GDPR Data Processing Information

Data Processing Schedule

This Data Processing Schedule ("Schedule") provides detailed information about how MaileniumAI ("we", "us", "our", or "Processor") processes personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws. This Schedule supplements our Privacy Policy and Terms of Service and forms part of our Data Processing Agreement with users who act as data controllers.

Last Updated: March 2, 2026

1. Categories of Data Subjects

1.1 User Data Subjects. We process personal data of the following categories of data subjects:

  • Account Holders: Individuals who create and maintain accounts on MaileniumAI, including account owners, administrators, and authorized users.
  • Contact Recipients: Individuals whose contact information is stored in user accounts and who receive email marketing campaigns sent through MaileniumAI.
  • Support Contacts: Individuals who contact our support team, submit inquiries, or interact with our customer service.
  • Website Visitors: Individuals who visit our website, use our services, or interact with our marketing content.
  • Prospective Customers: Individuals who express interest in our services, request information, or participate in sales processes.
  • Affiliates and Partners: Individuals who participate in our affiliate program or partner agreements.

2. Categories of Personal Data

2.1 Account and User Data. We process the following personal data related to account holders:

  • Name, email address, phone number, and physical address
  • Company name, job title, and business information
  • Account credentials (encrypted passwords, authentication tokens)
  • Profile information (avatar, preferences, settings)
  • Billing and payment information (processed by third-party payment processors)
  • Subscription and plan information
  • Usage data and activity logs
  • Support communications and inquiry history

2.2 Contact Data. We process the following personal data related to email recipients (contacts):

  • Email addresses
  • Names (first name, last name, full name)
  • Phone numbers
  • Physical addresses
  • Company names and job titles
  • Custom fields and tags
  • Segmentation data and preferences
  • Engagement history (opens, clicks, unsubscribes)
  • Subscription and consent records

2.3 Technical and Usage Data. We process the following technical and usage data:

  • IP addresses and device identifiers
  • Browser type, version, and operating system
  • Log data and system performance metrics
  • Email delivery and engagement metrics
  • Campaign performance data
  • API usage and integration data
  • Location data (approximate, based on IP address)

2.4 Content Data. We process the following content data:

  • Email campaign content (subject lines, body text, HTML, images)
  • Email templates and designs
  • Automation workflows and rules
  • Form submissions and landing page data
  • User-generated content and communications

3. Purposes of Processing

3.1 Service Provision. We process personal data for the following service-related purposes:

  • Creating and managing user accounts and subscriptions
  • Processing payments and managing billing
  • Delivering email campaigns to recipients
  • Managing contact lists and segmentation
  • Providing automation and workflow functionality
  • Generating analytics and performance reports
  • Providing customer support and technical assistance
  • Ensuring platform security and preventing abuse

3.2 Legal and Compliance. We process personal data for legal and compliance purposes:

  • Complying with applicable data protection laws (GDPR, CCPA, etc.)
  • Complying with anti-spam laws (CAN-SPAM, CASL, etc.)
  • Responding to legal requests and court orders
  • Protecting our rights and preventing fraud
  • Maintaining audit trails and compliance records
  • Enforcing our Terms of Service and policies

3.3 Business Operations. We process personal data for business operations:

  • Improving and developing our services
  • Conducting research and analytics
  • Marketing and promotional activities (with consent where required)
  • Managing partnerships and affiliate programs
  • Business administration and operations

4. Legal Basis for Processing

4.1 Contractual Necessity. We process personal data when necessary to perform our contract with you, including:

  • Providing email marketing services as specified in our Terms of Service
  • Processing payments and managing subscriptions
  • Delivering email campaigns to recipients
  • Providing customer support and technical assistance
  • Managing user accounts and access

4.2 Legitimate Interests. We process personal data based on our legitimate interests, including:

  • Improving and developing our services
  • Ensuring platform security and preventing abuse
  • Conducting analytics and research
  • Marketing our services (where permitted by law)
  • Managing business operations and administration

4.3 Legal Obligation. We process personal data to comply with legal obligations, including:

  • Complying with data protection laws and regulations
  • Responding to legal requests and court orders
  • Maintaining records for tax and accounting purposes
  • Complying with anti-spam and email marketing regulations

4.4 Consent. We process personal data based on consent when:

  • Users provide explicit consent for marketing communications
  • Users consent to the use of cookies and tracking technologies
  • Users consent to specific data processing activities
  • Consent is required by applicable law

4.5 Data Controller Instructions. As a data processor, we process contact data (email recipient data) in accordance with instructions from data controllers (our users) who have obtained appropriate consent or have another lawful basis for processing.

5. Data Retention Periods

5.1 Account Data. We retain account and user data:

  • Active Accounts: For the duration of the account's active status and as necessary to provide services.
  • Terminated Accounts: For up to 30 days after account termination, after which data is deleted except where retention is required by law.
  • Billing Records: For 7 years after the last transaction, as required by tax and accounting laws.
  • Support Communications: For 3 years after the last interaction, unless longer retention is required for legal purposes.

5.2 Contact Data. We retain contact data (email recipient data):

  • Active Contacts: For as long as the data controller (user) maintains the contact in their account.
  • Deleted Contacts: Removed immediately upon deletion, with data retained in backups for up to 30 days.
  • Unsubscribed Contacts: Retained in suppression lists indefinitely to prevent re-subscription, as required by anti-spam laws.
  • Engagement Data: Retained for 2 years after the last engagement, unless longer retention is required for analytics or legal purposes.

5.3 Technical and Log Data. We retain technical and log data:

  • Access Logs: For 90 days, unless longer retention is required for security or legal purposes.
  • Error Logs: For 30 days, unless longer retention is required for troubleshooting.
  • Analytics Data: For 2 years, aggregated and anonymized where possible.

5.4 Legal Requirements. We may retain personal data longer than specified above when required by law, court order, or regulatory requirement, or when necessary for legal claims or disputes.

6. Technical and Organizational Security Measures

6.1 Encryption. We implement encryption measures:

  • Data in Transit: All data transmitted over networks is encrypted using TLS 1.3 or higher.
  • Data at Rest: Personal data stored in databases is encrypted using AES-256 encryption.
  • Password Storage: Passwords are hashed using bcrypt with a work factor ("salt rounds") of 12 or higher.
  • Sensitive Fields: Additional field-level encryption for highly sensitive personal data.

6.2 Access Controls. We implement access controls:

  • Role-based access control (RBAC) with granular permissions
  • Multi-factor authentication (MFA) for administrative access
  • Regular access reviews and permission audits
  • Principle of least privilege for all system access
  • Session management and timeout controls

6.3 Network Security. We implement network security measures:

  • Firewalls and intrusion detection systems
  • DDoS protection and mitigation
  • Network segmentation and isolation
  • Regular security monitoring and threat detection
  • HTTPS-only connections with HSTS enabled

6.4 System Security. We implement system security measures:

  • Regular security updates and patch management
  • Vulnerability scanning and penetration testing
  • Secure coding practices and code reviews
  • Input validation and sanitization
  • API rate limiting and abuse prevention

6.5 Data Backup and Recovery. We implement backup and recovery measures:

  • Regular automated backups of all data
  • Encrypted backup storage
  • Disaster recovery procedures and testing
  • Data retention and deletion policies

6.6 Organizational Measures. We implement organizational security measures:

  • Employee training on data protection and security
  • Confidentiality agreements for all personnel
  • Regular security audits and assessments
  • Incident response procedures and breach notification
  • Data protection by design and by default

7. Sub-Processors and Third-Party Services

7.1 Sub-Processor Categories. We engage the following categories of sub-processors:

  • Cloud Infrastructure: Hosting and infrastructure providers (e.g., AWS, MongoDB Atlas)
  • Email Delivery: Email service providers for sending emails (e.g., Amazon SES)
  • Payment Processing: Payment processors for handling transactions (e.g., Stripe)
  • Analytics: Analytics and monitoring services (e.g., Google Analytics, where used)
  • Support Tools: Customer support and help desk platforms
  • Content Delivery: CDN and content delivery services (e.g., Cloudinary)

7.2 Sub-Processor Requirements. All sub-processors are:

  • Bound by data processing agreements that meet GDPR requirements
  • Required to implement appropriate security measures
  • Prohibited from using personal data for purposes other than providing services to us
  • Required to comply with applicable data protection laws
  • Subject to regular security and compliance assessments

7.3 Sub-Processor List. A current list of sub-processors is available upon request. We will notify users of any material changes to sub-processors in accordance with our Data Processing Agreement.

7.4 Objection to Sub-Processors. Users may object to the use of a sub-processor by contacting us. If an objection cannot be resolved, we may need to terminate the affected services.

8. International Data Transfers

8.1 Transfer Locations. Personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States and other jurisdictions where our sub-processors operate.

8.2 Transfer Safeguards. We ensure that international data transfers comply with GDPR requirements through:

  • Standard Contractual Clauses (SCCs): We use EU-approved standard contractual clauses with sub-processors located outside the EEA.
  • Adequacy Decisions: We rely on adequacy decisions where applicable (e.g., for transfers to countries with adequate data protection laws).
  • Additional Safeguards: We implement additional technical and organizational safeguards to protect transferred data.

8.3 Your Consent. By using MaileniumAI, you acknowledge that personal data may be transferred to and processed in countries outside your jurisdiction. You are responsible for ensuring that such transfers comply with applicable laws in your jurisdiction.

9. Data Subject Rights

9.1 Rights Under GDPR. Data subjects have the following rights regarding their personal data:

  • Right of Access: The right to obtain confirmation of whether personal data is being processed and to access that data.
  • Right to Rectification: The right to have inaccurate personal data corrected.
  • Right to Erasure ("Right to be Forgotten"): The right to have personal data deleted in certain circumstances.
  • Right to Restrict Processing: The right to limit how personal data is processed.
  • Right to Data Portability: The right to receive personal data in a structured, commonly used format.
  • Right to Object: The right to object to processing of personal data for certain purposes.
  • Right to Withdraw Consent: The right to withdraw consent at any time (where processing is based on consent).
  • Right to Lodge a Complaint: The right to file a complaint with a supervisory authority.

9.2 Exercising Rights. Data subjects can exercise their rights by:

  • Contacting us directly at privacy@mailenium.ai
  • Using account settings and tools provided in our Service
  • Contacting the data controller (for contact data processed on behalf of users)

9.3 Response Time. We will respond to data subject rights requests within 30 days (or as required by applicable law). We may extend this period by up to 60 days for complex requests, with notification to the data subject.

9.4 Verification. We may require verification of identity before processing data subject rights requests to protect against fraudulent or unauthorized requests.

10. Data Breach Notification

10.1 Breach Detection. We have procedures in place to detect, assess, and respond to personal data breaches promptly.

10.2 Notification to Data Controllers. In the event of a personal data breach affecting contact data processed on behalf of users (data controllers), we will:

  • Notify the affected data controller without undue delay (within 72 hours where feasible)
  • Provide information about the nature of the breach, affected data, and mitigation measures
  • Assist the data controller in notifying affected data subjects if required
  • Cooperate with regulatory authorities as necessary

10.3 Notification to Data Subjects. Where a breach poses a high risk to data subjects' rights and freedoms, we will assist data controllers in notifying affected data subjects without undue delay.

10.4 Notification to Supervisory Authorities. We will notify relevant supervisory authorities of personal data breaches in accordance with applicable law and regulatory requirements.

11. Data Protection Impact Assessments

11.1 Assessment Requirements. We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to data subjects' rights and freedoms.

11.2 Assessment Process. DPIAs include:

  • Description of processing operations and purposes
  • Assessment of necessity and proportionality
  • Assessment of risks to data subjects
  • Measures to address identified risks
  • Consultation with data protection authorities where required

11.3 Consultation. We consult with supervisory authorities before processing when a DPIA indicates high risk that cannot be mitigated by appropriate measures.

12. Records of Processing Activities

12.1 Maintenance of Records. We maintain records of all processing activities carried out on behalf of data controllers, including:

  • Categories of data subjects and personal data
  • Purposes of processing
  • Categories of recipients
  • International transfers and safeguards
  • Retention periods
  • Security measures

12.2 Availability. Records of processing activities are available to supervisory authorities upon request and are maintained in accordance with GDPR requirements.

13. Updates to This Schedule

13.1 Schedule Updates. We may update this Data Processing Schedule from time to time to reflect changes in our processing activities, legal requirements, or industry practices. We will notify users of material changes by posting the updated schedule on our Service and updating the "Last Updated" date.

13.2 Continued Processing. Your continued use of MaileniumAI after we post an updated schedule constitutes your acceptance of the updated schedule. If you do not agree with the updated schedule, you should stop using our Service.

14. Contact Information

14.1 Supervisory Authority. If you are located in the EEA, you have the right to lodge a complaint with your local supervisory authority. Contact information for supervisory authorities can be found at: https://edpb.europa.eu

If you have questions about this Data Processing Schedule, need to exercise data subject rights, or have concerns about data processing, please contact us:

Data Protection Officer
Email: dpo@mailenium.ai

For general inquiries or support, please contact us at support@mailenium.ai or visit our Help Portal.

Data Processing Agreement

This Data Processing Schedule forms part of our Data Processing Agreement with users who act as data controllers. By using MaileniumAI, you acknowledge that you have read and understood this Schedule and agree to our data processing practices as described herein.

We are committed to processing personal data in accordance with GDPR and other applicable data protection laws, and we implement appropriate technical and organizational measures to protect personal data and ensure compliance.