Sub-Processors
Last updated: 20 June 2026
Hillory uses the following third-party sub-processors to deliver the service. Each processor has been assessed for GDPR compliance and data protection adequacy.
| Provider | Purpose | Data | Location | Legal Basis |
|---|---|---|---|---|
| OVH (OVHcloud) | Application hosting (VPS) | All user data (encrypted at rest) | Gravelines, France | DPA, EU-based |
| OVH (Database) | PostgreSQL database (self-hosted on VPS) | All user data (encrypted at rest via LUKS) | Gravelines, France | DPA, EU-based |
| OVH Object Storage (S3) | FIT file storage, photos, data exports, backups | Encrypted activity files & media | Gravelines & Strasbourg, France | DPA, EU-based |
| Bunny.net | CDN, DDoS protection, DNS | IP addresses, request headers (transient) | EU edge nodes (Slovenia-based) | DPA, EU-based |
| Brevo | Transactional email delivery | Email addresses, message content | France (EU) | DPA, EU-based |
| Strava | Activity sync (user-initiated OAuth) | Activity data via user authorisation | US | User consent (Art. 6(1)(a)) |
| Bunny.net Stream | Exercise video CDN & streaming | Video files (no PII) | EU edge nodes | DPA, EU-based |
Changes to Sub-Processors
We will update this page when sub-processors change. Material changes (new processors handling personal data) will be communicated via email to registered users with at least 14 days' notice.
Contact
Questions about our sub-processors? Contact ollie@hillory.run.