Sub-processors

This page lists all third parties (Sub-processors) that Pulse Analytics engages to provide the Service. We update this list whenever a Sub-processor is added, removed, or replaced. Customers are notified at least 14 days in advance of any change by email and through the dashboard, in line with Section 6 of the Data Processing Agreement.

If you wish to receive change notifications by email, please ensure your account email is current.

Active Sub-processors

Hetzner Online GmbH

• Role: Hosting, compute, storage, networking
• Country / Region: Germany and Finland (EEA)
• Personal Data accessed: All event data, hashed visitor identifiers, account data, backups
• Transfer mechanism: Intra-EEA, no transfer mechanism required
• Address: Industriestr. 25, 91710 Gunzenhausen, Germany
• Privacy / DPA: https://www.hetzner.com/legal/privacy-policy

Planned Sub-processors (not currently active)

The following Sub-processors are scoped for activation when paid plans launch. As of the date above, they do not process any Customer or Data Subject Personal Data. Pulse currently operates in free-only mode and no payment data is collected, transmitted or stored.

When any planned Sub-processor is activated, Pulse will (a) update this page to move the entry into the Active Sub-processors section above, (b) notify existing Customers by email at least 14 days in advance of activation, in line with DPA Section 6.3.

Merchant of Record — planned (provider to be named before activation)

• Planned role: Merchant of Record — payment processing, invoicing, tax compliance (EU VAT, US sales tax, GST, etc.)
• Country / Region: To be confirmed; the specific provider is named here before paid plans launch (EU-based options under evaluation).
• Personal Data that will be accessed when active: Customer billing data only — name, email, billing address, last 4 digits of payment instrument. No Data Subject Personal Data will be transferred to the Merchant of Record.
• Transfer mechanism (when active): Confirmed before activation — intra-EEA (no mechanism required) if the provider is EEA-based; otherwise an adequacy decision or Standard Contractual Clauses. Supplementary measure: data minimisation (no Data Subject data transferred).
• Privacy / DPA: Linked here once the provider is activated.
• Status as of 2026-05-29: Not active. No payment data collected.

Resources that are NOT Sub-processors

For transparency, the following are not Sub-processors because no Personal Data of Data Subjects or Customers is transferred to them in the course of Processing:

• DB-IP IP-to-City Lite and MaxMind GeoLite2 — geolocation databases distributed as offline .mmdb files. The files are installed on Pulse infrastructure; no request is made to DB-IP or MaxMind during a geolocation lookup.
• Favicon services — Pulse fetches and caches website favicons server-side from a fallback chain of public favicon endpoints: DuckDuckGo (icons.duckduckgo.com, primary) and Google (www.google.com/s2/favicons, fallback). Used purely to display a small icon next to the referring domain in the dashboard (e.g. show a Google logo when traffic comes from google.com). The Customer's Data Subjects' browsers never make requests to these services — Pulse fetches the icon once on the server, caches it, and serves it from /icon/:host. No Personal Data of Customers or Data Subjects is transmitted to any of these services; only the public hostname (e.g. wikipedia.org) is sent in the URL of the favicon request.
• Country flag services — Pulse fetches country flag images server-side from flagcdn.com (primary) and hatscripts.github.io/circle-flags (fallback). Same model as favicons: server-side fetch, cached locally, served from /flag/:cc. Only the 2-letter ISO country code (e.g. EE) is sent.
• exim4 — email delivery agent operated on Pulse-controlled infrastructure (Hetzner). No third-party email provider is used.

Change History

2026-05-29 — Merchant of Record reference made provider-neutral. The previously planned provider is no longer fixed while EU-based Merchant-of-Record options are evaluated; the specific provider will be named here at least 14 days before activation. Still not active — paid plans not yet launched.

2026-05-10 — Planned Merchant of Record updated to a UK-based provider. Transfer mechanism for the planned EU→UK billing data flow relied on the UK adequacy decision (Commission Implementing Decision (EU) 2021/1772); no Standard Contractual Clauses required. Not yet active — superseded by the 2026-05-29 provider-neutral update above.

2026-05-05 — Initial publication.

Contact

For any questions about Sub-processors, including objections to a new Sub-processor under Section 6.4 of the DPA:

Email: privacy@loovl.eu