UK GDPR · Art. 28 Controller: Yondry Ltd Last updated: 15 June 2026 Version: 1.0

Sub-processors

Yondry Ltd engages the following third-party sub-processors to provide its services. All sub-processors are bound by Data Processing Agreements that impose data protection obligations no less stringent than those in our Privacy Policy. This page is updated whenever a new sub-processor is added or an existing engagement materially changes.

At a glance

8 sub-processors 3 US entities (SCCs) 3 EU entities (UK adequacy) 1 UK entity (domestic) 1 conditional / opt-in only
Sub-processor Purpose Data processed Country Transfer basis Status
Anthropic
Anthropic, PBC
 AI plan generation; natural language intent extraction from user queries Plan request text, saved place names, stated preferences. No account identifiers transmitted. USA SCCs (UK IDTA) Active
Google Places API
Google LLC
 Location data enrichment; place search and metadata (name, address, hours, photos) Place search queries; geographic coordinates USA SCCs (UK IDTA)
EU–US DPF 		Active
Google Sign-In
Google LLC
 OAuth 2.0 authentication — Sign in with Google Email address, display name, Google account ID USA SCCs (UK IDTA)
EU–US DPF 		Active
Google Analytics 4
Google LLC
 Pseudonymous usage analytics; app performance measurement (IP anonymisation enabled) Pseudonymous device identifiers; in-app events; anonymised IP USA SCCs (UK IDTA)
EU–US DPF 		Active
Railway
Railway Corp
 Cloud hosting — backend application server and PostgreSQL database All personal data stored in the application (account details, saved places, plan history) USA SCCs (UK IDTA) Active
OpenWeatherMap
OpenWeather Ltd
 Weather data lookup for contextual plan generation (e.g. rain-appropriate indoor alternatives) Geographic coordinates only; no personal identifiers transmitted United Kingdom Domestic (UK) Active
BetterStack
BetterStack, s.r.o.
 Uptime monitoring; application log aggregation and alerting Request metadata; application log events (personal data minimised at source) Czech Republic (EU) UK adequacy (EU) Active
Apify
Apify Technologies s.r.o.
 Social content extraction — processes URLs shared by a user to extract place information from Instagram and YouTube (opt-in feature; activated only with explicit user consent) Social post URLs submitted by the user; no credentials or session tokens transmitted Czech Republic (EU) UK adequacy (EU) Conditional
We update this page whenever a sub-processor is added, removed, or materially changed. If you are a hotel partner and require advance notification of sub-processor changes as part of your DPA, please contact us at account@yondry.app to arrange this.

Notes

Transfer mechanisms

Transfers to US sub-processors rely on Standard Contractual Clauses (SCCs) supplemented by the UK International Data Transfer Addendum (IDTA). Google also participates in the EU–US Data Privacy Framework (DPF).

Conditional sub-processors

Apify is engaged only when a user explicitly shares a social media URL. It is not activated by default.

Data minimisation

Where possible, requests to sub-processors carry no account identifiers. Anthropic, Google Places, and OpenWeatherMap receive functional data only (text queries or coordinates), not user IDs or email addresses.

Questions & DPAs

Hotel partners and enterprise customers may request a copy of our Data Processing Agreement or raise sub-processor questions at account@yondry.app. We aim to respond within 5 business days.