Last updated: April 13, 2026. Companion to the Privacy Policy.
Under Article 28 GDPR, the controller must maintain a written list of processors that handle personal data on its behalf. This page is that list. SocialHuman is operated by Olli Airola (Helsinki, Finland), acting as controller. Each processor below handles a bounded category of personal data for a specific purpose and is bound by a data processing agreement.
If you want a current, machine-signed copy of any of the data processing agreements referenced below, email olli@socialhuman.dev.
| Processor | Category | Purpose | Data categories | Jurisdiction | Transfer mechanism | Links |
|---|---|---|---|---|---|---|
| Supabase | Core infrastructure | Managed Postgres, auth, storage, and edge functions for the SocialHuman backend. | All account and content data. Auth identifiers, profile, posts, comments, messages (ciphertext), consents, verification metadata. | EU (Frankfurt region) | Intra-EU. No transfer. | Privacy . DPA |
| Cloudflare R2 | Media storage | Object storage for photos, videos, avatars, story media, and exports. | Content media (image, video, thumbnail). IP addresses and request metadata handled at Cloudflare's edge. | EU jurisdictional configuration | Intra-EU for storage. Cloudflare acts as global edge; covered by its SCCs where applicable. | Privacy . DPA |
| Fly.io | Verification compute | Hosts the verification microservice that runs forensic analyzers on uploaded captures. | Raw sensor readings, raw video segments, EXIF, keystroke timings. Transient during analysis, not persisted by Fly. | EU (Stockholm region) | Intra-EU. No transfer. | Privacy . DPA |
| Sentry (Functional Software, Inc.) | Error monitoring | Crash and error reporting for the mobile client and verification service. sendDefaultPii is disabled. |
Stack traces, device model, OS version, app version, anonymised breadcrumbs. No user content. No IP address by default. | EU region endpoint (de.sentry.io, Frankfurt) |
Intra-EU (EU region). Fallback SCCs 2021/914 if any incident routing touches the US parent. | Privacy . DPA |
| RevenueCat | Subscription management | Handles Apple App Store and Google Play subscription entitlement for Founding Member. | App-specific user ID, subscription status, transaction receipts. No payment card details (handled by Apple or Google). | United States | SCCs 2021/914. DPF-certified where applicable. | Privacy . DPA |
| Expo (EAS + Expo Push) | Build pipeline and push notifications | Native builds, OTA JavaScript updates, and push notification delivery routing (falls through to Apple APNs and Google FCM). | Expo push tokens, build logs. | United States | SCCs 2021/914. | Privacy . Terms |
| Apple (Sign in with Apple, APNs) | Identity provider, push transport | Federated sign-in and push notification transport for iOS. | Apple user identifier (pseudonymous), device push token. | Ireland (EU) for data controller; US parent | Intra-EU for data handled by Apple Distribution International. SCCs where applicable. | Privacy |
| Google (Sign in with Google, FCM) | Identity provider, push transport | Federated sign-in and push notification transport for Android. | Google sub identifier (pseudonymous), device push token. | Ireland (EU) for data controller; US parent | SCCs 2021/914. DPF-certified. | Privacy |
| Vercel | Landing page hosting | Serves socialhuman.dev, the share bridge at /post/:id, and the waitlist pages. |
Visitor IP address, user-agent, request logs (Vercel edge defaults). | United States | SCCs 2021/914. DPF-certified. | Privacy . DPA |
/fonts/Inter-*.woff2 to avoid surfacing visitor IPs to a third-party CDN on every page load.When we add, remove, or replace a processor, we update this page within 14 days and note the change in the privacy policy changelog. Material changes also trigger an in-product notice for logged-in users.
Questions about this list, or about a specific processor's role in your data, go to olli@socialhuman.dev.