Subprocessors
This page lists all third-party service providers ("sub-processors") that process personal data on behalf of Korely under the meaning of Article 28 of the General Data Protection Regulation (GDPR). It is published here for transparency and is updated whenever a sub-processor is added, removed, or materially changed.
Korely is operated by Massimiliano Martella (sole trader), based in Italy. Privacy contact: privacy@korely.ai.
Sub-processors in active use
| Provider | Purpose | Region | DPA / Privacy Policy |
|---|---|---|---|
| Google Gemini (Google LLC / Google Ireland Ltd) | LLM core: uploaded audio/video transcription, embeddings, AI chat, summaries, entity extraction | United States (EU SCC + adequacy) | DPA · Privacy |
| Deepgram (Deepgram, Inc.) | Real-time speech-to-text transcription (live in-app recordings) | European Union (api.eu.deepgram.com endpoint) |
DPA · Privacy |
| Groq (Groq, Inc.) | Inference on meeting-transcript text: speaker-name inference and meeting summaries | United States (EU SCC) | DPA · Privacy |
| Hetzner (Hetzner Online GmbH) | Primary infrastructure host: backend, PostgreSQL database (all user content), self-hosted inference service, scheduler | European Union (Germany) | DPA · Privacy |
| Cloudflare, Inc. | Pages hosting, R2 object storage (audio files, note mirrors, database backups; EU), and cookieless Pages Analytics | European Union + global edge | DPA · Privacy |
| Firebase Auth + FCM (Google LLC) | Authentication, magic-link login, push notifications | United States (EU SCC + adequacy) | DPA · Privacy |
| Polar (Polar Software, Inc.) | Payment processing, subscription management and billing, acting as Merchant of Record (seller of record for the transaction) | United States (EU SCC) | DPA · Privacy |
| Resend (Resend, Inc.) | Transactional email: magic-link, verification, password reset | United States (EU SCC) | DPA · Privacy |
| Loops (Loops, Inc.) | Waitlist contact storage and product-update emails to opted-in leads (email + signup timestamp + consent record) | United States (EU SCC) | DPA · Privacy |
| Sentry (Functional Software, Inc.) | Error tracking and observability (PII off, no session replays) | European Union (Germany) | DPA · Privacy |
| Microsoft Corporation (Microsoft Ireland Operations Ltd for EU customers) | Outlook calendar integration (optional, OAuth2 user opt-in) | EU / US per tenant | DPA · Privacy |
| Google Calendar API (Google LLC) | Google Calendar integration (optional, OAuth2 user opt-in) | United States (EU SCC) | DPA · Privacy |
| Telegram Bot API (Telegram FZ-LLC, Dubai) | Voice and text ingestion via @KorelyBot (optional, user opt-in) | Telegram global infrastructure | Privacy · Bot API ToS |
Services we explicitly do NOT use
For full transparency, the following services are commonly assumed to be in use by modern web applications but are not used by Korely:
- Google Tag Manager, Google Analytics — replaced by Cloudflare Pages Analytics (server-side, cookieless)
- Meta Pixel, Facebook ads — none
- Hotjar, FullStory, LogRocket, Mouseflow — no session replay tools
- Mailchimp, ActiveCampaign, ConvertKit — not used (the waitlist and product-update emails run on Loops, listed above)
- Intercom, Crisp, Drift, Zendesk — no third-party live chat or ticketing
- Anthropic Claude API direct — not used by Korely's core (Korely is exposed as an MCP server but does not consume Claude as an LLM provider)
- OpenAI API direct — not used by Korely user-facing services
Notification of changes
We will update this page whenever a sub-processor is added, removed, or materially changed (region, purpose, retention). Material changes affecting your personal data will also be reflected in our Privacy Policy with a new effective date.
For enterprise customers requiring formal notification, please contact us at privacy@korely.ai to subscribe to our sub-processor change notifications.
Contact
For privacy questions or to exercise your rights under GDPR (access, deletion, rectification, portability, objection): privacy@korely.ai.
Data Controller: Massimiliano Martella (sole trader), Via della Bastia, 40033 Casalecchio di Reno (BO), Italy.
A more comprehensive Data Processing Addendum is available to enterprise customers on request. The internal record of processing activities (RoPA) and Data Protection Impact Assessments (DPIAs) are maintained per Articles 30 and 35 GDPR and may be shared with supervisory authorities or under NDA.