the full list

Sub-processors

Last updated: July 11, 2026

We tell people to ask every analytics vendor for its sub-processor list before writing "no US exposure" in a compliance document. That includes us. Here is ours, in full, with the distinction that actually matters: what touches your visitors' data, and what touches our own operations.

1. Your visitors' data: it never leaves the EU

Every analytics event we collect for you is stored and processed in Germany, on our own database engines. No US company holds it, and no transfer mechanism is needed for it.

ProviderWhat it doesWhere
Hetzner Online GmbHEUAll analytics data. We run our own database engines on these servers: no managed third-party database is in the path.Hosting (servers, ClickHouse, Postgres)Germany (EU)
Cloudflare, Inc.non-EUPassing traffic only (TLS termination, DDoS protection). No analytics data is stored there. Cloudflare is a data processor for the request metadata it necessarily sees.CDN and DNS in front of our domainsUS company, EU edge

2. Our own operations: yes, there are US vendors

Like every SaaS on earth, we bill customers and we send emails. These vendors see the email address of a Datalenk customer, never the data of that customer's visitors. Where a provider processes data outside the EU, we rely on the EU Standard Contractual Clauses. We would rather name them than let you discover them.

ProviderWhat it doesWhere
Stripe, Inc.non-EUThe billing details of Datalenk customers (not their visitors). Stripe never receives visitor data.Billing (our own subscriptions)US / Ireland
Amazon Web Services (SES)non-EUThe email address of a Datalenk customer, and the subject of the email we send them. Never visitor data.Transactional email relayUS / EU region
Brandfetchnon-EUA domain name (for example stripe.com) to fetch a logo, requested server-side. Your visitors' browsers never contact them, and no visitor data is sent.Brand logos in the dashboardSwitzerland / US
thum.ionon-EUA page URL, only if you switch the screenshot on. It is opt-in and off by default, precisely because it is the one place a page of yours would leave our infrastructure.Page screenshots behind heatmapsUS

What we do not use

No advertising network, no data broker, no analytics-on-our-analytics, no session-recording SaaS, and no LLM provider in the path of your data (the AI insights feature is off, and if we ever turn it on, this page says so first, and you get to say no).

Changes

We update this page before a new sub-processor starts handling data, not after. Questions, or a compliance review that needs more detail? Email [email protected]. See also our Data Processing Agreement and our Privacy Policy.