Sub-processor List
The third parties that process personal data on behalf of Pyyrah Limited. Maintained to satisfy UK GDPR Article 28 and the equivalent obligation under our Data Processing Agreement.
These are the vendors we rely on to run Pyyrah+. Each has signed a data-protection contract no weaker than our DPA. We give at least 30 days’ notice before adding new ones.
Business customers with concerns about a specific Sub-processor: Privacy@pyyrahplus.com.
Current Sub-processors
Pyyrah Limited engages the following Sub-processors to deliver the Pyyrah+ services. Each is engaged under a written contract with data-protection terms no less protective than those in our DPA. We give at least 30 days’ prior notice of changes on this page.
| Sub-processor | Purpose | Region | Data categories |
|---|---|---|---|
| Stripe Payments Europe Ltd (stripe.com/privacy) | Payment processing, fraud prevention, receipts, refunds, chargeback handling | Ireland (EU); US infra | Name, email, billing address, card data (held by Stripe, not by Pyyrah+), transaction metadata, IP |
| Shopify Inc. (shopify.com/legal/privacy) | E-commerce platform, order delivery, digital-product fulfilment, customer accounts | Canada (HQ); Ireland (EU); US | Name, email, order data, account credentials, IP, device, browsing & purchase history |
| Automattic, Inc. (WordPress.com) (automattic.com/privacy) | Website CMS, hosting, content delivery, comment management | US (HQ); Global CDN | IP, user-agent, request logs, session data, any data voluntarily submitted via site forms |
| Klaviyo, Inc. (klaviyo.com/legal/privacy) | Email marketing, transactional email, segmentation, automated flows | US; EU options | Name, email, subscription status, engagement metrics (opens, clicks), purchase history, segments |
| Google LLC (Workspace & Drive) (policies.google.com/privacy) | Business email (Gmail), document and file storage (Drive), internal team productivity | US; Global | Inbound email content, attachments, file metadata, calendar entries, any user data uploaded to Drive for internal processing |
| Google LLC (Analytics) (policies.google.com/privacy) | Website analytics, audience & behaviour reporting, conversion measurement | US; EU servers (GA4) | Pseudonymous client ID, IP-derived approximate location, device, browser, referrer, page-view & event data |
| Meta Platforms Ireland Ltd (Meta Pixel) (facebook.com/privacy/policy) | Conversion tracking, retargeting, custom audience creation, ad performance measurement | Ireland (EU); US infra | Pseudonymous user IDs, IP, device, page views, conversion events, hashed email (if Advanced Matching enabled) |
| WhatsApp Ireland Ltd (whatsapp.com/legal/privacy-policy) | Customer support and communications via WhatsApp Business | Ireland (EU) | Phone number, profile name, message content, message metadata, media files (if shared) |
The above reflects the current Sub-processor stack at the date of the most recent update. Vendors may be added, replaced, or removed; this page is updated whenever a change occurs.
Notification of changes
We give at least 30 days’ prior notice of changes on this page. The "Last updated" date at the top reflects the most recent change.
To receive an email notification of changes, business customers can request to be added to the Sub-processor notification list at Privacy@pyyrahplus.com.
Objections
Business customers under our DPA may object on reasonable data-protection grounds within 14 days of notification. If the parties cannot agree, the customer’s sole remedy is to terminate the affected services with a pro-rata refund of unused, prepaid fees.
International transfers
Where a Sub-processor is located outside the UK or EEA, we rely on one or more of: UK adequacy regulations, UK IDTA, UK Addendum to EU SCCs, or EU SCCs. The specific mechanism for each Sub-processor is available on request.
Payment-card data
Payment-card details are processed directly by Stripe on a Stripe-hosted checkout (and, for Shopify checkout flows, by Stripe via Shopify Payments). Pyyrah+ does not see, receive, or store full card details. The card metadata available to us is limited to: card brand, last 4 digits, expiry, country, and reference identifiers Stripe assigns.
Stripe is PCI-DSS Level 1 certified. See Stripe’s privacy policy.
Cookies, tracking pixels and consent
Sub-processors listed above that involve cookies or tracking pixels (specifically Google Analytics and Meta Pixel) are activated subject to user consent as required by the UK Privacy and Electronic Communications Regulations (PECR) and equivalent EU rules. See our Cookie Policy for the consent model and how to withdraw consent.
Contact
For questions about Sub-processors, transfer mechanisms, or to request a vendor due-diligence pack:
Email: Privacy@pyyrahplus.com
Or: Legal@pyyrahplus.com