Skip to content
Install on Shopify

Transparency

The full list of who touches your data.

Arbyn uses a small number of third-party services to run. They are listed here, by name, with what they process and where. We update this page before adding anyone new.

Total subprocessors
10
Last updated
May 20, 2026
Change notice
30 days before
What is a subprocessor?

A subprocessor is any third-party service Arbyn uses to operate, where that service might touch your data along the way. GDPR Article 28 requires us to disclose them. It’s also just the honest thing to do. This page is the full list. Nobody else.

The list

Seven services. That’s it.

Each row shows what the vendor does, what they process, where they host it, and their security certifications. Every name links to their own privacy or data processing page so you can check them directly.

SubprocessorWhat we use them forWhat they processRegionLegal / trust
Infrastructure
Render
Render Services, Inc. · US
SOC 2 Type 2ISO 27001
Application hosting, database, background jobs. The servers Arbyn runs on.All Arbyn application data at rest and in transit.US (default)
EU available on request
AI / LLM inference
Deep Infra
Deep Infra, Inc. · US
No-training policy
Hosts the open-source AI models Arbyn uses for all reasoning, sales suggestions, and reply drafting.Your customers' message text and order details, sent so the AI can draft a reply. Not stored, not used for training.US
Commerce platform
Shopify
Shopify Inc. · CA
SOC 2 Type 2PCI-DSS
Source of order, customer, catalog, and policy data. Arbyn reads via Shopify API.All commerce data already lives there. Arbyn pulls, doesn't store duplicates long-term.Per store
Set by store owner
Billing & payments
Shopify Billing
via Shopify App charges · CA
PCI-DSS
All Arbyn subscriptions are charged through your Shopify admin. We never see your card.Subscription metadata. No card details ever touch Arbyn.Per Shopify
Transactional email
Resend
Resend, Inc. · US
SOC 2 Type 2
Sends emails to you (escalations, weekly digests, billing receipts). Not replies to your customers.Email addresses and message bodies for transactional sends only. No marketing lists.US
Postmark
ActiveCampaign LLC · US
SOC 2 Type 2HIPAA
Sends forwarding emails from Arbyn to your inbox. Used when a customer conversation needs to be relayed or escalated into your own email.Email addresses, message bodies, and conversation context routed through their service. Delivery logs kept per Postmark's policy. Not used for training.US
CDN & DDoS
Cloudflare
Cloudflare, Inc. · US
SOC 2 Type 2ISO 27001
DNS, CDN, and DDoS protection for the Arbyn dashboard and chat widget.HTTPS traffic in transit. Cached static assets only.Global edge
Website analytics
Microsoft Clarity
Microsoft Corporation · US
Consent-gatedText masked
Anonymized session replay and heatmaps on the arbyn.app marketing site. Loads only after the visitor grants the Session recording category.Masked page interactions (clicks, scrolls) on the marketing site. No form or message content, and never on the dashboard or chat.US
Website advertising
Meta Pixel
Meta Platforms, Inc. · US
Consent-gated
Measures Arbyn's own ad campaigns and conversions on the marketing site. Loads only after the visitor grants the Marketing category.Hashed email and conversion events for ad measurement, from the browser and the server-side Conversions API. Marketing-site visitors only.US
LinkedIn Insight Tag
LinkedIn Corporation · US
Consent-gated
Measures Arbyn's own LinkedIn ad campaigns on the marketing site. Loads only after the visitor grants the Marketing category.Ad-measurement identifiers for marketing-site visitors. Never on the dashboard or chat.US

If we add a new one, you find out first.

No surprise vendors. No “we updated our DPA, please re-read 38 pages.”

Subscribe to subprocessor change notices and we’ll email you whenever this list changes. Standard 30 days notice. Object in writing and we’ll work it out, or you can cancel and your data is deleted.

Subscribe to change notices
  • 01
    30 days before any new subprocessor is added, we email subscribers and update this page.
  • 02
    Any store owner on the notice list can object. If we can't address your objection, you can cancel.
  • 03
    If you cancel, your data is deleted within 30 days. We keep only the minimum logs the law requires.
Document version
v1.0 · May 20, 2026
This page is the source of truth. Earlier versions available on request.
Questions
privacy@arbyn.app
For privacy questions, data processing agreements, or GDPR requests.