This page identifies the principal third parties used by OneDiary Ltd to provide the OneDiary Platform and explains their usual data-protection role.
This list should be read with the OneDiary Platform Terms, including Schedule 1, and the OneDiary Privacy Policy.
1. Subprocessors
The following providers may process Business Personal Data on behalf of OneDiary when OneDiary acts as a processor for a Business.
| Provider | Service and purpose | Personal information commonly involved | Primary processing location and transfer information |
|---|---|---|---|
| Google Cloud | Application, database, file, storage, security and backup hosting | Account, Business, staff, Client, Appointment, content, technical and security information stored or generated through the Platform | OneDiary configures customer data at rest in United Kingdom and/or European Economic Area regions. Limited service metadata, support or security access may occur from other countries under Google’s contractual transfer safeguards |
| Brevo | Transactional email and SMS delivery, including invitations, confirmations, reminders, payment links, password resets and service notices | Recipient name, email address or telephone number, message content, template and delivery metadata | Primary database storage is in the European Union. Brevo may use international operations or onward providers under its data-processing and transfer safeguards |
| Expo | Push-notification routing | Push token or device token, notification content, app/device routing information and delivery status | Expo is a United States-based provider and routes notifications through Apple Push Notification service or Google Firebase Cloud Messaging. Processing may therefore occur outside the United Kingdom and European Economic Area under applicable contractual transfer safeguards. Notification content should be limited and should not contain unnecessary sensitive information |
OneDiary remains responsible to the relevant Business for the performance of these Subprocessors to the extent required by Schedule 1 to the Platform Terms.
2. Payment provider and independent controller
| Provider | Service and purpose | Usual role | Processing location and transfer information |
|---|---|---|---|
| Stripe | OneDiary subscriptions, connected-account onboarding, Client payments, refunds, disputes, fraud prevention, identity or business verification and compliance | Stripe may act as an independent controller for connected-account onboarding, payment processing, fraud prevention and legal compliance, and may act as a processor for limited activities under its own terms. Stripe is not a OneDiary Subprocessor where it acts as an independent controller | Stripe and its group companies operate internationally. Personal information may be processed in the United Kingdom, European Economic Area, United States and other countries under Stripe’s privacy, data-processing and international-transfer arrangements |
A Business and Client may be required to accept or receive Stripe’s own terms and privacy information as part of the onboarding or payment journey.
3. Downstream mobile-notification networks
Push notifications sent through Expo are delivered to devices using the relevant platform network, which may include:
- Apple Push Notification service (APNs) for Apple devices; and
- Google Firebase Cloud Messaging (FCM) for Android devices.
Those networks may process device tokens, routing data and notification content under their own terms and privacy information.
4. Supplier changes
OneDiary may update this list when a provider, service, processing purpose or material processing location changes.
Where Schedule 1 to the Platform Terms applies, OneDiary will normally give an affected Business at least 15 days’ advance notice before a new or replacement Subprocessor begins materially processing Business Personal Data. A Business may object during that period on reasonable, evidenced data-protection grounds in accordance with Schedule 1.
Questions about this list may be sent to support@onediary.co.uk.