Data Processing Addendum (DPA)

This DPA outlines how Mailoodeer processes and protects your data in compliance with GDPR, CCPA, and global privacy laws.

1. Definitions

This section outlines key terms used throughout the Mailoodeer Data Processing Addendum (“DPA”). These definitions ensure clarity regarding how customer data is handled, stored, and protected under international privacy laws like the GDPR, CCPA, and others.

  • Customer Data: Any personal data submitted or imported into the Mailoodeer platform by the customer or on their behalf (e.g., subscriber names, emails, campaign activity).
  • Data Subject: An identifiable individual whose personal data is processed by Mailoodeer on behalf of the customer (e.g., your subscribers or contacts).
  • Processing: Any operation performed on Customer Data, including collection, use, storage, disclosure, or deletion.
  • Controller: The party that determines the purpose and means of processing personal data — typically, this is you (the customer).
  • Processor: The party that processes personal data on behalf of the Controller — in this case, Mailoodeer.
  • Sub-processor: A third-party service provider engaged by Mailoodeer to assist in providing its services (e.g., cloud hosting, email infrastructure providers). All Sub-processors are contractually bound by privacy and security obligations.
  • Sensitive Data: Highly confidential information such as health records, credit card numbers, passwords, or biometric data. Mailoodeer does not intend to process sensitive data and advises against uploading such information into your email campaigns.
  • Security Incident: Any confirmed unauthorized access, use, or disclosure of Customer Data that compromises its integrity or confidentiality. Mailoodeer has strict protocols to detect and respond to such incidents.
  • Data Protection Laws: Global privacy regulations governing data use, including the EU’s GDPR, UK’s Data Protection Act, California's CCPA/CPRA, Canada’s PIPEDA, and others.
  • Standard Contractual Clauses (SCCs): Legal contracts adopted by the European Commission to ensure adequate data protection when transferring personal data outside the EEA.
  • Data Privacy Framework (DPF): U.S.-based self-certification mechanisms that help govern international data transfers from the EU, UK, or Switzerland to the U.S.
  • Mailoodeer Service: The full suite of tools offered by Mailoodeer, including email campaign creation, automation, subscriber management, analytics, and API integrations.

All capitalized terms used in this DPA that are not otherwise defined here shall have the meanings set forth in the Mailoodeer Terms of Service.

2. Roles and Responsibilities

At Mailoodeer, we take data protection seriously. This section clarifies the roles of you (the customer) and us (Mailoodeer) under data protection laws such as the GDPR, CCPA, and similar frameworks. Understanding our respective responsibilities helps ensure transparent and lawful data processing across all your email marketing activities.

  • Mailoodeer as the Data Processor: When you use our platform to manage contacts or run email campaigns, Mailoodeer acts as a data processor. This means we only process Customer Data based on your instructions — for example, sending an email to a selected list, generating campaign reports, or syncing with third-party tools.
  • You as the Data Controller: You (the customer) are the data controller, as you determine what data is collected, how it’s used, and who receives it. You are responsible for ensuring all your actions comply with applicable privacy regulations and that you have proper consent from your subscribers.
  • Permitted Purposes Only: Mailoodeer only processes your data for purposes you’ve authorized — such as sending campaigns, tracking opens/clicks, segmenting lists, and supporting integrations — and always within the scope of our agreement. Any use beyond that requires your explicit, documented instruction.
  • Prohibited Data: You agree not to upload or process any sensitive personal data (e.g., passwords, health info, government ID numbers) on the Mailoodeer platform. We do not provide safeguards for such data and disclaim any liability for its use or exposure.
  • Your Legal Responsibility: You confirm that you have obtained all necessary permissions and consents from your contacts before using their data in Mailoodeer. This includes complying with opt-in requirements, providing privacy disclosures, and honoring unsubscribe requests.
  • Compliance Assurance: If you are using Mailoodeer on behalf of another organization (e.g., you are an agency managing campaigns for clients), you warrant that you are authorized to issue instructions on their behalf, including consent to any Sub-processors we engage.
  • Lawfulness of Instructions: You are responsible for ensuring that any instructions you give us (including sending email campaigns, importing lists, or using automation) are lawful under applicable privacy regulations. If we believe an instruction violates such laws, we will notify you as required.

By using Mailoodeer, you acknowledge and accept your role as Data Controller and our role as Processor in line with global data protection regulations. This collaborative clarity is foundational to secure and compliant email marketing.

3. Sub-processing

To provide you with a fast, scalable, and reliable email marketing platform, Mailoodeer may engage trusted third-party service providers — known as Sub-processors — to help process your Customer Data. This section outlines our sub-processing policies and how we ensure your data remains protected at all times.

  • What is a Sub-processor? A Sub-processor is a third-party vendor or affiliate engaged by Mailoodeer to perform data-related functions, such as cloud hosting, email delivery infrastructure, analytics, or customer support systems.
  • Your Authorization by Default: By using Mailoodeer, you grant us permission to use Sub-processors to support the service. A full list of our current Sub-processors — including their function and location — is available upon request or on our Sub-processor Disclosure Page.
  • Advance Notification of Changes: If we add or replace a Sub-processor that processes your Customer Data, we will provide at least 10 days’ advance notice via email or public update (if you’ve opted in). You may object to a new Sub-processor on reasonable data protection grounds.
  • Strict Data Agreements: Every Sub-processor we work with is bound by a legally enforceable agreement that requires them to uphold security, confidentiality, and data protection standards equal to or greater than those set out in this DPA.
  • Our Responsibility: Mailoodeer remains fully accountable for the actions of any Sub-processor. If a Sub-processor fails to meet their obligations under this DPA, we will take corrective action and remain liable to you for any resulting breach.
  • Confidentiality Restrictions: While we may not be able to share the full text of Sub-processor contracts due to confidentiality clauses, we will always provide you with as much transparency as legally and reasonably possible.

Mailoodeer ensures that any third party processing your data on our behalf does so with the highest level of compliance and security. By choosing our platform, you benefit from a vetted ecosystem of trusted infrastructure providers, helping to power your campaigns efficiently and securely.

4. Security

At Mailoodeer, safeguarding your data is our top priority. We implement industry-standard security protocols to ensure your Customer Data is protected from unauthorized access, breaches, or misuse — supporting your compliance with GDPR, CCPA, and other data protection regulations.

  • Technical & Organizational Safeguards: We apply multi-layered security measures, including encrypted data transmission (HTTPS/TLS), firewalls, access controls, and monitoring systems. Full details can be found in our Security Annex.
  • Employee Access is Limited: Only authorized Mailoodeer team members — who are under binding confidentiality agreements — may access Customer Data, and only when necessary to deliver or troubleshoot the service.
  • Adaptive Security Improvements: Our security measures are regularly reviewed and updated based on evolving threats, new technologies, and regulatory requirements. You can expect our protection standards to grow with your business needs.
  • Security Incident Response: In the unlikely event of a security breach involving your data, we will notify you without undue delay. Our team will assist you with investigation details, scope of impact, and steps taken to mitigate future risk — all while complying with applicable legal obligations.
  • No Unauthorized Content Review: Mailoodeer does not monitor the content of your campaigns or contact data. You retain full control and responsibility for all content uploaded to the platform.
  • Your Role in Security: You are responsible for maintaining the confidentiality of your Mailoodeer account credentials, securely managing access within your team, and ensuring that your imported data does not include sensitive or prohibited content (e.g., unencrypted passwords or medical data).

Security is not a one-way street. While we provide enterprise-grade infrastructure, your participation in following best practices is equally important. Together, we protect your email marketing operations and subscriber data integrity.

5. Security Reports and Audits

Mailoodeer is committed to transparency and accountability in how we protect your data. To support your compliance obligations — including GDPR and enterprise data security assessments — we provide access to security documentation and audit reports as outlined below.

  • Access to Security Documentation: We maintain detailed internal records and policies on how Mailoodeer protects Customer Data. Upon request, we can provide summaries of our most recent third-party audits or security reviews under NDA.
  • Industry Certifications & Standards: Our infrastructure providers (e.g., hosting, cloud, and email delivery) undergo regular security certifications such as ISO 27001, SOC 2, or similar — ensuring your email marketing data is handled on trusted, secure platforms.
  • Audit Support: If your organization requires evidence of compliance (e.g., for internal audit or regulatory purposes), Mailoodeer will reasonably assist by sharing documentation or completing vendor assessments. Please contact us through your account or at privacy@mailoodeer.com.
  • Frequency & Scope: You may request security-related documentation no more than once per calendar year, unless otherwise required by applicable law or due to a confirmed security incident.
  • Third-Party Inspection Rights: In rare cases where a formal audit is legally required or contractually mandated, Mailoodeer will cooperate in good faith — provided that such audit:
    • Is limited to Customer Data only,
    • Is conducted during normal business hours, and
    • Does not disrupt Mailoodeer’s business operations or compromise other customers’ data or infrastructure.

We understand that trust is earned through verification. Mailoodeer welcomes your due diligence and will provide reasonable documentation and cooperation to confirm the integrity of our platform.

6. International Transfers

Mailoodeer operates as a global SaaS email marketing platform, which means your Customer Data may be processed or stored outside of your country. This section explains how we handle cross-border data transfers in full compliance with GDPR, CCPA, and other applicable data protection laws.

  • Global Infrastructure: To ensure speed and reliability, Mailoodeer may process Customer Data in secure data centers located in the United States or other countries where our infrastructure or Sub-processors operate.
  • EU/EEA, UK, and Swiss Transfers: For customers subject to the General Data Protection Regulation (GDPR), UK GDPR, or Swiss DPA, we use legally approved transfer mechanisms such as:
    • Standard Contractual Clauses (SCCs) adopted by the European Commission,
    • The UK International Data Transfer Addendum (UK Addendum), and
    • Swiss-specific SCC modifications for Swiss data transfers.
  • Data Privacy Framework (DPF): Where applicable, Mailoodeer may rely on the EU-U.S. Data Privacy Framework or equivalent schemes to ensure adequate protection for transfers to the United States.
  • Transfers from Other Regions: For countries like Canada (PIPEDA) or Australia (Privacy Act 1988), Mailoodeer ensures data transfers are lawful and protected under contractually binding terms aligned with local law.
  • Customer Rights & Suspension: If you believe an international transfer poses a legal risk under your local law, you may notify us and we will work with you to assess, suspend, or modify the data transfer pathway if reasonably required.
  • Fallback Safeguards: In the event any international data transfer mechanism becomes invalid (e.g., by court decision or regulator action), Mailoodeer will take commercially reasonable steps to adopt alternative safeguards that meet legal requirements and ensure uninterrupted service.

Mailoodeer’s data transfer practices are designed to maintain the confidentiality, integrity, and lawful handling of Customer Data — no matter where it is processed. We continuously monitor global privacy frameworks to stay ahead of evolving requirements.

7. Return or Deletion of Data

Mailoodeer believes in data control, transparency, and privacy-first operations. When your relationship with us ends — whether due to subscription cancellation, contract expiration, or other reasons — you remain in control of your Customer Data. This section explains how data can be deleted, retrieved, or securely retained in accordance with global privacy regulations like GDPR, CCPA, and more.

  • Full Data Export Option: Before terminating your account, you can export all contacts, campaigns, reports, and email templates directly from your Mailoodeer dashboard. We provide accessible tools to ensure you retain a full copy of your data if needed.
  • Data Deletion Upon Request: After your account is closed or upon written request, Mailoodeer will delete all Customer Data stored in our systems — including backups — unless retention is required by law (e.g., for tax, security, or anti-fraud purposes).
  • Secure Deletion Process: When deletion is performed, we follow secure wiping standards to ensure the data is irretrievable. Any archived copies will be isolated and protected until scheduled removal from our systems.
  • Retention Exceptions: Some minimal data may be retained:
    • Where required to fulfill legal obligations (e.g., financial records)
    • Where necessary for dispute resolution or fraud prevention
    • As part of server-level backup retention policies (e.g., 30–90 days)
  • Certification Upon Request: If required for compliance, you may request written confirmation (a “certificate of deletion”) after your Customer Data has been securely erased from our systems.

With Mailoodeer, your data never gets locked in. Whether you want to take it with you, cleanly delete it, or store a legal backup — our system is built to respect your choices and meet your compliance goals.

8. Data Subject Rights

Mailoodeer empowers you — and your subscribers — to stay in control of personal data. In alignment with GDPR, CCPA, and other privacy regulations, this section explains how we support Data Subject Rights such as access, deletion, correction, and restriction.

  • Self-Service Tools: As a Mailoodeer customer, you can access, update, or delete Customer Data (like contact info or campaign content) directly from your dashboard. This helps you fulfill data requests quickly — without needing technical support.
  • Access, Correction, and Deletion Requests: If a contact (data subject) reaches out to you asking to view, correct, or erase their data, you can process those requests using Mailoodeer’s built-in tools. You are the Data Controller, so we won’t act unless directed by you — unless legally required.
  • Cooperation with Customer Requests: If you receive a data subject request and need assistance (e.g. complex deletion or export), our team will provide reasonable support to help you meet your legal obligations. Just contact privacy@mailoodeer.com.
  • Direct Requests to Mailoodeer: If a subscriber contacts Mailoodeer directly (e.g., about email consent or privacy), we will not respond with their data unless we are legally required. Instead, we will redirect them to contact you — the Controller.
  • Data Portability Support: Upon request, we will help you export subscriber data in a machine-readable format (e.g., CSV or JSON) to support portability or migration needs.
  • CCPA & Global Laws: For U.S. users and contacts, Mailoodeer supports CCPA rights including “Do Not Sell My Info” requests, opt-outs, and access to data categories. Similar principles apply for Canada (PIPEDA), Brazil (LGPD), and other global laws.

At Mailoodeer, we don’t just help you send great email — we help you stay compliant with today’s most important privacy rights. Whether it’s a GDPR request or a contact asking for data deletion, we’ve got the tools and support to help you respond fast and accurately.

9. Jurisdiction-Specific Terms

Mailoodeer serves customers around the world. Depending on where you or your subscribers are located, different data protection laws may apply. This section outlines country- or region-specific privacy terms that supplement our global Data Processing Addendum (DPA).

  • 🇪🇺 European Union (EU) / EEA: For customers and subscribers within the EU or European Economic Area, Mailoodeer adheres to the GDPR. We rely on mechanisms like Standard Contractual Clauses (SCCs) for international transfers and support full rights for data subjects as outlined in the GDPR.
  • 🇬🇧 United Kingdom (UK): For UK-based users, Mailoodeer complies with the UK General Data Protection Regulation (UK GDPR). We also incorporate the UK International Data Transfer Addendum into our SCC framework for compliant cross-border transfers.
  • 🇨🇭 Switzerland: Mailoodeer processes Swiss data in accordance with the Swiss Federal Act on Data Protection (FADP). Swiss-specific SCCs and supervisory authority terms apply where relevant.
  • 🇺🇸 United States (California and other states): We follow the California Consumer Privacy Act (CCPA), as amended by the CPRA. This includes supporting consumer rights such as access, deletion, opt-out of sale/sharing, and non-discrimination. We do not “sell” Customer Data under CCPA definitions.
  • 🇨🇦 Canada: For Canadian users, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). Mailoodeer ensures that our Sub-processors qualify as “third parties” under Canadian law and implements appropriate transfer protections.
  • 🇧🇷 Brazil: Mailoodeer supports compliance with the Lei Geral de Proteção de Dados (LGPD), including lawful basis for processing, individual rights, and controller/processor responsibilities.
  • 🇦🇺 Australia: If you or your users are located in Australia, we process data in line with the Privacy Act 1988 (Cth). International transfers from Australia follow privacy safeguards similar to GDPR standards.
  • In case of conflict: Where any jurisdiction-specific clause conflicts with the main DPA, the local clause will prevail — but only to the extent it is applicable.

Mailoodeer is built for global compliance. Whether your audience is in Europe, North America, Asia-Pacific, or beyond — our platform adapts to meet regional legal requirements, keeping your campaigns safe, secure, and legally sound.

10. Limitation of Liability

While Mailoodeer is fully committed to maintaining the privacy, security, and integrity of your Customer Data, it’s important to define the scope of legal liability between you (the Customer) and us (Mailoodeer) when it comes to data protection responsibilities.

  • Liability Tied to the Main Agreement: All liability arising from this Data Processing Addendum (DPA) — including any claims related to data privacy, security breaches, or misuse — is subject to the limitations and exclusions set forth in the Mailoodeer Terms of Service or your active service agreement.
  • Aggregate Cap on Liability: Unless prohibited by law, the total liability of each party (including all its affiliates) under this DPA is limited to the amount paid by the Customer for the Mailoodeer services during the 12 months prior to the event giving rise to the claim.
  • No Limitation for Data Subject Rights: Nothing in this section limits or excludes a party’s liability for violating an individual’s data protection rights under GDPR, CCPA, or other applicable laws — where such limitation is legally unenforceable.
  • Single Point of Enforcement: Any claim under this DPA must be brought solely by the Customer entity that signed the main agreement with Mailoodeer. No third party (including a subscriber or contact) can directly enforce this DPA unless required by law.
  • Affiliate Scope: The term “Mailoodeer” under this section includes our subsidiaries, affiliates, employees, contractors, and agents — who are all protected by the same liability boundaries set in this Agreement.

This limitation structure ensures mutual protection and helps keep Mailoodeer accessible and sustainable for thousands of marketers worldwide — while still respecting the legal rights of your subscribers and contacts.

11. Relationship with the Agreement

This Data Processing Addendum (DPA) is an extension of your main agreement with Mailoodeer. It works in tandem with our Terms of Service and other service contracts to clearly define how we handle Customer Data under data protection laws such as GDPR, CCPA, and others.

  • Binding Agreement: This DPA becomes legally binding once you use the Mailoodeer service or sign a service agreement. It governs how we process, secure, and transfer Customer Data on your behalf.
  • DPA > Terms if Conflict Arises: If there's ever a conflict between the DPA and our standard Terms of Service, the following priority order applies:
    1. First — Standard Contractual Clauses (if used)
    2. Second — This Data Processing Addendum (DPA)
    3. Third — Mailoodeer Terms of Service
  • Duration of Effect: This DPA remains in force as long as Mailoodeer processes Customer Data on your behalf — even after your subscription ends — until all data is deleted or returned as per Section 7.
  • Supersedes Older Agreements: If you previously signed any older data processing terms with us, this DPA fully replaces those prior agreements unless otherwise agreed in writing.
  • Third-Party Enforcement Excluded: No third party (such as your contacts or a third-party controller) has rights to enforce any part of this DPA unless legally required by applicable privacy law.
  • Jurisdiction and Governing Law: The DPA follows the governing law stated in your main Mailoodeer service agreement — unless mandatory data protection law requires otherwise (e.g., GDPR jurisdiction rules).

In short, this DPA is fully integrated into your Mailoodeer experience. It clarifies our shared responsibilities when handling personal data — while supporting you with global privacy compliance from day one.

Annex A – Data Processing Details

This Annex outlines the specific details of how Mailoodeer processes Customer Data on your behalf. It includes what types of data are collected, how frequently they’re processed, for what purpose, and for how long.

  • 📌 Categories of Data Subjects:
    • Members: Users who hold a Mailoodeer account (e.g., your team, collaborators).
    • Contacts: Subscribers, leads, or customers whose personal data is imported or collected through your use of the platform.
  • 📂 Categories of Personal Data:
    • For Members: Full name, email address, business title, login credentials, billing info, IP address, account activity.
    • For Contacts: Email address, name, gender, job title, location, marketing preferences, purchase history, open/click behavior, UTM parameters, device info, IP address, cookies (if tracked via embedded forms or pixels).
  • 🚫 Sensitive Data: Mailoodeer does not intentionally collect or process sensitive data (e.g., health info, government ID, biometric data). You agree not to upload or store such information in our system.
  • 🔁 Frequency of Processing: Data is processed continuously and automatically, based on your usage — such as when sending a campaign, importing contacts, or tracking performance analytics.
  • 📬 Purpose of Processing:
    • Sending email campaigns and automations
    • Managing audiences, tags, and segmentation
    • Tracking campaign engagement and link clicks
    • Generating analytics, dashboards, and reports
    • Providing customer support and performance optimization
    • Ensuring platform security, deliverability, and legal compliance
  • ⏳ Duration of Processing: Customer Data is processed as long as your Mailoodeer account is active. After termination, data is deleted or returned according to our retention policies outlined in Section 7.
  • 📥 Data Storage & Hosting: Data may be stored in secure cloud infrastructure located in the United States or other countries where our authorized Sub-processors operate. All transfers follow legal safeguards (see Section 6).

Annex A ensures clarity on exactly what data Mailoodeer touches — and how we help you stay compliant while scaling your email marketing efforts.

Annex B – Security Measures

Mailoodeer employs industry-leading security practices to protect the confidentiality, integrity, and availability of Customer Data. This Annex summarizes the technical and organizational measures we implement to prevent unauthorized access, misuse, or data loss.

  • 🔐 Data Encryption: All Customer Data is encrypted:
    • In transit using TLS 1.2+ (HTTPS)
    • At rest using AES-256 or platform-equivalent security
  • 🧑‍💻 Access Control: Access to systems and Customer Data is restricted to authorized employees or contractors based on job role and least-privilege principles. All access is logged and reviewed regularly.
  • 🪪 Authentication & Account Security: Mailoodeer supports secure account logins with:
    • Hashed & salted passwords (never stored in plain text)
    • Session expiration and inactivity auto-logout
    • Optional two-factor authentication (2FA)
  • 📈 Monitoring & Threat Detection: Real-time system monitoring, anomaly detection, and automated alerts help our team respond to suspicious activity immediately.
  • 🧯 Incident Response Plan: Mailoodeer maintains a structured incident response process, including:
    • Immediate alerting and internal triage
    • Impact assessment and customer notification (if applicable)
    • Mitigation, forensic analysis, and long-term fixes
  • 🧑‍🏫 Employee Training: All Mailoodeer team members receive annual security and privacy awareness training, covering phishing, password safety, and data handling best practices.
  • 🧪 Penetration Testing: We regularly perform vulnerability scans and third-party penetration tests to identify and fix potential weaknesses before they can be exploited.
  • 📁 Data Backup & Recovery: Customer Data is backed up automatically across multiple availability zones. In the event of system failure, disaster recovery plans allow for rapid restoration with minimal downtime.
  • 📜 Documentation & Audits: Security policies, system architecture, and audit logs are maintained and available under NDA for customers with compliance or due diligence requirements. See Section 5.

These controls help ensure that your campaigns, contacts, and email analytics remain secure — from login to delivery. Mailoodeer continues to evolve our security strategy in line with industry standards and real-world threats.

Annex C – Jurisdiction Terms

Mailoodeer supports customers across multiple legal jurisdictions. This Annex provides region-specific data protection provisions that apply in addition to the terms outlined in our core DPA — ensuring local compliance wherever your audience resides.

  • 🇪🇺 European Union (EU) / EEA:
    • Transfers outside the EEA are governed by the EU Standard Contractual Clauses (SCCs).
    • Customers have the right to object to new Sub-processors (see Section 3).
    • If Mailoodeer receives government data access requests, we will (where lawful) notify and redirect the request to you, the Controller.
  • 🇬🇧 United Kingdom:
    • Transfers are subject to the UK Addendum to the SCCs.
    • References to the GDPR should be interpreted under UK law as "UK GDPR."
  • 🇨🇭 Switzerland:
    • SCCs are interpreted according to the Swiss Federal Data Protection Act (FADP).
    • “EU” references in clauses are replaced with “Switzerland.”
    • Swiss courts and supervisory authorities have jurisdiction over disputes.
  • 🇺🇸 United States (California):
    • Mailoodeer acts as a "Service Provider" under the California Consumer Privacy Act (CCPA).
    • We do not "sell" or "share" personal information as defined under the CCPA.
    • Customers must ensure proper use of personal data, and may request deletion or access as per CCPA rules.
  • 🇨🇦 Canada:
    • We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA).
    • All Sub-processors are bound by agreements ensuring compliance with Canadian privacy standards.
    • Cross-border data transfers from Canada include contractual safeguards.
  • 🇧🇷 Brazil:
    • Mailoodeer supports the LGPD (Lei Geral de Proteção de Dados), including lawful basis for processing and user rights.
    • We process Brazilian data with transparency, and customers remain responsible for consent collection and legal usage.
  • 🇦🇺 Australia:
    • We follow the Australian Privacy Act 1988 (Cth).
    • International data transfers from Australia require that adequate safeguards are in place.
  • 📝 Conflict Resolution: If any term in this Annex conflicts with the rest of the DPA, the local clause takes precedence for that region only.

Mailoodeer is committed to building a globally compliant, privacy-first email marketing platform. Whether you're operating in the EU, UK, US, Canada, or beyond — this Annex ensures that your local data laws are fully respected.