Sub-processors
A sub-processor is a third party that Shand Enterprises LLC ("Clyro", "we", "us") engages to process data on our behalf in order to provide the Clyro platform, dashboard, and the funnels our customers ("operators") publish through us (together, the "Service"). Each sub-processor is bound to protect the data and to use it only to provide its service to us.
This page is the authoritative, current list referenced by our Privacy Policy and our Data Processing Addendum. Under the DPA, Clyro will give operators notice before adding or replacing a sub-processor that processes funnel-visitor data, and operators may object on reasonable grounds. See Change notifications below for how to subscribe.
Infrastructure and hosting
These providers host the Service, store its data, deliver it over the network, and help us keep it running.
| Sub-processor | Purpose | Data processed | Location |
|---|---|---|---|
| Railway | Cloud hosting, application database, and cache | All Service data (at rest) | United States |
| Cloudflare | CDN, DNS, secure tunnel ingress, TLS and custom-domain SSL, and edge caching; also the source of the visitor IP address | Traffic metadata and visitor IP addresses | Global (edge) |
| Cloudflare R2 | Object storage for media, fonts, and AI web-capture artifacts | Operator media and related artifacts | Global |
| Sentry | Error and performance monitoring | Diagnostic data (cookies and authentication tokens are stripped) | United States |
Operator account and communications
These providers support operator sign-in, billing, transactional email, and the in-app AI assistant. They primarily process operator account data, for which Clyro is the controller under the Privacy Policy.
| Sub-processor | Purpose | Data processed | Location |
|---|---|---|---|
| Shand Pay | Clyro subscription billing (affiliated billing service of Shand Enterprises LLC; wraps the Authorize.Net processor) | Operator billing details and payment-method tokens (no full card number reaches Clyro) | United States |
| Resend | Transactional and notification email | Operator email addresses and message content | United States |
| Operator sign-in (Sign in with Google) | Authentication identifiers | Global | |
| Apple | Operator sign-in (Sign in with Apple) | Authentication identifiers | Global |
| Anthropic | Powers the in-app AI assistant (Claude) | Funnel content and brand settings, and aggregated analytics; NO raw visitor contact details are sent | United States |
Operator media processing (video)
These providers process video an operator uploads to the Service — for hosting, streaming, transcription, and chapter generation. They process the content the operator uploads; what that content contains is up to the operator.
| Sub-processor | Purpose | Data processed | Location |
|---|---|---|---|
| Mux | Video upload, transcoding, and streaming | Operator-uploaded video | United States |
| Deepgram | Speech-to-text transcription of operator videos | Operator video audio | United States |
| Google (Generative AI) | Generates video chapters from transcripts | Video transcript text | United States / Global |
Funnel-visitor data (processed on operators' behalf)
These providers process funnel-visitor data on behalf of the operator who runs the funnel. For this data the operator is the controller and Clyro is the processor; the terms are set out in the DPA.
| Sub-processor | Purpose | Data processed | Location |
|---|---|---|---|
| FingerprintJS Pro | Device identification and fraud/bot risk signals on published funnels | Visitor device and network signals | Global |
| ZeroBounce | Email validation / lead-quality enrichment of submitted leads | Submitted email addresses | United States |
| Twilio | Phone line-type and risk enrichment of submitted leads | Submitted phone numbers | United States / Global |
Operator-controlled third parties (not Clyro sub-processors)
Operators can connect or embed their own third-party services into their funnels. When they do, those services receive data at the operator's direction — the operator is the controller of that data and chooses those services, so they are not Clyro sub-processors and are not covered by this list. They typically fall into three groups:
- Funnel payment providers the operator connects to collect money from their own visitors — for example Stripe, Fanbasis, and Whop. Card details are handled by the operator's chosen provider and never reach Clyro's servers.
- Connected marketing and CRM integrations the operator enables — for example GoHighLevel, PostHog, Meta Pixel, TikTok Pixel, Google Analytics 4, Google Ads, and outbound webhooks.
- Third-party tracking the operator pastes into their funnel via custom code — for example Trakyo, Google Tag Manager, and Hotjar.
These destinations send and receive data at the operator's direction. The operator — not Clyro — is the controller of those onward transfers and is responsible for disclosing them and obtaining any required consent. See How we share information in the Privacy Policy.
Two special cases
Change notifications and contact
We may update this list as our infrastructure evolves. The "Last updated" date at the top of this page reflects the most recent change. Under the DPA, before we add or replace a sub-processor that processes funnel-visitor data, we will give operators advance notice and an opportunity to object on reasonable grounds.
To request change notifications, raise an objection, or ask any question about this list, contact Shand Enterprises LLC at team@clyro.io.