Last updated: March 2026

GDPR Policy

1. Overview

mnml is committed to protecting the privacy of individuals in the European Economic Area (EEA) and the United Kingdom. This policy explains how we comply with the General Data Protection Regulation (EU 2016/679) and the UK GDPR when processing personal data through our website builder service at mnml.page.

2. Data Controller

For your account data (email, password hash, profile), mnml acts as the Data Controller. We determine the purposes and means of processing this data to provide the Service.

For data collected through your published websites (form submissions, subscriber emails, page view analytics), you are the Data Controller and mnml acts as the Data Processor. See our Data Processing Agreement for details.

3. Legal Bases for Processing

We process personal data under the following legal bases:

  • Contract performance (Art. 6(1)(b)): Processing your account data and site content is necessary to provide the Service you signed up for.
  • Legitimate interest (Art. 6(1)(f)): Fraud prevention, security monitoring, service improvement, and basic analytics for site owners.
  • Consent (Art. 6(1)(a)): Where applicable, such as optional marketing communications. You can withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): Where we are required to retain certain data by law (e.g., tax records via Polar.sh).

4. Your Rights Under GDPR

If you are located in the EEA or UK, you have the following rights:

  • Right of access — obtain a copy of the personal data we hold about you
  • Right to rectification — correct inaccurate or incomplete data
  • Right to erasure ("right to be forgotten") — request deletion of your personal data
  • Right to restrict processing — limit how we use your data in certain circumstances
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to object — object to processing based on legitimate interest
  • Right to withdraw consent — where processing is based on consent, withdraw it at any time
  • Right to lodge a complaint — file a complaint with your local data protection authority

To exercise any of these rights, email support@mnml.page. We will respond within 30 days. We may ask you to verify your identity before processing your request.

5. Data Minimization

We collect only the minimum personal data necessary to provide the Service. We do not require a real name to create an account — only an email address. Page view analytics are aggregated and do not store visitor IP addresses persistently. We do not use third-party tracking cookies or advertising networks.

6. International Data Transfers

Our infrastructure is primarily hosted in the United States through the following sub-processors:

  • Vercel Inc. — application hosting, edge network, and file storage (Vercel Blob) — US
  • Neon Inc. — PostgreSQL database hosting — US
  • Resend Inc. — transactional email delivery — US
  • Polar.sh — payment processing (Merchant of Record) — EU
  • Google LLC — OAuth authentication (optional) — US

For transfers to the US, we rely on Standard Contractual Clauses (SCCs) and, where applicable, the EU-U.S. Data Privacy Framework certifications of our sub-processors. Vercel provides edge computing in EU regions, meaning content can be served from EU nodes.

7. Data Retention

We retain personal data as follows:

  • Account data: retained while your account is active. Deleted within 30 days of account deletion.
  • Site content: retained while your account is active. Deleted within 30 days of account deletion.
  • Page view analytics: individual records retained for up to 90 days. Aggregated statistics retained indefinitely.
  • Form submissions and subscribers: retained until deleted by the site owner or until account deletion.
  • Payment records: retained by Polar.sh in accordance with tax and legal requirements.

8. Security Measures

We implement appropriate technical and organizational measures to protect personal data, including:

  • TLS encryption for all data in transit
  • Encryption at rest for database storage
  • Password hashing with bcrypt (never stored in plain text)
  • HTTP-only, Secure, SameSite session cookies with JWT authentication
  • CSRF origin validation on all API routes
  • Rate limiting on public-facing endpoints
  • Input validation with schema-based verification (Zod)
  • Ownership checks on all database mutations (IDOR prevention)

9. Data Breach Procedures

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify affected users and the relevant supervisory authority within 72 hours of becoming aware of the breach. Notification will include the nature of the breach, likely consequences, and measures taken to address it.

10. Guidance for Site Owners

If you use mnml to create websites that collect personal data from EU/EEA visitors (e.g., through forms or email subscription blocks), you are the Data Controller for that data. You should:

  • Include a privacy notice or link on your published site explaining what data you collect and why
  • Obtain appropriate consent before collecting personal data through forms
  • Respond to data subject access requests from your site visitors
  • Review our Data Processing Agreement, which governs how we process data on your behalf

11. Data Protection Officer

As a small-scale operation, mnml is not required to appoint a formal Data Protection Officer under Article 37 of the GDPR. However, all data protection inquiries are handled directly and can be directed to support@mnml.page.

12. Changes to This Policy

We may update this GDPR policy to reflect changes in our practices or applicable law. Material changes will be communicated via email or a notice within the Service.

Contact

For any GDPR-related questions or to exercise your data rights, contact us at support@mnml.page.