leagues.shLegal

Sub-Processor List

Last updated: May 2026

leagues.sh, Inc. ("leagues.sh", "we", "us") engages the third-party sub-processors listed below to provide the leagues.sh platform. Each sub-processor is bound by a data-processing agreement and has been assessed for adequacy of technical and organisational measures under GDPR Art. 28 and CCPA §1798.140.

30-day notice commitment

We will provide 30 days' written notice before adding or materially changing any sub-processor (GDPR Art. 28(2) — controller right to object). Notices are sent to the primary admin email address on file for each organisation.

To object to a proposed sub-processor, contact [email protected] within 30 days of receiving notice.

Active sub-processors

Sub-processor	Purpose	Data categories	Transfer mechanism
Stripe, Inc. Privacy policy · DPA	Payment processing — card charges, refunds, invoicing	Payment card data, billing address, name, email	SCCs + US–EU DPF
Plaid Inc. Privacy policy	Bank account verification (ACH / direct-debit setup)	Bank account & routing numbers, name, email	SCCs + US–EU DPF
Twilio Inc. Privacy policy	SMS and voice notifications	Phone number, message content	SCCs + US–EU DPF
Firebase Cloud Messaging Google LLC Privacy policy	Android push notifications	Device push token, notification payload	SCCs + US–EU DPF
Apple Push Notification Service Apple Inc. Privacy policy	iOS push notifications	Device push token, notification payload	Apple STCs (EU adequacy)
Amazon SES Amazon Web Services, Inc. Privacy policy	Transactional email delivery	Email address, display name, message content	SCCs + US–EU DPF
Sentry Functional Software, Inc. Privacy policy	Backend and mobile crash reporting & error monitoring	Error stack traces, request metadata, device info, user ID (obfuscated)	SCCs + US–EU DPF
Expo Application Services (EAS) Expo, Inc. Privacy policy	Mobile build artifact hosting & OTA update distribution	App bundle artifacts, push credentials (no member PII at runtime)	US-only (no EU transfer of PII)

Pending: when avatar and attachment storage is migrated off local file storage to a cloud object-storage provider (e.g., AWS S3, Cloudflare R2), that provider will be added here with 30 days' advance notice.

Transfer mechanism glossary

SCCs: — EU Standard Contractual Clauses (Commission Decision 2021/914).
US–EU DPF: — US–EU Data Privacy Framework (adequacy decision, 10 July 2023).
Apple STCs: — Apple's own standard contractual terms, accepted as equivalent by EU DPA guidance.

Data Processing Agreement (DPA)

Organisations whose members are based in the EU, UK, or California may need a signed DPA with leagues.sh as data processor. To request a DPA, email [email protected] with the subject line "DPA request — [your organisation name]". We will respond within five business days.

Contact

Questions about this list or our data-processing practices?

Email: [email protected]
Security: [email protected]