Legal · Data processing

Subprocessors & Data Processing.

Every third party that processes personal data on Alderframe LTD’s behalf, with purpose, hosting, and transfer safeguards. UK GDPR Art 28 compliant. Last updated: 27 June 2026.

When Alderframe LTD acts as a data controller, we use the third parties listed below to process personal data on our behalf as data processors or sub-processors. Each is contractually bound under UK GDPR Art 28 and an equivalent international framework where data is processed outside the UK. Our full Privacy Policy is at /privacy.html.

Current subprocessors

Stripe Payments UK Ltd (United Kingdom)

  • Purpose: Card and digital-wallet payment processing, fraud screening, payment receipts, recurring subscriptions (Growth Retainer), promotion code redemption.
  • Personal data: name, billing address, email, payment instrument metadata (last 4 digits, brand). Card numbers and CVVs are never seen by Alderframe.
  • Hosting: EU/UK with possible US transfer; UK adequacy / EU SCCs.
  • Regulator: FCA-authorised, FRN 752443.
  • Public DPA: stripe.com/legal/dpa

Tide Platform Ltd / ClearBank Ltd (United Kingdom)

  • Purpose: GBP business current account — receives Stripe payouts and direct bank transfers from clients.
  • Personal data: sender name and reference text on incoming Faster Payments.
  • Hosting: United Kingdom.
  • Regulator: ClearBank is FCA-authorised; Tide is FCA-authorised as an EMD agent.

Cloudflare, Inc. (United States, with EU/UK edge nodes)

  • Purpose: CDN, DNS, TLS, bot protection, DDoS mitigation, edge serving for alderframe.co.uk (Cloudflare Pages).
  • Personal data: IP address, browser headers, request paths, bot-management cookies (__cf_bm, cf_clearance).
  • Hosting: global edge; UK/EU edge nodes prioritised for UK traffic.
  • Transfer safeguard: Cloudflare’s UK IDTA and EU Standard Contractual Clauses; Data Privacy Framework certification.
  • Public DPA: cloudflare.com/cloudflare-customer-dpa

Supabase Inc. (United States, AWS eu-west-2 region for our project)

  • Purpose: Managed PostgreSQL backend for SaySpace (account, profile, content, interactions). Not used by alderframe.co.uk itself.
  • Personal data: account profile, posts, replies, voice notes, interactions, push notification tokens.
  • Hosting: AWS London (eu-west-2).
  • Transfer safeguard: EU SCCs / UK IDTA.
  • Public DPA: supabase.com/legal/dpa

Apple Inc. (United States and EU)

  • Purpose: Push notifications via APNs; Sign in with Apple identity service; App Store distribution; App Store Connect.
  • Personal data: device push tokens; user identifier and (optionally) private-relay email for Sign in with Apple.
  • Hosting: Apple’s global infrastructure; EU/UK datacentre presence for European users.
  • Transfer safeguard: Apple’s EU SCCs; UK Adequacy Decision.

Google LLC (United States)

  • Purpose: Google Fonts web-font delivery (Inter, Inter Tight, IBM Plex Mono) for alderframe.co.uk.
  • Personal data: IP address only, used to serve the font file. No cookies are set by Google Fonts since 2022; no logging is shared with Google Ads or Analytics.
  • Hosting: Google’s global CDN.
  • Transfer safeguard: Google’s Data Privacy Framework certification; EU SCCs.
  • Public position: developers.google.com/fonts/faq/privacy

GitHub, Inc. (United States, owned by Microsoft)

  • Purpose: Source code hosting for Alderframe’s repositories; deployment pipeline to Cloudflare Pages.
  • Personal data: only commit metadata (name, email of contributors). No client personal data is committed to repositories.
  • Hosting: United States; EU/UK data residency available for enterprise tiers.
  • Transfer safeguard: EU SCCs / UK IDTA; Data Privacy Framework certified.

Notification of changes

Material changes to this list — adding a new subprocessor with access to personal data — will be reflected on this page with the date of change. Where you are an active Build With Alderframe client and the change materially affects how your project data is processed, we will email you in advance.

Your rights & objection

Under UK GDPR Art 28, you may object to the use of a particular subprocessor on reasonable grounds. Object by emailing [email protected]; we will respond within 30 days, and may offer an alternative arrangement or, if no alternative is feasible, terminate the affected service with a pro-rata refund.

Standard Data Processing Addendum (DPA)

If you are a business buying from the Build With Alderframe catalog and require a signed UK GDPR / EU GDPR-compliant Data Processing Addendum, email [email protected] with the subject “DPA request” and your registered company details. Standard DPA template is available within 5 working days, no charge.

Solicitor-review note. This page is published in good faith and reflects current UK and EU data protection law as Alderframe LTD understands it on 27 June 2026. It is not legal advice. Have a qualified UK solicitor review this list before relying on it for any specific compliance situation.