This page lists every third party Builderson Group Limited (“Fyncall,” “we”) uses to process personal data on behalf of our customers.
We update this list whenever we add or remove a subprocessor. Material changes are also announced via email to our merchants at least 30 days before they take effect, giving the merchant time to object as set out in our Data Processing Agreement.
Subprocessors used to deliver the Fyncall service
Cloud infrastructure
| Subprocessor | Purpose | Personal data processed | Location |
|---|---|---|---|
| Microsoft Corporation (Azure — virtual machines, Blob Storage, networking) | Hosting our application servers, database, file storage, and backups | All data Fyncall stores: customer profiles, conversation history, knowledge-base files, attachments, audit logs | Azure East US 2 (Virginia, USA) |
| Let’s Encrypt (Internet Security Research Group) | TLS certificate issuance for our domains | Domain names only — no customer data | USA |
AI / language model providers
| Subprocessor | Purpose | Personal data processed | Location |
|---|---|---|---|
| Microsoft Corporation (Azure OpenAI Service) | Primary AI inference engine — generates AI replies, performs intent classification, routes conversations | Customer message content, recent conversation history (last 5–15 messages), customer name and order context when available, knowledge-base snippets relevant to the query | Azure East US 2 (Virginia, USA) — <<TODO: confirm exact region from production env>> |
| OpenAI, L.L.C. | Fallback AI inference and text-embedding model (text-embedding-3-small) for knowledge-base search | Same as above (only when Azure OpenAI is unavailable, or for embeddings) | USA |
| Google LLC (Generative Language API — Gemini Files endpoint) | Used when knowledge-base files are first uploaded; processes the file content for indexing | Knowledge-base files uploaded by the merchant. Customer chat messages are not sent to Google. | USA |
AI provider data-handling commitments: Azure OpenAI does not use customer prompts to train Microsoft’s foundation models (Microsoft Data Protection Addendum, 2024). OpenAI does not train its models on data sent through the API by default (OpenAI Enterprise Privacy commitments). Google does not use Cloud / Workspace customer data for advertising or for training general-purpose models (Google Cloud DPA).
Messaging channels
| Subprocessor | Purpose | Personal data processed | Location |
|---|---|---|---|
| Twilio Inc. | WhatsApp Business and SMS message delivery | Customer phone number, message body, media URLs | USA (with global routing) |
| Meta Platforms, Inc. (WhatsApp Cloud API + Instagram Graph API) | WhatsApp and Instagram message delivery and webhook receipt | Customer phone number / Instagram-scoped sender ID, message content, attachments, story replies, comments | USA / Meta global infrastructure |
| Google LLC (Gmail API) | Reading and sending email through merchants’ connected Gmail accounts (when a merchant chooses to integrate Gmail) | Email sender/recipient addresses, message body, attachments, thread metadata | USA / EU (Google data residency depends on the Google account region) |
| Microsoft Corporation (Microsoft Graph API) | Reading and sending email through merchants’ connected Outlook / Exchange Online accounts | Email sender/recipient addresses, message body, attachments, thread metadata | USA / EU (Microsoft 365 data residency depends on the merchant’s tenant region) |
| Hostinger International Ltd. | Outbound transactional email (account verification, password reset, system notifications from Fyncall) — SMTP relay | Recipient email address, email subject and body | EU (Lithuania) |
Payments and billing
| Subprocessor | Purpose | Personal data processed | Location |
|---|---|---|---|
| Stripe, Inc. | Processing merchant subscription payments | Merchant email, billing address, payment method (raw card data is held by Stripe — Fyncall never sees full card numbers) | USA (with EU/UK data centres for EU merchants under Stripe’s standard architecture) |
| Shopify Inc. (Billing API) | Processing app subscription payments charged through the Shopify merchant’s Shopify bill | Merchant Shopify shop domain, plan name, charge amounts | Canada / USA |
Operations, monitoring, and developer tooling
| Subprocessor | Purpose | Personal data processed | Location |
|---|---|---|---|
| GitHub, Inc. (a Microsoft subsidiary) | Source-code hosting and CI/CD | Source code only — no customer or merchant data | USA |
| Self-hosted on the same Azure VM as production (Prometheus, Grafana, Loki, Promtail, Uptime Kuma, RAGFlow + MinIO) | Application metrics, log aggregation, uptime checks, knowledge-base index | Aggregate metrics; application logs (which may include customer IDs and message metadata, but not full message content); knowledge-base file content (RAGFlow only) | Azure East US 2 (same region as application data) |
All listed self-hosted tools run on the same Azure VM that hosts the application. They are not third-party services in the contractual sense, but they are listed here in the interest of full disclosure.
Optional / conditional subprocessors
| Subprocessor | When used | Personal data processed |
|---|---|---|
| LangChain, Inc. (LangSmith) | Only when the LANGCHAIN_TRACING_V2 flag is enabled on a Fyncall environment for debugging. Disabled in normal production operation. When enabled, full LLM prompts and responses (including customer message content) are sent to LangSmith’s USA-hosted servers for trace inspection. We disable this in production by default. | Full prompt/response content including customer messages |
This flag is controlled by Fyncall engineering. We will update this list and notify merchants if its production status changes.
Subprocessors NOT used in production
We’ve evaluated or have code references for the following but they are not active in production. They are listed here for transparency:
- Anthropic, PBC — code-present LLM provider; not currently routed.
- DeepSeek — code-present LLM provider; not currently routed.
We will update this list and notify merchants in advance if either becomes active.
How we vet subprocessors
Before engaging a subprocessor we require:
- A written Data Processing Agreement (or equivalent privacy addendum) between Fyncall and the subprocessor.
- EU Standard Contractual Clauses (SCCs) in the most recent EU Commission-approved form for any transfer of EU/UK personal data outside the EEA.
- Evidence of appropriate technical and organisational security measures — typically SOC 2 Type II, ISO 27001, or equivalent.
- A documented breach-notification commitment binding the subprocessor to inform Fyncall promptly of any incident affecting our data.
We periodically review the subprocessor list and remove vendors that no longer meet these standards.
Changes to this list
We may add or replace subprocessors as the service evolves. When we do:
- We update this page with the change and a new “Last updated” date.
- For material additions (new vendor categories, new data flows), we email the registered notification address on each merchant account at least 30 days before the change takes effect.
- Merchants who object to a new subprocessor can terminate their account before the change takes effect, as set out in §11 of our Data Processing Agreement.
Contact
Questions about subprocessors:
- Email:
privacy@fyncall.com - Mail: Builderson Group Limited —
<<TODO: confirm registered office address>>
Items marked <<TODO>> will be filled in when we confirm the relevant production configuration. The list as a whole is accurate to the best of our knowledge as of the “Last updated” date above.