Mixpanel strongly believes that customers should be able to control their data and trust that information is protected when stored in its servers. To support this, Mixpanel holds itself to strict data security and privacy standards, including compliance with the General Data Protection Regulation (GDPR).
The following information serves as an overview of the key information about the GDPR and the services that Mixpanel provides that align with the regulation. View this page to see the formal statement of Mixpanel's approach to the GDPR.
This 2-page PDF answers the following questions:
- What is the GDPR?
- How does GDPR impact Mixpanel and its customers?
- Is Mixpanel collecting data?
- Does GDPR require data to stay in the EU or to be stored in the EU?
- Will Mixpanel be compliant with GDPR?
- Will Mixpanel enter into a Data Processing Agreement (“DPA”) with me?
- Does Mixpanel have publicly available information about its security program?
Supporting Data Subject Rights
As controllers of personal data, Mixpanel and its customers must uphold certain rights stated by the GDPR, including:
Right to Access and Data Portability
Mixpanel will support individuals’ right to access and right to portability of their personal data through individual export requests. Any Mixpanel account holder will be able to request an export of one’s own personal data, as well as the personal data of their own end-users. The form for submitting end user personal data export requests and for submitting account holder data export requests is available through the Privacy portal in Account settings.
Right to Erasure
We support individuals’ right to erasure through a permanent deletion of personal data upon request. Requests for deletion of one’s own personal data or deletion of the personal data of end-users are accepted through a deletion API (available by request) and through the Privacy portal in Account settings. Each request will require a list of distinct_ids to delete, along with the project in which the data is stored.
Right to Object
Our customers control what data is sent to Mixpanel, and may decide to halt the sending of personal data at any time. To assist with supporting individuals’ right to object to the collection of one’s personal data, Mixpanel also has built dedicated methods for our client-side SDKs that can be used to opt end users out of tracking.
Mixpanel collects information about how customers use the product, and uses this data to identify product gaps and improve existing products. While this information is useful, Mixpanel recognizes the importance of an individuals right to object. Mixpanel has therefore streamlined opt-out systems for its customers, who can opt out of tracking through simple controls, located in the Privacy portal in their Account settings.
Privacy by Design
Mixpanel builds products with privacy and security central in its design. See the information below for more details about the safeguards that Mixpanel puts in place to protect customer data.
Security White Paper
This 13-page PDF is an overview of the Mixpanel Security Program and Practices, including:
- Data Collection
- Physical Security
- Employee Security Awareness
- Incident Response
- Security features and functionality
- Application and Network Architecture
This 4-page PDF contains 24 questions and detailed answers covering:
- Data Center Features
- Data Retention and Deletion
- Data Security and Management
- Encryption and Password Management
- HR/Corporate Policies
- Threat and Vulnerability Management
Data Retention Policy
As processors of its customers’ data and to protect the privacy of information it stores, Mixpanel holds data no longer than is needed to provide its services. To further support this, Mixpanel is implementing a data retention policy starting May 25th:
- Events received over 5 years ago are automatically deleted on an ongoing basis from all projects.
- People data is retained indefinitely. Customers are given the ability to delete profiles using the Engage API.
This policy includes projects that were deleted or reset through the Project Settings -- deleting a project through the Project Settings triggers a soft deletion, and the data in the deleted or reset project will remain stored in Mixpanel according to event and people data retention policies.
Custom data retention windows can be set for people data by sending regular deletion requests to the Engage API. For more questions about setting custom data retention windows, contact our support team.
Additional Information and Resources
Data Processing Addendum
Data Protection Officer
Mixpanel has a dedicated Data Protection Officer (DPO), along with a team of privacy and security professionals dedicated to our compliance and to helping you maintain your compliance when using Mixpanel.
If you would like to reach our DPO or have or have follow-up questions please reach out to us at firstname.lastname@example.org.