We believe in being open about who helps us run PrizeArena. As the data controller, we use a small number of trusted third-party providers (“sub-processors”) to operate the site. Each is bound by a written data-processing agreement requiring it to protect your data to a standard no lower than we owe you, and we remain responsible for their performance.
Current sub-processors
| Provider | Purpose | Location | Transfer safeguard |
|---|---|---|---|
| Supabase | Database, authentication and realtime for entrant accounts, entries, orders and winners | EU (AWS-backed) | DPA + UK IDTA / SCC Addendum |
| Cloudflare | Hosting, CDN, DNS, edge security (WAF/DDoS/bot mitigation) | Global edge (US-headquartered) | Cloudflare DPA + UK Addendum to the EU SCCs |
| Payment gateway (Cashflows or approved acquirer — TBC) | Processing entry payments. We store only a gateway-issued token — never card details. | UK / EEA | Gateway DPA; PCI DSS held by the gateway |
| Email provider (TBC) | Transactional email — entry confirmations, ticket numbers, winner notifications | UK / EEA | Provider DPA + UK transfer safeguards |
| Analytics (Google Analytics 4 — if enabled) | Aggregate, consent-based site analytics | US | Google DPA + EU-US DPF / UK Extension |
Payments
Entry payments are captured by our payment gateway under its own PCI DSS compliance. We never receive or store full card details — only a gateway-issued token that lets us match a payment to an entry.
How we notify changes
We'll update this page before we add or replace a sub-processor that handles personal data. Please check back periodically. For anything about this page, contact support@example.com.
Draft — final provider names, regions and safeguards to be confirmed once accounts (payment gateway, email) are chosen, and reviewed alongside the privacy policy before launch.