Last updated: March 2026
Data Processing Agreement
1. Scope and Parties
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Data Controller" or "Customer") and mnml ("Data Processor") for the website builder service at mnml.page.
This DPA applies when mnml processes personal data on your behalf — specifically, data collected through your published websites (e.g., form submissions, email subscriptions, page view analytics from your site visitors).
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Data Controller" means the entity that determines the purposes and means of processing personal data (you, the Customer).
- "Data Processor" means the entity that processes personal data on behalf of the Data Controller (mnml).
- "Sub-processor" means a third party engaged by mnml to process personal data.
3. Data Processing Details
Purpose of processing: Hosting and delivering your published websites, processing form submissions, managing email subscriptions, and providing site analytics.
Categories of data subjects: Visitors to your published websites, subscribers, and form respondents.
Types of personal data: Email addresses (from forms/subscriptions), names (if provided through forms), page view data (referrer, country, timestamp), and any other data visitors submit through forms you create.
Duration: For the duration of the service agreement, plus 30 days after account deletion for data removal.
4. Obligations of the Processor
mnml shall:
- Process personal data only on documented instructions from the Controller, unless required by law
- Ensure that persons authorized to process personal data are bound by confidentiality obligations
- Implement appropriate technical and organizational measures to ensure security of processing (encryption in transit, hashed credentials, access controls, rate limiting)
- Not engage a sub-processor without prior notification to the Controller (see Section 6)
- Assist the Controller in responding to data subject rights requests
- Delete or return all personal data upon termination of the service, at the Controller's choice
- Make available all information necessary to demonstrate compliance with this DPA
5. Obligations of the Controller
You are responsible for ensuring that you have a lawful basis for collecting personal data through your published sites (e.g., consent for email subscriptions, legitimate interest for analytics). You must provide appropriate privacy notices to your site visitors.
6. Sub-processors
mnml uses the following sub-processors to deliver the Service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Application hosting, edge network, file storage (Vercel Blob) | United States |
| Neon Inc. | PostgreSQL database hosting | United States |
| Resend Inc. | Transactional email delivery | United States |
| Polar.sh | Payment processing (Merchant of Record) | European Union |
| Google LLC | OAuth authentication (optional) | United States |
We will notify you of any intended changes to sub-processors by updating this list. If you object to a new sub-processor, you may terminate the Service by contacting support@mnml.page.
7. International Data Transfers
Some sub-processors are located in the United States. Where personal data is transferred outside the EEA, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) or the sub-processor's participation in recognized data transfer frameworks (e.g., EU-U.S. Data Privacy Framework).
8. Data Breach Notification
In the event of a personal data breach, mnml will notify the Controller without undue delay (and in any event within 72 hours of becoming aware) with details of the breach, the likely consequences, and the measures taken or proposed to mitigate it.
9. Audit Rights
The Controller may request information or conduct an audit (at their own expense, with reasonable notice) to verify compliance with this DPA. mnml will cooperate with such requests, provided they do not compromise the security of other customers' data.
10. Term and Termination
This DPA remains in effect for the duration of the service agreement. Upon termination, mnml will delete all personal data processed on behalf of the Controller within 30 days, unless retention is required by law. The Controller may request data export before account deletion.
Contact
For DPA-related inquiries, contact us at support@mnml.page.