This register explains the third-party providers EU Returns Hub may use to operate its website, business intake, digital product delivery, service-client workflows, storage, communications and logistics-related execution.
We prefer EU locations where feasible, apply data minimisation, and use contractual safeguards such as DPAs and SCCs where required. Service-layer processing applies only where a relevant service relationship or client instruction exists.
This page supports GDPR transparency for service clients, Operator Kit buyers, partners and business contacts.
Transparency register
Not every vendor is used for every relationship. Some providers support the website and digital product layer. Others apply only to approved service-client workflows or specific client instructions.
Providers used for hosting, contact forms, business email, account records and digital product communication.
Providers that may support return photos, reports, records, storage and client-specific service execution.
Logistics, forwarding or messaging providers may be used when requested or required for a specific workflow.
Some providers are listed for transparency but are not enabled until the relevant feature or service layer is activated.
Important: this page is a transparency register. It does not by itself activate any service workflow, data transfer or return-address access. Service-layer processing applies only where a relevant approved relationship, instruction or workflow exists.
Register identity
The applicable role depends on the relationship: website visitor, digital product buyer, business contact, affiliate, partner or approved service client.
Sub-processor register
The tables below list vendor categories, purposes, typical personal data, locations and safeguards.
| Vendor | Service / purpose | Typical personal data | Primary location | Safeguards | Status |
|---|---|---|---|---|---|
| Hostinger | Website hosting, domain-related infrastructure and static site delivery. | Technical logs, IP address, device/browser metadata, contact form routing metadata where applicable. | EU/EEA or provider-selected infrastructure, depending on hosting configuration. | Provider security controls, account access controls, HTTPS, limited administrative access. | Active |
| Google Workspace / Apps Script | Business intake, forms, operational sheets, administrative records, internal workflows and transactional communication logic. | Business contact details, company, inquiry type, plan/tier, referral code, operational form metadata and account notes. | EEA/region selection where available; limited cross-region processing may occur according to vendor design. | DPA/SCCs where applicable, encryption in transit/at rest, access controls, least-privilege internal access. | Active |
| Zoho Mail | Business email, written support, partner communication, service-client communication and product buyer communication. | Name, email address, company, message content, business context and attachments voluntarily provided by the sender. | EU/EEA region where configured and available; vendor infrastructure may vary by account settings. | Provider DPA where applicable, account controls, password/2FA controls, access limitation and data minimisation. | Active |
| Payhip | Digital product storefront, checkout, order processing, download delivery, affiliate tracking and product access management. | Buyer name, email, order ID, purchase details, affiliate/referral metadata and payment-status information. | Provider infrastructure; payment processing may involve Payhip payment providers and connected processors. | Provider terms, payment-security controls, data minimisation, access controls and contractual safeguards where applicable. | Active / product layer |
| Vendor | Service / purpose | Typical personal data | Primary location | Safeguards | Status |
|---|---|---|---|---|---|
| AWS Europe | Object storage or internal hosting for return photos, reports, operational files and service-client records where enabled. | Return photos, parcel identifiers, operational metadata, report files and account-specific return records. | EU region where configured, typically EU-based storage for service-layer records where used. | DPA, region restriction where configured, IAM least-privilege, encryption at rest/in transit and access logging where enabled. | Service-layer / when enabled |
| Approved warehouse / 3PL partner | Physical intake, inspection, photo capture, grading support, storage or execution where a partner warehouse is used for a specific client workflow. | Client REF, parcel data, return photos, product condition notes, operational status and limited shipping metadata. | EU/EEA or agreed operational location, depending on the approved workflow. | Written instruction, confidentiality, DPA or equivalent processing terms where required, data minimisation and access limitation. | As assigned |
| Vendor | Purpose | Typical personal data | Location | Safeguards | Status |
|---|---|---|---|---|---|
| Logistics and forwarding providers | Export to CN, intra-EU shipping, resale shipment, return forwarding or other client-instructed dispatch. | Shipment labels, sender/recipient details, tracking number, package metadata and customs/shipping data where necessary. | EU and non-EU, route-dependent. | Controller instruction, data minimisation, carrier terms, SCCs/DPAs where applicable and route-specific necessity. | As instructed |
| Tencent / WeChat / WeCom | Optional written communication channel when a client, buyer, affiliate or partner chooses this channel. | Business contact handle, messages and contact details voluntarily shared by the user. | China / global provider infrastructure. | User/client instruction, business communications only, avoid sensitive data, no buyer PII beyond what is necessary, no return photos via chat unless specifically agreed. | Optional channel |
| Stripe / PayPal or connected checkout processors | Card, wallet or online payment processing where used by Payhip or a direct checkout flow. | Payment details, payer identity, transaction ID, billing metadata and fraud-prevention signals handled by the payment provider. | Provider infrastructure; may include non-EEA processing under payment-provider terms. | PCI-DSS environment controlled by payment provider, provider DPA/terms, fraud controls and data minimisation. | Payment-dependent |
| Vendor / category | Purpose | Trigger and prerequisites | Status |
|---|---|---|---|
| Privacy-preserving product analytics | Website UX analytics, conversion analysis and product-page performance measurement. | Not enabled unless implemented with consent logic, cookie notice update and appropriate vendor review. | Not enabled |
| Customer support / ticketing system | Structured support inbox, service-client issue tracking and product buyer support. | Introduced only if message volume requires ticketing and after vendor review. | Planned if needed |
| Additional EU warehouse or logistics partners | Expanded intake, inspection, storage, resale or export capacity. | Used only after operational approval, client instruction, service terms and appropriate processing safeguards. | Capacity-dependent |
Governance
Sub-processor governance is built around necessity, access limitation, written records and client transparency.
For website visitors, business contacts, product buyers, affiliates and partners, EU Returns Hub may act as an independent controller for account, communication, purchase and relationship data.
For approved service-client workflows, the client may act as Controller and EU Returns Hub may act as Processor under the applicable DPA or service arrangement. The specific role depends on the actual relationship and data category.
Some providers may process data outside the EEA depending on vendor infrastructure, routing, communication channel, payment method, logistics destination or client instruction.
Where restricted transfers occur and GDPR applies, appropriate safeguards such as Standard Contractual Clauses, vendor transfer terms, data minimisation and necessity-based processing are used where applicable.
We aim to provide at least 15 days’ prior notice for material sub-processor changes that affect approved service-client processing. Notice may be given on this page, by email or through another appropriate written channel.
Material changes may include a new sub-processor, materially different processing purpose, significant location change or new category of service-layer processing.
Where the DPA applies, clients may object to a material sub-processor change on reasonable data-protection grounds by emailing denis@eureturnshub.eu.
If a reasonable objection cannot be resolved, the affected service may be adjusted or terminated according to the applicable service arrangement.
EU Returns Hub is not affiliated with Amazon, AliExpress, Temu, Shein, Shopify, Payhip or any other marketplace or commerce platform mentioned on this site. Platform names are used only for context, compatibility or business workflow explanation.
Operator Kit context
For Operator Kit buyers, this page shows how a returns-operations business can present sub-processor transparency and data-processing governance professionally.
Vendor transparency helps clients understand where data may be processed and why.
The register supports onboarding, DPA discussions and service-client confidence.
Questions about processing?
We keep vendor transparency written and traceable. For service-client, partner or product-related privacy questions, use the contact form or email us directly.
