Subprocessor and Transfers Notice

This notice identifies the third-party vendors engaged by Xblanc Sp. z o.o. in connection with GliminTor OS, their role under applicable data protection law, and the safeguards applied to international data transfers. It is published in compliance with GDPR Article 28 and the Data Processing Agreement. This list reflects vendors currently in production use. We provide at least 30 days advance notice of material additions or changes to this list. The current version is always available at glimintor.com/legal/subprocessors. Last updated: May 1, 2026.

Vendors may act as data processors (acting exclusively on our instruction), as independent data controllers (determining their own purposes), or in a dual/mixed role depending on the specific processing activity. The role determines the applicable legal instrument and disclosure obligation. Vendor Role Basis for classification Stripe, Inc. Processor and Controller — dual role Processor for payment execution on our instruction. Independent controller for fraud detection, KYC, AML, and Stripe's own regulatory compliance obligations. Clerk, Inc. Processor Processes authentication and session data exclusively on our instruction and configuration. Railway Corp. Processor Infrastructure provider with no independent processing purpose. All data processed on our instruction. Cloudflare, Inc. Processor and Controller — partial Processor for CDN, routing, DNS, and email routing on our instruction. Independently determines purposes for network-level security data and threat intelligence. Resend, Inc. Processor Delivers transactional email exclusively on our instruction. OpenRouter, Inc. Processor Routes AI language model API requests on our instruction. Downstream model providers are sub-processors of OpenRouter under OpenRouter's own terms. We do not have a direct contractual relationship with downstream model providers through this routing. fal.ai, Inc. Processor Generates AI image, video, audio, and 3D assets on our instruction. Cloudflare R2 Processor Object storage for media assets on our instruction. Data residency configurable to EU or US regions.

Stripe's role varies by the specific processing activity and must be understood accordingly: Activity Stripe's role Governing instrument Payment execution — processing subscription charges and checkout transactions Processor acting on our instruction Stripe Data Processing Agreement Fraud detection and payment risk assessment (Stripe Radar) Independent controller — Stripe determines its own purposes Stripe Privacy Policy (stripe.com/privacy) Financial regulatory compliance — KYC, AML, sanctions screening Independent controller — Stripe fulfils its own regulated obligations Stripe Privacy Policy Subscription management and invoice generation Processor acting on our instruction Stripe Data Processing Agreement For Stripe's independent controller activities, our Privacy Policy directs users to Stripe's own Privacy Policy. We do not instruct or control these activities.

Vendor Country Processing purpose Data categories processed Transfer basis Stripe, Inc. USA Payment processing and subscription billing Name, email, billing address, tokenised payment data EU SCCs Module 2 (C2P) for processor activities Clerk, Inc. USA User authentication and session management Name, email, authentication tokens, device identifiers EU SCCs Module 2 (C2P) Railway Corp. USA Cloud infrastructure, application hosting, PostgreSQL database, Redis, worker processes All platform data — account data, workspace content, credits ledger, analytics EU SCCs Module 2 (C2P) Cloudflare, Inc. USA/Global CDN, DDoS protection, DNS management, email routing IP addresses, request metadata, email routing headers EU SCCs Module 2 (C2P) for processor activities Resend, Inc. USA Transactional and notification email delivery Email address, name, email content EU SCCs Module 2 (C2P) OpenRouter, Inc. USA AI language model routing and inference for text generation and analysis features User prompts, brand context inputs, generated text outputs EU SCCs Module 2 (C2P) fal.ai, Inc. USA AI image, video, audio, and 3D asset generation User prompts, media inputs, generated asset outputs EU SCCs Module 2 (C2P) Cloudflare R2 USA / EU configurable Object storage for user-uploaded and AI-generated media assets Image, video, and audio files EU SCCs / EU data residency where EU region configured

When you connect third-party social media or messaging platforms, those platforms act as independent data controllers for their own platform data. GliminTor acts as an authorised processor on your instruction when accessing those platforms via their APIs. Each platform governs its own data under its own terms and privacy policies. Platform Data accessed on your instruction Platform controller Meta — Facebook, Instagram, Messenger, Threads Posts, DMs, page analytics, engagement data Meta Platforms, Inc. X (Twitter) Posts, DMs, account analytics X Corp. LinkedIn Posts, page analytics LinkedIn Corporation TikTok Posts, account analytics TikTok Ltd. YouTube / Google Videos, comments, channel analytics Google LLC WhatsApp Business Messages via WhatsApp Business API Meta Platforms, Inc. Telegram Messages via Telegram Bot API Telegram Messenger Inc. Discord Messages, server data Discord Inc. Gmail Email messages (read and send) Google LLC

CRM platforms are independent data controllers. Data is exchanged under your authorisation. GliminTor acts as an authorised intermediary on your instruction. Platform Location Data exchanged Slack USA Workspace messages and notification data Notion USA Workspace content and database entries ClickUp USA Task and project data HubSpot USA Contact and CRM records Asana USA Project and task data

Personal data transferred from the European Economic Area to processors located in the United States is transferred under Standard Contractual Clauses (SCCs) adopted by the European Commission in June 2021. We rely on Module 2 (Controller-to-Processor) SCCs for processor relationships. Transfer Impact Assessments are conducted and documented for US-based processors. For data of users in the UAE, KSA, and Egypt that is transferred to EU or US processors, appropriate contractual safeguards are applied. We do not represent that data is stored locally within any of these territories.

We will update this notice when subprocessors are added, removed, or their role materially changes. Subscribers will receive 30 days advance notice of material changes by email. After the notice period, if you object to a new subprocessor and we cannot accommodate your objection, you may terminate the affected services. Current notice always available at: glimintor.com/legal/subprocessors Contact for subprocessor enquiries: [email protected]