Sub-processors
Effective 15 January 2026 · Version 2026-01-15
Arioon uses the following sub-processors to operate the platform. We've structured each section to give you the information you need for your own compliance work: what they do, what data they touch, where they're located, and the cross-border transfer mechanism we rely on.
We notify customers of additions or replacements at least 30 days before they take effect, via the dashboard and (for active accounts) by email. You may object on reasonable grounds, in which case we will work with you to find an acceptable resolution; if none is possible, you may terminate the affected services.
- Purpose
- Application hosting, managed Postgres, private networking
- Data
- All platform data while in operation
- Transfer
- Same-region storage; SCCs in place for any incidental EU↔US transfers via support tooling
- Purpose
- Image upload, storage (30-day retention by default), and on-the-fly resizing
- Data
- Face images submitted for analysis; image metadata
- Transfer
- SCCs / DPA executed with Cloudinary
- Purpose
- AI-generated skin analysis recommendations (text)
- Data
- Numerical parameter scores and tone-group labels (NO raw images sent to OpenAI)
- Transfer
- OpenAI API DPA; data not used for model training per OpenAI API policy
- Purpose
- Transactional and marketing email delivery
- Data
- Email addresses; email message contents (analysis results, invoices, etc.)
- Transfer
- SCCs / DPA executed with Resend
- Purpose
- Source code repository (no production data stored here)
- Data
- Source code only — no customer data
- Transfer
- GitHub DPA; production data is not stored in repositories
Future additions
The following are likely additions in the next 6 months. We list them here for transparency:
- Paystack / Stripe — when card-on-file billing is enabled; for processing card payments and recurring subscriptions
- An observability provider (e.g. Datadog or BetterStack) — for production error tracking
Questions: privacy@arioon.com