Data Protection & Compliance
Effective Date: 2 April 2026
This page describes how MixerLead protects your personal data and complies with applicable data protection regulations, including the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the EU General Data Protection Regulation ("GDPR").
For full details on what data we collect and how we use it, please refer to our Privacy Policy. For information about cookies, see our Cookie Policy. For contractual terms, see our Terms of Service.
1. Our Commitment
MixerLead is committed to protecting the personal data of every user. As an independently operated product based in India, we design our systems with privacy and security as foundational principles — not afterthoughts.
This page provides a transparent overview of our compliance practices under the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the EU General Data Protection Regulation ("GDPR"), along with practical information about how we safeguard your data.
2. Regulatory Frameworks
Digital Personal Data Protection Act, 2023 (India)
The DPDP Act governs the processing of digital personal data in India. Under this Act, MixerLead is a Data Fiduciary (the entity that determines the purpose and means of processing), and you are a Data Principal (the individual whose data is being processed).
Key principles we follow under the DPDP Act:
- Lawful purpose — data is processed only for specific, clear, and lawful purposes
- Consent — we obtain free, specific, informed, and unambiguous consent, or rely on legitimate uses permitted under the Act
- Data minimization — we collect only the data necessary for the stated purposes
- Accuracy — we provide tools for you to keep your data up to date
- Storage limitation — data is retained only as long as necessary
- Security — we implement reasonable security safeguards
General Data Protection Regulation (EU/UK)
For users in the European Economic Area (EEA) and United Kingdom, we additionally comply with GDPR principles. Under the GDPR, MixerLead acts as a Data Controller. We rely on the following legal bases:
- Consent — for optional features (AI content, marketing)
- Contractual necessity — to provide the platform services you signed up for
- Legitimate interest — for security, fraud prevention, and service improvement
- Legal obligation — to comply with applicable laws
3. Your Data Rights
Depending on your location and applicable law, you may exercise the following rights:
| Right | DPDP Act | GDPR | How to Exercise |
|---|---|---|---|
| Access your data | ✓ | ✓ | Account Settings → Export Data |
| Correct inaccurate data | ✓ | ✓ | Account Settings → Edit Profile |
| Erase your data | ✓ | ✓ | Account Settings → Delete Account |
| Withdraw consent | ✓ | ✓ | Disconnect accounts, email opt-out, or contact us |
| Data portability | — | ✓ | Export Data (JSON format) |
| Restrict processing | — | ✓ | Contact privacy@mixerlead.com |
| Object to processing | — | ✓ | Contact privacy@mixerlead.com |
| Nominate representative | ✓ | — | Contact privacy@mixerlead.com |
| File a grievance | ✓ | ✓ | Contact grievance@mixerlead.com |
We respond to all verifiable requests within 30 days. Complex requests may require an additional 30 days, in which case we will notify you of the extension.
4. Processing Activities
Below is a summary of our core data processing activities. For full details on data categories collected, see our Privacy Policy §2.
| Activity | Data Categories | Legal Basis |
|---|---|---|
| Account management | Name, email, password hash, OAuth IDs | Contract / Consent |
| Social publishing | Platform tokens, posts, media | Contract / Consent |
| AI content generation | User prompts, generated text | Consent |
| Email/SMS/WhatsApp campaigns | Contact lists, message content, delivery logs | Contract / Consent |
| Forms & surveys | Responses, IP address, user agent | Consent |
| Billing | Subscription data, billing contact, invoices | Contract / Legal obligation |
| Security monitoring | IP, user agent, login events, session tokens | Legitimate interest |
5. Sub-Processors
We share personal data with the following sub-processors to deliver the Service. Each sub-processor is bound by data processing agreements and/or their published privacy commitments.
| Sub-Processor | Purpose | Location |
|---|---|---|
| AWS (Amazon Web Services) | Media storage (S3), infrastructure | Global (configurable regions) |
| Razorpay | Payment processing (PCI-DSS compliant) | India |
| ZeptoMail (Zoho) | Transactional email delivery | India / Global |
| OpenAI | AI content generation | United States |
| Groq | AI content generation | United States |
| Anthropic | AI content generation | United States |
Social platform APIs (LinkedIn, Instagram, X, Facebook, TikTok, YouTube, Pinterest, Threads) are used for content publishing and account management, but each platform processes that data in its own capacity as an independent controller, not as our sub-processor.
6. Cross-Border Transfers
MixerLead is operated from India. Some of our sub-processors are based in or process data in the United States and other jurisdictions.
Under the DPDP Act
Cross-border data transfers are permitted to all countries except those specifically notified by the Central Government of India as restricted. As of the effective date of this policy, no such restrictions have been notified.
Under the GDPR
For transfers of EEA/UK personal data outside the EEA/UK, we rely on:
- Standard Contractual Clauses (SCCs) adopted by the European Commission
- Sub-processor compliance certifications and data processing addenda
- Adequacy decisions where applicable
7. Security Measures
We implement technical and organizational measures to protect personal data against unauthorized access, loss, or misuse:
- Encryption at rest — OAuth tokens encrypted with AES-256-GCM; passwords hashed with bcrypt (cost 12); session tokens hashed with SHA-256
- Encryption in transit — TLS for all connections via Traefik + Let's Encrypt certificates
- Authentication — httpOnly, secure JWT cookies; optional TOTP two-factor authentication
- Access control — Role-based workspace permissions; API keys with scoped access and expiry
- Network — CORS restricted to authorized origins; rate limiting on auth endpoints
- Database — Parameterized queries (SQL injection prevention); PostgreSQL with access controls
- CAPTCHA — ALTCHA (self-hosted, privacy-friendly) for bot protection
- Logging — Structured audit logs; sensitive data (passwords, tokens) excluded from logs
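The following Go program illustrates three of the measures listed above: AES-256-GCM for stored OAuth tokens (with a fresh random nonce per record, so a modified record fails to decrypt), SHA-256 digests of session tokens (only the digest is stored and compared in constant time), and a log-safe reference that keeps the token itself out of audit logs. It is an example written for this page, not MixerLead's code; the key derivation in `ConstructedKey`, the sample token strings and the function names are assumptions made for the demonstration, and a real deployment would load the key from a secret store. Password hashing with bcrypt (cost 12) is not shown because it requires a package outside the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// ConstructedKey returns a 32-byte AES-256 key derived from a fixed string.
// Demo only: a real service loads this key from a secret store, never from source.
func ConstructedKey() []byte {
	k := sha256.Sum256([]byte("constructed-demo-key-not-for-production"))
	return k[:]
}

// EncryptToken seals an OAuth token with AES-256-GCM. The returned blob is
// nonce || ciphertext || tag, so every stored record carries its own random nonce.
func EncryptToken(key []byte, token string) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce passed as dst.
	return gcm.Seal(nonce, nonce, []byte(token), nil), nil
}

// DecryptToken opens a blob produced by EncryptToken. Any change to the nonce,
// ciphertext or tag makes Open fail; that is the integrity guarantee of GCM.
func DecryptToken(key []byte, blob []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// HashSessionToken returns the hex SHA-256 of a session token. Only this digest
// is stored server-side; the raw token lives in the client's cookie, so a
// database leak does not hand out usable sessions.
func HashSessionToken(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// SessionTokenMatches compares a presented token against the stored digest in
// constant time, so response timing does not leak how many bytes matched.
func SessionTokenMatches(storedHex, presented string) bool {
	stored, err := hex.DecodeString(storedHex)
	if err != nil {
		return false
	}
	sum := sha256.Sum256([]byte(presented))
	return subtle.ConstantTimeCompare(stored, sum[:]) == 1
}

// LogSafeRef returns a short digest prefix that can identify a session in an
// audit log without writing the token itself into the log.
func LogSafeRef(token string) string {
	return HashSessionToken(token)[:8]
}

func main() {
	key := ConstructedKey()
	blob, err := EncryptToken(key, "constructed-oauth-access-token") // constructed sample
	if err != nil {
		panic(err)
	}
	plain, _ := DecryptToken(key, blob)
	fmt.Println("decrypted:", plain)
	blob[len(blob)-1] ^= 0x01 // flip one bit of the tag
	_, err = DecryptToken(key, blob)
	fmt.Println("tampered record rejected:", err != nil)
	stored := HashSessionToken("constructed-session-token")
	fmt.Println("session ok:", SessionTokenMatches(stored, "constructed-session-token"))
	fmt.Println("audit ref:", LogSafeRef("constructed-session-token"))
}
```

The nonce is stored alongside the ciphertext rather than derived from anything else, because reusing a nonce under the same GCM key breaks both confidentiality and integrity; the 12-byte random nonce from `gcm.NonceSize()` is the standard choice for this mode.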
8. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described in our Privacy Policy:
| Data Category | Retention Period |
|---|---|
| Account data | Duration of active account |
| Content & campaigns | Until deleted by user or account closure |
| Session & login logs | Periodically purged (security audit purposes) |
| Billing records | As required by tax/financial regulations |
| Consent records | Duration required for compliance documentation |
| Temporary tokens (OTP, reset) | 5–15 minutes (auto-expire) |
Upon account deletion, all personal data is permanently removed via cascading database deletion. Backups are overwritten within the standard backup rotation cycle.
9. Breach Notification
In the event of a personal data breach that poses a risk to the rights and freedoms of affected individuals:
- We will notify affected users via email within 72 hours of becoming aware of the breach (as required by GDPR Article 33 and DPDP Act provisions)
- We will report to the Data Protection Board of India and/or relevant EU supervisory authorities as required by applicable law
- The notification will include: nature of the breach, data categories affected, approximate number of affected users, likely consequences, and measures taken or proposed to mitigate the breach
10. Accountability & Governance
As an independently operated product, MixerLead takes the following measures to ensure accountability:
- Maintaining records of processing activities
- Logging consent records with timestamps and IP addresses
- Tracking privacy requests through a dedicated compliance log
- Implementing data retention policies with automated enforcement
- Reviewing sub-processor agreements and compliance certifications
- Designating a Grievance Officer as required under the DPDP Act
11. Grievance Redressal
Grievance Officer (DPDP Act)
- Email: grievance@mixerlead.com
- Response time: Within 30 days
If you are not satisfied with our response, you may:
- India: Escalate to the Data Protection Board of India under the DPDP Act
- EU/UK: Lodge a complaint with your local data protection supervisory authority
12. Changes to This Page
We will update this page as our compliance practices evolve or as regulatory requirements change. Material updates will be reflected with a new effective date. We encourage you to review this page periodically.
13. Contact
For data protection inquiries:
- Privacy: privacy@mixerlead.com
- Grievance Officer: grievance@mixerlead.com
- General Support: support@mixerlead.com
If you have questions about this document, contact us at privacy@mixerlead.com.