The German version is legally binding. This English text is for convenience only.

LEGAL · SUBPROCESSORS · STAND 04/27/2026

Subprocessors

— SUBPROCESSORS

This list covers every processor (GDPR Art. 28) Collavo GmbH uses to operate the platform. Changes are versioned and communicated via the privacy policy.

Name	Purpose	Data categories	Legal basis	Location	Status
Auth0 (Okta)	Identity, session, authentication	Email, auth tokens, profile data	Art. 6(1)(b) GDPR — Contract performance	USA (EU Standard Contractual Clauses)	Active
Twilio SendGrid	Transactional emails	Recipient email, content, metadata	Art. 6(1)(b) GDPR — Contract performance	USA (EU Standard Contractual Clauses)	Active
OpenAI OpCo	AI text generation (captions, briefs, best-time)	Prompt text incl. campaign context	Art. 6(1)(a) Consent + Art. 6(1)(b) Contract performance	USA (EU Standard Contractual Clauses)	Active
Cloudflare R2	Asset storage (videos, images, export archives)	Uploaded media files + metadata	Art. 6(1)(b) GDPR — Contract performance	EU (Frankfurt region preferred)	Active
Vercel Inc.	Application hosting, TLS termination, request routing	HTTP requests, IP addresses, user agent	Art. 6(1)(f) GDPR — Legitimate interest	USA (EU Standard Contractual Clauses) / EU edge	Active
Stripe Payments Europe Ltd.	Payment processing (SEPA debit + card), invoice delivery	IBAN, mandate reference, account holder, card data (tokenized), invoice data	Art. 6(1)(b) Contract performance + Art. 6(1)(c) §147 AO	Ireland (EU)	ActiveActive since 04/25/2026
TikTok Inc. (ByteDance)	Publishing creator videos and captions, retrieving insights	Video content, captions, OAuth tokens, audience demographics	Art. 6(1)(b) GDPR — Contract performance	USA + China (SCC; China transfer requires separate legal assessment — DRAFT)	DRAFT — pending legal review
YouTube / Google LLC	Publishing videos and metadata, channel and audience insights	Video content, titles/descriptions/tags, OAuth tokens, audience demographics	Art. 6(1)(b) GDPR — Contract performance	USA (SCC / Google DPA)	DRAFT — pending legal review
Expo / EAS (Expo, dann APNs/FCM)	Delivery of mobile push notifications	Device push token, notification title and body	Art. 6(1)(b) GDPR — Contract performance	USA (Expo/EAS), then Apple (APNs) / Google (FCM) (SCC)	DRAFT — pending legal review
Sentry (Functional Software, Inc.)	Error monitoring — only active when SENTRY_DSN is configured	User ID, organization ID, request path, exception details	Art. 6(1)(f) GDPR — Legitimate interest	USA unless an EU DSN is configured (SCC — DRAFT)	DRAFT — pending legal review

The German version is legally binding. This English text is for convenience only.

LEGAL · SUBPROCESSORS · STAND 04/27/2026

Subprocessors

— SUBPROCESSORS

This list covers every processor (GDPR Art. 28) Collavo GmbH uses to operate the platform. Changes are versioned and communicated via the privacy policy.

Name	Purpose	Data categories	Legal basis	Location	Status
Auth0 (Okta)	Identity, session, authentication	Email, auth tokens, profile data	Art. 6(1)(b) GDPR — Contract performance	USA (EU Standard Contractual Clauses)	Active
Twilio SendGrid	Transactional emails	Recipient email, content, metadata	Art. 6(1)(b) GDPR — Contract performance	USA (EU Standard Contractual Clauses)	Active
OpenAI OpCo	AI text generation (captions, briefs, best-time)	Prompt text incl. campaign context	Art. 6(1)(a) Consent + Art. 6(1)(b) Contract performance	USA (EU Standard Contractual Clauses)	Active
Cloudflare R2	Asset storage (videos, images, export archives)	Uploaded media files + metadata	Art. 6(1)(b) GDPR — Contract performance	EU (Frankfurt region preferred)	Active
Vercel Inc.	Application hosting, TLS termination, request routing	HTTP requests, IP addresses, user agent	Art. 6(1)(f) GDPR — Legitimate interest	USA (EU Standard Contractual Clauses) / EU edge	Active
Stripe Payments Europe Ltd.	Payment processing (SEPA debit + card), invoice delivery	IBAN, mandate reference, account holder, card data (tokenized), invoice data	Art. 6(1)(b) Contract performance + Art. 6(1)(c) §147 AO	Ireland (EU)	ActiveActive since 04/25/2026
TikTok Inc. (ByteDance)	Publishing creator videos and captions, retrieving insights	Video content, captions, OAuth tokens, audience demographics	Art. 6(1)(b) GDPR — Contract performance	USA + China (SCC; China transfer requires separate legal assessment — DRAFT)	DRAFT — pending legal review
YouTube / Google LLC	Publishing videos and metadata, channel and audience insights	Video content, titles/descriptions/tags, OAuth tokens, audience demographics	Art. 6(1)(b) GDPR — Contract performance	USA (SCC / Google DPA)	DRAFT — pending legal review
Expo / EAS (Expo, dann APNs/FCM)	Delivery of mobile push notifications	Device push token, notification title and body	Art. 6(1)(b) GDPR — Contract performance	USA (Expo/EAS), then Apple (APNs) / Google (FCM) (SCC)	DRAFT — pending legal review
Sentry (Functional Software, Inc.)	Error monitoring — only active when SENTRY_DSN is configured	User ID, organization ID, request path, exception details	Art. 6(1)(f) GDPR — Legitimate interest	USA unless an EU DSN is configured (SCC — DRAFT)	DRAFT — pending legal review