Sub-processors
Version 1.1 | Last Updated: 22 April 2026
What this page is for. Under GDPR, UK GDPR, LGPD, and similar laws, when a company (like SocialGryd) engages a third party to process personal data on its behalf, that third party is a "processor" or "sub-processor". This page lists all our sub-processors and the categories of data they handle. We update this page when we add, remove, or change a sub-processor, and we publish material additions at least 14 days in advance for users who subscribe to the change feed (email
privacy@socialgryd.com with subject "Subscribe: Subprocessors" to join).
1. Infrastructure, Hosting, and Firebase Services
| Sub-processor | Service | Data categories | Location |
|---|
| Google Cloud / Firebase (Google LLC and Google Ireland Ltd) | Firebase Auth, Firestore, Cloud Storage, Cloud Functions, Firebase Cloud Messaging (FCM), Firebase Analytics, Crashlytics, Performance Monitoring, App Check, Remote Config, Hosting, Dynamic Links | All Platform personal data except OAuth tokens of Creator-Hub-linked platforms (stored separately) | EU (multi-region) and US, per service configuration |
| Google Maps Platform | Maps SDK, Places API, Geocoding API, Distance Matrix | Location search queries, approximate/precise coordinates, IP address | Global (Google data centres) |
2. AI and Machine Learning
| Sub-processor | Service | Data categories | Location |
|---|
| Anthropic PBC | Claude family (currently Claude Haiku 4.5) for post categorisation | Post text (truncated to ~1,000 characters) and machine-generated media descriptions | US (with Zero Data Retention where enabled) |
3. Analytics and Product Telemetry
| Sub-processor | Service | Data categories | Location |
|---|
| Amplitude Inc. | Product analytics, funnels, A/B test measurement, cohort analysis | Event names, event properties, pseudonymous user ID, device metadata, IP (truncated) | US, with EU data residency where configured |
4. Email and Webhook Delivery
| Sub-processor | Service | Data categories | Location |
|---|
| Resend Inc. | Transactional and marketing email delivery | Email address, email subject and body, delivery events (opens, bounces, clicks) | US / Global (via AWS SES infrastructure) |
| Svix, Inc. | Webhook infrastructure for service-to-service events | Webhook payloads (varies by event), delivery status, retry metadata | US / Global |
5. Over-the-Air Code Delivery
| Sub-processor | Service | Data categories | Location |
|---|
| Shorebird | OTA Dart code-push for mobile apps | Installation ID, app version, patch version, OS, country (no identifying account data) | US / Global CDN |
6. Payments
Stripe acts as a sub-processor (processor) for card payments and Marketplace payouts. Apple (App Store) and Google (Google Play Billing) act as independent controllers (not sub-processors) for in-app purchases made on their respective platforms: they determine the purposes and means of processing (including receipt generation, fraud detection, refund handling, and tax invoicing) under their own storefront terms, and they share a minimal set of transaction metadata with us so we can recognise an active subscription. We list them here for transparency about where your subscription and purchase data flows, not because we treat them as our processors.
| Recipient | Role | Service | Data categories | Location |
|---|
| Stripe, Inc. and Stripe Payments Europe Ltd | Sub-processor (processor) | Subscription billing, Marketplace payouts, tax calculation, invoicing | Billing name, email, country, card metadata (last 4 / brand), transaction history | EU and US |
| Apple Inc. (App Store) | Independent controller | iOS in-app purchase and subscription billing | Apple original transaction ID, receipt, subscription status | US / Global |
| Google LLC (Google Play Billing) | Independent controller | Android in-app purchase and subscription billing | Play purchase token, subscription status | Global (Google data centres) |
7. Event Data Sources
| Sub-processor / Source | Service | Data categories | Location |
|---|
| Ticketmaster (Live Nation Entertainment) | Discovery API for public event metadata | We receive event metadata (not personal data). We do not send user data to Ticketmaster unless a user clicks through. | US / Global |
| Eventbrite, Inc. | Eventbrite API and public-page metadata scraping where terms permit | We receive event metadata. We do not send user data to Eventbrite unless a user clicks through. | US / Global |
8. Creator Hub — External Platforms You Authorise
These platforms become sub-processors only to the extent you connect them via OAuth. You authorise specific scopes at connection and can revoke at any time.
| Platform | Service | Data categories exchanged |
|---|
| YouTube / Google LLC | YouTube Data API | Channel metrics, video statistics, optional comments |
| TikTok (ByteDance) | TikTok for Developers | Public profile, video statistics, optional DMs (default-off) |
| Meta Platforms (Instagram, Facebook, Threads) | Meta Graph API | Business Account metrics, posts, optional DMs (default-off, Business Account only) |
| X Corp. | X API | Public profile, post metrics, optional DMs (default-off; subject to X API tier) |
| LinkedIn (Microsoft) | LinkedIn Marketing API | Basic profile, post statistics |
| Twitch / Amazon | Twitch Helix API | Channel information, stream analytics, optional chat logs |
| Snap Inc. (Snapchat) | Snap Kit | Public profile, post metrics |
| Pinterest, Inc. | Pinterest API | Public profile, pin and board statistics |
9. Internal Operations and Productivity (Business Contact Data Only)
These tools are used by the SocialGryd team for internal operations. They do not receive end-user Platform content except where a support ticket, investigation, or business contact requires.
| Sub-processor | Service |
|---|
| Google LLC (Google Workspace) | Business email, Drive, Docs, Meet |
| Linear Orbit, Inc. | Product issue tracking |
| Slack Technologies / Salesforce | Internal team communications |
| Notion Labs, Inc. | Internal documentation and knowledge base |
| GitHub / Microsoft | Source-code hosting |
10. Planned Services (Not Yet Routing Personal Data)
We will update this page, notify users where material, and obtain consent or offer objection where required, before routing personal data to any of the following in production.
- Amazon Web Services, Inc.: AWS Personalize (recommendations), AWS Rekognition (image/video moderation), AWS Comprehend (text moderation), AWS Neptune (graph analytics), AWS SageMaker (de-identified ML training), AWS S3 / CloudFront (media delivery), AWS MediaConvert (HLS transcoding) — region selection tentatively EU-West / Singapore / US-East.
- OpenAI / additional LLM providers: potential secondary or fallback AI provider — no data is routed today.
11. Transfer Safeguards and Transfer Impact Assessment
Where a sub-processor is located outside the EEA or UK, we rely on European Commission adequacy decisions (including the EU-US Data Privacy Framework for certified recipients), Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) with any necessary supplementary measures, and the UK IDTA or UK Addendum, as described in the Privacy Policy Section 19.
Consistent with the CJEU's judgment in Schrems II (C-311/18) and EDPB Recommendations 01/2020, we conduct a Transfer Impact Assessment ("TIA") before enabling any onward transfer to a third country, covering (i) the legal basis of the transfer, (ii) the destination country's law and practice relevant to government access, (iii) any supplementary technical (encryption, pseudonymisation), organisational, and contractual measures, and (iv) ongoing monitoring. The TIA is kept on record under Article 30 GDPR. A redacted summary covering the most significant transfers is available to business customers with a DPA on request at dpo@socialgryd.com.
12. How to Object to a Sub-processor
Business customers (partners, brands) with a DPA may object in writing within 14 days of notice of a new sub-processor by emailing privacy@socialgryd.com. If we cannot accommodate the objection, we will work with you in good faith to find an alternative, and failing that, either party may terminate the affected service under the DPA.
End users may object to particular processing activities under GDPR Article 21 and the Privacy Policy.
13. History of Changes
- 22 April 2026 (v1.0): initial publication. Added Amplitude, Svix, and Shorebird to the public list; consolidated all sub-processors in a single page.