Under the GDPR, Gloam is a processor acting on the instructions of its customers (the controllers). This is the list of sub-processors we engage to deliver the service, maintained in accordance with Article 28(2) of the GDPR and the Data Processing Agreement.
We notify active subscribers by email at least thirty days before adding or replacing a sub-processor, giving the customer the opportunity to object. The date of any change is recorded in the change log at the foot of this page.
Services that do not process personal data (public content APIs for sports scores, movie metadata, translation of non-personal titles, and search engine indexing) are not listed here because they fall outside the scope of Article 28.
Clerk: user authentication, account management, session handling, and billing administration. Processes: email addresses, names, profile images, user identifiers, authentication tokens. Servers: United States. Certified under the EU-U.S. Data Privacy Framework. International transfers rely on SCCs and the DPF.
Vercel: application hosting, edge delivery, serverless functions, and deployment artefacts. Processes: request metadata, application logs, server-side rendering output. Servers: global edge network with EU and US regions.
Supabase: managed PostgreSQL database and authentication. Processes: user profiles, settings, favourites, watch history, subscription metadata, billing events. Region: European Union (Frankfurt).
Upstash Redis: distributed rate limiting. Processes: IP-based rate limit counters and request timestamps. Servers: customer-selectable region (AWS or GCP).
Stripe (via Clerk Billing): payment processing and card tokenisation. Processes: card authorisation, charges, refunds, disputes, billing addresses. Servers: European Union (Irish entity, Stripe Technology Company Limited) and United States (Stripe LLC). Gloam holds a token referencing the card; Stripe holds the card.
Sensapay (SensaInvoices): alternative payment gateway, currently dormant. Activated only when BILLING_PROVIDER is set to sensapay. Processes: customer names, email addresses, phone numbers, payment amounts, subscription data. Servers: configured via SENSAPAY_BASE_URL. GDPR compliance status: under review. We will not route EU customer data through Sensapay until a DPA and adequate transfer safeguards are in place.
Sentry: error tracking, crash reporting, and performance monitoring. Processes: error logs (which may include stack traces with user identifiers), browser and device information, IP addresses for session context. Servers: United States (ingest.us.sentry.io). EU region is available and may be configured in future. International transfers rely on SCCs. Sentry offers a DPA.
Google Analytics (Google Ireland): aggregated, pseudonymous usage analytics on the marketing site. Processes: a pseudonymous client identifier, page views, session duration, and referrer. IP addresses are anonymised via anonymize_ip. No personal viewing data is sent to Google Analytics. Consent is requested before the analytics tag loads, per the cookie consent drawer. Servers: Google global infrastructure, EU data routed through EU servers.
Vercel Analytics and Speed Insights: first-party, privacy-preserving performance and traffic metrics. Processes: page views, Core Web Vitals, device capabilities. No cross-site tracking, no personal identifiers. Consent-gated alongside Google Analytics.
Chatwoot: customer support inbox and live chat widget. Processes: support conversations, user email and name (if provided), session information, browser context. Self-hosted at support.gloam.tv on Fly.io. Data stays on infrastructure under Gloam’s control.
Activation Panel: IPTV line provisioning and trial account creation. Processes: provisioned credentials (username, password), subscription data, expiration dates. Servers: configured via ACTIVATION_PANEL_URL. We are reviewing the GDPR compliance posture of this provider and will not route EU customer data through it until adequate transfer safeguards are confirmed.
Xtream Codes provider: IPTV content source and stream URL resolution. Processes: provider credentials and stream URLs. Server location: configured via PROVIDER_HOST.
Several sub-processors above are located outside the European Economic Area (Clerk, Sentry, Google Analytics, Vercel edge nodes in US regions). Transfers to these providers rely on one or more of the following safeguards: an adequacy decision under Article 45 of the GDPR (e.g. the EU-U.S. Data Privacy Framework for certified providers), Standard Contractual Clauses adopted by the European Commission under Article 46, or Binding Corporate Rules.
The current list of transfer mechanisms for each sub-processor is available on request from privacy@gloam.tv.
You may object to a new sub-processor by writing to privacy@gloam.tv within the thirty-day notice period. If the objection is upheld and we cannot reasonably accommodate it (for example, by routing your data away from the new sub-processor), you may terminate the affected services without penalty. We will provide a pro-rata refund for the unused portion of your subscription.
Where we cannot accommodate the objection and you choose not to terminate, the sub-processor will be engaged on the terms set out in the Data Processing Agreement.
2 July 2025: initial publication of this list, expanded to include all identified sub-processors.