Sub-processor Disclosure

Effective date: 2026-06-12
Version: subprocessors_v2_2

Pilotium - Sub-processor Disclosure

This page lists every sub-processor that Digital Technologies OÜ ("Pilotium") engages to process personal data on behalf of its customers (gym owners, as data controllers). This disclosure satisfies Article 28(2) GDPR and the DPA executed between Pilotium and each customer.

Active sub-processors

1a. WhatsApp Ireland Limited
    Country of establishment: Ireland (EEA)
    Service provided: WhatsApp Business Cloud API for EEA-established businesses. The gym is the WhatsApp Business; Pilotium is the Tech Provider acting as processor on the gym's behalf under the WhatsApp Business Solution Terms and the Tech Provider Program Terms.
    Categories of personal data: Conversation content, phone numbers, WABA metadata.
    Transfer mechanism: Intra-EEA - no transfer mechanism required.

1b. WhatsApp LLC
    Country of establishment: United States
    Service provided: WhatsApp Business Cloud API for non-EEA businesses and backend infrastructure for the WhatsApp Business Platform globally, as sub-sub-processor of WhatsApp Ireland Limited for EEA traffic.
    Categories of personal data: Conversation content, phone numbers, WABA metadata.
    Transfer mechanism: EU-U.S. Data Privacy Framework (Meta self-certification) + Standard Contractual Clauses 2021/914 Module 3 as a belt-and-braces fallback.

2. Meta Platforms Ireland Limited
    Country of establishment: Ireland (EEA)
    Service provided: Facebook, Instagram and Meta Lead Ads delivery for EEA-established advertisers; Custom Audience matching.
    Categories of personal data: Hashed identifiers (SHA-256 email, phone), ad engagement events.
    Transfer mechanism: Intra-EEA - no transfer mechanism required.

3. Meta Platforms, Inc.
    Country of establishment: United States
    Service provided: Advertising-platform backend infrastructure; ad delivery for non-EEA advertisers.
    Categories of personal data: Hashed identifiers, ad engagement events.
    Transfer mechanism: EU-U.S. Data Privacy Framework + Standard Contractual Clauses 2021/914 Module 3.

4. Anthropic, PBC
    Country of establishment: United States
    Service provided: Conversational AI inference (Claude API), copy generation, and audience analysis. Anthropic's commercial API terms apply: no training on customer data; a limited trust-and-safety retention window operated by Anthropic.
    Categories of personal data: Conversation content decrypted in-process, prompts, and responses.
    Transfer mechanism: Standard Contractual Clauses 2021/914 Module 3. EU-U.S. Data Privacy Framework will be added only if Anthropic self-certifies on the Department of Commerce list.

5a. Google Ireland Limited
    Country of establishment: Ireland (EEA)
    Service provided: Google Gemini API, paid tier (creative generation and automated content screening of the gym's uploaded and Instagram media); Google Ads delivery for EEA-established advertisers; Google Places API for gym address verification; Google OAuth for sign-in where used.
    Categories of personal data: Prompts, brand assets, and gym media submitted for screening or generation - including Instagram photos and videos that may show identifiable persons at the gym; hashed identifiers for Customer Match; ad engagement events; place data.
    Transfer mechanism: Intra-EEA - no transfer mechanism required.

5b. Google LLC
    Country of establishment: United States
    Service provided: Advertising-platform backend infrastructure; ad delivery for non-EEA advertisers; Customer Match matching infrastructure.
    Categories of personal data: Hashed identifiers, ad engagement events.
    Transfer mechanism: EU-U.S. Data Privacy Framework + Standard Contractual Clauses 2021/914 Module 3.

6. TikTok Inc.
    Country of establishment: United States; data may be accessible to TikTok Pte. Ltd. (Singapore) and ByteDance personnel located in the PRC under group-level access controls.
    Service provided: TikTok Ads delivery and audience matching.
    Categories of personal data: Hashed identifiers, ad engagement events.
    Transfer mechanism: Standard Contractual Clauses 2021/914 Module 3 + supplementary measures per documented Transfer Impact Assessment.

7. Hetzner Online GmbH
    Country of establishment: Germany (EEA)
    Service provided: Hosting of production application servers, the primary database, file storage, and self-hosted software, including the Pilotium application and Metabase. No data flows to Metabase Inc.
    Categories of personal data: All personal data processed by Pilotium at rest.
    Transfer mechanism: Intra-EEA - no transfer mechanism required.

8. Cloudflare, Inc.
    Country of establishment: United States, with EU points of presence.
    Service provided: DNS, CDN, DDoS protection, WAF.
    Categories of personal data: IP addresses, request headers, request paths; no message content.
    Transfer mechanism: EU-U.S. Data Privacy Framework + Standard Contractual Clauses 2021/914 Module 3. EU traffic is served from EU PoPs as a supplementary technical measure.

9. Stripe Payments Europe Ltd.
    Country of establishment: Ireland (EEA); United States for ancillary Stripe, Inc. services.
    Service provided: Subscription payments, wallet top-ups, payment-method storage, PCI-DSS scope. Card-PAN data is held by Stripe, never by Pilotium.
    Categories of personal data: Payment identifiers, last-4 card digits, billing addresses, payer name.
    Transfer mechanism: Intra-EEA for primary processing; EU-U.S. Data Privacy Framework + SCC 2021/914 Module 3 for US ancillary services.

10. Sendinblue SAS (trading as Brevo)
    Country of establishment: France (EEA)
    Service provided: Transactional and, where consent is given, marketing email delivery.
    Categories of personal data: Email addresses, names, transactional content, delivery and open events.
    Transfer mechanism: Intra-EEA for primary processing. Brevo's own US sub-processors are covered under Brevo's published sub-processor disclosure and DPA.

11. Resend Inc.
    Country of establishment: United States
    Service provided: Developer-facing transactional email delivery, backup channel, and system notifications.
    Categories of personal data: Email addresses, names, transactional content.
    Transfer mechanism: Standard Contractual Clauses 2021/914 Module 3. EU-U.S. Data Privacy Framework will be added only if active certification is confirmed.

12. Telegram Messenger Inc.
    Country of establishment: British Virgin Islands / United Arab Emirates
    Service provided: Internal operational alerting to Pilotium's operations team (service-health and incident notifications). Alert payloads are sanitised before dispatch: lead names, phone numbers, e-mail addresses and message content are redacted at source.
    Categories of personal data: Pseudonymised operational event metadata (event type, club identifier, timestamps). No message content.
    Transfer mechanism: Data minimisation (redaction at source) so that payloads do not contain directly identifying personal data; treated as a restricted transfer with SCC 2021/914 Module 3 where residual personal data cannot be excluded.

13. Madis sp. z o.o.
    Country of establishment: Poland (EEA)
    Service provided: Software development, maintenance and technical support of the Pilotium platform under a written development agreement and Article 28 data processing agreement. Production access is limited to what is necessary for development, debugging and support; development and testing use anonymised or synthetic data where feasible.
    Categories of personal data: All personal data processed by Pilotium, accessible during development and support work.
    Transfer mechanism: Intra-EEA - no transfer mechanism required.

Gym-controlled endpoints (not Pilotium sub-processors)

  • The gym's own WhatsApp Business Account (WABA) is a controller-owned messaging account that Pilotium administers under the BISU token issued by the gym during Meta Embedded Signup. The gym remains the WhatsApp Business and Pilotium acts on the gym's behalf.
  • Where the gym operates WhatsApp Coexistence, the gym's WhatsApp Business App running on a gym-controlled device is also a gym-controlled endpoint. Messages echo to Pilotium via Meta's infrastructure; Pilotium does not access or administer the device.

Planned or conditional sub-processors

The following providers are not currently active and will be added with 30-day notice if and when adopted:

  • Snap Inc. (US) - Snapchat Ads delivery. To be added when Snapchat Ads goes live in Pilotium.
  • OpenAI, L.L.C. (US) - possible future vector embeddings or narrow model usage. To be added only if Pilotium adopts an OpenAI service for any personal-data-touching purpose.
  • Functional Software, Inc. d/b/a Sentry (US) - error-tracking SaaS. To be added if and when self-hosted error tracking migrates to sentry.io.

Change-notice policy

Pilotium will notify customers of any addition, removal, or substitution of a sub-processor at least 30 calendar days before the change takes effect. Notice is given by email to the billing contact of each affected customer, by publication on this page with the new effective date, and by RSS feed at pilotium.cc/legal/subprocessors.rss. Customers retain the right under Article 28(2) GDPR to object to a new sub-processor; the objection right survives the 14-day reply deadline in the notice email. An unresolved objection entitles the customer to terminate the contract under the conditions set out in the DPA.

Emergency replacement of a sub-processor for security or continuity reasons may take effect on shorter notice with concurrent post-hoc notification; affected customers retain the objection right.

Sub-sub-processors and flow-down

Where Pilotium acts as processor, addition or substitution of a sub-processor is conditional on the new sub-processor being bound by data-protection obligations materially equivalent to those imposed on Pilotium under the DPA (Art. 28(4) GDPR). Pilotium remains fully liable to the customer for the performance of those obligations by the sub-processor.

Government-access notification

Each sub-processor outside the EEA is contractually required, to the maximum extent permitted by law, to notify Pilotium of legally binding public-authority requests, challenge such requests where lawful grounds exist, provide the minimum information permissible, and maintain a transparency-report capability. Pilotium will inform affected controllers without undue delay.

Schrems-III / DPF-invalidation contingency

If Implementing Decision (EU) 2023/1795 (EU-U.S. Data Privacy Framework) is invalidated or suspended, Pilotium will suspend new DPF-based transfers within 30 days of the operative judgment and complete transition to Standard Contractual Clauses 2021/914 with supplementary measures within 90 days, with customer status updates at days 30, 60 and 90.

TikTok / PAFACA contingency

If TikTok Inc. ceases operations in the United States by reason of US legislation, including Pub.L. 118-50 PAFACA, Pilotium will terminate all transfers to TikTok Inc. and notify customers within 5 business days.

Transfer Impact Assessment

For each transfer of personal data to a sub-processor established outside the EEA, Pilotium has documented a Transfer Impact Assessment in accordance with EDPB Recommendations 01/2020, version 2.0 of 18 June 2021, Schrems II, and Commission Implementing Decision (EU) 2021/914.

Supplementary measures

Supplementary technical measures include:

  • TLS 1.2+ in transit with PFS cipher suites;
  • AES-256 authenticated encryption at rest for stored credentials and tokens, with keys held in server configuration outside the database on EU infrastructure;
  • pseudonymisation of identifiers before transmission to advertising platforms;
  • strict purpose limitation at the API gateway;
  • least-privilege scoped credentials;
  • append-only audit logging;
  • no-training / limited-retention contractual commitments where offered by the sub-processor.
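As an added illustration of the pseudonymisation measure above (example code, not Pilotium's own), this Python block normalises an e-mail address and a phone number the way SHA-256 matching uploads typically require, hashes them, and emits only the hashed keys so that no other lead field leaves EU infrastructure. The normalisation rules, the Italian default country code and the output field names are assumptions; each platform publishes its own specification.

```python
import hashlib
import re

# Added example of "pseudonymisation of identifiers before transmission to
# advertising platforms". Normalisation rules are an assumption modelled on the
# common SHA-256 matching pattern; check each platform's current specification.

DEFAULT_COUNTRY_CODE = "39"  # assumption: Italian gym network; E.164 code without "+"


def normalise_email(email: str) -> str:
    """Trim and lowercase. Dots and plus-tags are kept: matching is on the literal string."""
    return email.strip().lower()


def normalise_phone(phone: str, country_code: str = DEFAULT_COUNTRY_CODE) -> str:
    """Reduce to E.164 digits (country code + national number, no '+')."""
    digits = re.sub(r"\D", "", phone)
    if phone.lstrip().startswith("+"):
        return digits                              # "+39 333 ..." already carries the country code
    if digits.startswith("00"):
        return digits[2:]                          # "0039 333 ..." international-prefix form
    return country_code + digits.lstrip("0")       # national number: drop trunk zero, prefix code


def pseudonymise(value: str) -> str:
    """SHA-256 hex digest of the normalised value: a pseudonym, not anonymisation."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def build_match_record(lead: dict) -> dict:
    """Return only the hashed matching keys; name and every other field stay behind."""
    record = {}
    if lead.get("email"):
        record["hashed_email"] = pseudonymise(normalise_email(lead["email"]))
    if lead.get("phone"):
        record["hashed_phone"] = pseudonymise(normalise_phone(lead["phone"]))
    return record


if __name__ == "__main__":
    # constructed sample lead; differently spelled identifiers must hash identically
    lead = {"name": "Anna Rossi", "email": " Anna.Rossi@Example.COM ", "phone": "+39 333 123 4567"}
    print(build_match_record(lead))
```

Because e-mail addresses and phone numbers have low entropy, a SHA-256 digest of them can be confirmed by recomputation from a candidate value, so hashed identifiers remain personal data under the GDPR and are listed as such in the register above.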

Supplementary contractual and organisational measures include:

  • government-access transparency reporting;
  • challenge-of-access obligations under SCC Clause 15(2);
  • onward-transfer restrictions under SCC Clause 8.7;
  • an internal law-enforcement request policy;
  • an annual sub-processor compliance review;
  • an EU-resident DPO contact channel at [email protected].

A redacted copy of each TIA is available to customers under NDA on written request.

Re-transfers controller-to-controller within the gym network

Where the customer (gym) is established outside the EEA, or instructs Pilotium to share lead data with a CRM or PMS controller outside the EEA, the customer is itself the data exporter and is responsible for executing SCC Module 1 with the receiving controller. Pilotium will make available a Module 1 template on written request.

Corporate representative for service of process in Estonia

Magrat OÜ (reg. 11730730, Tallinn, Estonia) is the corporate-services representative of Digital Technologies OÜ on the Estonian Äriregister. Magrat OÜ does not process personal data on behalf of Pilotium and is not a sub-processor; this disclosure is made for transparency under § 631 of the Estonian Commercial Code and Impressum requirements.