Arioon
Draft pending legal review. These pages reflect our current practices and the legal framework we're committing to. Final wording is being reviewed by counsel; expect minor changes before final adoption. Last review: 15 January 2026.

Sub-processors

Effective 15 January 2026 · Version 2026-01-15

Arioon uses the following sub-processors to operate the platform. We've structured each section to give you the information you need for your own compliance work: what they do, what data they touch, where they're located, and the cross-border transfer mechanism we rely on.

We notify customers of additions or replacements at least 30 days before they take effect, via the dashboard and (for active accounts) by email. You may object on reasonable grounds, in which case we will work with you to find an acceptable resolution; if none is possible, you may terminate the affected services.

EU (Frankfurt)
Purpose
Application hosting, managed Postgres, private networking
Data
All platform data while in operation
Transfer
Same-region storage; SCCs in place for any incidental EU↔US transfers via support tooling
US, EU
Purpose
Image upload, storage (30-day retention by default), and on-the-fly resizing
Data
Face images submitted for analysis; image metadata
Transfer
SCCs / DPA executed with Cloudinary
Purpose
AI-generated skin analysis recommendations (text)
Data
Numerical parameter scores and tone-group labels (NO raw images sent to OpenAI)
Transfer
OpenAI API DPA; data not used for model training per OpenAI API policy
Purpose
Transactional and marketing email delivery
Data
Email addresses; email message contents (analysis results, invoices, etc.)
Transfer
SCCs / DPA executed with Resend
Purpose
Source code repository (no production data stored here)
Data
Source code only — no customer data
Transfer
GitHub DPA; production data is not stored in repositories

Future additions

The following are likely additions in the next 6 months. We list them here for transparency:

  • Paystack / Stripe — when card-on-file billing is enabled; for processing card payments and recurring subscriptions
  • An observability provider (e.g. Datadog or BetterStack) — for production error tracking

Questions: privacy@arioon.com