Legal · Transparency
Sub-processors
Every external service that processes data on behalf of a controller using WWFC Kit Room.
Maintained under UK GDPR Article 28(4) and the DPA executed with each controller.
Last updated 28 June 2026 · Controllers receive at least 14 days' advance notice before any addition (concurrent notice for emergency service-continuity swaps).
Fly.io
In use since 2025-09-01
Application hosting and managed Postgres database.
- Processing region
- London (LHR), United Kingdom
- Data categories
-
- All Personal Data processed by the platform (at rest and in flight).
- Transfer mechanism
- UK adequacy — Fly.io processing occurs in the LHR region; no international transfer.
- Their DPA
- https://fly.io/legal/dpa/
Backblaze B2
In use since 2025-09-01
Encrypted off-site backup storage.
- Processing region
- EU Central (Amsterdam / Frankfurt)
- Data categories
-
- Encrypted database snapshots (restic-encrypted, AES-256, client-side).
- Transfer mechanism
- UK / EU adequacy. Backblaze sees only ciphertext — the encryption key is held by the platform operator independently of Backblaze.
- Their DPA
- https://www.backblaze.com/company/dpa.html
Anthropic, PBC
In use since 2026-02-15
Large language model for AI assistant queries and delivery-photo parsing.
- Processing region
- United States
- Data categories
-
- Pseudonymised tool results (names, jersey numbers, squads, sites and emails are tokenised before egress; see app/pseudonymise.py).
- User question text (typically operational, not identifying).
- Image content (delivery photos) where the user invokes the receive-by-photo flow.
- Transfer mechanism
- UK International Data Transfer Addendum / SCCs as applicable. For the AI assistant, the platform pseudonymises identifying fields in tool results BEFORE the request leaves the UK region — for those, the LLM provider receives tokens (e.g. PERSON-1, ITEM-7), not real names. Note: the optional receive-by-photo flow transfers the delivery-note image content un-pseudonymised, as the image cannot be tokenised; only upload a note where this transfer is acceptable.
- Their DPA
- https://www.anthropic.com/legal/dpa
Sentry (Functional Software, Inc.)
In use since 2025-09-01
Application error tracking and alerting.
- Processing region
- European Union (Frankfurt)
- Data categories
-
- Stack traces, request paths, user IDs, tenant IDs, request IDs.
- PII scrubbed at the SDK boundary before egress: a sensitive-key filter drops fields such as name, email, phone, address, password, token, pin, barcode and free-form notes, and frame locals + request bodies are removed entirely (see app/__init__.py:_sentry_before_send).
- Transfer mechanism
- EU adequacy via Sentry's Frankfurt region.
- Their DPA
- https://sentry.io/legal/dpa/
unpkg (Cloudflare, Inc.)
In use since 2025-09-01
Public CDN delivering the html5-qrcode browser library used by the camera scan screens (loaded with Subresource Integrity).
- Processing region
- Global edge network (nearest point of presence to the visitor).
- Data categories
-
- Browser request metadata only — IP address and user-agent of staff loading a scan page. No application or player data is sent to the CDN.
- Transfer mechanism
- Standard Contractual Clauses as applicable. The CDN serves a static, integrity-pinned script and receives no Personal Data beyond the connecting browser's network metadata. Self-hosting this library to remove the sub-processor entirely is a planned hardening step.
- Their DPA
- https://www.cloudflare.com/cloudflare-customer-dpa/
Browser push services (Apple, Google, Mozilla)
In use since 2026-02-15
Transport relay for web-push notifications to a staff member's own browser/device, where they have opted in.
- Processing region
- Operated by the relevant browser vendor; varies by recipient device.
- Data categories
-
- An opaque push endpoint URL registered by the recipient's browser.
- End-to-end-encrypted notification payload — the title and body are encrypted in the application (VAPID / aes128gcm via pywebpush) before transport; the relay forwards ciphertext only.
- Transfer mechanism
- The notification payload is encrypted client-side to keys held only by the recipient's browser before it leaves the platform; the push relay never sees plaintext content, only the encrypted blob and the recipient's own endpoint.
Microsoft (Graph API)
In use since 2025-09-01
Outbound email transport for the weekly digest and operational notifications.
- Processing region
- United Kingdom / European Union (primary); global Microsoft 365 infrastructure.
- Data categories
-
- Email content (operational summaries — typically counts and aggregates, not individual player data).
- Recipient email addresses.
- Transfer mechanism
- UK adequacy; Microsoft 365 tenant configured for UK / EU primary residency.
- Their DPA
- https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA
How to raise an objection
Per Article 28(2) UK GDPR and §8.3 of the executed DPA, a controller may object to any sub-processor on reasonable data-protection grounds within the notice window. Send objections in writing to the data-protection contact named in your DPA. If the objection cannot reasonably be resolved within 30 days, either party may terminate the affected processing without penalty.
Anthropic transfer — additional safeguard
For the AI assistant, the data Anthropic receives is pseudonymised. Names, jersey numbers, squads, sites and emails in the assistant's tool results are tokenised (replaced with non-identifying labels such as PERSON-1, ITEM-7, SQUAD-3) at the application boundary before any request crosses jurisdictions, and detokenised only on return inside the UK region. For those results, the LLM provider sees tokens, not real names. The pseudonymisation layer is documented at app/pseudonymise.py in the source code.
The optional receive-by-photo flow is the one exception: when a kitman uploads a photo of a paper delivery note, the image content is transferred to Anthropic un-pseudonymised, because an image cannot be tokenised. Delivery notes are operational documents (supplier, item descriptions, quantities) and should not contain player data — only upload a note where this transfer is acceptable.