Sub-processors
To run CruiseCtrl we rely on a small number of trusted third parties ("sub-processors") that process personal data on our behalf, under our instructions. We publish this list for transparency under Articles 13, 28 and 30 of the GDPR. Each sub-processor is bound by a written data-processing agreement (DPA), is permitted to use the data only to provide its service to us, and — where data leaves the EU/EEA — is covered by an appropriate transfer safeguard such as an adequacy decision or the EU Standard Contractual Clauses (SCCs).
Some entries below are marked [to confirm] while we finalise contracts and processing regions; we will update this page before any change takes effect.
1. Current sub-processors
| Sub-processor | Purpose | Data processed | Region | Safeguard |
|---|---|---|---|---|
| Hetzner Online GmbH | Cloud hosting of the application and database | All app data | EU (Germany) | DPA; EU hosting |
| Sightengine | Automated facial age estimation; moderation of public photos | Verification selfie; public profile photos | EU [to confirm endpoint] | DPA; SCCs if applicable |
| Resend | Transactional email (codes, confirmations, resets) | Email address, message content | US [to confirm] | DPA; SCCs |
| Twilio | SMS / phone one-time codes [if enabled] | Phone number | EU/US [to confirm] | DPA; SCCs |
| Cloudflare | DNS, CDN and edge security [if enabled] | Connection metadata (e.g. IP) | EU/global | DPA; SCCs |
| Apple & Google | App distribution, in-app billing, push delivery, "Sign in with" SSO | Account/device identifiers, purchase records, push token | EU/US | DPA / store terms; SCCs |
| Meta Platforms | "Continue with Facebook" SSO [if used] | Verified email / Facebook ID at sign-in | EU/US | Platform terms; SCCs |
| MapTiler | Map tiles for the live map [if used] | Approximate location request, IP | EU | DPA |
2. Hosting & data location
CruiseCtrl is hosted in the European Union. Where a sub-processor operates outside the EU/EEA, the transfer is protected by an EU adequacy decision or by the European Commission's Standard Contractual Clauses, together with additional technical and organisational measures where appropriate. You can ask us for more detail about a specific transfer.
3. Special-category data
Because CruiseCtrl is an LGBTQ+ dating service, some data may reveal your sexual orientation — a special category of data under Article 9 of the GDPR. We process it only on the basis of your explicit consent and to provide the service you asked for. We never sell it and never use it for advertising. Our age-verification selfie is processed for the single purpose of confirming you are 18+ and is deleted as described in our Age-Assurance Notice; we do not create or store a biometric template that could identify you.
4. Changes to this list
We keep this page as the live record of our sub-processors and update it before engaging a new processor that handles personal data. Material changes are also reflected in our Privacy Policy. If you have a contract with us that includes a right to object to new sub-processors, that right applies as written there.
5. Contact
Questions about our processors or data transfers: privacy@cruisectrl.eu, or our Data Protection Officer at dpo@cruisectrl.eu.
Privacy Policy · Cookie Policy · Age Assurance · Legal Notice