Legal

Subprocessors

Last updated: 2026-04-11

Important notice. This list is a draft pending legal review. It identifies the third-party service providers (subprocessors) that ARPCLEAN (Nitro Cloud LTD) currently engages to provide the service. We will notify customers at least 30 days in advance of any intended changes and give them the opportunity to object on reasonable grounds within 14 days, as set out in our Terms of Service and Data Processing Agreement.

1. How to Read This List

For the purposes of the EU General Data Protection Regulation (GDPR), a "subprocessor" is a third party engaged by ARPCLEAN to process personal data on behalf of our customers. The list below only includes vendors that actually process personal data. Infrastructure components that ARPCLEAN operates itself (for example, PostgreSQL, Redis, MinIO, Stalwart Mail Server, Gotenberg and Qdrant, all self-hosted on EU infrastructure) are not subprocessors in the sense of Art. 28 GDPR and are therefore not listed here.

2. Data Processing Subprocessors

Infrastructure & Hosting

  • Nitro Cloud LTD — EU data center infrastructure
    Purpose: primary hosting of the ARPCLEAN platform, databases, object storage, cache, mail server, AI memory store and application containers.
    Location: European Union.
    Personal data processed: all customer data (hotel guests, employees, tasks, documents, images).
    Transfer mechanism: intra-EU, no third-country transfer.

Transactional Email

  • Resend (Resend Inc., United States)
    Purpose: delivery of transactional emails such as password resets, team invitations and system notifications.
    Location: United States.
    Personal data processed: recipient email address, sender name, email subject and body.
    Transfer mechanism: EU Standard Contractual Clauses (Module 2, Controller to Processor) and, where applicable, the EU-US Data Privacy Framework.

AI Services

  • OpenAI (OpenAI, L.L.C., United States)
    Purpose: large language model used for automated translation of task descriptions, photo description generation, and limited AI-assisted data import. OpenAI is configured with data retention disabled (no training on our data).
    Location: United States.
    Personal data processed: task descriptions, photo URLs (images themselves are hosted on ARPCLEAN infrastructure), limited text for translation.
    Transfer mechanism: EU Standard Contractual Clauses and EU-US Data Privacy Framework.
  • Anthropic (Anthropic, PBC, United States)
    Purpose: fallback large language model for the same purposes as OpenAI, used when OpenAI is unavailable or for specific tasks. Configured with zero data retention (no training on our data).
    Location: United States.
    Personal data processed: same as OpenAI.
    Transfer mechanism: EU Standard Contractual Clauses and EU-US Data Privacy Framework.

Authentication (Sign-In Providers)

When a user chooses to sign in with a third-party identity provider, ARPCLEAN receives the user's email address and basic profile (name, profile picture) from that provider. The identity provider acts as its own controller prior to the authentication event; we include it here for full transparency.

  • Google LLC (United States) — Sign in with Google. Transfer mechanism: EU Standard Contractual Clauses and EU-US Data Privacy Framework.
  • Microsoft Corporation (United States) — Sign in with Microsoft / Azure AD. Transfer mechanism: EU Standard Contractual Clauses and EU-US Data Privacy Framework.
  • Apple Inc. (United States) — Sign in with Apple. Transfer mechanism: EU Standard Contractual Clauses and EU-US Data Privacy Framework.

3. Services That Do Not Process Personal Data

For completeness, the following external APIs are used by the platform but only receive non-personal data such as country codes and year numbers. They are not subprocessors in the sense of Art. 28 GDPR:

  • Nager.Date — public holiday data (country code and year only).
  • Calendarific — fallback public holiday provider (country code and year only).

4. Notification of Changes

We will notify customers by email at least 30 days before we add a new subprocessor or replace an existing one. Within 14 days of such a notice, customers may object to the proposed change on reasonable grounds. If no good-faith solution can be reached, the customer is entitled to terminate the affected part of the service for good cause.

5. Contact

Questions about this list or our data processing practices can be addressed to:

Nitro Cloud LTD
Akad. Mihail Arnaudov 3, Et. 3
7005 Ruse, Bulgaria
Email: [email protected]

Your privacy, your choice

We use strictly necessary cookies to run this site. With your permission, we'd also like to use analytics to understand how the site is used. You can change your decision at any time from the footer. Read our Privacy Policy