
Overview

Mailor B.V. is fully committed to compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679. As a Netherlands-based company serving users across the European Union and globally, we have implemented comprehensive measures to ensure the highest standards of data protection and privacy.

This page outlines our GDPR compliance framework, your rights as a data subject, and how we fulfill our obligations as a data controller and processor.

Legal Basis for Processing

We process personal data only when we have a valid legal basis under Article 6 of the GDPR:

Contract Performance (Article 6(1)(b))

Processing necessary to provide our email services as outlined in our Terms of Service, including:

  • Account creation and management
  • Email sending and receiving
  • Customer support services
  • Billing and payment processing

Legitimate Interests (Article 6(1)(f))

Processing necessary for our legitimate interests, balanced against your rights:

  • Service improvement and development
  • Security and fraud prevention
  • Internal analytics and performance monitoring
  • Direct marketing to existing customers (with opt-out rights)

Legal Obligations (Article 6(1)(c))

Processing necessary to comply with legal requirements:

  • Tax and accounting obligations
  • Responding to lawful requests from authorities
  • Data retention requirements
  • Anti-money laundering regulations

Consent (Article 6(1)(a))

Processing based on your explicit consent for:

  • Optional features and services
  • Marketing communications (where required)
  • Cookies and similar technologies
  • Third-party integrations

Your Rights Under GDPR

Right to Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and access to that data, including information about purposes, categories, recipients, retention periods, and your rights.

Right to Rectification (Article 16)

You can request correction of inaccurate personal data and completion of incomplete data.

Right to Erasure / "Right to be Forgotten" (Article 17)

You may request deletion of your personal data when:

  • Data is no longer necessary for original purposes
  • You withdraw consent (where consent is the legal basis)
  • You object to processing and no overriding legitimate grounds exist
  • Data has been unlawfully processed
  • Erasure is required by legal obligation

Right to Restriction of Processing (Article 18)

You can request restriction of processing when:

  • You contest the accuracy of data
  • Processing is unlawful but you oppose erasure
  • We no longer need the data but you require it for legal claims
  • You have objected pending verification of legitimate grounds

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

Right to Object (Article 21)

You can object to processing based on legitimate interests or direct marketing at any time.

Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that significantly affects you.

Data Protection Measures

Privacy by Design and Default

  • Data minimization principles embedded in all systems
  • Privacy-first architecture and development practices
  • Default privacy settings maximized for user protection
  • Regular data protection impact assessments (DPIAs)

Technical and Organizational Measures

  • State-of-the-art encryption (AES-256, TLS 1.3)
  • Pseudonymization and anonymization where appropriate
  • Regular security testing and audits
  • Access controls and authentication systems
  • Employee training and confidentiality agreements
  • Incident response procedures
  • Business continuity and disaster recovery plans

Data Protection Officer

We have appointed a Data Protection Officer (DPO) who can be contacted at:

Email: dpo@mailor.com
Phone: +31 20 123 4568
Post: Data Protection Officer, Mailor B.V., Herengracht 501, 1017 BV Amsterdam, Netherlands

International Data Transfers

When we transfer personal data outside the EEA, we ensure appropriate safeguards:

Transfer Mechanisms

  • Standard Contractual Clauses (SCCs): EU Commission-approved model clauses for data transfers
  • Adequacy Decisions: Transfers to countries deemed adequate by the EU Commission
  • Binding Corporate Rules (BCRs): For intra-group transfers
  • Explicit Consent: Where you have provided specific consent for transfers

Transfer Impact Assessments

Following the Schrems II decision, we conduct transfer impact assessments (TIAs) to evaluate:

  • Laws and practices of destination countries
  • Effectiveness of safeguards
  • Need for supplementary measures
  • Risk to data subjects' rights

Data Processing Agreements

As required by Article 28 of the GDPR, we maintain comprehensive Data Processing Agreements (DPAs) with all sub-processors that include:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Type of personal data and categories of data subjects
  • Controller's obligations and rights
  • Processor's obligations including security measures
  • Sub-processor engagement requirements
  • Assistance with data subject rights
  • Audit and inspection rights
  • Data return and deletion obligations

Our standard DPA is available for review and execution through your account settings or by contacting our legal team.

Sub-Processors

We carefully select sub-processors who meet our strict data protection standards. Current sub-processors include:

Sub-Processor        Service                Location        Safeguards
Amazon Web Services  Cloud Infrastructure   EU (Frankfurt)  SCCs, Local Processing
Cloudflare           CDN & Security         Global          SCCs, DPA
Stripe               Payment Processing     EU (Dublin)     SCCs, PCI DSS
SendGrid             Transactional Email    EU              SCCs, DPA

We provide 30 days' notice before engaging new sub-processors, allowing you to object to changes.

Data Breach Notification

In accordance with Articles 33 and 34 of the GDPR, we have implemented comprehensive breach notification procedures:

Supervisory Authority Notification

We notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.

Data Subject Notification

When a breach is likely to result in high risk to your rights and freedoms, we notify you without undue delay, including:

  • Nature of the breach
  • Contact details of our DPO
  • Likely consequences
  • Measures taken or proposed

Documentation

We maintain records of all personal data breaches, including facts, effects, and remedial actions taken.

Exercising Your Rights

To exercise any of your GDPR rights:

Self-Service Options

  • Access your data through Account Settings → Privacy → Download My Data
  • Update personal information in Account Settings → Profile
  • Delete your account in Account Settings → Security → Delete Account
  • Manage consent in Account Settings → Privacy → Consent Management

Contact Methods

  • Email: privacy@mailor.com
  • Online form: Available in your account settings
  • Post: Privacy Team, Mailor B.V., Herengracht 501, 1017 BV Amsterdam, Netherlands

Response Timeline

  • Acknowledgment: Within 3 business days
  • Response: Within 30 days (extendable by 60 days for complex requests)
  • No fee for reasonable requests
  • Identity verification required for security

Supervisory Authority

You have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is:

Autoriteit Persoonsgegevens (Dutch Data Protection Authority)
Bezuidenhoutseweg 30
2594 AV Den Haag
Netherlands
Phone: +31 70 888 8500
Website: autoriteitpersoonsgegevens.nl

You may also contact the supervisory authority in your country of residence or place of work.