Sub-processors
1. Infrastructure, Hosting, Media Delivery, and Firebase Services
| Sub-processor | Service | Data categories | Location |
|---|---|---|---|
| Google Cloud / Firebase (Google LLC and Google Ireland Ltd) | Firebase Auth, Firestore, Cloud Storage, Cloud Functions, Firebase Cloud Messaging (FCM), Firebase Analytics, Crashlytics, Performance Monitoring, App Check, Remote Config, Hosting, Dynamic Links. Operates under the Google Cloud Data Processing Addendum as our processor; "Google signals", ads-personalisation joins, and similar controller-side enrichment features are disabled on our project. | All Platform personal data except OAuth tokens of Creator-Hub-linked platforms (stored separately) and Maps queries (which flow to Google Maps Platform as an independent controller — see Section 5). | EU (multi-region) and US, per service configuration |
| Mux, Inc. | Video infrastructure for user-uploaded video: ingest, encoding/transcoding, adaptive HLS packaging, a 480p MP4 static rendition, automated thumbnail/poster generation, and CDN-backed playback delivery. New video uploads route to Mux; videos uploaded before the migration continue to be served from Google Cloud Storage and our Cloud Run transcoding pipeline (dual-read). Mux acts only on our documented instructions under the Mux Data Processing Addendum (updated 1 April 2025); it may not use the content for its own purposes and does not sell it. We do not use Mux Data (Mux's viewer-analytics product) — no analytics SDK is integrated — so no playback analytics beyond the request logs inherent to CDN delivery are collected by Mux on our behalf. Retention: the encoded video and its derivatives are stored at Mux for as long as the associated post is available on the Platform; when a post or account is deleted, the corresponding Mux asset is deleted as part of our deletion process (see Privacy Policy Section 20). | The uploaded video file and its machine-generated derivatives (HLS renditions, the MP4 preview, the poster image). This is user-generated content that may itself contain personal data (for example faces, voices, or location cues visible in the footage). A post identifier is sent so the asset links back to the post. On playback, Mux's delivery network necessarily receives standard request metadata (viewer IP address and device/user-agent). No account identifiers (name, username, email, profile photo, user ID) are sent to Mux. | United States, with global CDN edge delivery. Mux is certified under the EU-US Data Privacy Framework and offers EU Standard Contractual Clauses and the UK International Data Transfer Addendum for transfers. Mux's own sub-processors (cloud hosting and content-delivery providers) are listed in Exhibit 3 of the Mux DPA. |
2. AI and Machine Learning
| Sub-processor | Service | Data categories | Location and retention |
|---|---|---|---|
| Anthropic PBC | Claude family (currently Claude Haiku 4.5) for post categorisation | Post text (truncated to ~1,000 characters) and machine-generated media descriptions. No account identifiers (name, username, email, profile photo, user ID) are sent with the request. | United States. Under Anthropic's Commercial Terms, Anthropic is prohibited from using customer API inputs or outputs to train its foundation models. Anthropic's standard Trust & Safety retention of up to 30 days applies to API inputs and outputs on the Anthropic side; Zero Data Retention is configured per-account and is not currently enabled on SocialGryd's account. In addition, the inbound post text and the AI-generated category label are written to Google Cloud Logging (our processor under the Firebase DPA) for up to 30 days as part of routine Cloud Functions diagnostics, and the assigned category labels themselves are stored on the post for its lifetime. |
| Google LLC | Google Cloud Vision API (SafeSearch image moderation) for automated content checks on event cover photos and Page cover photos uploaded by hosts. The result is an "adult / violence / racy" likelihood label used to flip flagged images into our admin moderation queue; no human reviews the image unless flagged. | Cover-image bytes (≤ 5MB JPEG/PNG/WebP) uploaded by the host. No account identifiers (uid, email, display name) are sent with the request — the image-storage path includes the uploader's UID but that is not transmitted to Vision; only the image bytes are. | Processing region: us-central1 (the same Google Cloud region as our Firestore + Cloud Functions, under our existing Google Cloud customer agreement and DPA). Google's published Cloud Vision data-use policy applies: no use of customer image data to train Google's models, transient processing only, no human review in normal operations, no long-term retention of submitted images beyond the synchronous API call. |
3. Analytics and Product Telemetry
| Sub-processor | Service | Data categories | Location |
|---|---|---|---|
| Amplitude Inc. (planned) | Product analytics, funnels, A/B test measurement, cohort analysis. Not yet routing personal data in production. | Event names, event properties, pseudonymous user ID, device metadata, IP (truncated) | US, with EU data residency where configured |
4. Email Delivery
| Sub-processor | Service | Data categories | Location |
|---|---|---|---|
| Resend Inc. | Transactional and marketing email delivery. Inbound delivery-event webhooks from Resend are signed using the Svix webhook-signature standard; we verify those signatures locally. Svix-the-company is Resend's sub-processor for webhook delivery, not ours — see Resend's own privacy stack for that disclosure. | Email address, email subject and body, delivery events (opens, bounces, clicks) | US / Global (via AWS SES infrastructure) |
5. Independent Controllers (Not Sub-Processors)
The recipients listed in this section are not our sub-processors. Once data flows to them — whether through your use of a Platform feature, your authentication choice, your purchase, or the operating system's push-delivery machinery — they determine the purposes and means of processing under their own terms and act as independent data controllers in their own right. They may use the data they receive for their own service-improvement, fraud-prevention, security, billing-integrity, abuse, and analytics purposes, subject to their own privacy policies and the applicable law of the country where they are established. We list them here for transparency so you understand where your data flows; we do not control what they do with it once the API call or OS-level event reaches them.
| Recipient | Role we use them for | Data they receive | Their terms / privacy policy |
|---|---|---|---|
| Google LLC and Google Ireland Ltd (Google Maps Platform) | Maps SDK, Places API, Geocoding API, Distance Matrix — used to render maps, autocomplete place searches, and look up coordinates | IP address, search queries you type into a place picker, approximate or precise coordinates when you use a location-dependent feature, device and browser identifiers | Google Maps Platform Terms of Service and the Google Privacy Policy. Google is a controller for Maps queries under the Maps Platform Controller-Controller Data Protection Terms; the Google Cloud DPA that governs our Firebase relationship does not apply to Maps API calls. |
| Apple Inc. (Sign in with Apple) | OAuth identity-provider for authentication on iOS, macOS, and the web | Authentication request, Apple ID-derived stable user identifier, optional name and (private or relayed) email, sign-in events for Apple's account-security and abuse-detection systems | Sign in with Apple agreement and the Apple Privacy Policy. |
| Google LLC (Google Sign-In) | OAuth identity-provider for authentication on Android, iOS, and the web | Authentication request, Google account-derived stable user identifier, name, email, profile photo URL, sign-in events for Google's account-security and abuse-detection systems | Google Privacy Policy and the Google APIs Terms of Service. |
| Apple Inc. (Apple Push Notification service, APNs) | Push-notification delivery on iOS | APNs device token, notification payload at delivery time, delivery feedback (token validity, unregistered state). We do not send personally identifying content in the payload by default; safety, proximity, and service notifications may include short text the recipient already has access to. | Apple Privacy Policy and the Apple Developer Program Licence Agreement. Apple controls APNs infrastructure. |
| Apple Inc. (App Store / In-App Purchase) | iOS in-app purchase and subscription billing | Apple original transaction ID, receipt, subscription status, purchase events for fraud-detection and tax purposes | App Store Terms and Apple Privacy Policy. |
| Google LLC (Google Play Billing) | Android in-app purchase and subscription billing | Play purchase token, subscription status, purchase events for fraud-detection and tax purposes | Google Play Terms of Service and Google Privacy Policy. |
6. Payments (Sub-Processors)
Stripe processes card payments on our documented instructions under the Stripe Data Processing Agreement and applicable Standard Contractual Clauses.
Status: Stripe is pre-launch. As of this version, SocialGryd is not processing live payments through Stripe (neither subscription billing nor Marketplace payouts). The Stripe integration is built but not active in production. We will update this page before routing live payment data to Stripe.
| Sub-processor | Service | Data categories | Location |
|---|---|---|---|
| Stripe, Inc. and Stripe Payments Europe Ltd | Subscription billing, Marketplace payouts, tax calculation, invoicing | Billing name, email, country, card metadata (last 4 / brand), transaction history | EU and US |
7. Event Data Sources
| Sub-processor / Source | Service | Data categories | Location |
|---|---|---|---|
| Ticketmaster (Live Nation Entertainment) | Discovery API for public event metadata | We receive event metadata (not personal data). We do not send user data to Ticketmaster unless a user clicks through. | US / Global |
| Eventbrite, Inc. | Eventbrite API and public-page metadata scraping where terms permit | We receive event metadata. We do not send user data to Eventbrite unless a user clicks through. | US / Global |
8. Creator Hub: External Platforms You Authorise
These platforms become sub-processors only to the extent you connect them via OAuth. You authorise specific scopes at connection and can revoke at any time.
| Platform | Service | Data categories exchanged |
|---|---|---|
| YouTube / Google LLC | YouTube Data API | Channel metrics, video statistics, optional comments |
| TikTok (ByteDance) | TikTok for Developers | Public profile, video statistics, optional DMs (default-off) |
| Meta Platforms (Instagram, Facebook, Threads) | Meta Graph API | Business Account metrics, posts, optional DMs (default-off, Business Account only) |
| X Corp. | X API | Public profile, post metrics, optional DMs (default-off; subject to X API tier) |
| LinkedIn (Microsoft) | LinkedIn Marketing API | Basic profile, post statistics |
| Twitch / Amazon | Twitch Helix API | Channel information, stream analytics, optional chat logs |
| Snap Inc. (Snapchat) | Snap Kit | Public profile, post metrics |
| Pinterest, Inc. | Pinterest API | Public profile, pin and board statistics |
9. Internal Operations and Productivity (Business Contact Data Only)
These tools are used by the SocialGryd team for internal operations. They do not receive end-user Platform content except where a support ticket, investigation, or business contact requires.
| Sub-processor | Service |
|---|---|
| Google LLC (Google Workspace) | Business email, Drive, Docs, Meet |
| Linear Orbit, Inc. | Product issue tracking |
| Slack Technologies / Salesforce | Internal team communications |
| Notion Labs, Inc. | Internal documentation and knowledge base |
| GitHub / Microsoft | Source-code hosting |
10. Planned Services (Not Yet Routing Personal Data)
We will update this page, notify users where material, and obtain consent or offer objection where required, before routing personal data to any of the following in production.
- Amazon Web Services, Inc.: AWS Personalize (recommendations), AWS Rekognition (image/video moderation), AWS Comprehend (text moderation), AWS Neptune (graph analytics), AWS SageMaker (de-identified ML training); region selection tentatively EU-West / Singapore / US-East. (Media hosting, HLS transcoding, and video delivery for new uploads are now provided by Mux — see Section 1 — superseding the previously-planned AWS S3 / CloudFront / MediaConvert media path.)
- OpenAI / additional LLM providers: potential secondary or fallback AI provider; no data is routed today.
11. Transfer Safeguards and Transfer Impact Assessment
Where a sub-processor is located outside the EEA or UK, we rely on European Commission adequacy decisions (including the EU-US Data Privacy Framework for certified recipients), Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) with any necessary supplementary measures, and the UK IDTA or UK Addendum, as described in the Privacy Policy Section 19.
Consistent with the CJEU's judgment in Schrems II (C-311/18) and EDPB Recommendations 01/2020, we conduct a Transfer Impact Assessment ("TIA") before enabling any onward transfer to a third country, covering (i) the legal basis of the transfer, (ii) the destination country's law and practice relevant to government access, (iii) any supplementary technical (encryption, pseudonymisation), organisational, and contractual measures, and (iv) ongoing monitoring. The TIA is kept on record under Article 30 GDPR. A redacted summary covering the most significant transfers is available to business customers with a DPA on request at dpo@socialgryd.com.
12. How to Object to a Sub-processor
Business customers (partners, brands) with a DPA may object in writing within 30 days of notice of a new sub-processor by emailing privacy@socialgryd.com. If we cannot accommodate the objection, we will work with you in good faith to find an alternative, and failing that, either party may terminate the affected service under the DPA.
End users may object to particular processing activities under GDPR Article 21 and the Privacy Policy.
13. History of Changes
- 30 May 2026 (v1.6): added Mux, Inc. as a media hosting and video-delivery sub-processor (Section 1). New user-uploaded videos are encoded, packaged as adaptive HLS plus a 480p MP4, thumbnailed, and delivered via Mux's CDN; videos uploaded before the migration continue to be served from Google Cloud Storage / our Cloud Run pipeline (dual-read). This supersedes the previously-planned AWS S3 / CloudFront / MediaConvert media path, which is removed from Section 10. Mux is certified under the EU-US Data Privacy Framework and processes under the Mux DPA; we do not use Mux Data viewer analytics. No change to AI, payments, or other data flows.
- 22 May 2026 (v1.4 revision): corrected listing of Shorebird and Svix, neither of which is actually a SocialGryd sub-processor in production. (a) Shorebird (over-the-air code delivery) was disclosed as a sub-processor from v1.0 onward; on audit we confirmed that the shorebird_code_push SDK is not integrated in the deployed app and no patches have ever been delivered, so Shorebird has never received personal data from SocialGryd. The Shorebird entry and the entire former Section 5 ("Over-the-Air Code Delivery") are removed. (b) Svix (webhook infrastructure) appeared in Section 4 (Email and Webhook Delivery) but on audit is Resend's sub-processor for webhook delivery, not ours — we only use the open-source Svix npm library to verify the signature of inbound webhooks Resend sends us. Svix-the-company sees no SocialGryd data. The Svix entry is removed and Section 4 renamed "Email Delivery". Sections 6-14 renumbered to 5-13. No new sub-processor added; no change to data flows.
- 21 May 2026 (v1.4): structural rewrite to correctly distinguish sub-processors from independent controllers. Google Maps Platform moved out of "Infrastructure" into a new Section 6 ("Independent Controllers (Not Sub-Processors)") together with Apple Sign-In, Google Sign-In, Apple Push Notification service (APNs), Apple App Store, and Google Play Billing — each of which acts under its own terms once data reaches it. Stripe split into its own Section 7 ("Payments (Sub-Processors)") for clarity. Anthropic disclosure updated to explicitly state that Zero Data Retention is not currently enabled on our account and that post text plus AI category labels are written to Google Cloud Logging for up to 30 days for routine Cloud Functions diagnostics. Objection window for business customers extended from 14 to 30 days to align with industry norm.
- 25 April 2026 (v1.3): correction. Restored Anthropic to live status. The v1.2 entry incorrectly flagged Anthropic as planned; in fact onPostCategorize has been deployed and routing post text to Claude Haiku 4.5 since the Phase 2 rollout. Amplitude remains genuinely planned (vendored but not integrated). Stripe Marketplace payouts remain pre-launch.
- 22 April 2026 (v1.2): flagged Amplitude and Stripe (Marketplace payouts) as pre-launch; the Anthropic flag in this version was incorrect and is corrected in v1.3.
- 22 April 2026 (v1.0): initial publication. Added Amplitude, Svix, and Shorebird to the public list; consolidated all sub-processors in a single page.