Subprocessors
The third-party services that help us run Phantom.
Effective April 30, 2026
1. What's a subprocessor
A subprocessor is a third party we use to deliver part of Phantom — for example, the company that hosts our servers, or the database that stores your settings. Subprocessors process personal data on our behalf, under contractual obligations that mirror the protections in the Privacy Policy. We choose them carefully and review them regularly.
2. Current subprocessors
| Provider | Purpose | Data processed | Region |
|---|---|---|---|
| Discord, Inc. | Underlying chat platform; we run on top of it. Discord is also the source of every event the bot processes and the destination of every message it sends. | Discord IDs, channel/role/server metadata, message events, audit-log entries. | United States |
| Railway | Application hosting for the bot, the dashboard, and the supporting databases. Provides the underlying compute, networking, and storage. | Everything stored or processed by the application — encrypted at rest where applicable. | Primary region: US (with optional regional deployment as we expand). |
| PostgreSQL (managed by hosting provider) | Primary database for guild settings, moderation cases, automod rules, custom commands, levelling state, tickets, giveaways, error logs, and Custom Branding registrations. | All persistent data described in the Privacy Policy. Bot tokens for Custom Branding are stored encrypted (AES-256). | Same region as compute. |
| Email delivery provider | Sends transactional email — sign-in confirmations, security advisories, billing receipts (if and when paid plans launch). | Recipient email address, message body. We don't include personal data beyond what the message itself requires. | United States / EU depending on provider. |
| Cloudflare | Edge network and DDoS protection in front of the dashboard. Caches static assets and filters malicious traffic. | Request metadata (IP address, user-agent, requested path, response status). No request body inspection beyond what's needed for protection. | Global edge network. |
Where a subprocessor processes personal data of users in the EEA, UK, or Switzerland and is located outside an adequacy region, we rely on the European Commission's Standard Contractual Clauses (or the UK's IDTA / IDTA Addendum) for the transfer.
3. Updates and notice
This page is the canonical record of our subprocessors. When we add a new one — or change the role of an existing one in a way that materially changes the data they process — we update this page and refresh the "Effective" date. For business customers on a paid plan with a Data Processing Addendum (DPA) in place, we provide advance notice before adding new subprocessors as the DPA requires.
4. Data processing terms
If you operate a server with significant amounts of personal data of EU/UK residents and need a Data Processing Addendum to satisfy your own compliance obligations, open a ticket in the Phantom support server. Our standard DPA is based on the European Commission's Standard Contractual Clauses (Module 2: controller to processor) with reasonable additions reflecting how Phantom actually operates.
5. Contact
Subprocessor questions go to the Phantom support server.
Questions about this policy?
Reach us in the Phantom support server — open a ticket if it's a private matter (data request, safety report, takedown notice) so it goes straight to the team. Copyright takedowns follow the formal flow on the DMCA Policy page.