Legal
Subprocessors
Last updated: July 9, 2026
This page lists the subprocessors Glassline uses to provide the Glassline photo gallery service where they process Customer Personal Data on our behalf. Payment and invoicing providers, such as Polar.sh, are described in the Privacy Policy because they process billing and subscription data for Glassline's controller activities.
Current Subprocessors
| Subprocessor | Purpose | Data involved | Location | Transfer mechanism |
|---|---|---|---|---|
| Supabase | Authentication and database services | Account identifiers, gallery metadata, access records | Selected EU project region | Signed Supabase DPA and SCCs for non-EEA processing |
| Amazon Web Services | Photo and file storage | Uploaded photos, files, image metadata | EU region | AWS DPA and SCCs for non-EEA processing |
| Amazon CloudFront | Global image delivery | Image requests, IP address, user agent, requested file path | Global edge network | AWS DPA, SCCs, and supplementary measures |
| Vercel | Website and app hosting | Request metadata and application runtime data | United States/global | Vercel DPA and SCCs where applicable |
| PostHog | Analytics, feedback, error diagnostics, performance monitoring | Usage events, diagnostic data, feedback, technical context | EU data center | PostHog DPA and SCCs where applicable |
| Resend | Transactional and service emails | Email address, message metadata, service-email content | United States | Resend DPA, SCCs, and supplementary measures |
Changes
Glassline provides at least 30 days' prior notice before adding or replacing a subprocessor that processes Customer Personal Data. Customers may object on reasonable data protection grounds as described in the Data Processing Agreement.