Data sub-processors
Effective: 2026-04-21
Published under GDPR Art. 28 transparency principle and the European Data Protection Board's guidance on processor disclosures (EDPB 07/2020).
JOLI d.o.o. (trading as Eluxena) is the controller of your personal data. To run the shop we use the processors listed below. Each one is bound by a written data processing agreement (DPA) that meets GDPR Art. 28(3). Where a processor is outside the European Economic Area, we transfer data under an adequacy decision or Standard Contractual Clauses.
This list is refreshed whenever we add, remove, or change a processor. We will re-prompt all visitors for consent when adding a new analytics or marketing processor.
Core shop infrastructure
| Processor | Purpose | Country | Safeguard |
|---|---|---|---|
| Shopify International Ltd. | Storefront hosting, order management, checkout, CDN | Ireland (EEA) | Within EEA |
| Shopify Inc. | Platform services, built-in analytics, Shop Pay | Canada | EU Commission adequacy decision (2001) for commercial sector |
| Cloudflare Inc. | DDoS protection and global CDN (via Shopify) | USA | Standard Contractual Clauses + technical measures |
Payments
| Processor | Purpose | Country | Safeguard |
|---|---|---|---|
| Shopify Payments (Stripe Technology Europe Ltd.) | Card acceptance, fraud screening, payouts | Ireland (EEA) | Within EEA |
| PayPal (Europe) S.à r.l. et Cie, S.C.A. | Alternative payment method (where offered) | Luxembourg (EEA) | Within EEA |
| Klarna Bank AB | Deferred payment (where offered) | Sweden (EEA) | Within EEA |
Logistics
| Processor | Purpose | Country | Safeguard |
|---|---|---|---|
| Pošta Slovenije d.o.o. | Parcel delivery (SI + EU small parcels) | Slovenia (EEA) | Within EEA |
| DHL Parcel (Slovenija) d.o.o. | Express EU delivery | Slovenia (EEA) | Within EEA |
| General Logistics Systems (GLS) Slovenia d.o.o. | EU ground parcel | Slovenia (EEA) | Within EEA |
Marketing & analytics (only loaded with your consent)
| Processor | Purpose | Country | Safeguard |
|---|---|---|---|
| Google Ireland Ltd. (Google Analytics 4, Google Ads) | Site analytics and ad attribution — only with consent, IP-anonymised | Ireland (EEA); sub-processors in USA | EU-US Data Privacy Framework + SCCs |
| Meta Platforms Ireland Ltd. (Facebook Pixel, Custom Audiences) | Ad targeting on Facebook and Instagram — only with consent | Ireland (EEA); sub-processors in USA | EU-US Data Privacy Framework + SCCs |
| TikTok Technology Ltd. (TikTok Pixel) | Ad targeting on TikTok — only with consent | Ireland (EEA); sub-processors outside EEA | SCCs + supplementary measures |
| Klaviyo Inc. | Email and SMS marketing CRM — only for subscribed customers | USA | Standard Contractual Clauses + EU-US Data Privacy Framework (certified) |
Reviews and UGC
| Processor | Purpose | Country | Safeguard |
|---|---|---|---|
| Judge.me Ltd. | Customer review collection, moderation, and display | Canada | EU Commission adequacy decision (2001) |
Support and operations
| Processor | Purpose | Country | Safeguard |
|---|---|---|---|
| Google Workspace (Google Ireland Ltd.) | Corporate email, document storage for internal operations only | Ireland (EEA) | Within EEA; EU-US Data Privacy Framework for support data |
Transfer safeguards in detail
- Adequacy decisions: Canada (commercial), UK, Switzerland, EEA countries, and several others. See the European Commission's current list.
- Standard Contractual Clauses (SCCs): Commission Implementing Decision (EU) 2021/914 is incorporated into the DPA with each non-adequate-country processor. We use Module Two (controller-to-processor).
- Supplementary measures: where transfers go to the United States we additionally rely on the EU-US Data Privacy Framework (applies only to certified recipients — check the DPF participant list) and on technical measures (encryption at rest and in transit, pseudonymisation, strict access control).
Your rights
You have the right to obtain a copy of the relevant DPA and SCCs for any specific processor. Send your request to hello@lemonabird.com with the processor name. We will respond within one month.
For a list of the cookies each processor may set on your device, see the Cookie Policy.
Changes
This page reflects our sub-processors as of the effective date above. Material changes are logged internally for at least 5 years. Significant additions (new analytics or marketing processor) will trigger a fresh consent prompt on the Site.