Transparency into the third-party service providers that process data on behalf of HeyDrop customers
HeyDrop uses the following sub-processors to provide our services. We maintain this list in compliance with GDPR Article 28 and our commitment to transparency. We notify customers with active Data Processing Agreements (DPAs) of any changes to our sub-processor list with at least 30 days' advance notice.
| Sub-processor | Purpose | Data Processed | Location | DPF Certified | Privacy Policy |
|---|---|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, data storage, authentication (Cognito, DynamoDB, KMS), backup & disaster recovery | All user data including business cards, contacts, profiles, usage logs | United States (us-east-1) | Yes | View Policy |
| RevenueCat | Subscription management, billing, and app receipts (mobile platforms) | User ID, subscription status, purchase history, transaction data | United States | Yes | View Policy |
| Paddle | Payment processing, subscription billing (web platform) | Name, email, billing address, payment method (tokenized) | United Kingdom | N/A* | View Policy |
| Intercom | Customer support, messaging, in-app communication | Name, email, phone, conversation history, support tickets | United States | Yes | View Policy |
| Amplitude | Product analytics, user behavior tracking, feature usage | Anonymized user events, device info, session analytics, usage patterns | United States | Yes | View Policy |
| PostHog | Product analytics, session recording, feature tracking | Anonymized user events, session recordings, product interaction data | European Union (EU hosting) | Yes | View Policy |
| Apple (App Store Connect) | App distribution, in-app purchase management, analytics | User ID, subscription data, app analytics, crash reports | United States | Yes | View Policy |
| Google (Analytics & Site Kit) | Website analytics, performance monitoring, marketing attribution | Anonymized browsing data, page views, referral data, cookies (analytics only) | United States | Yes | View Policy |
| Meta Platforms (Facebook) | Advertising analytics and pixel tracking | Anonymized conversion data via pixel, campaign attribution | United States | Yes | View Policy |
| Vercel | Web hosting, content delivery, serverless function deployment | IP addresses, HTTP request logs, performance metrics, usage data | United States | Yes | View Policy |
| CookieYes | Cookie consent management, GDPR compliance | Consent preferences, anonymized user IDs, cookie preferences | European Union | N/A** | View Policy |

\*UK Adequacy Decision: Paddle is located in the United Kingdom, which has an independent adequacy decision under the UK GDPR and GDPR for transfers from the EEA.

\*\*EU Hosting: CookieYes is hosted within the European Union and therefore does not require DPF or SCCs for EU data transfers. PostHog is also EU-hosted and additionally DPF-certified.

30-Day Advance Notice: When HeyDrop engages a new sub-processor or replaces an existing one, we notify all customers with active Data Processing Agreements (DPAs) at least 30 days in advance.
Right to Object: Upon receiving notification of a new sub-processor, customers may object within 14 days. If a customer objects and HeyDrop cannot resolve the concern, the customer may terminate the affected service without penalty.
To Receive Notifications: Contact [email protected] to ensure you receive sub-processor change notifications or to discuss any concerns about current sub-processors.
None. This is the initial publication of our sub-processor list (March 2026).
Questions about our sub-processors?
We're committed to transparency and compliance with data protection laws. If you have concerns about any sub-processor or need additional information, please contact us:
Email: [email protected]
DPO: [email protected]