Legal

GDPR Compliance

How MailAdx supports GDPR for publishers, advertisers, and subscribers — with privacy-by-design open-time ad serving.

MailAdx is built for newsletter advertising in a privacy-sensitive channel. This page explains how MailAdx supports compliance with the EU General Data Protection Regulation (GDPR), the UK GDPR, and comparable European privacy laws — for our business customers, their subscribers, and our own website users.

Effective date: May 25, 2026  |  Last updated: May 25, 2026

This page supplements our Privacy Policy. It is not legal advice. Customers should work with qualified counsel to assess compliance in their specific context.

1. Our role under GDPR

MailAdx acts in different roles depending on the processing activity:

Activity | MailAdx role | Typical counterpart
--- | --- | ---
Publisher subscriber ad serving (hashes, impressions, clicks) | Data processor | Publisher (controller)
Advertiser campaign delivery and reporting | Data processor | Advertiser (controller)
MailAdx website, demo forms, product marketing | Data controller | Website visitor / prospect
MailAdx account administration (dashboard users) | Data controller | Authorized business user
Global Ad Choices opt-out / suppression list | Data controller | Subscriber exercising opt-out rights

When we process personal data on your behalf, we do so only on documented instructions from you (your dashboard configuration, API calls, and applicable agreement), unless required by law.

2. Privacy by design in MailAdx

Newsletter advertising sits inside a consent-based channel. MailAdx's architecture reflects that reality:

  • Open-time serving: ad decisions run when a subscriber opens an email and their client fetches the display URL — not when the email is sent to the entire list. Impressions reflect genuine opens, reducing unnecessary processing and misaligned billing.
  • Hash-first identifiers: the standard integration passes a SHA-256 hash of the subscriber's lowercase email via the eh parameter. Plaintext email is not required in ad-serving URLs.
  • No cross-site tracking: MailAdx does not use advertising cookies, browser fingerprinting, or cross-site profiling for standard email ad tag integrations.
  • Contextual placement: ads are selected based on newsletter inventory, campaign rules, deal configuration, and coarse request signals — not browsing history across unrelated websites.
  • Minimal request data: beyond the hash and placement identifiers, we process coarse geo (country/region prefix from IP) and device class from User-Agent for targeting and reporting.
  • Subscriber control: individuals may permanently opt out of MailAdx ad targeting via Ad Choices, independent of ESP unsubscribe flows.
  • Encryption and access controls: TLS 1.3 in transit, AES-256 at rest, RBAC, scoped API keys, and audit logging as described in our security documentation.
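The hash-first identifier and the Ad Choices suppression behaviour described in the list above, as an added example that is not MailAdx's own code or integration kit. Only the eh parameter name comes from this page; the display base URL, the "placement" query parameter, the whitespace trimming before hashing, and every sample address and suppression entry are constructed assumptions. The example also makes a point the list leaves implicit: because the same address always produces the same hash, the value is a pseudonym that still links events to one person and therefore remains personal data under GDPR, which is why it is covered by the processor commitments later on this page.

```python
# Added example (not MailAdx's own code): building the pseudonymous `eh`
# identifier, keeping plaintext out of the display URL, and honoring a
# suppression list. The base URL, the "placement" parameter name, and all
# sample addresses are constructed assumptions; only `eh` is from the page.
import hashlib
from urllib.parse import parse_qs, unquote_plus, urlencode, urlsplit

HEX_DIGITS = set("0123456789abcdef")


def normalize_email(addr: str) -> str:
    """Canonical form before hashing. The page specifies lowercasing;
    stripping surrounding whitespace is an added assumption so that
    ' Alice@Example.COM ' and 'alice@example.com' map to the same hash."""
    return addr.strip().lower()


def email_hash(addr: str) -> str:
    """SHA-256 of the normalized address, hex-encoded (64 lowercase chars)."""
    return hashlib.sha256(normalize_email(addr).encode("utf-8")).hexdigest()


def build_display_url(base_url: str, placement_id: str, addr: str) -> str:
    """Compose the open-time display URL. Only the hash and the placement id
    travel in the query string; the plaintext address never does."""
    params = {"eh": email_hash(addr), "placement": placement_id}  # name assumed
    return f"{base_url}?{urlencode(params)}"


def url_leaks_plaintext(url: str, addr: str) -> bool:
    """Template check: a wrong ESP merge field would put the plaintext
    address into the URL instead of the hash. Decodes percent-encoding first
    so an encoded '@' does not hide the leak."""
    return normalize_email(addr) in unquote_plus(url).lower()


# Constructed suppression list: hashes of subscribers who opted out via
# Ad Choices. Stored as hashes, so the list itself holds no plaintext.
SUPPRESSION = {email_hash("optout@example.org")}


def decide(url: str) -> str:
    """Server-side decision for one open-time request: validate the `eh`
    value, honor suppression, otherwise serve."""
    query = parse_qs(urlsplit(url).query)
    eh = query.get("eh", [""])[0]
    if len(eh) != 64 or not set(eh) <= HEX_DIGITS:
        return "reject"      # malformed or missing identifier
    if eh in SUPPRESSION:
        return "suppressed"  # opted out: no targeting, no event logging
    return "serve"


if __name__ == "__main__":
    base = "https://ads.example.invalid/display"  # constructed base URL
    for addr in ("alice@example.com", "optout@example.org"):
        url = build_display_url(base, "nl-top", addr)
        print(decide(url), url_leaks_plaintext(url, addr), url)
```

The decision function rejects anything that is not a 64-character lowercase hex string before touching the suppression list, so a template that accidentally emits plaintext (or an empty merge field) is refused rather than logged as an impression tied to an unexpected value.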

3. Lawful bases (summary)

Publishers and advertisers must determine and document their lawful basis for email marketing and advertising. MailAdx cannot choose this basis on your behalf. In typical deployments:

  • Consent: many publishers rely on consent for marketing emails and in-newsletter advertising, obtained at signup with clear disclosure.
  • Legitimate interests: where permitted, some publishers may rely on balanced legitimate interests for contextual newsletter ads, provided appropriate transparency and opt-out mechanisms exist.
  • Contract: MailAdx processes dashboard user data and billing data as necessary to perform our contract with business customers.

MailAdx's own marketing website processing is based on consent (newsletter signup), contract (demo requests), and legitimate interests (security and product analytics), as detailed in our Privacy Policy.

4. Categories of personal data processed

4.1 Subscriber data (processor role)

  • SHA-256 email hash (pseudonymous identifier)
  • Impression, click, and conversion event metadata
  • Coarse geo and device category from the open-time request
  • Suppression status if the subscriber opted out via Ad Choices

We do not require publishers to send plaintext subscriber email addresses to the ad server for standard integrations.

4.2 Business customer data (controller or processor)

  • Account user names and work emails
  • Billing and invoicing records
  • Campaign and placement configuration
  • Creative assets and advertiser metadata
  • API and audit logs

5. Data Processing Addendum (DPA)

MailAdx offers a GDPR-compliant Data Processing Addendum for business customers who require contractual processor commitments, including:

  • Processing only on documented instructions
  • Confidentiality obligations for personnel with access
  • Security measures appropriate to risk
  • Sub-processor transparency and notification
  • Assistance with data subject requests where feasible
  • Deletion or return of data at end of service (subject to legal retention requirements)
  • Audit and inspection rights on reasonable notice

Request a DPA by emailing legal@mailadx.com from your registered account email. Our standard DPA incorporates Standard Contractual Clauses (SCCs) for international transfers where required.

6. Sub-processors

MailAdx uses infrastructure and service providers to host and operate the platform (for example, cloud hosting, database services, content delivery, payment processing, and email delivery for transactional messages). We require sub-processors to protect personal data under written agreements.

We maintain a sub-processor list available to customers upon request or as part of the DPA. We will notify business customers of material new sub-processors with an opportunity to object where required by contract.

7. International transfers

MailAdx is operated from the United States and may process data in the U.S. and other countries where we or our providers maintain facilities. Where personal data is transferred from the EEA, UK, or Switzerland to countries without an adequacy decision, we implement appropriate safeguards — typically SCCs and supplementary measures where a transfer impact assessment indicates they are needed.

8. Data subject rights

8.1 Newsletter subscribers

Depending on applicable law, subscribers may have the right to:

  • Access personal data processed about them
  • Rectify inaccurate data
  • Erase data in certain circumstances
  • Restrict or object to processing
  • Data portability where applicable
  • Withdraw consent where processing is consent-based
  • Lodge a complaint with a supervisory authority

Opt out of MailAdx ads: use Ad Choices for immediate global suppression across MailAdx-served inventory.

Other requests: contact the newsletter publisher first — they control the subscription and are usually the controller for subscriber relationship data. Publishers can contact MailAdx support to assist with processor-side deletion or export where technically feasible.

8.2 Business users and website visitors

Submit requests to privacy@mailadx.com or dpo@mailadx.com. We will verify identity and respond within one month, extendable where permitted for complex requests.

9. Publisher and advertiser compliance checklist

Customers using MailAdx in Europe should ensure, at minimum:

  1. A valid lawful basis exists for sending marketing emails and serving ads to subscribers.
  2. Privacy notices clearly explain that newsletter ads may be served, the role of MailAdx, and how subscribers can opt out of MailAdx ads (link to Ad Choices where appropriate).
  3. ESP templates include the email hash merge field only where needed and in accordance with your privacy notice.
  4. Data processing agreements are in place between you and MailAdx when you act as controller and we act as processor.
  5. Records of processing activities reflect MailAdx as a processor and describe categories of subscriber event data.
  6. Creative and landing page content complies with local advertising and consumer laws, including identification of commercial content where required.
  7. Data retention settings align with your policies; you export or delete data before account termination where required.

10. Retention and deletion

Operational ad event data is retained for reporting and billing periods aligned with your plan (typically 13–25 months unless a longer period is contractually required or needed for disputes). Audit logs are retained for 90 days (standard) or up to 365 days (Enterprise). Suppression list hashes are retained to honor opt-outs.

Upon termination of a business account, we delete or return Customer Data within a reasonable period, subject to backup cycles and legal retention obligations. Anonymized aggregate statistics may be retained.

11. Security and breach notification

We maintain technical and organizational measures described in our documentation, including encryption, access controls, and monitoring. If we become aware of a personal data breach affecting Customer Data in our role as processor, we will notify the affected customer without undue delay and provide information reasonably required for the customer to meet its regulatory obligations.

12. Apple Mail Privacy Protection (MPP) and similar technologies

Some email clients prefetch images or mask open behavior. MailAdx counts impressions when the display URL is fetched in accordance with our documented measurement methodology. Publishers and advertisers should understand that industry-wide email open signals may be affected by MPP and similar features. MailAdx does not use hidden tracking pixels beyond the ad display URL that is visible as the ad creative slot in the newsletter template.

13. OpenRTB and programmatic partners

If you enable programmatic demand, limited bid request data may be shared with exchange partners under your configuration. You are responsible for ensuring appropriate legal bases, partner agreements, and transparency for programmatic processing. Disable programmatic features if they are not appropriate for your subscriber base or jurisdiction.

14. Supervisory authorities

If you are in the EEA or UK and believe we have not adequately addressed a privacy concern, you have the right to lodge a complaint with your local data protection authority. A list of EU supervisory authorities is available from the European Data Protection Board. UK complaints may be directed to the Information Commissioner's Office (ICO).

15. Contact our privacy team

16. Related documents