GDPR Compliance

Mixpanel strongly believes that customers should be able to control their data and trust that information is protected when stored in its servers. To support this, Mixpanel holds itself to strict data security and privacy standards, including compliance with the General Data Protection Regulation (GDPR).

The following information serves as an overview of the key information about the GDPR and the services that Mixpanel provides that align with the regulation. View this page to see the formal statement of Mixpanel's approach to the GDPR.

GDPR FAQ

This 2-page PDF answers the following questions: 

  • What is the GDPR?
  • How does GDPR impact Mixpanel and its customers?
  • Is Mixpanel collecting data?
  • Does GDPR require data to stay in the EU or to be stored in the EU?
  • Will Mixpanel be compliant with GDPR?
  • Will Mixpanel enter into a Data Processing Agreement (“DPA”) with me?
  • Does Mixpanel have publicly available information about its security program?

Supporting Data Subject Rights

As controllers of personal data, Mixpanel and its customers must uphold certain rights stated by the GDPR, including:

Right to Access and Data Portability

Mixpanel will support individuals’ right to access and right to portability of their personal data through individual export requests. Any Mixpanel account holder will be able to request an export of their own personal data, as well as the personal data of their own end users. The forms for submitting end user personal data export requests and account holder data export requests are available through the Privacy portal in Account settings.

Right to Erasure

We support individuals’ right to erasure through a permanent deletion of personal data upon request. The Deletion API is available to all users.

Right to Object

Our customers control what data is sent to Mixpanel, and may decide to halt the sending of personal data at any time. To assist with supporting individuals’ right to object to the collection of one’s personal data, Mixpanel also has built dedicated methods for our client-side SDKs that can be used to opt end users out of tracking.

Mixpanel collects information about how customers use the product, and uses this data to identify product gaps and improve existing products. While this information is useful, Mixpanel recognizes the importance of an individual's right to object. Mixpanel has therefore streamlined opt-out systems for its customers, who can opt out of tracking through simple controls located in the Privacy portal in their Account settings.

Privacy by Design

Mixpanel builds products with privacy and security central in its design. See the information below for more details about the safeguards that Mixpanel puts in place to protect customer data.

Security White Paper

This 13-page PDF is an overview of the Mixpanel Security Program and Practices, including:

  • Data Collection
  • Physical Security
  • Employee Security Awareness
  • Incident Response  
  • Security features and functionality
  • Application and Network Architecture

Security Questionnaire 

This 4-page PDF contains 24 questions and detailed answers covering:

  • Data Center Features
  • Data Retention and Deletion
  • Data Security and Management
  • Encryption and Password Management
  • HR/Corporate Policies
  • Audits
  • Threat and Vulnerability Management

Data Retention Policy

As processors of its customers’ data and to protect the privacy of information it stores, Mixpanel holds data no longer than is needed to provide its services. To further support this, Mixpanel is implementing a data retention policy starting May 25th:

  • Events received over 5 years ago are automatically deleted on an ongoing basis from all projects.
  • People data is retained indefinitely. Customers are given the ability to delete profiles using the Engage API.

This policy includes projects that were deleted or reset through the Project Settings. Deleting a project through the Project Settings triggers a soft deletion, and the data in the deleted or reset project will remain stored in Mixpanel according to event and people data retention policies.

Custom data retention windows can be set for people data by sending regular deletion requests to the Engage API. For more questions about setting custom data retention windows, contact our support team.

Additional Information and Resources

Data Processing Addendum

Mixpanel has updated its DPA to ensure compliance with all GDPR-specific requirements. This supplements Mixpanel's Terms of Use and provides contractual safeguards to its customers for the processing of personal data sent through Mixpanel. The DPA enables Mixpanel's customers to comply with the GDPR.

Data Protection Officer

Mixpanel has a dedicated Data Protection Officer (DPO), along with a team of privacy and security professionals dedicated to our compliance and to helping you maintain your compliance when using Mixpanel.

If you would like to reach our DPO or have follow-up questions, please reach out to us at compliance@mixpanel.com.
