Data Processing Agreement

Last updated: April 3, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Data Controller", "Customer") and Mailero ("Data Processor", "we", "us") and governs the processing of personal data in connection with the Service.

This DPA is designed to comply with the General Data Protection Regulation (EU) 2016/679 ("GDPR").

2. Definitions

"Personal Data", "Processing", "Data Subject", "Controller", "Processor", and "Supervisory Authority" have the meanings given in the GDPR.

"Service Data" means personal data that is processed by Mailero on behalf of the Customer in the course of providing the Service.

3. Scope and roles

The Customer acts as the Data Controller. Mailero acts as the Data Processor. We process Service Data only on behalf of the Customer and in accordance with the Customer's documented instructions (which include use of the Service as described in our documentation).

4. Types of data processed

  • Email addresses of senders and recipients
  • Names (when included in email headers)
  • Email content (subject, body text, HTML body)
  • Email headers and metadata
  • File attachments
  • IP addresses (for security and access logs)

5. Data subjects

Data subjects include the Customer's end users (customers who send support emails) and the Customer's authorized users of the Service.

6. Processing location

All Service Data is processed and stored within the European Union (Frankfurt, Germany). We do not transfer personal data outside the EU/EEA.

7. Sub-processors

We use the following sub-processors to deliver the Service:

Sub-processor   Purpose                    Location
Supabase        Database, auth, storage    EU (Frankfurt)
Resend          Email sending/receiving    EU (Ireland)
Render          Application hosting        EU (Frankfurt)
Polar.sh        Payment processing         EU
Cloudflare      Bot protection             Global (edge)

We will notify the Customer before adding or replacing sub-processors. The Customer may object to a new sub-processor by contacting us within 30 days of notification.

8. Security measures

We implement appropriate technical and organizational measures to protect Service Data, including:

  • Encryption in transit (TLS) and at rest
  • Access control and authentication
  • httpOnly session cookies (tokens not exposed to client-side scripts)
  • Row-level security on database tables
  • Regular security reviews

9. Data subject rights

We will assist the Customer in responding to Data Subject requests (access, rectification, deletion, portability) as required by GDPR. The Customer can delete their account and all associated data through the profile settings, or by contacting us.

10. Data retention and deletion

Service Data is retained for as long as the Customer's account is active. Upon account deletion or termination, all Service Data (inboxes, tickets, messages, attachments) is deleted within 30 days. Billing records may be retained as required by applicable law.

11. Data breach notification

In the event of a personal data breach, we will notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of the breach, providing sufficient information for the Customer to meet its obligations under GDPR.

12. Audit rights

The Customer has the right to audit our compliance with this DPA. Audits shall be conducted with reasonable notice, during business hours, and at the Customer's expense. We may provide existing audit reports or certifications as an alternative to on-site audits where appropriate.

13. Contact

For questions about this DPA, email us at support@mailero.com.