We engage the following sub-processors. Each operates under a Data Processing Agreement (DPA). Where the entity is incorporated outside the EU but operates EU infrastructure, the transfer is covered by Standard Contractual Clauses (SCCs) under Chapter V of the GDPR.
Hosts our Postgres database, the Supabase Auth identity provider, and binary storage (when used). Holds account credentials, the hashed audit ledger, your consent records, and the transactional-email outbox.
Role: Application hosting, edge runtime, scheduled jobs
Serves gaether.app from EU edge regions, runs our scheduled jobs, and aggregates request logs (minimised — no request bodies, IPs hashed). Hosts only the application surface; user-data storage lives at Supabase.
Captures uncaught exceptions and stack traces in Sentry's EU (Frankfurt) region so we can identify and fix software defects affecting users. We send no user identity, suppress IP addresses, disable tracing and session replay, and run a server-side scrubber that removes any personal data from the payload before it leaves us. Cookieless — nothing is stored on your device. You may object to this processing at any time by contacting us using the address above.
Renders the cookie banner you saw on first visit and brokers your per-purpose consent choices. We store the resulting decisions in our own append-only ledger; Iubenda's role is the banner UI and the legal-text infrastructure.
Delivers the essential transactional emails we send you (signup confirmation, password reset, email change, magic-link sign-in, account notifications). Receives the recipient address and the rendered message body.
When you choose to verify a phone number, we ask Sinch to send you a one-time code and to confirm the code you enter. Sinch operates the verification exchange, so it — not we — holds your raw number, and only for as long as the check takes. We store only a keyed, irreversible hash of the number, never the number itself. Sinch processes in the EU (headquartered in Sweden).
Provides cookieless, aggregate page-view counts on our marketing pages. No per-user identity, no IP storage, no cross-site tracking. Permitted under the ePrivacy Directive's measurement carve-out.
When you search for an event venue, we send your search text to MapTiler to turn it into a map point. We don't send your account identity. The point is then matched to a public administrative area in our own data.
Machine-translates the platform's own interface text (buttons, labels, messages) into your language. In v1 we send only our own UI strings — never your messages, posts, or profile. DeepL processes in the EU (Germany).
Reviews — and, as a fallback, produces — the machine translation of our interface text, checking it against our glossary and brand voice. Like DeepL, only the platform's own UI strings are sent in v1, never your content. Mistral processes in the EU (France).
Maintains the NUTS/LAU geographic taxonomy we use as a reference dataset for region selection within Europe. Eurostat receives no user data from us — we ingest their public open data.
Publishes the Overture Maps Divisions dataset under an open licence. We import a snapshot quarterly. Overture receives no user data from us — we read their public open data.