Sub-processors

These are the third-party services we use to deliver MyFootballJournal. Each is contractually bound by a Data Processing Agreement to protect your data and comply with UK GDPR.

Amazon Web Services (AWS)

Region: Ireland (eu-west-1)
Parent company: Amazon.com, Inc. (US)

AWS is our primary infrastructure provider. We use the following AWS services:

DynamoDB: Database — stores all user account data, child profiles, match records, and metadata.
S3: Object storage — stores match photos and voice recordings (before transcription).
Lambda: Serverless compute — runs the API that powers the app.
Cognito: Identity management — handles user authentication (signup, login, password reset).
SES: Email delivery — sends verification codes and password reset emails.
CloudFront: Content delivery — distributes the website (myfootballjournal.com) globally.
Route 53: DNS — routes your requests to the service.

Data processed: All user account data, parent and child profile information, match records, stats, photos, voice recordings (before transcription), session data, and logs.

Safeguards: AWS adheres to the AWS GDPR Data Processing Addendum (DPA). AWS is certified under the UK's Adequacy Decision, meaning the UK recognises their data protection practices as adequate.
Location: Your data lives exclusively in the Ireland region (eu-west-1), which is within the EU and UK.
Standard Contractual Clauses: Not required (AWS is in the EU), but our contract with AWS includes GDPR compliance clauses.

Stripe Payments Europe Ltd

Parent company: Stripe, Inc. (US)
Service: Payment processing and subscription management

Stripe is our payment processor. When you subscribe to the Stats or Reports tier, Stripe handles payment collection, billing, and subscription management.

Card processing: Your payment card details are never transmitted to MyFootballJournal. Stripe captures and processes them directly, encrypted with PCI-DSS standards. We never see your full card number.
Subscription metadata: We receive your Stripe customer ID and subscription ID, which we store to track which tier you're on and when to charge you.
Email address: We share your email address with Stripe so they can send you receipts and subscription notifications.

Data processed: Email address, payment card details (by Stripe only, not by us), subscription status, billing history, and invoice data.

Safeguards: Stripe maintains its own GDPR Data Processing Agreement and is certified under PCI-DSS Level 1 (the highest payment security standard).
International transfer: Stripe is US-based. Their processing of your data is covered by Standard Contractual Clauses (SCCs) and the UK's Adequacy Decision, which the UK recognises as providing equivalent protection to UK data protection law.

No other sub-processors

We currently use only these two sub-processors. We don't use analytics SDKs (no Google Analytics, Mixpanel, Hotjar, etc.), don't use third-party customer support platforms, and don't contract with other services to handle your data.

Future sub-processors

If we add a new sub-processor (e.g., for transcription, AI, or customer support), we'll:

Update this page.
Email existing users with details of the new processor, why we need it, and what data it will access.
Give you 30 days to object before activation. If you object, we'll find an alternative or delete your account.

Last updated: 11 May 2026