Subprocessor Disclosure Page
Last updated: 17 June 2026
This page lists third-party processors and service providers used or planned by TalesNTokens. It should be read with the Privacy Policy, UK GDPR Compliance Statement, and Security Policy.
Definitions
"Subprocessor" means a third party that processes personal data for TalesNTokens.
"Independent controller" means a third party that determines its own processing purposes for some data.
"Processing location" means the region where the provider may store or process data, based on provider configuration and legal terms.
Scope
This disclosure covers subprocessors used for hosting, database, authentication, storage, payments, email, analytics, DNS, edge security, WebSockets, marketplace operations, support, and legal compliance.
Current And Planned Subprocessors
| Provider | Purpose | Data categories | Processing role | Typical location | Transfer mechanism |
|---|---|---|---|---|---|
| Supabase | Authentication, Postgres database, storage, logs | Account email, user IDs, room data, maps, tokens, character sheets, notes, uploads, sandbox records, transaction metadata | Processor; may be independent controller for service usage data | Configured Supabase region and provider infrastructure | DPA, SCCs/UK addendum or other provider transfer terms |
| Stripe | Payments, checkout, refunds, chargebacks, fraud checks, tax/payment compliance | Buyer email, payment metadata, billing details, transaction IDs, dispute data | Processor and independent controller depending on context | Global Stripe infrastructure | Stripe DPA, SCCs/UK addendum, provider transfer terms |
| Resend | Transactional email delivery | Recipient email, email content, delivery metadata | Processor | Global email infrastructure | Resend DPA and transfer terms |
| Fly.io | WebSocket/socket server hosting, bridge sessions, transient logs | Room IDs, user IDs, WebSocket events, IP/user-agent logs, bridge IDs | Processor | Configured Fly.io regions | Fly.io DPA and transfer terms |
| Cloudflare | DNS, CDN, DDoS/security, edge caching, logs | IP address, request metadata, cached content where configured | Processor; may be independent controller for some security data | Global edge network | Cloudflare DPA, SCCs/UK addendum, provider transfer terms |
| Google Analytics | Analytics and page view measurement | Page path, device/browser metadata, IP-derived location, analytics identifiers | Processor or independent controller depending on configuration | Global Google infrastructure | Google data processing terms and transfer terms |
| Google Fonts | Font delivery | IP address, request metadata | Independent controller or provider under Google terms | Global Google infrastructure | Google terms |
| Discord | Community invite and user community interactions | Discord username if submitted, Discord account data if user joins | Independent controller | Discord infrastructure | Discord terms |
| Roll20 and Foundry integrations | Optional bridge functionality controlled by users | Bridge IDs, scene snapshots, token/map data selected by user | Independent third-party platforms; TalesNTokens processes imported bridge data when uploaded | Third-party and TalesNTokens infrastructure | Third-party terms plus TalesNTokens processor controls |
| Vercel or deployment provider, if used | Nuxt/Nitro hosting and deployment | Request logs, build logs, environment metadata | Processor | Configured deployment regions | Provider DPA and transfer terms |
Subprocessor Changes
TalesNTokens will update this page before adding a material new subprocessor where practicable. For material changes, TalesNTokens may provide notice through the Platform, email, or this page.
Users who object to a new subprocessor may stop using the relevant feature, delete content, or request account deletion under the Account Deletion Policy.
User Obligations
Users must not use third-party integrations to import or upload data they are not allowed to process. Creators and buyers must comply with third-party terms that apply to payment, marketplace, Discord, Roll20, Foundry, or other integrations.
Platform Obligations
TalesNTokens will:
- perform reasonable vendor review;
- maintain data processing agreements where required;
- publish material subprocessors;
- assess international transfers;
- limit processor access to necessary data;
- respond to subprocessor incidents where required.
Contact Procedures
Subprocessor questions: privacy@talesntokens.com
Enforcement Procedures
If a subprocessor creates unacceptable risk, TalesNTokens may suspend the integration, change provider, restrict affected processing, notify users, or update retention and transfer controls.
Appeals Process
Users may raise objections or concerns by contacting privacy@talesntokens.com. Where the concern relates to a data rights decision, the GDPR Data Rights Policy applies.