Legal
Last updated: 2026-05-19
The table below lists every third party (“subprocessor”) to which Teamly may disclose personal data in order to operate the Service. The list is published in addition to the categorical summary in § 5 of our Privacy Policy.
Each subprocessor processes personal data only on documented instructions from us and is bound by contractual confidentiality and data-protection obligations consistent with our Privacy Policy. We notify primary account contacts by email and bump the version stamp on this page when we add or remove a subprocessor. If you object to a new subprocessor your remedy is to terminate your subscription in line with our Terms of Service.
Categories that are not subprocessors but warrant disclosure for transparency: (i) external services you yourself connect via Integrations (Slack, Gmail, Stripe, etc., listed below in the Composio downstream toolkits section), where you remain the controller of the data shared with those services; and (ii) any “Bring Your Own Key” (BYOK) LLM provider for which you have supplied your own API credential, where Teamly acts only as a conduit.
| Subprocessor | Jurisdiction | Purpose | Data shared | Transfer basis |
|---|---|---|---|---|
| Anthropic, PBC | United States | Primary large language model (Claude family) used for agent inference. | Prompts, conversation context, file contents you reference, tool descriptions. | SCCs (Module 2) + EU–US Data Privacy Framework certification. |
| OpenAI, OpC, LLC | United States | Fallback / configurable large language model inference (GPT family). | Prompts, conversation context, file contents you reference, tool descriptions. | SCCs (Module 2) + EU–US Data Privacy Framework certification. |
| Google LLC (Generative AI) | United States | Large language model inference (Gemini family). | Prompts, conversation context, file contents you reference, tool descriptions. | SCCs (Module 2) + EU–US Data Privacy Framework certification. |
| OpenRouter Inc. | United States | Model-routing layer that forwards inference requests to multiple model providers. | Prompts, conversation context, model selection metadata. | SCCs (Module 2 via OpenRouter); user retains downstream-provider relationship. |
| MiniMax (Hailuo) | Singapore / China | Regional fallback large language model inference. | Prompts, conversation context. | Explicit consent at the point of model selection (GDPR Art. 49(1)(a)); use is opt-in. |
| Mimo / Xiaomi MiMo | China | Optional regional large language model inference (BYOK). | Prompts, conversation context, only when the user selects the model. | Explicit consent at the point of model selection (GDPR Art. 49(1)(a)); BYOK only. |
| Z.AI / Zhipu AI | China | Optional regional large language model inference (BYOK). | Prompts, conversation context, only when the user selects the model. | Explicit consent at the point of model selection (GDPR Art. 49(1)(a)); BYOK only. |
| Subprocessor | Jurisdiction | Purpose | Data shared | Transfer basis |
|---|---|---|---|---|
| Composio Tech Inc. | United States | Integration broker: stores encrypted OAuth tokens for the third-party services listed below, executes tool calls on the user's behalf. | Encrypted OAuth tokens, integration-specific request and response payloads (e.g. email bodies you draft, Sheets rows you read or write, Slack messages you post). | SCCs (Module 3). |
The following services may receive data from your Cell when you have connected the corresponding Integration and authorised an Agent to act on it. The relationship between you and each of these services is direct (under your own user / workspace account and subject to that service's own terms of service and privacy policy); Composio brokers the connection and Teamly orchestrates the calls but neither becomes a party to your relationship with the downstream service.
| Toolkit | Jurisdiction | Purpose | Data shared | Transfer basis |
|---|---|---|---|---|
| Google Gmail | US | Email integration. | Messages, drafts, recipients, attachments you send or read via the agent. | Governed by Google Workspace DPA. |
| Google Calendar | US | Calendar integration. | Events, attendees, descriptions, availability. | Governed by Google Workspace DPA. |
| Google Drive | US | File storage integration. | File contents, file metadata, folder structure you operate on. | Governed by Google Workspace DPA. |
| Google Docs | US | Document integration. | Document contents, comments, metadata. | Governed by Google Workspace DPA. |
| Google Sheets | US | Spreadsheet integration. | Cell values, formulas, sheet metadata, formatting. | Governed by Google Workspace DPA. |
| Google Slides | US | Presentation integration. | Slide contents, speaker notes, metadata. | Governed by Google Workspace DPA. |
| Google Tasks | US | Task integration. | Task titles, notes, due dates. | Governed by Google Workspace DPA. |
| Google Maps | US | Maps / Places lookups. | Search queries, place IDs. | Governed by Google Workspace DPA. |
| Google Analytics | US | Analytics property queries. | Analytics property IDs, query parameters. | Governed by Google Workspace DPA. |
| Google Ads | US | Ad account integration. | Campaign data, ad copy you draft. | Governed by Google Workspace DPA. |
| Google Photos | US | Photo library integration. | Image metadata, album structure (where invoked). | Governed by Google Workspace DPA. |
| Google Classroom | US | Education-platform integration. | Course metadata, roster information (where invoked). | Governed by Google Workspace DPA. |
| YouTube | US | Video metadata integration. | Video IDs, channel data, captions (where invoked). | Governed by Google DPA. |
| Microsoft Outlook | US | Email integration. | Messages, drafts, recipients, attachments. | Microsoft DPA. |
| Microsoft Teams | US | Channel / chat integration. | Messages, channels you post to. | Microsoft DPA. |
| Microsoft Excel | US | Spreadsheet integration. | Cell values, formulas. | Microsoft DPA. |
| Microsoft OneDrive | US | File storage integration. | File contents, file metadata. | Microsoft DPA. |
| Slack | US | Workspace messaging integration. | Channel names, message content, user mentions. | Slack DPA. |
| Discord | US | Server messaging integration. | Channel content, server metadata. | Discord DPA. |
| Telegram (Bot API) | United Arab Emirates (Telegram FZ-LLC, Dubai) / British Virgin Islands (Telegram Messenger Inc., infra) | Bot messaging integration. | Chat IDs, message content. | Telegram TOS; SCCs not available — used only with explicit user consent. |
| WhatsApp Business | Meta Platforms Ireland Ltd. (EU controller) / Meta Platforms Inc. (US infra) | Messaging integration. | Conversation content, recipient phone numbers. | Meta DPA (WhatsApp). Note Meta's standing CJEU adequacy issues for EU-US transfers. |
| Zoom | US | Meeting integration. | Meeting metadata, attendees, recordings (where invoked). | Zoom DPA. |
| Salesforce | US | CRM integration. | Account, contact, opportunity records. | Salesforce DPA. |
| HubSpot | US | CRM / marketing integration. | Contact, company, deal records. | HubSpot DPA. |
| Intercom | US | Customer messaging integration. | Conversation content, contact metadata. | Intercom DPA. |
| Zendesk | US | Support-ticket integration. | Ticket content, requester metadata. | Zendesk DPA. |
| Linear | US | Issue tracker integration. | Issue content, project metadata. | Linear DPA. |
| Jira | US / AU | Issue tracker integration. | Issue content, project metadata. | Atlassian DPA. |
| Asana | US | Task tracker integration. | Task content, project metadata. | Asana DPA. |
| ClickUp | US | Task tracker integration. | Task content, list metadata. | ClickUp DPA. |
| Monday.com | US | Work-OS integration. | Board content, item metadata. | Monday DPA. |
| Trello | US / AU | Board integration. | Card content, board metadata. | Atlassian DPA. |
| Notion | US | Knowledge-base integration. | Page content, database properties. | Notion DPA. |
| Confluence | US / AU | Knowledge-base integration. | Page content, space metadata. | Atlassian DPA. |
| Airtable | US | Database integration. | Record content, base metadata. | Airtable DPA. |
| Crowdin | Estonia | Localisation integration. | String content, project metadata. | Crowdin DPA. |
| GitHub | US | Source-control integration. | Repository content, issue / PR content, branch metadata. | Microsoft DPA. |
| GitLab | US | Source-control integration. | Repository content, issue / MR content. | GitLab DPA. |
| Bitbucket | US / AU | Source-control integration. | Repository content, issue / PR content. | Atlassian DPA. |
| Figma | US | Design-file integration. | File names, component metadata, comments. | Figma DPA. |
| Canva | AU | Design integration. | Design metadata, project content. | Canva DPA. |
| Stripe | US | Payment / billing integration (read-only recommended). | Customer records, transaction metadata, invoices (read-only where possible). | Stripe DPA. |
| QuickBooks | US | Accounting integration. | Ledger entries, customer records, invoices. | Intuit DPA. |
| Mailchimp | US | Email-marketing integration. | Audience contacts, campaign content. | Mailchimp DPA. |
| Gumroad | US | Commerce integration. | Product metadata, sales records. | Gumroad DPA. |
| Eventbrite | US | Event-management integration. | Event metadata, attendee data. | Eventbrite DPA. |
| Dub | US | Link-management integration. | Link metadata, click statistics. | Dub DPA. |
| Calendly | US | Scheduling integration. | Event types, invitee data, scheduled meetings. | Calendly DPA. |
| Cal.com | US / EU | Scheduling integration. | Event types, invitee data, scheduled meetings. | Cal.com DPA. |
| Box | US | File-storage integration. | File contents, file metadata. | Box DPA. |
| Dropbox | US | File-storage integration. | File contents, file metadata. | Dropbox DPA. |
| Supabase | US / EU | Database integration. | Database row content, schema metadata. | Supabase DPA. |
| DigitalOcean | US | Cloud-infrastructure integration. | Resource metadata, server logs. | DigitalOcean DPA. |
| Hugging Face | US / FR | Model and dataset integration. | Search queries, model identifiers. | Hugging Face DPA. |
The catalogue of integrations available through the Service evolves regularly. If a service you have connected does not appear in the table above, treat it as governed by the same general principle: you are the controller, the third party processes the data on your behalf, and the third party's own privacy policy applies.
| Subprocessor | Jurisdiction | Purpose | Data shared | Transfer basis |
|---|---|---|---|---|
| Clerk Inc. | United States | Authentication, identity, and session management. | Email address, name, OAuth identifiers, device-level session metadata, IP address, multi-factor secrets. | SCCs (Module 2) + EU–US Data Privacy Framework certification. |
| Svix Inc. | United States | Webhook delivery and signature verification (used by Clerk for user-event webhooks). | Webhook payloads originated by Clerk (user lifecycle events). | SCCs (Module 3). |
| Subprocessor | Jurisdiction | Purpose | Data shared | Transfer basis |
|---|---|---|---|---|
| Polar Software Inc. (Polar.sh) | United States (Delaware-incorporated) | Subscription billing, checkout, customer portal, invoicing, dunning. | Email address, name, billing address, plan and purchase metadata, payment-method tokens (no full card numbers retained by Teamly). | SCCs (Module 2); Polar.sh acts as merchant of record. |
| Stripe Payments Europe Ltd. (Polar.sh sub-processor) | Ireland (EU) | Card-network acquiring and payment-method processing for Polar.sh. | Payment-method data (cards, bank), transaction metadata. Teamly does not access raw card data. | SCCs where applicable; EU-resident processor. |
| Subprocessor | Jurisdiction | Purpose | Data shared | Transfer basis |
|---|---|---|---|---|
| Fly.io (Hydrobyte Inc.) | United States (primary region: sjc, San José, California) | Hosting of the Teamly platform and of per-user Cells (isolated VMs with their own filesystem volumes). | Cell volume contents (encrypted workspace state, installed skills, agent-execution scratch space), platform machine logs, network metadata. | SCCs (Module 2 / Module 3 depending on data category) + EU–US Data Privacy Framework certification. |
| Subprocessor | Jurisdiction | Purpose | Data shared | Transfer basis |
|---|---|---|---|---|
| AWS S3-compatible object storage (PSCloud, region configurable) | Configurable (current production: Kazakhstan-based provider PSCloud) | Backup and media-archive storage for Cell workspaces and uploaded files. | Encrypted tar.gz workspace backups, user file uploads, generated media assets. | Direct contractual confidentiality with the storage provider; data is encrypted at rest. |
| Subprocessor | Jurisdiction | Purpose | Data shared | Transfer basis |
|---|---|---|---|---|
| Convex Inc. | United States | Real-time application database (chat history, user profiles, sessions, billing records, audit logs). | All user records and chat content as listed in the Privacy Policy §§ 3.1–3.9. | SCCs (Module 2) + EU–US Data Privacy Framework certification. |
| Subprocessor | Jurisdiction | Purpose | Data shared | Transfer basis |
|---|---|---|---|---|
| Functional Software Inc. d/b/a Sentry | California, United States (Functional Software Inc.); data centre in Frankfurt, Germany (ingest.de.sentry.io) | Error tracking, performance monitoring, session replay on errors. | Error stack traces, sanitised request / response payloads, user context (Clerk user ID), release build identifiers. Sentry US personnel may have administrative access (support, billing, RBAC) under Sentry's sub-processor terms. | Storage is within the EU. Administrative access from the US is covered by SCCs (Module 3) and Sentry's EU–US DPF certification. |
| Subprocessor | Jurisdiction | Purpose | Data shared | Transfer basis |
|---|---|---|---|---|
| Google Analytics 4 (GA4) | United States | Site-wide analytics: page views, user journey, conversion events. | Page URLs, anonymised user ID, device data, GA client ID, purchase event metadata. | SCCs + Google Consent Mode v2 (subject to your consent state). |
| Google Tag Manager (GTM) | United States | Tag orchestration layer for analytics. | Page metadata, custom event parameters. | SCCs + Google Consent Mode v2. |
| GA Measurement Protocol (server-side) | United States | Server-side deduplication and validation of purchase events (called from the Polar.sh webhook). | Transaction ID, monetary value, currency, plan, anonymised user ID. | SCCs. |
| Subprocessor | Jurisdiction | Purpose | Data shared | Transfer basis |
|---|---|---|---|---|
| Resend, Inc. | United States | Transactional email (waitlist, onboarding, account notifications). | Recipient email address, recipient name, email subject and body. | SCCs (Module 2). |
| Subprocessor | Jurisdiction | Purpose | Data shared | Transfer basis |
|---|---|---|---|---|
| Cloudflare, Inc. | United States / global edge | DDoS mitigation, bot challenge, content delivery for static assets. | Request IP address, request headers, challenge tokens. | SCCs (Module 3) + EU–US Data Privacy Framework certification. |
We bump the “Last updated” date at the top of this page whenever the list changes. For material additions (a new subprocessor that processes personal data of customer end-users), we will additionally notify the primary email address on the account at least 14 days before the change takes effect, except where a shorter notice period is required by law.
Earlier versions of this list are available on request from privacy@teamly.to.
