Sub-processors

Who touches your data, why, and where.

A short list of the third-party tools that may process your data when you use KindLoops. Updated the day any new tool is added. Questions: hello@kindloops.io.

Last updated: 2026-05-22

  • ElevenLabs

    Purpose
    Voice synthesis + speech-to-text for the Layla voice agent.
    Data
    Audio recordings, transcripts.
    Hosting
    US
    Data-protection posture
    No-training contract; 90-day audio retention.
    When it's triggered
    Only after consent in the Layla modal.

  • AI language model provider

    Purpose
    Conversation logic for the Layla voice agent.
    Data
    Transcript snippets sent for inference.
    Hosting
    US
    Data-protection posture
    Zero-data-retention / no-training contract.
    When it's triggered
    Only after consent in the Layla modal.

  • Cal.com

    Purpose
    Scheduling — booking the 15-min discovery call.
    Data
    Name, email, time-slot, any notes you add to the booking.
    Hosting
    US
    Data-protection posture
    GDPR-aligned. Per-booking only — no broader data exposure.
    When it's triggered
    When you book a strategy session (manually or via Layla).

  • Workflow orchestration (internal)

    Purpose
    Routes the booking from the voice agent into the scheduling tool and our CRM.
    Data
    Booking metadata (name, email, time-slot, source).
    Hosting
    Canadian-hosted where supported by the underlying tool.
    Data-protection posture
    Encrypted at rest. No data persisted beyond what the booking requires.
    When it's triggered
    On any booking event.

  • Email service provider

    Purpose
    Sends booking confirmations, the readiness diagnosis, and (with consent) marketing emails.
    Data
    Email address, name, the message content.
    Hosting
    US
    Data-protection posture
    CASL-compliant. Unsubscribe processed within 24 hours.
    When it's triggered
    When we email you.

  • Plausible Analytics

    Purpose
    Privacy-friendly site analytics. No personal data collected.
    Data
    Aggregate page views, country, referrer. No cookies set.
    Hosting
    EU
    Data-protection posture
    No personal data; no cookies; GDPR-friendly by design.
    When it's triggered
    On every page visit.

  • Cloudflare

    Purpose
    DNS, CDN, basic security (WAF, bot-fight).
    Data
    IP address, request metadata.
    Hosting
    Edge — closest PoP, typically Canadian for Canadian visitors.
    Data-protection posture
    No content retention beyond standard CDN cache windows.
    When it's triggered
    On every page visit.

We list only sub-processors that may touch your data. Internal tools that don't touch client data (our accounting, bookkeeping, password manager, etc.) are not enumerated here.