supplemented by Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) under the Microsoft Products and Services DPA. Microsoft may process Clarity data for its own purposes per the Microsoft Clarity terms and the Microsoft Privacy Statement; Clozo's integration is consent-gated, marketing-only, and masks financial fields.
Link ↗Link ↗
Resend, Inc.USATransactional email delivery (welcome, OTP, password reset, invoice delivery, DSR confirmations, sub-processor change notices).Email address, subject line, HTML body. We do not store delivery logs beyond 30 days.USA — Standard Contractual Clauses (Commission 2021/914)
Standard Contractual Clauses signed.
Link ↗Link ↗
Crisp IM SASFrance (EU)Live-chat support widget on every page of useclozo.com.Email (only if user types it into chat), conversation transcript, IP, browser.EU/EEA only — no third-country transfer
EU-based provider, data hosted in EU (Nantes, France).
Link ↗Link ↗
Geoapify GmbHGermany (EU)Address autocomplete in account settings (street, postal code, city, country normalisation for e-invoice fields).Partial address strings typed into autocomplete. Not stored on Clozo side beyond live session.EU/EEA only — no third-country transfer
EU-based provider, processing in Germany (Linz HQ). No third-country transfer.
Link ↗Link ↗
Anthropic PBCUSAAI text expansion in proposal editor (Pro+ feature). Used as a core service feature under Art. 6(1)(b) GDPR — no per-user opt-in toggle (consistent with /tia page).Proposal description text + line item names. PII (client name, email, IBAN, currency amounts) is scrubbed before transmission. We do NOT send client list, billing data, or invoice totals.USA — Standard Contractual Clauses (Commission 2021/914)
Anthropic is NOT EU-US DPF certified — SCCs (Commission Implementing Decision 2021/914) are the sole transfer mechanism. Anthropic does NOT use API requests for model training (Anthropic Commercial Terms Section 4).
Link ↗Link ↗
Gotenberg (self-hosted)EU (Railway hosting)PDF rendering service for invoices and proposals. Runs as Clozo's own Railway service — open-source software (gotenberg/gotenberg).Proposal/invoice HTML payload passed in for PDF conversion. Stateless — no logs retained.EU/EEA only — no third-country transfer
Self-hosted in Clozo's own Railway environment (EU region). Not a third-party processor in the legal sense — listed for transparency only.
Link ↗

Ostatnie zmiany

  • 05 cze 2026 · Added · Microsoft Corporation (Clarity)
    Added: Microsoft Corporation (Clarity, US-DPF) — consent-gated, marketing-only session analytics / heatmaps. Never loaded on authenticated/app pages.
  • 16 maj 2026 · Updated · Anthropic PBC
    Updated: Anthropic PBC service description — removed the incorrect 'opt-in via Settings → AI' clause; aligned with /tia page (Schrems II summary) which correctly states no per-user opt-in is required (Art. 6(1)(b) core service).
  • 16 maj 2026 · Updated · Anthropic PBC
    Updated: Anthropic PBC service description — removed the incorrect 'opt-in via Settings → AI' clause; aligned with /tia page (Schrems II summary) which correctly states no per-user opt-in is required (Art. 6(1)(b) core service).
  • 13 maj 2026 · Added · Stripe Payments Europe Ltd.
    Initial sub-processor register published — 9 sub-processors disclosed (Stripe, Cloudflare, Sentry, PostHog, Resend, Crisp, Geoapify, Anthropic, Gotenberg).

Otrzymuj 30-dniowe wyprzedzenie o zmianach

Wyślemy e-mail 30 dni przed dodaniem, usunięciem lub zmianą podmiotu przetwarzającego. Podwójna weryfikacja — najpierw otrzymasz e-mail potwierdzający.

Powrót do logowania·Polityka prywatności·Umowa powierzenia przetwarzania danych·Warunki świadczenia usług·Nota prawna