Third-Party Subprocessors
Last updated: 21 October 2025
We use a small number of trusted service providers (“subprocessors”) to help us run and protect our service.
Because our app is used by children, we apply extra care to privacy, security, and data minimisation.
Each subprocessor only processes personal data needed for their specific task and is bound by a Data Processing Agreement (DPA).
Current Subprocessors
| Name | Purpose | Processing Regions | Data Handled |
|---|---|---|---|
| Cloudflare, Inc. | Content delivery network (CDN), DNS, DDoS protection, and web security services | Global network (including EU/UK; limited transfers may occur for security operations) | IP addresses, HTTP request metadata, and limited logs for security and performance. Retained briefly for protection and debugging. |
| Render, Inc. | Hosting and application infrastructure | Primarily EU (limited administrative access from other regions for support and continuity) | Application data (e.g., user records, logs, telemetry) stored and processed securely. Access limited to authorised personnel. |
| MailerSend (The Remote Company, SIA) | Transactional and notification email delivery | EU (primary data centres within the European Union) | User email addresses and message content (e.g., password resets, notifications). Compliant with GDPR and supports EU-only data storage. |
Safeguards
We ensure that all subprocessors:
- Use strong technical and organisational measures to protect data.
- Process data only under our written instruction.
- Are bound by GDPR-compliant Data Processing Agreements (DPAs).
- Transfer data outside the UK/EU only with appropriate safeguards such as Standard Contractual Clauses (SCCs).
Updates
We may add or replace subprocessors as our service grows.
When this happens, we’ll update this page and, if required by law, notify affected users in advance.