Saltar al contenido principal
AgenticRelay

Sub-processors & Data Processing

Effective: June 14, 2026 — Last updated: June 14, 2026

1. Overview

AgenticRelay is operated by SoundsWire LLC(“we”, “us”, or “our”), the platform available at agenticrelay.app (the “Service”). To provide the Service we engage a small number of third-party sub-processors. A sub-processor is a third party that processes personal data on our behalf. This page lists each sub-processor, the purpose it serves, and the category of data it processes, together with how we handle personal data, retention, deletion, security, and your data-protection rights.

This page is maintained as our authoritative sub-processor list. We will update it before engaging a new sub-processor that processes personal data. Each sub-processor processes data only as needed for its stated purpose and under its own data processing terms.

2. Personal Data We Process

Depending on how you use the Service, we may process the following categories of personal data:

  • Account profile — name, email address, avatar, and the Google OAuth identifier associated with your sign-in
  • Workspace and organization data — workspace details, membership, and roles
  • Agent and RAG configuration — agent settings and the knowledge-base documents you upload
  • Conversation content — chat messages, including WhatsApp messages and anonymous website-widget visitor conversations
  • WhatsApp connection data — connected WhatsApp business numbers and their access tokens (stored encrypted)
  • Billing data — Stripe customer identifier, plan, and usage/credit records (we do not store card numbers)
  • Audit logs and activity feed — records of significant actions taken in your workspace
  • API keys — keys you provide for connected services, stored encrypted
  • IP addresses — used transiently for rate limiting and abuse prevention

We do not use your knowledge-base documents or conversation content to train AI models, and we do not permit our AI sub-processors to do so.

3. Infrastructure & Platform

These sub-processors are always in the data path because they host and store the Service.

Sub-processorPurposeData processedLocation
Cloudflare, Inc.Application hosting (Workers), global edge network, object storage (R2), SQLite (D1), key-value cache (KV), vector embeddings (Vectorize), database connection pooling (Hyperdrive), and stateful chat sessions (Durable Objects).All Service data in transit; stored files and uploaded documents (R2), vector embeddings of knowledge-base content (Vectorize), rate-limiting and abuse-prevention counters (D1/KV), and chat session state (Durable Objects).Cloudflare global edge network
Neon, Inc.Managed PostgreSQL — the primary application database.Account and workspace data, agent and RAG configuration, conversation records, billing and usage records, audit logs and activity feed, and encrypted secrets.United States (AWS US East / Ohio, us-east-2)
Stripe, Inc.Payment processing, subscriptions, invoicing, and credit top-ups.Billing contact details, payment-method tokens, transaction and invoice records. Full card numbers are handled by Stripe and are never stored by us.United States (global processing)

4. Communication Channels & Sign-in

These sub-processors handle authentication and the channels through which you and your end-users communicate with your agents.

Sub-processorPurposeData processedLocation
Google LLC (Sign-in / OAuth)Google OAuth sign-in for account authentication.Google OAuth identifier and basic profile (name, email, avatar) returned during sign-in.United States
Meta Platforms, Inc. (WhatsApp Business Cloud API)Sending and receiving messages on the WhatsApp channel.WhatsApp conversation content and the connected WhatsApp business phone number. Access tokens for connected numbers are stored encrypted at rest by us.United States (global processing)
Transactional email providerDelivery of account and notification emails (sign-in, verification, billing, alerts).Recipient email address and the contents of the transactional or notification message.United States

5. Observability & Analytics

These sub-processors help us keep the Service reliable and understand how it is used. Analytics are gated behind your cookie consent (see Section 9).

Sub-processorPurposeData processedLocation
Functional Software, Inc. (Sentry)Application error monitoring and performance tracing.Error events, stack traces, and request/diagnostic context, which may include limited personal data.United States
PostHog, Inc.In-app product analytics and usage metrics.Product-usage events and metrics. Analytics cookies and collection load only after you grant consent.United States / EU (region-configurable)
Google LLC (Google Analytics)Aggregate traffic analytics on our marketing website (separate from the Google OAuth sign-in entry above).Aggregated usage and device data (pages viewed, browser/device type, approximate location). Consent-gated: loads only after you grant analytics consent.United States

6. AI Model Providers

AI providers are invoked only for the model you select, and only with the content of that request, to generate a response. Customer documents and data are not used to trainthese providers' models. When you bring your own API key (BYOK) for an AI provider, you contract with that provider directly under its terms, and we act solely as a conduit for that request.

Sub-processorPurposeData processedLocation
Cloudflare, Inc. (Workers AI)Inference using Cloudflare's Workers AI models.Prompt, retrieved context, and tool inputs for the turn.Cloudflare global edge network
OpenAI, L.L.C.Inference for the OpenAI models you select.Prompt, retrieved context, and tool inputs for the turn.United States
Anthropic, PBCInference for the Anthropic (Claude) models you select.Prompt, retrieved context, and tool inputs for the turn.United States
Google LLCInference for the Google (Gemini) models you select.Prompt, retrieved context, and tool inputs for the turn.United States
Mistral AI SASInference for the Mistral models you select.Prompt, retrieved context, and tool inputs for the turn.European Union
Cohere, Inc.Inference for the Cohere models you select.Prompt, retrieved context, and tool inputs for the turn.United States
xAI Corp.Inference for the xAI (Grok) models you select.Prompt, retrieved context, and tool inputs for the turn.United States

7. Lawful Bases for Processing

For users in the European Economic Area (EEA) and the United Kingdom, we process personal data under one or more of the following lawful bases of the GDPR and UK GDPR:

  • Contract performance— to provide the Service you have signed up for, including running your agents and channels
  • Legitimate interests— to operate, secure, and improve the Service, including rate limiting and abuse prevention
  • Legal obligation— to comply with applicable law, such as tax and accounting requirements
  • Consent— for non-essential cookies and analytics, which you can withdraw at any time

8. Data Retention

We retain personal data only as long as necessary for the purpose it was collected, or as required by law.

  • Anonymous widget / visitor conversations— purged after 90 days
  • Audit logs— kept approximately 90 days in the primary database, then archived to encrypted object storage for a total of 6 years, after which they are deleted
  • Soft-deleted agents— permanently purged after 90 days
  • Purchased credits— expire 1 year after purchase and are non-refundable
  • Account data— erased when you delete your account, as described in Section 10

9. Cookies

The Service uses a small set of cookies:

  • Authentication / session cookie(essential) — set by Better Auth to keep you signed in. This is required for core functionality and cannot be disabled without impairing the Service.
  • Locale cookie (functional) — NEXT_LOCALE, stores your language preference.
  • Consent-preference cookiear_cookie_consent, remembers your cookie choices.
  • Analytics cookies (PostHog) — load only after you grant consent and are not set by default.

10. Deletion & Erasure

You can delete your account from within the Service. Account deletion performs a GDPR-style erasure: it cancels your Stripe subscriptions, purges each owned workspace's external-store data — Vectorize embeddings, D1 chunk text, R2 files, and Durable Object chat state — and then cascades the deletion of the corresponding PostgreSQL records.

Account deletion is blocked until any active paid subscriptions are cancelled. Disconnecting a WhatsApp number deletes its stored encrypted access token. You may also exercise access or deletion rights by emailing legal@agenticrelay.app.

11. Security

We apply technical and organizational measures to protect your data, including:

  • AES-256-GCM envelope encryption for secrets at rest (WhatsApp tokens, API keys)
  • TLS / HTTPS encryption for data in transit
  • Strict per-workspace data isolation
  • Rate limiting and abuse prevention
  • HMAC-signed verification of inbound webhooks

No method of transmission or storage is completely secure. If you believe your account has been compromised, contact us at support@agenticrelay.app.

12. Data Location & International Transfers

The Service runs on Cloudflare's global edge network, so requests are processed at the edge location nearest to the user. Our primary database (Neon) and object storage are US-based (AWS US East / Ohio, us-east-2).

Because we and several sub-processors are based in the United States, personal data may be transferred outside your country of residence, including to the US. Where required for transfers from the EEA or UK, we rely on appropriate safeguards such as the EU-US Data Privacy Framework (where the sub-processor participates), the European Commission's Standard Contractual Clauses, and the UK International Data Transfer Agreement, as applicable.

13. Your Rights

EEA / UK users (GDPR / UK GDPR)

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure / “right to be forgotten” (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object to processing (Article 21)
  • Right to withdraw consent at any time without affecting prior lawful processing

California users (CCPA / CPRA)

  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to correct inaccurate personal information
  • Right to opt out of the sale or sharing of personal information (we do not sell or share your personal information)
  • Right to non-discrimination for exercising your rights

To exercise any of these rights, contact us at legal@agenticrelay.app. We will respond within the period required by applicable law.

14. Children's Privacy

The Service is not directed to children under 16 years of age (or 13 in jurisdictions where that age applies). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at legal@agenticrelay.app and we will promptly delete it.

15. Data Processing Agreement

A Data Processing Agreement (DPA) incorporating this sub-processor list is available to customers on request. To request our DPA or to ask about a specific sub-processor, contact legal@agenticrelay.app.

16. Changes & Notification

We may add or replace sub-processors as the Service evolves. Material additions affecting the processing of personal data will be reflected on this page, and we will revise the “Last updated” date above. Customers under a DPA may subscribe to change notifications by contacting legal@agenticrelay.app. For more on how we handle data, see our agenticrelay.app/privacy.

17. Contact

SoundsWire LLC

Privacy / Legal: legal@agenticrelay.app

Support: support@agenticrelay.app

Website: agenticrelay.app