Legal
Sub-processors
Last revised: 2026-05-17
Hosting + infrastructure
| Processor | Purpose | Region | Reference |
|---|---|---|---|
| Railway | Application hosting for the API and the web app, plus the primary Postgres instance (verdicts, accounts, audit log). | US (us-west-2 / us-east-1 — see Railway dashboard for the active region) | railway.app/legal/privacy |
| Cloudflare | Edge proxy, DNS, Cloudflare Pages (the marketing site), Workers (inbox-parser, AEO meter), KV stores (anonymous quota hash, inbound mail), R2 (any static asset bundles), and Email Routing. | Global edge (data-at-rest in CF's encrypted KV / R2; no per-tenant key) | cloudflare.com/cloudflare-customer-dpa |
Payments
| Processor | Purpose | Region | Reference |
|---|---|---|---|
| Stripe | Primary payments processor. Handles card data, billing address, email, and the merchant-of-record relationship for paid plans + top-ups. Stripe's own sub-processors (Adyen, AWS, etc.) are listed on their site. | US (with EU data-residency available per Stripe DPA) | stripe.com/legal/dpa |
| Polar.sh | Secondary / merchant-of-record payments processor used for select Forge bundle paths and EU-preferred customers. Polar is a merchant-of-record and re-sells under its own VAT identity in many jurisdictions. | EU (Sweden) primary, with US replicas | polar.sh/legal/privacy |
Stripe and Polar are merchants-of-record for their respective transactions and maintain their own sub-processor lists. We link to each above; both publish a complete tree under their DPA.
Email
| Processor | Purpose | Region | Reference |
|---|---|---|---|
| Resend | Transactional email — magic-link sign-in, billing receipts, verdict notifications, watch-digest mail. Receives recipient address + rendered email body. | US (with EU region available on request per Resend DPA) | resend.com/legal/dpa |
| Loops | Marketing / lifecycle email. Used only when the operator enables the Loops integration. Receives email + opt-in status + transactional triggers. | US | loops.so/dpa |
Analytics + error monitoring
| Processor | Purpose | Region | Reference |
|---|---|---|---|
| PostHog | Product analytics (events, funnels, retention). Cookieless on the marketing site (in-memory persistence only); identified profiles created server-side only after authenticated signup. Session-replay is disabled in our config; if it is ever re-enabled, masking is configured to redact all text and inputs (see /privacy for the configured masking rules). | Configurable via NEXT_PUBLIC_POSTHOG_HOST — set to eu.i.posthog.com for EU customers; defaults to us.i.posthog.com. | posthog.com/dpa |
| Sentry | Error monitoring. Stack traces, request IDs, and redacted breadcrumbs. Candidate names, magic-link tokens, session IDs, and email addresses are scrubbed in-process via the `before_send` and `before_breadcrumb` hooks before any event leaves our servers. | US (with EU region available — operator confirms via SENTRY_DSN host) | sentry.io/legal/dpa |
Trademark + naming data sources
| Processor | Purpose | Region | Reference |
|---|---|---|---|
| USPTO TSDR | US Patent & Trademark Office Trademark Status & Document Retrieval. Etymolt sends only the candidate name (no user identity) to the public TSDR endpoint. USPTO is a US government agency, not a private processor — listed here for transparency. Responses are public-record data. | US government (Alexandria, VA) | tsdr.uspto.gov |
| EUIPO eSearchplus | EU Intellectual Property Office. Candidate name only, no user identity. Public-register data. | EU (Alicante, ES) | euipo.europa.eu/eSearch |
| UKIPO | UK Intellectual Property Office. Candidate name only. | UK (Newport) | gov.uk/government/organisations/intellectual-property-office |
| WIPO Madrid | World Intellectual Property Organization Madrid system. Candidate name only. | International (Geneva, CH) | wipo.int/madrid |
| Apify | SERP scraping for the social + domain collision check. Receives candidate name only, no caller identity. | EU (Prague, CZ) | apify.com/privacy-policy |
| Dynadot | Domain registrar for Forge bundle domain purchases. Receives the registrant's name, billing address, and email when a customer opts to register a domain via Etymolt. | US (San Mateo, CA) | dynadot.com/policy/privacy |
USPTO, EUIPO, UKIPO, and WIPO are government registries — not private sub-processors in the strict GDPR sense. They are listed for transparency because Etymolt sends the candidate name to their public endpoints to compute trademark axes. The responses are public-record data.
LLM + MCP surfaces
| Processor | Purpose | Region | Reference |
|---|---|---|---|
| Anthropic | LLM round-trips for selected verdict explanation flows. Etymolt forwards the candidate name + a stripped contextual prompt; no account identifiers are sent. Anthropic does not train on API data. | US | anthropic.com/legal/commercial-terms |
| OpenAI | LLM round-trips for selected verdict explanation flows when the operator configures an OpenAI key. Candidate name + stripped contextual prompt; no account identifiers. | US | openai.com/policies/data-processing-addendum |
| Smithery | Hosts the public Etymolt MCP server registry entry. When a user invokes the MCP via Smithery, Smithery proxies tool calls to api.etymolt.com. Smithery sees the user's chosen client identity + the tool name + payload (which contains the candidate name). | US | smithery.ai/privacy |
| Cursor / Continue.dev / Windsurf / Claude Desktop / ChatGPT / Perplexity / Gemini / Copilot | End-user LLM clients. These are user-initiated installations of the Etymolt MCP server. When a user invokes a tool, the client forwards the candidate name + tool name to api.etymolt.com via the MCP protocol. The client itself is not an Etymolt sub-processor in the strict sense — the user is the controller of their own LLM client — but we list these for transparency since the candidate name passes through the client first. | Varies by client (mostly US-hosted) | etymolt.com/install — per-client install guides |
End-user LLM clients (Cursor, ChatGPT, Claude Desktop, etc.) are not Etymolt sub-processors — the user is the controller of their own client. We list them so you can see the complete path a candidate name takes when invoked via MCP: user-client → MCP transport → api.etymolt.com.
Communications + observability
| Processor | Purpose | Region | Reference |
|---|---|---|---|
| Twilio | Inbound SMS processing for select operator flows (incident alerts, magic-link delivery fallback). Receives the recipient phone number + message body when used. | US (San Francisco, CA) | twilio.com/legal/privacy |
| ElevenLabs | Voice TTS for the pronunciation axis explainer. Receives the candidate name when synthesis is triggered. | US | elevenlabs.io/privacy |
| Better Stack | Log retention + uptime monitoring. Receives Railway + Cloudflare log streams. Logs are scrubbed in-process for emails, tokens, and IPs before leaving our servers; Better Stack retains them for the configured window (default 30 days). | EU (Prague, CZ) | betterstack.com/legal/dpa |
| Microsoft Clarity | Session replay on the marketing site only (never the API or /account). Loaded with mask-all-text enabled. Honors DNT and Global Privacy Control — does not load when either is set. | US | privacy.microsoft.com/privacystatement |
| Google Analytics 4 | Aggregated traffic metrics. Loaded only when NEXT_PUBLIC_GA_MEASUREMENT_ID is set AND the user consents. IP anonymization enabled. | US | policies.google.com/privacy |
How to be notified of changes
We commit to publishing material sub-processor changes here with at least 30 days' notice for additions that meaningfully widen the data-flow surface (e.g. a new payments processor or a new region). Customers on the Platform / Enterprise tier may subscribe to a changelog feed by emailing privacy@etymolt.com.
For customers with an executed DPA, the DPA controls. The list here is published for transparency in addition to the contractual notification mechanism.
Object to a sub-processor
Under GDPR Art. 28(2), controllers can object to a new sub-processor. To object, email privacy@etymolt.com within 30 days of the change being published here. We will work in good faith to resolve the objection; if we cannot, you may terminate the affected service.