Subprocessors
Last updated: May 20, 2026
Current subprocessor list
The table below reflects the subprocessors we use as of May 20, 2026. The “Data accessed” column describes the data the subprocessor may receive in the course of providing its service.
| Vendor | Purpose | Data accessed | Region | Links |
|---|---|---|---|---|
| Twilio, Inc. | Voice call routing, phone-number provisioning, SMS delivery | Caller phone numbers, call audio (in transit), SMS content, call/message metadata | United States (global edge) | |
| Twilio SendGrid | Transactional email delivery (appointment confirmations, follow-ups) | Recipient email address, message content, delivery status | United States | |
| OpenAI, L.L.C. | Real-time voice-call processing — speech-to-text on caller audio, conversational response generation during the live call, and synthesized response audio for accounts not on the premium-voice add-on. Also per-call post-processing — summary and intent extraction, caller-facts extraction, lead-quality scoring, learning-signal extraction, and knowledge-base content classification — performed by the gpt-4o-mini model. | Caller audio (in real time), live-call conversation transcripts, post-call transcripts submitted for per-call post-processing, configured prompts, lead snapshots, and other content from the tenant workspace that is provided to the model in the course of handling the call or its immediate post-processing | United States | |
| Anthropic, PBC | Text-based language-model inference — weekly aggregated AI Insights narrative and action items, AI replies to inbound SMS, dashboard assistant, knowledge-base AI assistance (polish, conflict checking, content generation), lead action suggestions, and content generation (SMS / email template drafting, pronunciation suggestions) | Aggregated weekly call roll-ups (transcripts and metadata for the period), inbound and outbound SMS message content, knowledge-base content, lead snapshots, configured prompts, and other tenant-workspace content provided to the model in the course of these features | United States | |
| ElevenLabs Inc. | Text-to-speech synthesis and voice cloning, generally available only to tenants who enable the premium-voice add-on | Generated audio prompts and, when voice cloning is used, voice samples uploaded by the tenant | United States | |
| Clerk, Inc. | User authentication, session management, multi-factor authentication | Account email, name, password (hashed), session tokens, login metadata | United States | |
| Stripe, Inc. | Subscription billing, payment processing, invoicing | Billing name, address, payment-method details (Stripe-tokenized; we do not store card numbers), subscription metadata | United States (global) | |
| Supabase, Inc. | Primary database hosting (PostgreSQL), file storage, row-level-security tenant isolation | All operational tenant data: leads, bookings, call logs, transcripts, configuration | United States (US-East default; other regions on request for Enterprise) | |
| Vercel, Inc. | Web application (dashboard + marketing site) hosting, serverless function execution, CDN | HTTP request logs, IP addresses, user agents, anonymized page-view analytics | United States (global edge network) | |
| Railway Corp. | Hosting and execution of the EMOR voice runtime — the server that terminates Twilio media streams, bridges audio to and from AI inference providers in real time, and writes call data to Supabase. Voice audio passes through Railway compute in transit and is not persisted on Railway beyond the lifetime of the call. | Caller audio (in transit only), live call transcripts (in transit only), tenant identifiers, call metadata, application logs | United States | |
| Functional Software, Inc. (Sentry) | Error tracking, exception monitoring, performance telemetry | Error stack traces, request context, tenant identifier, user identifier (no payment data, no PHI) | United States | |
| Upstash, Inc. | Distributed rate limiting and abuse protection for dashboard and public API endpoints (per-IP and per-tenant counters) | IP addresses, tenant identifiers, request counters and timestamps (no message content, no call audio, no transcripts) | United States | |
| Google LLC (Places API) | Business lookup during onboarding (Google Places API) | Business name and location query (no caller data) | United States (global) | |
| Google LLC (Calendar API) | Check owner-connected Google Calendars for busy windows so the Service can avoid double-booking. Active only for tenants who connect a Google Calendar via OAuth. | OAuth tokens and calendar availability information (such as event times and busy/free status) for the calendars the owner authorizes | United States (global) | |
| Google LLC (Analytics 4) | Aggregate traffic analytics on the public EMOR Voice marketing website (page views, sessions, device and browser type, referral source). Loaded only for marketing-site visitors who accept analytics cookies; never runs on the signed-in dashboard or any tenant-facing surface. | Marketing-site visitor data only: IP address (anonymized), device and browser type, pages viewed, referral source. No tenant, call, SMS, lead, or billing data. | United States (global) | |
| Microsoft Corporation (Clarity) | Product analytics for the public EMOR Voice marketing website — heatmaps and session replay of marketing-page visits, used to find confusing layouts and broken flows. Loaded only for marketing-site visitors who accept analytics cookies; never runs on the signed-in dashboard or any tenant-facing surface. | Marketing-site visitor data only: IP address, device and browser type, pages viewed, and session-replay interaction data (mouse movement, scrolling, clicks, navigation; typed text is masked by default). No tenant, call, SMS, lead, or billing data. | United States (global) |
Notice of changes
We may add, remove, or replace subprocessors as our infrastructure evolves. For material changes — for example, adding a new subprocessor that processes call audio or transcripts — we will update this page and, where required by your contract or applicable law, notify customers in advance.
To receive change notifications by email, contact legal@emorai.com.
Third-party policies may change
The “Purpose,” “Data accessed,” and “Region” entries above summarize each subprocessor’s data-handling practices as of the “Last updated” date shown at the top of this page. Subprocessors may revise their own privacy policies, Data Processing Agreements, and operational practices independently of EMOR; we do not control the content of those documents. The current published documents at the linked URLs in the table above are the authoritative source for how each subprocessor handles data, and we encourage you to review them directly when current detail matters. We will update this page and the Privacy Policy to reflect material changes of which we become aware.
International data transfers
EMOR AI, LLC is based in the United States. Most of our subprocessors are also based in the United States or transfer data to the United States. Where personal data of individuals located in the European Economic Area, the United Kingdom, or Switzerland is transferred outside those jurisdictions, we and our subprocessors rely on Standard Contractual Clauses approved by the European Commission and other lawful transfer mechanisms.
Customer DPAs
Customers requiring a signed Data Processing Agreement, Business Associate Agreement (HIPAA), or Standard Contractual Clauses can request one from legal@emorai.com.
Contact
EMOR AI, LLC
563 NW 31st Avenue
Gainesville, FL 32609
Phone: (305) 582-0181
Email: legal@emorai.com