Skip to content

International Data Transfers: GDPR Compliance Explained

What Are International Transfers? (The Basics)

Simple Definition

International data transfer means sending your family's data from one country to another - specifically from the UK/EU to countries outside the European Economic Area (EEA).

Simple analogy: Like mailing a package internationally. When you send something across borders, different countries have different rules about what can be sent and how it should be protected during transit.

Why This Matters for GDPR

GDPR (General Data Protection Regulation) says:

  • ✅ Your data is well-protected within the UK/EU (strict privacy laws)

  • ⚠️ Some countries have weaker privacy protections

  • 🚫 Companies can't just send your data anywhere

The concern: If a UK company sends your data to a country with weak privacy laws, your GDPR rights (access, deletion, portability) might not be honored.

Simple analogy: Like taking your car from a country where everyone drives on the left (UK) to one where they drive on the right. You need to make sure you can still drive safely with different rules.

Countries & Data Protection Levels

Three Categories

Category 1: Inside the EEA (No restrictions) 

✅ UK (post-Brexit, still GDPR-compliant)
✅ EU countries (27 member states)
✅ Iceland, Liechtenstein, Norway

Data flows freely between these countries.
No special permissions needed.
All have equivalent privacy protections.

Category 2: "Adequate" Countries (Safe transfers) 

✅ Countries EU considers to have adequate data protection:
   - Switzerland
   - Canada (commercial organizations)
   - Japan
   - New Zealand
   - Argentina
   - Israel
   - South Korea
   - UK (post-Brexit)

Data can be transferred with minimal paperwork.
These countries have strong privacy laws.

Category 3: Non-Adequate Countries (Special safeguards required) 

⚠️ Includes:
   - United States (not on adequacy list)
   - Australia (not on adequacy list)
   - China
   - India
   - Most other countries

Requires special legal mechanisms (see below).

Wait, the USA isn't "adequate"?

Correct. After the Schrems II court case (2020), the EU-US Privacy Shield was invalidated. The US doesn't have comprehensive federal privacy laws equivalent to GDPR, so transfers require extra safeguards.

How Tubara Handles International Transfers

Our Service Providers & Locations

Where Tubara's data lives:

Service Provider Data Location Country Transfer Type
Frontend Hosting Vercel Global CDN US-based company Non-adequate
Backend Hosting Variable UK/EU preferred Depends Adequate if UK/EU
Database Neon EU region option US-based company Can be EU-only
Payments Stripe EU servers US-based company Non-adequate
Email SendGrid EU region US-based company Non-adequate
YouTube API Google/YouTube Global US-based company Non-adequate

Key point: Most of Tubara's providers are US-based companies, even if they host data in EU regions.

Since most providers are US-based, we use these GDPR-approved transfer mechanisms:

1. Standard Contractual Clauses (SCCs)

What they are: Pre-approved contract templates from the European Commission that require data processors to protect EU data according to GDPR standards, even when operating in non-adequate countries.

Simple analogy: Like a rental agreement template that's been approved by the government - both parties sign it to ensure certain protections are in place.

Who we use SCCs with:

  • ✅ Stripe (payment processing)

  • ✅ SendGrid (email delivery)

  • ✅ Neon (database hosting)

  • ✅ Google (YouTube API)

What SCCs guarantee:

  • Your data is still subject to GDPR protections

  • The US company must honor your GDPR rights (access, deletion, etc.)

  • If they can't provide protections, they must tell us

  • We can terminate the contract if protections are inadequate

2. Adequacy Decision for Specific Processors

EU-US Data Privacy Framework (2023): The EU and US created a new framework to replace the invalidated Privacy Shield. Companies can self-certify compliance.

Status:

  • Some companies have certified under the framework

  • Still subject to legal challenges (may be invalidated like Privacy Shield)

  • We monitor this closely

Who might use this:

  • Google/YouTube

  • Stripe

  • Other US companies serving EU customers

Our approach: Even when providers have adequacy certification, we ALSO use SCCs as backup (belt and braces (USA-suspenders) approach).

3. Necessity Exceptions (Article 49)

Limited circumstances where transfers are allowed without SCCs:

Explicit consent:

  • You specifically agree to the transfer

  • You understand the risks

  • Example: "I consent to my payment being processed in the USA by Stripe"

Contract performance:

  • Transfer is necessary to provide the service you requested

  • Example: You asked to subscribe using Stripe (US company)

Our use: We rely on SCCs primarily, but these exceptions apply in specific contexts (like Stripe payment processing where you explicitly request the service).

What This Means for Your Family's Data

Data That Stays in UK/EU

✅ Stored in EU regions only:

  • Your email address

  • Your encrypted password

  • Child profiles (names and ages - encrypted)

  • Approved channel lists

  • Watch history

  • Screen time data

  • Subscription status

How:

  • Neon database configured for EU-only hosting

  • Backend server in UK/EU region

  • No replication to US servers

Data That Goes to US Companies

⚠️ Sent to US-based services:

To Stripe (Payment Processing):

  • Your email

  • Subscription tier selected

  • Payment timestamp

  • ❌ NOT sent: Card details (Stripe collects directly)

To Google/YouTube (Video API):

  • YouTube channel IDs you approve

  • Video IDs requested

  • ❌ NOT sent: Child names, ages, watch history

To SendGrid (Email Delivery):

  • Your email address

  • Password reset requests

  • Notification preferences

  • ❌ NOT sent: Child data, watch history

To Vercel (Frontend Hosting):

  • Your IP address (temporarily, for serving web pages)

  • Browser type and device info

  • ❌ NOT sent: Account data, child data

What "Sent to US" Really Means

Important clarification:

Scenario 1: Data stored in EU, company is US-based

  • Your data lives on servers in Ireland (EU)

  • The company that owns the servers is in California (USA)

  • Company employees COULD theoretically access it

  • SCCs require them not to (except for maintenance, with strict rules)

Scenario 2: Data processed in US

  • Your payment flows through Stripe's US systems

  • Processed and then discarded

  • Not permanently stored in US

  • Protected by SCCs

Scenario 3: Data replicated to US

  • Backups stored in both EU and US

  • We avoid this where possible

  • When unavoidable, requires strongest protections (SCCs + encryption)

Your Rights Regarding International Transfers

What You Can Do

✅ Right to be informed (this document)

  • We're telling you which providers transfer data

  • Where data is transferred

  • What safeguards are in place

✅ Right to object

  • You can object to transfers to specific countries

  • May limit service functionality (e.g., can't use Stripe = no paid subscriptions)

✅ Right to withdraw consent

  • If we rely on consent for transfers, you can withdraw

  • May affect service availability

✅ Right to lodge a complaint

  • UK: Information Commissioner's Office (ICO)

  • EU: Your national data protection authority

  • They investigate and can fine companies

How to Exercise Your Rights

To object to international transfers:

Email: privacy@tubara.world

Subject: Objection to International Transfers

Message:
"I object to my data being transferred to [country/provider].
Please confirm:
1. Which data will remain in UK/EU only
2. What functionality I will lose
3. Alternative options available"

We will respond within 30 days with:

  • Explanation of which transfers are essential

  • What services require international transfers

  • Alternative arrangements if possible

Example scenarios:

Scenario A: "I don't want any US transfers"

  • ❌ Cannot use Stripe (no paid subscriptions)

  • ❌ Cannot use SendGrid (no password reset emails)

  • ❌ Cannot use YouTube API (no videos)

  • ✅ Can export your data before closing account

Scenario B: "I don't want payment data in US"

  • ❌ Cannot upgrade to paid tiers (Stripe required)

  • ✅ Can use free tier (no payment processing needed)

  • ✅ All other features work normally

Standard Contractual Clauses (What They Require)

Data Processor Obligations:

1. Processing Instructions

  • Must only process data as we instruct

  • Cannot use data for their own purposes

  • Must delete when we request

2. Security Measures

  • Encryption in transit and at rest

  • Access controls (only authorized personnel)

  • Regular security audits

  • Incident response plans

3. Sub-processor Requirements

  • Must get our approval for sub-contractors

  • Sub-contractors must also sign SCCs

  • Chain of protection continues

4. Data Subject Rights

  • Must help us fulfill your GDPR requests (access, deletion, etc.)

  • Must respond within reasonable timeframes

  • Must provide data in portable format

5. Government Access Requests

  • Must notify us if government requests data

  • Can challenge unlawful requests

  • Must document all access

6. Data Breach Notification

  • Notify us within 24-72 hours

  • Provide full details

  • Help with breach investigation

7. Audit Rights

  • We can audit their security practices

  • Can request compliance documentation

  • Can terminate if non-compliant

Additional Safeguards We Implement

Beyond SCCs, we add:

1. Data Minimization

  • Only transfer absolutely necessary data

  • Example: Stripe gets email, NOT child names

2. Pseudonymization

  • Replace identifying data with codes

  • Example: "User 123" instead of "Carl Jung"

3. Encryption

  • All data encrypted in transit (HTTPS/TLS 1.3)

  • Sensitive data encrypted at rest (AES-256)

  • Encryption keys stored separately

4. Contractual Restrictions

  • Our contracts go beyond SCC requirements

  • Explicit prohibition on certain uses

  • Right to terminate immediately if violated

5. Regular Audits

  • Annual review of all data processors

  • Security compliance verification

  • SCC compliance checks

6. Monitoring

  • Alert systems for unusual data access

  • Logging of all international transfers

  • Quarterly transfer impact assessments

Schrems II (2020)

What happened:

  • European Court of Justice invalidated EU-US Privacy Shield

  • Said US surveillance laws (FISA 702, EO 12333) risk Europeans' privacy

  • Ruled SCCs alone might not be enough

Impact:

  • US companies can't claim "adequacy" without Privacy Shield

  • Must use SCCs + additional safeguards

  • Companies must assess if US law prevents them honoring SCCs

What we do:

  • Use SCCs with all US providers

  • Add extra encryption and access controls

  • Minimize data transferred

  • Regular risk assessments

EU-US Data Privacy Framework (2023)

What it is:

  • New agreement replacing Privacy Shield

  • US companies can self-certify compliance

  • Includes new redress mechanism for Europeans

Status:

  • Operational since July 2023

  • Already facing legal challenges (likely "Schrems III")

  • May be invalidated like Privacy Shield

Our approach:

  • Don't rely solely on this framework

  • Maintain SCCs as primary mechanism

  • Monitor legal developments closely

  • Prepared to adapt quickly

UK Post-Brexit (2021+)

UK GDPR:

  • Nearly identical to EU GDPR

  • UK not on EU adequacy list initially

  • EU granted adequacy to UK in 2021 (renewable)

What this means:

  • UK-EU transfers relatively easy

  • UK-US transfers same rules as EU-US

  • We treat UK and EU identically

UK-specific adequacy decisions:

  • UK has own process for deeming countries adequate

  • May diverge from EU over time

  • We monitor both UK and EU rules

Transparency: Our Transfer Assessment

Risk Analysis We Conduct

For each data processor, we assess:

1. What data is transferred?

  • Type: Contact info, payment info, usage data?

  • Volume: How much data?

  • Sensitivity: Includes children's data?

2. Why is it transferred?

  • Essential for service?

  • Alternative options available?

  • Can we minimize?

3. Where does it go?

  • Destination country?

  • Adequacy status?

  • Legal protections available?

4. How is it protected?

  • Encryption?

  • Access controls?

  • Contractual protections?

5. What are the risks?

  • Government surveillance?

  • Data breach potential?

  • Rights enforcement difficulty?

6. Can we mitigate?

  • Additional safeguards?

  • Data minimization?

  • Alternative providers?

Current Risk Assessment Summary

Stripe (Payment Processing): 

Risk Level: LOW-MEDIUM
- Essential for paid subscriptions
- Protected by SCCs
- Only processes transaction data
- No access to child data
- Certified under EU-US Data Privacy Framework
- Alternative: No equivalent EU payment processor with same capabilities

Mitigation:
✅ SCCs in place
✅ Data minimization (only email + transaction info)
✅ Free tier option (avoid Stripe entirely)

Google/YouTube (Video API): 

Risk Level: MEDIUM
- Essential for core service (videos)
- Protected by SCCs
- No child personal data transferred (only channel IDs)
- YouTube's privacy-enhanced mode reduces tracking
- Alternative: No equivalent platform for parent-curated YouTube content

Mitigation:
✅ SCCs in place
✅ youtube-nocookie.com (privacy mode)
✅ No child names/ages sent
✅ Only approved channel IDs transferred

Neon (Database Hosting): 

Risk Level: LOW
- Can configure EU-only hosting
- US company but data stays in EU
- Protected by SCCs
- Regular security audits
- Alternative: Self-hosted PostgreSQL (complex, expensive)

Mitigation:
✅ EU-only region selected
✅ SCCs in place
✅ Encryption at rest and in transit
✅ Limited employee access

Vercel (Frontend Hosting): 

Risk Level: LOW
- Temporarily processes requests (not stored)
- Global CDN (EU nodes serve EU users)
- No account or child data
- Only IP addresses and browser info
- Alternative: EU-based hosting (slower, more expensive)

Mitigation:
✅ No personal data stored
✅ SCCs in place
✅ GDPR-compliant hosting
✅ Can serve from EU nodes only

SendGrid (Email Delivery): 

Risk Level: LOW
- Only for transactional emails (password resets, etc.)
- Email addresses only (no child data)
- Protected by SCCs
- EU region available
- Alternative: EU email providers (less reliable)

Mitigation:
✅ EU region configured
✅ SCCs in place
✅ Only email addresses transferred
✅ No marketing use

What This Means in Practice

Scenario 1: UK Family Using Free Tier

Data flows: 

1. You register with email + password
   → Stored in Neon database (EU region)
   → No international transfer

2. You create child profiles
   → Names and ages encrypted, stored in Neon (EU)
   → No international transfer

3. You approve YouTube channels
   → Channel IDs sent to Google/YouTube API (US)
   ⚠️ International transfer (protected by SCCs)

4. Child watches video
   → Request goes to YouTube (US)
   ⚠️ International transfer (privacy-enhanced mode)
   → Watch history stored in Neon (EU)
   → No transfer of child data to US

5. You view analytics
   → Data retrieved from Neon (EU)
   → No international transfer

Summary:

  • Most data stays in EU

  • Only YouTube channel/video IDs go to US

  • No child names/ages leave EU

  • Protected by SCCs + privacy-enhanced embedding

Scenario 2: UK Family Upgrading to Paid Tier

Additional data flows: 

6. You click "Upgrade"
   → Redirected to Stripe checkout (US company, EU servers)
   ⚠️ International transfer to US company

7. You enter payment details
   → Goes directly to Stripe, NOT through Tubara
   → Protected by Stripe's PCI-DSS certification
   → Processed in EU region (if available)
   ⚠️ Stripe Inc. is US company (can access data)

8. Payment confirmed
   → Subscription status stored in Neon (EU)
   → Customer ID stored (just an ID, not payment details)
   → No international transfer of payment data

Summary:

  • Payment details go to US company (Stripe)

  • Protected by SCCs + PCI-DSS

  • Tubara never sees card details

  • Subscription status stays in EU

Scenario 3: Password Reset Email

Data flow: 

1. You request password reset
   → Email address sent to SendGrid (US company)
   ⚠️ International transfer

2. SendGrid sends email
   → Processed in EU region (if configured)
   → Delivered to your inbox

3. Email deleted from SendGrid after 30 days
   → Logs retained for legal compliance

Summary:

  • Email address temporarily transferred

  • Protected by SCCs

  • Processed in EU region when possible

  • No child data transferred

How to Minimize International Transfers

Options for Privacy-Conscious Families

Option 1: Free Tier Only

  • Avoid Stripe entirely (no paid subscription)

  • Still requires YouTube API (US transfer)

  • Still requires SendGrid for password resets (US transfer)

  • Minimizes transfers but doesn't eliminate

Option 2: EU-Only Email

  • Use ProtonMail or Tutanota (EU-based email providers)

  • Reduces email data outside EU

  • Still need YouTube API

Option 3: Data Export + Self-Hosting

  • Export your data

  • Host your own similar system (complex)

  • Full control but significant technical effort

Option 4: Accept Transfers with Safeguards

  • Use Tubara as designed

  • Trust SCCs and our safeguards

  • Most practical for typical families

Frequently Asked Questions

"Is my child's data safe if it goes to the US?"

Short answer: Yes, with appropriate safeguards.

Long answer:

  • Child names and ages NEVER leave the EU (encrypted in EU database)

  • Only YouTube channel IDs go to US (no personal data)

  • All transfers protected by Standard Contractual Clauses

  • We've minimized what data crosses borders

  • US companies contractually bound to GDPR compliance

Risk comparison:

Using Tubara with international transfers is safer than:

  • ❌ Direct YouTube access (massive tracking)

  • ❌ YouTube Kids (still Google, less control)

  • ❌ Unprotected browsing

"What if the US government demands my data?"

Legal reality:

  • US surveillance laws (FISA 702) allow government access

  • This is why Schrems II invalidated Privacy Shield

  • SCCs require companies to challenge unlawful requests

What we do:

  • Minimize what data US companies have

  • Use encryption (government can't decrypt)

  • Choose providers who challenge requests

  • Would notify you if legally permitted

Practical risk:

  • Your family data is not interesting to intelligence agencies

  • They target terrorism, national security threats

  • Mass surveillance exists but targets different data

Comparison:

  • UK also has surveillance laws (Investigatory Powers Act)

  • Data in UK still subject to government access

  • International transfers add one more jurisdiction

"Can I use Tubara without any US transfers?"

Technical answer: No, not currently.

Why:

  • YouTube API is essential for the service

  • YouTube is a US company (Google)

  • No equivalent EU-based video platform

Alternatives:

  • ❌ Don't use Tubara (defeats the purpose)

  • ❌ Use only EU video platforms (very limited content)

  • ✅ Accept the risk with our safeguards (most reasonable)

Future possibility:

  • We could add support for EU video platforms (Dailymotion, Vimeo)

  • Would significantly reduce content library

  • Not currently prioritized

"What happens if SCCs are invalidated (Schrems III)?"

If courts invalidate SCCs:

Immediate action (Day 1):

  • Assess which transfers are affected

  • Implement additional safeguards

  • Notify users of changes

Short-term (Weeks 1-4):

  • Evaluate alternative legal mechanisms

  • Consider EU-only service providers

  • May need to restrict features temporarily

Long-term (Months 1-6):

  • Migrate to EU providers where possible

  • Implement new legal frameworks

  • May need to limit service in certain jurisdictions

Worst case: - Service continues for UK users (UK rules may differ)

  • May suspend EU operations temporarily

  • Full data export available before any shutdown

Likelihood:

  • Schrems III legal challenge ongoing

  • We monitor closely

  • Have contingency plans prepared

"How is this different from data breaches?"

Important distinction:

Data Breach:

  • Unauthorized access

  • Security failure

  • Your data exposed to criminals

  • High risk of harm (identity theft, fraud)

International Transfer:

  • Authorized, controlled transfer

  • For legitimate service purposes

  • Your data goes to trusted partners

  • Protected by contracts and law

  • Low risk with safeguards

Simple analogy:

  • Breach = Someone stealing mail from your mailbox

  • Transfer = You sending mail via postal service to another country

"Do other apps I use have the same issue?"

Yes, virtually all do.

Examples:

Netflix (US company):

  • Transfers watch history to US

  • Protected by SCCs

  • Uses EU servers but US company owns them

Spotify (Swedish company, but US operations):

  • Similar transfer issues

  • Most data in EU but some US processing

WhatsApp (Facebook/Meta, US company):

  • Transfers messages metadata to US

  • Protected by SCCs

  • Major Schrems II concerns

Zoom (US company):

  • Video processed in US

  • Major privacy concerns raised

  • Now offers EU routing

Gmail (Google, US company):

  • Emails stored in US

  • Protected by SCCs

  • No truly EU-only option

Point: International transfers are industry-standard. What matters is:

  • ✅ Transparency (does company disclose it?)

  • ✅ Minimization (do they transfer minimum necessary?)

  • ✅ Safeguards (SCCs, encryption, etc.)

  • ✅ Your rights (can you object or export?)

Tubara scores well on all four.

Summary: Tubara's Approach

Our Commitments

1. Transparency

  • ✅ We tell you which providers transfer data

  • ✅ We explain where data goes

  • ✅ We document safeguards used

  • ✅ We update you on legal changes

2. Minimization

  • ✅ Only transfer essential data

  • ✅ Keep child data in EU (names, ages never transferred)

  • ✅ Anonymize/pseudonymize where possible

  • ✅ Regular audits to reduce transfers

3. Safeguards

  • ✅ Standard Contractual Clauses with all US providers

  • ✅ Encryption in transit and at rest

  • ✅ EU-region hosting where available

  • ✅ Additional contractual protections

4. Your Rights

  • ✅ Right to be informed (this document)

  • ✅ Right to object (email us)

  • ✅ Right to export data

  • ✅ Right to deletion

5. Continuous Improvement

  • ✅ Monitor legal developments

  • ✅ Evaluate EU-only alternatives

  • ✅ Update safeguards as needed

  • ✅ Prepare contingency plans

The Trade-Off

Benefits of international transfers:

  • 🌍 Access to best-in-class providers (Stripe, YouTube)

  • 💰 Cost-effective service delivery

  • 🚀 Faster innovation (global ecosystem)

  • 📈 Scalability (handle thousands of families)

Costs of international transfers:

  • ⚠️ Additional legal complexity

  • ⚠️ Potential government access (US surveillance)

  • ⚠️ Dependence on US companies

  • ⚠️ Legal uncertainty (Schrems III pending)

Our philosophy:

  • The benefits outweigh the risks when properly safeguarded

  • We mitigate risks through minimization and protection

  • We remain transparent about limitations

  • We give you control over your data

How to Learn More

Official Resources

EU GDPR Information:

  • European Commission: https://ec.europa.eu/info/law/law-topic/data-protection

  • European Data Protection Board: https://edpb.europa.eu/

UK GDPR Information:

  • UK Information Commissioner's Office: https://ico.org.uk/

  • UK GDPR Guidance: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/

International Transfers:

  • EU adequacy decisions: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions

  • Standard Contractual Clauses: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc

Tubara-Specific Information

Contact us:

  • General questions: privacy@tubara.world

  • Transfer objections: privacy@tubara.world

  • Data requests: privacy@tubara.world

Response time: 30 days (GDPR requirement)

Documentation:

  • Privacy Policy (full legal text)

  • Data Processing Agreement (for paid tiers)

  • List of Sub-processors (updated quarterly)

Conclusion

International data transfers are complex, but here's what matters:

Your child's most sensitive data (names, ages) stays in the EU

All international transfers are protected by legal safeguards (SCCs)

We minimize what data crosses borders

You have rights to object, access, and delete

We're transparent about risks and limitations

We continuously monitor and improve

The bottom line:

Using Tubara involves some international transfers (primarily to YouTube in the US), but these are:

  • Necessary for the service

  • Protected by strong safeguards

  • Less risky than direct YouTube access

  • Compliant with GDPR requirements

You can trust Tubara because:

  • We follow the law scrupulously

  • We go beyond minimum requirements

  • We put your family's privacy first

  • We're honest about limitations

Your family's safety and privacy matter to us. We've designed our system to give you YouTube's educational benefits while maximizing privacy protection, including thoughtful handling of international transfers.

Document Version: 1.0

Last Updated: November 2025

Next Review: Quarterly (or when laws change)

Legal Basis: GDPR Articles 44-50, UK GDPR equivalent provisions

Disclaimer: This document is for informational purposes and does not constitute legal advice. It reflects our current understanding and practices. For definitive legal interpretations, consult the official GDPR text and your legal counsel.