Sub-Processors
Last updated: April 15, 2026
In accordance with GDPR Article 28, Foxx – Verein zur Förderung einer zukunftsorientierten Lebenskultur (“oneBot”) uses the following sub-processors to provide the service. Each sub-processor processes personal data only to the extent necessary for the purposes described below.
We will update this page when sub-processors are added or changed. Material changes will be communicated to registered users via email.
Infrastructure & Hosting
| Sub-Processor | Location | Purpose | Data Categories | Data Retention |
|---|---|---|---|---|
| Hetzner Online GmbH | Germany (EU) | Platform hosting, data storage, server infrastructure | Account data, bot data (messages, memory, settings), technical data (IP, device info), usage metadata | Duration of service |
AI Model Providers
| Sub-Processor | Location | Purpose | Data Categories | Data Retention |
|---|---|---|---|---|
| OpenRouter, Inc. | USA | AI model routing layer — routes bot requests to selected AI models | Prompt/response content (transient), request metadata (model selection, token counts) | Metadata only (no prompt/response storage by default) |
| Anthropic, PBC | USA | AI model provider (Claude) | Prompt/response content, request metadata | 7 days (API logs), up to 2 years if flagged for abuse |
| OpenAI, Inc. | USA | AI model provider (GPT-4o, o3, o1, etc.) | Prompt/response content, request metadata | 30 days (abuse monitoring), then deleted |
| Google LLC | USA | AI model provider (Gemini); Google API Services (Calendar, Drive, Contacts, etc.) | Prompt/response content, calendar/contact/drive data (if connected by user), request metadata | Per Google API Terms; no training on API data |
Payment Processing
| Sub-Processor | Location | Purpose | Data Categories | Data Retention |
|---|---|---|---|---|
| Stripe, Inc. | USA | Payment processing, invoicing | Name, email, billing address, payment method details, transaction history | Per Stripe’s data retention policy; financial records as required by law |
Transfer Mechanisms
Where personal data is transferred to sub-processors located outside the European Economic Area (EEA), such transfers are protected by:
- Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to GDPR Article 46(2)(c)
- Adequacy decisions where applicable (e.g., UK under EU adequacy decision)
- Additional technical and organisational safeguards, including encryption in transit and at rest
No data is transferred to a third country without an appropriate transfer mechanism in place.
Contact
Foxx – Verein zur Förderung einer zukunftsorientierten Lebenskultur
ZVR-Zahl: 1151789182
Canavalstraße 7/143
5020 Salzburg, Österreich
Email: hello@onebots.ai