International data transfers
Most of your data never leaves the EU. A small set of sub-processors that operate globally (Anthropic, Google, Cloudflare) may, depending on the request, route data through US infrastructure. This page lists every such transfer and the GDPR Chapter V mechanism we rely on.
Effective 2026-04-30.
Default: EU-only processing
Application drafts, accounts, payment records, email content, and uploaded documents are processed and stored in the EU. Hetzner (Germany), Stripe (Ireland), Mailgun (Frankfurt), and Twilio (Ireland) are EU-based for the purposes of our contract.
Transfers that may leave the EU
| Sub-processor | Trigger | Data crossing the border | Mechanism (GDPR Ch. V) | Supplementary safeguards |
|---|---|---|---|---|
| Anthropic PBC (US) | AI draft generation when EU endpoint capacity is exhausted | Wizard answers with sensitive fields tokenised; no national ID, IBAN, or exact income leaves the tokenisation boundary | Standard Contractual Clauses (Module 2) + EU-US Data Privacy Framework certification check | Field-level tokenisation; ZDR addendum (no model training, no log retention beyond 30 days); Anthropic SOC 2 Type II |
| Google LLC (US) | Address autocomplete keystrokes | Partial address text + IP, only while the address field is focused | SCC + EU-US DPF | API limited to Address-Autocomplete; no persistent identifiers issued by Buronia; Google Maps Platform terms |
| Cloudflare, Inc. (US) | Edge serving of static assets / DDoS protection | Request metadata + IP (no application data) | SCC + EU-US DPF + Cloudflare EU Data Boundary commitment | Static assets only; no cookies set; no application bodies cached |
Transfer Impact Assessment (Schrems II)
For every transfer, we conducted an assessment of the destination country's surveillance regime, the practical access government authorities have to the data, the effectiveness of contractual safeguards, and the effectiveness of technical safeguards. Findings:
- Risk profile: Low. The data leaving the EU is either non-sensitive (request metadata) or has had its sensitive components tokenised before transmission.
- Government-access risk: US FISA 702 and EO 12333 are the relevant legal authorities (a statute and an executive order, respectively). Our sub-processors are subject to them as electronic communication service providers; because of the field-level tokenisation in our pipeline, any data they could be compelled to disclose has already been stripped of national IDs and IBANs.
- Effectiveness of safeguards: Sufficient given the data minimisation; we do not transfer special-category data outside the EU.
What we will never transfer outside the EU
- National identifiers (Personalausweis, NIE, henkilötunnus, asmens kodas).
- IBAN / payment account numbers.
- Disability status or other Art. 9 special-category data.
- Uploaded documents (response letters from authorities, ID scans).
- Stripe payment data — Stripe handles this on EU infrastructure under their EU-Internal flag.
If you object to a transfer
Email dpo@buronia.com. We can route your account through EU-only paths (slightly slower draft generation; no third-party address autocomplete) on request.