Subprocessors — WhiteKnight Academy
Scope — where this applies. This document covers WhiteKnight Academy as a whole: both the public website at whiteknight.academy and the learning platform at analytics.whiteknight.academy. Where it refers to "the Site", "the Service", or "the Platform", it means both unless a specific one is named.
Effective date: 2026-07-02
What is a sub-processor?
A sub-processor is a third-party service that handles personal data on our behalf while we run WhiteKnight Academy. We remain responsible for what our sub-processors do with your data: each one is bound by a written Data Processing Agreement (DPA), uses your data only on our instructions, and cannot repurpose it.
We (TheBroda sp. z o.o.) act as the data controller. Our sub-processors below act as data processors.
Current sub-processor list
Last updated: 2026-07-02.
| Sub-processor | Role | Region | Data categories it processes | DPA | EU/UK transfer safeguard |
|---|---|---|---|---|---|
| Supabase, Inc. | Authentication, database, file storage, edge functions (incl. AI-proxy to OpenAI) | United States (US East / Virginia) | All account, coaching, chess, billing metadata | supabase.com/legal/dpa | EU SCCs (Commission Implementing Decision 2021/914) incorporated in Supabase DPA |
| Hostinger International Ltd. | Static site hosting; KVM VPS that runs the Node.js API + Stockfish batch-analysis worker; transactional SMTP for system emails | Lithuania / global | Chess games and positional analysis (VPS), account email + system-mail body (SMTP), static SPA bundle | hostinger.com/legal/data-processing-agreement | Processor DPA + SCCs for any non-EU processing |
| Stripe Payments Europe Ltd. (EU) / Stripe, Inc. (US) | Payment processing, billing, invoicing | Ireland + United States | Email, name, Stripe customer ID, subscription metadata, card data (tokenised) | stripe.com/legal/dpa | EU SCCs via Stripe DPA; EU-issued cards processed intra-EU |
| Daily.co (Pluot Inc.) | Live video rooms; cloud recording storage (only when recording is explicitly triggered) | United States | Live lesson audio/video only during the session; recordings stored 30 days then auto-deleted (see Privacy Policy § 7.3) | daily.co/legal/dpa | EU SCCs via Daily.co DPA |
| OpenAI OpCo LLC | Large-language-model provider used directly via API for AI-coach chat and insights | United States | Aggregated chess performance statistics, recent game summaries, AI-chat conversation content (no name, email, date of birth, payment) | openai.com/policies/data-processing-addendum — no training on API content per Enterprise API terms | EU SCCs via OpenAI DPA; EU-US Data Privacy Framework certification |
| Google LLC (OAuth) | OAuth identity provider — only when a user chooses "Sign in with Google" | United States + global | Email, profile name, avatar URL received once at sign-in | cloud.google.com/terms/data-processing-addendum | EU SCCs; EU-US Data Privacy Framework certification |
| Google LLC (Google Analytics 4) | Web analytics on public marketing pages + adult-authenticated dashboards — only when the user grants analytics consent via the cookie banner; never for child accounts (see Cookie Policy § 3.5) | United States + global | Anonymised IP, page URLs, device/OS/browser family, session events, GA4 client ID | business.safety.google/adsprocessorterms/ | EU SCCs via Google DPA; EU-US Data Privacy Framework certification; GA4 consent-mode v2 enforced |
| Google LLC (Google Tag Manager) | Tag management container (GTM-5TF7QK4N) that loads the other analytics and advertising tags based on consent state |
United States + global | Page load events, dataLayer events (consent state, page path, content_group) — GTM itself does not set tracking cookies | cloud.google.com/terms/data-processing-addendum | Covered by the Google Cloud DPA + SCCs; EU-US DPF |
| Google LLC (Google Ads) | Conversion tracking and remarketing-audience membership for our paid-acquisition campaigns — only when the user grants advertising consent | United States + global | Conversion events, Google advertising ID (when applicable), page URL | business.safety.google/adsprocessorterms/ | EU SCCs; EU-US DPF |
| Meta Platforms Ireland Ltd. (Facebook / Instagram Ads) | Meta Pixel conversion tracking and custom-audience measurement for our campaigns on Facebook and Instagram — only when the user grants advertising consent | Ireland + United States | Meta browser ID (_fbp), conversion events, coarse page/URL data, hashed event parameters |
business.facebook.com/legal/customcontrollerterms / Meta Business Data Processing Terms | EU SCCs via Meta DPA; EU-US DPF |
| TikTok Technology Ltd. (TikTok for Business) | TikTok Pixel conversion tracking and custom-audience measurement for our TikTok-Ads campaigns — only when the user grants advertising consent | Ireland + global | TikTok Pixel ID (_ttp), conversion events, coarse page/URL data |
ads.tiktok.com/i18n/official/policy/data-processing-agreement | EU SCCs via TikTok DPA |
| X Corp. (X Ads, formerly Twitter Ads) | X Pixel conversion tracking for our X-Ads campaigns — only when the user grants advertising consent | United States | X advertising ID (muc_ads, personalization_id), conversion events, coarse page/URL data |
business.x.com/en/help/ads-policies/general-guidelines-and-policies/x-data-processing-addendum | EU SCCs via X DPA |
| Cloudflare, Inc. (Turnstile) | Bot challenge / human-verification widget on the parent-registration form — protects against mass account-creation. Triggered only when an unauthenticated user opens the parent-with-child registration page | United States + global edge | Source IP, browser fingerprint signals (User-Agent, screen size, language), Turnstile challenge token. No persistent identifier is set when widget runs in "managed" mode without challenge; if a visible CAPTCHA is required, a short-lived cf_chl_ cookie may be set on challenges.cloudflare.com. Discarded after the verification round-trip; not stored on our side beyond the resulting success: true response |
cloudflare.com/cloudflare-customer-dpa | EU SCCs via Cloudflare DPA; EU-US Data Privacy Framework certification |
Notes
(a) AI provider — OpenAI only. All AI features (coach chat, insights) call the OpenAI API directly from our Supabase Edge Functions. We do not use OpenRouter, Anthropic, DeepSeek, or any other LLM provider. No child or user data is transferred to the People's Republic of China.
(b) Session-replay and behaviour-watching — not used. We do not use Hotjar, Clarity, FullStory, LogRocket, or any similar session-replay service. We do not use the advanced product-analytics class of tools (Amplitude, Mixpanel, Heap, PostHog, Segment) either.
(c) Analytics and advertising off for children. Google Analytics 4 and every advertising pixel above are configured to skip any page served to a logged-in Child account, enforced at the tag-management layer (see Cookie Policy § 3.5). Children's behaviour is not aggregated, profiled, retargeted, or sent to any ad or analytics provider.
(d) No sale or share under CCPA/CPRA. The retargeting and conversion-tracking above is conducted under each platform's data-processor terms; it is not a "sale" or "share" of personal information as defined in California Civil Code §1798.140(ad).
External services we integrate with (not sub-processors)
These services are accessed only on the user's request, are not given access to data they did not already possess, and are not our sub-processors:
- Chess.com public API (United States) — we read the linked user's public game archive using the chess.com username the user supplied. We send no personal data beyond that username.
- Lichess public API (France / global) — same pattern with Lichess usernames.
Notice of change
When we add a new sub-processor, or change the scope of an existing one, we will:
- Update this page with the new row at least 30 days before the new processing begins;
- Email every active account holder at the registered address; and
- For changes that materially expand processing of children's data, obtain fresh parental consent (COPPA 16 CFR §312.5(a)(2)).
How to object
If you object to a new sub-processor, you may request to have your account suspended or deleted before the new processing begins, without penalty. Write to privacy@whiteknight.academy within 30 days of the change notice. If you are a data subject in the EU/EEA, you may also lodge a complaint with your supervisory authority (see Privacy Policy § 17).
Version history
2026-07-02— v1 (initial publication; accompanies Privacy Policy v1).
Contact
- Privacy questions: privacy@whiteknight.academy
- General: contact@whiteknight.academy
- Post: TheBroda sp. z o.o., ul. Wierna 12, Warszawa, Poland