Our Data Processors

Transparency about third-party services we use

Last Updated: August 19, 2025

Data Processing Transparency

As part of our commitment to data protection and GDPR compliance, we maintain transparency about the third-party services (sub-processors) we use to provide our services. Each processor listed below has been carefully selected based on their security practices and compliance standards.

All processors are bound by data processing agreements (DPAs) that ensure they handle your data in accordance with GDPR and other applicable data protection laws.

Convex

Database & Backend

DPA in place
Location:United States
Purpose:

Real-time database, authentication, and backend services

Data Types:
User accountsProperty dataInquiriesSaved properties
Security & Compliance:

SOC 2 compliant, encryption at rest and in transit

Learn more about Convex

Resend

Email Service

DPA in place
Location:United States
Purpose:

Transactional email delivery and email notifications

Data Types:
Email addressesNamesEmail content
Security & Compliance:

GDPR compliant, encrypted transmission

Learn more about Resend

Vercel

Hosting & CDN

DPA in place
Location:United States (with global CDN)
Purpose:

Website hosting, edge functions, and content delivery

Data Types:
IP addressesBrowser dataPerformance metrics
Security & Compliance:

SOC 2 compliant, DDoS protection, global CDN

Learn more about Vercel

Stripe

Payment Processing

DPA in place
Location:United States
Purpose:

Payment processing for property deposits and transactions

Data Types:
Payment informationBilling addressesTransaction history
Security & Compliance:

PCI DSS Level 1 certified, GDPR compliant

Note: If payment processing is implemented

Learn more about Stripe

Google Analytics

Analytics

DPA in place
Location:United States
Purpose:

Website analytics and visitor behavior tracking

Data Types:
IP addressesBrowser dataPage viewsUser behavior
Security & Compliance:

Google's Standard Contractual Clauses, IP anonymization enabled

Note: Only loaded with user consent

Learn more about Google Analytics

Cloudflare

Security & Performance

DPA in place
Location:United States (with global presence)
Purpose:

DDoS protection, WAF, and CDN services

Data Types:
IP addressesRequest dataSecurity logs
Security & Compliance:

SOC 2 Type II certified, GDPR compliant

Note: If Cloudflare is used

Learn more about Cloudflare

Your Rights Regarding Sub-Processors

Under GDPR, you have specific rights regarding how your data is processed by third parties:

  • You can request information about which sub-processors handle your data
  • You can object to specific sub-processors (we'll work with you to find alternatives)
  • You're notified of any changes to our sub-processors with 30 days notice
  • All sub-processors are contractually bound to protect your data

If you have concerns about any of our sub-processors or would like more information about their data practices, please contact our Data Protection Officer at dpo@pygrealestate.com

Sub-Processor Updates

We review and update this list regularly. When we add or remove sub-processors, we:

  • Update this page with the changes
  • Notify users via email if the change materially affects data processing
  • Provide at least 30 days notice for significant changes
  • Allow users to object to new sub-processors

To receive notifications about sub-processor changes, ensure you're subscribed to our privacy updates through your account settings.