Sub-processors

Last updated: 2026-05-13

The short version. These are the third parties we rely on to run Playtcha. We keep the list current here, and for material additions we notify customers at least 14 days in advance when contract or law requires it.

1. What counts as a sub-processor

A sub-processor is a third party that processes personal data on our behalf when we provide Playtcha to customers. This page is the current public inventory for customer diligence and DPA review.

2. Current sub-processors

Provider	Purpose	Data categories	Region / transfer note
Supabase	Database, auth, stored procedures	Customer account records, project metadata, verification rows, masked IP prefixes, token hashes	EU-primary deployment. Standard Contractual Clauses apply where a cross-border transfer is involved.
Vercel	Web hosting, widget delivery, edge routing	HTTP request metadata, cached widget assets, API routing metadata, operational logs	Global edge delivery. Widget assets are cacheable static files; operational transfers are covered by contractual safeguards.
Brevo (Sendinblue)	Transactional email delivery	Customer email addresses and the contents of account or security notices	EU-based provider (France). Customer email contents stay within the EU.
Google LLC (Google Analytics 4)	Marketing-site pageview analytics. Scoped to `playtcha.com` marketing pages only; the dashboard and the embedded widget are NEVER instrumented.	Anonymized IP (last octet removed), pageview path, referrer. No ads signals, no user-level identifiers. Loaded ONLY after visitor consent.	US-based. Standard Contractual Clauses apply for any EU / UK visitor data. Visitor can withdraw consent any time via the “Cookie settings” footer link.
Stripe Payments Europe Ltd.	Subscription billing for paid Playtcha tiers (Starter, Business). Stripe-hosted Checkout + Customer Portal handle card capture and management.	Customer email, billing address, last 4 of payment card, Stripe customer + subscription IDs. Full card numbers are never sent to Playtcha — they live with Stripe.	EU entity (Ireland) for EU customers; US transfer covered by Standard Contractual Clauses. PCI DSS Level 1 scope handled by Stripe.
Functional Software, Inc. (Sentry)	Server- and browser-side error reporting for the marketing site, dashboard, and backend API. NOT instrumented on the embedded widget that runs on customer sites.	Stack traces, sanitized request URLs (sensitive query params + bodies stripped before transmission), browser / runtime metadata. `sendDefaultPii: false` so no automatic IP / cookie / email attachment.	EU region (DE / Frankfurt) for this account. Session Replay is disabled.

3. Changes to this list

We update this page when we add, remove, or materially change a sub-processor. For material additions, we aim to notify customer admins by email and dashboard notice at least 14 days before the change takes effect, unless a shorter window is required for a security or legal reason.

4. Change history

2026-05-13: added Stripe Payments Europe Ltd. (subscription billing) and Functional Software, Inc. (Sentry — error reporting). Both were already operational; this entry brings the published list current.
2026-05-12: added Google LLC (Google Analytics 4) for marketing-site pageview analytics; consent-gated.
2026-05-10: initial public publication of the sub-processor list.

5. Contact

Questions about sub-processors or transfer mechanisms: support@playtcha.com.

2. Current sub-processors

Provider	Purpose	Data categories	Region / transfer note
Supabase	Database, auth, stored procedures	Customer account records, project metadata, verification rows, masked IP prefixes, token hashes	EU-primary deployment. Standard Contractual Clauses apply where a cross-border transfer is involved.
Vercel	Web hosting, widget delivery, edge routing	HTTP request metadata, cached widget assets, API routing metadata, operational logs	Global edge delivery. Widget assets are cacheable static files; operational transfers are covered by contractual safeguards.
Brevo (Sendinblue)	Transactional email delivery	Customer email addresses and the contents of account or security notices	EU-based provider (France). Customer email contents stay within the EU.
Google LLC (Google Analytics 4)	Marketing-site pageview analytics. Scoped to `playtcha.com` marketing pages only; the dashboard and the embedded widget are NEVER instrumented.	Anonymized IP (last octet removed), pageview path, referrer. No ads signals, no user-level identifiers. Loaded ONLY after visitor consent.	US-based. Standard Contractual Clauses apply for any EU / UK visitor data. Visitor can withdraw consent any time via the “Cookie settings” footer link.
Stripe Payments Europe Ltd.	Subscription billing for paid Playtcha tiers (Starter, Business). Stripe-hosted Checkout + Customer Portal handle card capture and management.	Customer email, billing address, last 4 of payment card, Stripe customer + subscription IDs. Full card numbers are never sent to Playtcha — they live with Stripe.	EU entity (Ireland) for EU customers; US transfer covered by Standard Contractual Clauses. PCI DSS Level 1 scope handled by Stripe.
Functional Software, Inc. (Sentry)	Server- and browser-side error reporting for the marketing site, dashboard, and backend API. NOT instrumented on the embedded widget that runs on customer sites.	Stack traces, sanitized request URLs (sensitive query params + bodies stripped before transmission), browser / runtime metadata. `sendDefaultPii: false` so no automatic IP / cookie / email attachment.	EU region (DE / Frankfurt) for this account. Session Replay is disabled.

4. Change history

2026-05-13: added Stripe Payments Europe Ltd. (subscription billing) and Functional Software, Inc. (Sentry — error reporting). Both were already operational; this entry brings the published list current.
2026-05-12: added Google LLC (Google Analytics 4) for marketing-site pageview analytics; consent-gated.
2026-05-10: initial public publication of the sub-processor list.