CrossBorder Data Transfers and Representatives
Version: 2026-05-09 Effective Date: 2026-05-09 Authoritative Privacy Policy: /legal/privacy-policy §10.4 and §11 This page documents the legal mechanisms that govern transfers of personal data from the European Economic Area ("EEA"), the United Kingdom, and Switzerland to the United States (where Koydo is established) and to Koydo's processors and sub-processors.
Plain-language summary
This section explains the categories of information involved and keeps the description focused on what users need to understand.
1. Transfer Mechanisms in Force
1.1 EEA → United States
Transfers from the EEA are made pursuant to the EU Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 ("EU SCCs"). Koydo executes:
- Module 2 (Controller-to-Processor) — for transfers from Koydo (as controller) to a U.S. processor.
- Module 3 (Processor-to-Processor) — where applicable for sub-processor flows.
Koydo has performed Transfer Impact Assessments (TIAs) addressing FISA Section 702, Executive Order 12333, and the EU-US Data Privacy Framework. Supplementary technical, contractual, and organizational measures are applied per European Data Protection Board Recommendations 01/2020.
1.2 United Kingdom → United States
Transfers from the United Kingdom are made pursuant to the UK Addendum to the EU SCCs (B1.0, 21 March 2022) issued by the UK Information Commissioner's Office, executed alongside the EU SCCs above. The Addendum imports the EU SCCs into UK law for these transfers. Where executed separately with a particular processor, Koydo relies on the UK International Data Transfer Agreement (IDTA).
1.3 Switzerland → United States
Transfers from Switzerland rely on the EU SCCs as supplemented by the FADP-specific addendum recognized by the Swiss Federal Data Protection and Information Commissioner. Switzerland's adequacy assessment of the United States is followed where applicable.
Plain-language summary
Transfers from the EEA are made pursuant to the EU Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 ("EU SCCs").
2. PerProcessor Transfer Inventory
| Processor | Transfer Mechanism | Module | Last Verified |
|---|---|---|---|
| Supabase | EU SCCs Module 2 + UK Addendum + FADP supplement | C2P | 2026-04-15 |
| OpenAI | EU SCCs Module 2 + UK Addendum (executed 2026-03-19 with DPA v.010126) | C2P | 2026-04-15 |
| Anthropic | Pending DPA; once executed, EU SCCs Module 2 + UK Addendum | C2P | 2026-04-15 |
| Google (Gemini API / Vertex AI) | Google Cloud's built-in EU SCCs + UK Addendum | C2P / P2P | 2026-04-15 |
| ElevenLabs | Pending DPA — and not applicable in practice (no User personal data flows; pre-generation only) | n/a | 2026-04-15 |
| Stripe | EU SCCs Module 2 + UK Addendum (Stripe's published DPA) | C2P | 2026-04-15 |
| RevenueCat | EU SCCs Module 2 + UK Addendum | C2P | 2026-04-15 |
| Vercel | EU SCCs Module 2 + UK Addendum | C2P | 2026-04-15 |
| Mixpanel | EU SCCs Module 2 + UK Addendum | C2P | 2026-04-15 |
| Sentry | EU SCCs Module 2 + UK Addendum | C2P | 2026-04-15 |
Plain-language summary
Koydo uses service providers only to operate the service, under contractual limits, and not for third-party advertising.
3. Requesting Copies
Executed copies of any transfer mechanism (or a redacted summary where the underlying contract is confidential) can be obtained by emailing privacy@koydo.app with subject "Transfer Mechanism Request." Koydo will provide the document within 30 days.
Plain-language summary
This section covers 3. requesting copies.
4. EU and UK Article 27 Representatives — STATUS: PENDING APPOINTMENT
Koydo has not yet appointed a representative under GDPR Article 27 (EU) or UK GDPR Article 27 (UK). Pending appointment, EEA and UK data subjects may contact Koydo's Privacy Team at privacy@koydo.app for all data-protection inquiries, requests, and complaints. EEA data subjects retain the right to lodge a complaint directly with the supervisory authority of their habitual residence; the European Data Protection Board maintains a list of national authorities at edpb.europa.eu. UK data subjects retain the right to lodge a complaint directly with the Information Commissioner's Office at ico.org.uk. When a representative is appointed, this section will be updated with the representative's legal name, postal address, and contact details, and the change will be recorded in Koydo's legal version history.
Plain-language summary
Koydo has not yet appointed a representative under GDPR Article 27 (EU) or UK GDPR Article 27 (UK).
5. Data Privacy Framework
Koydo is evaluating certification under the EU-US Data Privacy Framework and the UK Extension to the DPF. Certification status, when achieved, will be published here and at dataprivacyframework.gov.
Transfers v2026-05-09 — Effective May 9, 2026 — koydo.app/legal/transfers
Plain-language summary
This section explains the categories of information involved and keeps the description focused on what users need to understand.