-
Email
-
Phone
Last Updated: 3 Jun 2026 · Version 1.1
Kodwise OÜ uses carefully selected third-party service providers (“subprocessors”) to deliver its services. They process personal data only on our documented instructions under written Data Processing Agreements (DPAs) as required by Article 28 GDPR, and under confidentiality obligations. For transfers outside the EEA we rely on the EU Standard Contractual Clauses (SCCs) and, where a provider is certified, the EU–US Data Privacy Framework (DPF), together with supplementary measures and Transfer Impact Assessments.
| Provider | Purpose | Location | Transfer basis |
|---|---|---|---|
| Hosting & infrastructure | |||
| Neon (a Databricks company) | PostgreSQL database (account, education, billing) | EU — Frankfurt | Data residency EEA; SCCs (US contracting entity) |
| Hetzner | Application servers + object storage (recordings + communications attachments) | EU — Germany | Within EEA |
| Cloudflare | CDN/DNS + bot protection (Turnstile); object storage (R2) when enabled | Global (EU jurisdiction for stored assets) | SCCs |
| Upstash | Redis (rate-limiting) | EU — Frankfurt | Data residency EEA; SCCs |
| Payments | |||
| Stripe | Payment & subscription processing (no card data stored by us) | US | DPF / SCCs |
| AI | |||
| Anthropic | Kodmigo AI assistant (Claude) — child input PII-redacted; not used for model training | US | DPF / SCCs |
| OpenAI | Content moderation + hint-cache embeddings (PII-redacted); not used for model training | US | DPF / SCCs |
| Communications | |||
| Brevo | Transactional + marketing email/SMS | EU — France | Within EEA |
| Twilio | WhatsApp + voice (EN/ES markets) — parent phone, message/call content | US | SCCs |
| Verimor | Voice + IVR (Türkiye only) — adult parent phone/call; no child data | Türkiye (via TR intermediary) | Local; DPA in progress |
| Crisp | Live-chat support widget (consent-gated) | EU — France | Within EEA |
| Google (Gmail API) | Support mailbox sync | US | DPF / SCCs |
| Live lessons (video) & lesson summary | |||
| Zoom | Live online class delivery (child video/audio); data residence set to EEA | US (EEA data residence) | DPF / SCCs |
| Google Drive (Workspace) | Trial-lesson recording storage | US | Google Workspace CDPA |
| Spiky.AI | AI lesson-summary assistant — joins live classes, emails parents a summary (child audio/video + transcript); not used for model training. Its subprocessors: AWS, OpenAI, Recall. | US (AWS us-east-2) | SCCs |
| Analytics & monitoring | |||
| PostHog | Product analytics (consent-gated, pseudonymous, no IP in profiles) | EU Cloud | Within EEA |
| Sentry | Error & performance monitoring (PII redacted) | EU data region | DPF / SCCs for any US transfer |
| Advertising measurement (parents only) | |||
| Meta | Conversion measurement / remarketing — hashed parent identifiers only | US | DPF / SCCs |
| Google Ads | Conversion measurement — hashed parent identifiers only | US | DPF / SCCs |
| B2B (school) conversion measurement — hashed identifiers | US | DPF / SCCs | |
| CRM & lead handling | |||
| Kommo (being phased out → in-house Cortex) | Lead/CRM — parent + child lead fields | US | SCCs |
| Google (Sheets — under review) | Lead backup | US | DPF / SCCs |
| Authentication | |||
| OAuth sign-in | US | DPF / SCCs | |
| Apple | Sign in with Apple (email may be a private relay) | US | Apple Developer Program Licence Agreement |
No child personal data (name, age, date of birth) is sent to any advertising provider — only hashed parent/guardian identifiers and click identifiers. Advertising is directed at parents, not children. We do not sell personal data.
All subprocessors are bound by written agreements that include confidentiality, security, data minimisation, and restricted-purpose clauses, and provide at least the level of data protection required under the GDPR. When a subprocessor operates outside the EEA, we rely on:
• the EU Standard Contractual Clauses (SCCs) (and the EU–US Data Privacy Framework where certified);
• additional technical and organisational safeguards (encryption, access controls, pseudonymisation, and — for AI — removal of direct identifiers before processing);
• Transfer Impact Assessments (TIAs) for third countries.
We make no transfers to a country without an EU adequacy decision.
Subprocessors are granted only the minimum data necessary to perform their contracted duties. They are prohibited from using personal data for their own purposes, sharing it with additional third parties, or engaging further subprocessors without prior written authorisation from Kodwise OÜ.
We review subprocessors for compliance with our data-protection standards. Each is required to:
• implement appropriate technical and organisational measures (GDPR Art. 32);
• notify us without undue delay of any actual or suspected data breach;
• support us in fulfilling data-subject requests and incident responses.
We may update this list as our services or subprocessors change. Material updates are published here with a revised “Last Updated” date, and we give prior notice of a new subprocessor as required under our DPA. Contact legal@kodwise.org to receive notifications or request the current list. Concerns may also be raised with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at https://www.aki.ee/en.
Kodwise OÜ
Ahtri tn 12, Kesklinna linnaosa, 15551 Tallinn, Harju maakond, Estonia
legal@kodwise.org · General: info@kodwise.org
