Legal
cloudmarlin relies on the third-party service providers listed below ("Subprocessors") to operate the Service. Each is bound by a written agreement with appropriate data-protection terms (a Data Processing Addendum or equivalent), and processes personal data only on Cloudmarlin's instructions. This list reflects the current set of Subprocessors and will be updated when changes are made.
| Subprocessor | Purpose | Data processed | Region |
|---|---|---|---|
| Hetzner Online GmbH privacy policy |
Primary hosting and storage; this is where the Service runs and where uploaded PCAPs and reports are stored. | All data submitted to the Service. | Germany (EU) |
| Stripe, Inc. (and Stripe Payments Europe Ltd. for EU customers) privacy policy |
Payment processing for paid subscriptions. Card data is collected directly by Stripe and never reaches Cloudmarlin servers. | Billing email, billing name, payment method token, transaction metadata. | USA (with EU subsidiary for EU customers) |
| ActiveCampaign, LLC d/b/a Postmark privacy policy |
Transactional email delivery (verification, billing receipts, security notices). | Recipient email address and email body content. | USA |
| Google LLC privacy policy |
OAuth identity verification, only when a user chooses "Sign in with Google". | Google account ID, email address, name, profile-image URL (the OAuth scopes openid, email, profile). |
USA / global |
| Intuition Machines, Inc. (hCaptcha) privacy policy |
Bot detection on the signup form. | IP address, user-agent, mouse and keyboard interaction signals, hCaptcha cookies (set under hCaptcha's control). | USA |
We will update this page when we add or replace a Subprocessor. Customers on a paid plan who would like advance notice of Subprocessor changes can request to be notified by emailing privacy@cloudmarlin.com; objections will be considered in good faith and may, where unresolvable, allow termination of the affected subscription.
The following are services Cloudmarlin uses internally for its own operations but which do not have access to user-submitted PCAPs or report content: domain registration, source-code hosting, internal employee tooling. They are not listed here because they do not process personal data of Service users.