How Mailneo processes personal data on your behalf under GDPR
This Data Processing Agreement ("DPA") forms part of the Mailneo Terms of Service (the "Agreement") between Mailneo, Inc. ("Mailneo", the "Processor") and the customer accepting the Agreement (the "Customer", the "Controller"). It applies whenever Mailneo processes personal data on the Customer's behalf that is subject to the EU General Data Protection Regulation (GDPR), the UK GDPR, or similar data protection laws. It is automatically incorporated into the Agreement — no signature is required. If you need a countersigned copy for your records, contact privacy@mailneo.co.
For personal data the Customer stores or processes in Mailneo — such as subscriber lists, contact records, and campaign recipients — the Customer is the controller and Mailneo is the processor. Mailneo processes this data only to provide the services described in the Agreement. For data about the Customer's own account (login details, billing information), Mailneo is an independent controller, as described in our Privacy Policy.
Mailneo will:
The Customer gives Mailneo general authorization to engage subprocessors to provide the services. The current list is published at mailneo.co/subprocessors. Mailneo will update that page and notify account owners by email at least 30 days before a new subprocessor processes customer personal data. If the Customer objects on reasonable data-protection grounds and Mailneo cannot offer a workaround, the Customer may terminate the affected subscription and receive a pro-rata refund of prepaid fees. Mailneo imposes data protection obligations on its subprocessors that are no less protective than this DPA and remains liable for their performance.
Mailneo's infrastructure is located in the United States. Where personal data protected by the GDPR is transferred to a country without an adequacy decision, the parties rely on the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914), Module Two (controller to processor), which are incorporated into this DPA by reference. For transfers subject to the UK GDPR, the UK International Data Transfer Addendum applies; for Swiss data, the clauses are read to include the Swiss FADP as required.
Mailneo will notify the Customer without undue delay — and in any event within 72 hours — after becoming aware of a personal data breach affecting customer personal data. The notification will describe the nature of the breach, the likely consequences, the measures taken or proposed, and a contact point for more information.
Mailneo implements technical and organizational measures appropriate to the risk, including:
More detail is available on our Security page.
The services include self-serve tools that let the Customer honor data subject requests directly: contacts can be exported (CSV/JSON), corrected, and permanently deleted from within the app, and unsubscribe requests are enforced automatically at send time. Where a request cannot be completed self-serve, Mailneo will assist within a reasonable time on request.
When a contact is permanently deleted, associated engagement records are deleted or anonymized. Suppression records (email addresses of people who unsubscribed or complained) are retained as a legal-obligation exception under GDPR Article 17(3)(b), solely to ensure those recipients are never emailed again. Upon termination of the Agreement, Mailneo deletes customer personal data within 30 days of account closure, with residual copies removed from backups within 90 days.
Mailneo will make available information reasonably necessary to demonstrate compliance with this DPA, including summaries of third-party audit reports for its infrastructure providers. Where required by law, the Customer may conduct an audit no more than once per year, on at least 30 days' written notice, during normal business hours, and without access to other customers' data.
This DPA is governed by the same law as the Agreement. If there is a conflict between this DPA and the Agreement regarding the processing of personal data, this DPA prevails; if there is a conflict between this DPA and the Standard Contractual Clauses, the Clauses prevail. Liability under this DPA is subject to the limitations of liability in the Agreement.
Questions about this DPA or our data protection practices: privacy@mailneo.co
Last updated: July 12, 2026