Legal · Subprocessors
Subprocessors
A subprocessor is a third party that processes personal data on Vaely's behalf. This page lists every subprocessor Vaely uses, the data category each one handles, the location of processing, and the legal basis. The list is short on purpose.
Important distinction
The Vaely iOS App uses no subprocessors. The App does not transmit your journal entries, AI outputs, or any user content to Vaely or to any third party. The subprocessors below relate only to the website at vaelyai.web.app and to limited operational processing.
1. Subprocessors used for the website
| Subprocessor | Service | Data category | Processing location | Since |
|---|---|---|---|---|
| Google LLC | Firebase Hosting | HTTP request metadata (IP address, user-agent, requested URL, referrer) for delivering pages and mitigating abuse. | Global content delivery network; primary processing in the United States with regional edge caches. | 2026-05 |
| Cloudflare, Inc. | Cloudflare Web Analytics | Aggregate page-view counts; no cookies, no IP addresses logged into analytics records, no cross-site identifiers, no fingerprinting. | United States, with edge processing globally. | 2026-05 |
2. Subprocessors used for the App
None. The Vaely iOS App contains no third-party SDK other than the
open-source on-device vector index SQLiteVec, which performs storage and
retrieval operations entirely on your device and does not communicate with any third
party. The App makes no outbound HTTP requests in its inference path. There is no
analytics SDK, no crash-reporting SDK, no advertising SDK, no marketing SDK, no
attribution SDK, and no telemetry.
3. Apple's role
Apple Inc. is not a Vaely subprocessor; Apple is the platform provider with whom you have a direct relationship as an Apple device user and an App Store customer. Apple handles:
- App Store distribution — Apple delivers the App to your device and performs review on Apple's terms.
- StoreKit 2 payment processing — Apple processes your subscription payments. Apple, not Vaely, is the data controller of your payment information. Vaely receives only an obfuscated transaction identifier and entitlement period.
- HealthKit — Apple's health data store on your device. Apple is not a Vaely subprocessor for HealthKit data; HealthKit data stays on your device under Apple's HealthKit Guidelines.
- Foundation Models, Siri, NLEmbedding, LocalAuthentication, WatchConnectivity, AppIntents, ActivityKit, WidgetKit — Apple frameworks that the App invokes locally on your device. Apple performs the corresponding operations on the device, not on Vaely's behalf as a subprocessor.
- Push Notifications — not used by Vaely. The App schedules local notifications only.
Apple's privacy practices in connection with the App Store, HealthKit, Siri, and related services are governed by the Apple Privacy Policy, not by Vaely.
4. Email delivery (transactional only)
If you submit our contact form or correspond with us by email, we use a standard email service to deliver our reply. Email delivery uses commodity infrastructure of the Internet (SMTP through commercial providers under standard-practice contractual terms). The specific provider and configuration is operated by the engineer who deploys this site; this section will be updated when the configuration is finalized to identify the provider by name. As of the effective date, no email-delivery subprocessor has yet received any user data from Vaely because no contact form submissions have been transmitted; this entry exists in advance for transparency.
5. International data transfers
Routine website-traffic data may be processed in data centers in jurisdictions outside your country of residence as a function of how content delivery networks operate. Where personal data is transferred from the EEA, the United Kingdom, or Switzerland to a country not deemed adequate by the European Commission, the UK Government, or the Swiss Federal Data Protection and Information Commissioner, transfers are made under the European Commission's Standard Contractual Clauses (or the UK Addendum, or the Swiss equivalent) and supplementary measures where required. Both Google LLC and Cloudflare, Inc. publish their respective transfer-mechanism documentation on their own websites; we link to these on request.
6. Adding or changing a subprocessor
We commit to the following before adding any new subprocessor that processes personal data:
- Update this list in advance of the new subprocessor receiving any personal data.
- Where the new subprocessor handles a category of data not previously transmitted to any subprocessor, we will provide at least 14 days' notice on the website before the change takes effect.
- Where applicable law requires user consent for the new processing, we will obtain that consent.
Continued use of the Service after a subprocessors update constitutes your acceptance, except where applicable law requires more specific notice or consent, in which case we will provide it.
7. Removing a subprocessor
We commit to remove any subprocessor that materially breaches its data-protection commitments. Where removal would interrupt the Service, we will identify and onboard a replacement before removal is complete; where rapid removal is necessary, we will accept the interruption rather than the breach.
8. Data Processing Agreements
Each subprocessor listed in Section 1 has agreed to standard Data Processing Agreement terms appropriate to the category of personal data they process on Vaely's behalf. EU Standard Contractual Clauses, Article 28 GDPR commitments, and equivalent provisions under the UK GDPR and the Swiss FADP form part of those agreements. Copies are available to controllers, regulators, and data-subject representatives on written request to tezaapps@gmail.com.
9. Contact
For any question about this list, or to request a Data Processing Agreement under GDPR, write to tezaapps@gmail.com with the subject line "Subprocessors".
Effective 6 May 2026. Version 1.0.0. This is the first version of this list.
The architecture is the point.
The legal documents above describe what we do, what we never do, and the rights you have. The proof is in the App Store privacy label and the source code, not the paragraphs.