Last updated 14 July 2026.
Merr Digital LTD uses the providers below to help operate CampHQ. They act as processors where Merr Digital LTD is the controller and as subprocessors where Merr Digital LTD processes organiser-controlled event information on a customer's behalf. Providers are subject to written confidentiality, security, and data-protection obligations.
| Provider | Service | Information | Location | Transfer basis |
|---|---|---|---|---|
| Cloudflare, Inc. | Authoritative DNS, reverse proxy, web application firewall, security, and R2 object storage | IP addresses; connection, request, and security metadata; customer content passing through the proxy; and files, objects, and associated metadata stored in R2 | Global edge network; R2 storage follows the configured bucket jurisdiction or location | Cloudflare DPA, including the UK Addendum to the EU Standard Contractual Clauses for restricted transfers |
| AC PM, LLC (Postmark) | Transactional service-email delivery and delivery-status processing; no marketing email | Recipient names and email addresses; event or organisation names; booking or account identifiers; standard transactional message content and headers; and delivery, bounce, and suppression metadata. No sensitive booking fields | United States and downstream locations published by Postmark | UK Extension to the EU-US Data Privacy Framework where certification applies; otherwise EU Standard Contractual Clauses with the UK Addendum under the Postmark DPA |
Changes To This Register
Customers receive reasonable advance notice of a new or replacement event-data subprocessor and may raise a reasoned data-protection objection through the process in the Data Processing Addendum.
International Processing
Some provider processing occurs outside the UK or EEA. Before making a restricted transfer, Merr Digital LTD uses the transfer basis shown in the register and verifies that the relevant contract, adequacy regulation, certification, or contractual safeguard applies. Where reliance is placed on the UK Extension to the EU-US Data Privacy Framework, certification must remain current and cover the recipient and transfer.
Cloudflare's edge network operates globally. R2 objects are stored according to the bucket's configured jurisdiction or location; a location hint is not treated as a guaranteed data-residency restriction. Postmark processes transactional email information in the United States and through its published downstream providers.
Transactional Email
Postmark is used only to send transactional service email. Messages may contain recipient details, an event or organisation name, a booking or account identifier, and ordinary administrative information. They never contain medical, medication, allergy, accessibility, dietary, emergency-contact, safeguarding, or precise-location information, and do not attach sensitive booking records. Authorised users must sign in to the booking system to view sensitive event information.
Provider Documents
Current provider information is available in the Cloudflare Data Processing Addendum, Cloudflare subprocessor list, Postmark Data Processing Addendum, and Postmark subprocessor list.
Questions
Contact [email protected] to request more information about provider security or contractual safeguards.