Controller and Processor Dual-Role Structure

What it is

When you use a third-party app that runs Mixpanel's analytics tools, Mixpanel handles your data on behalf of that app's owner, not on its own behalf, which means your data rights must generally be directed to that app rather than to Mixpanel.

Why it matters (compliance & governance perspective)

This provision determines who is responsible for your personal data and where you must direct rights requests; end users of apps built on Mixpanel's platform may have limited direct recourse against Mixpanel itself.

Consumer impact (what this means for users)

If your data is collected through a third-party product that uses Mixpanel's analytics, the policy states Mixpanel's obligations to you are governed by its contract with that product's operator, not by this privacy policy directly; you must contact that operator to exercise deletion, correction, or access rights.

What you can do

Institutional analysis (Compliance & governance intelligence)

1) REGULATORY LANDSCAPE: This provision directly engages GDPR Articles 4(7) and 4(8) defining controller and processor roles, and the associated obligations under GDPR Articles 24 through 28 requiring documented data processing agreements. The Irish Data Protection Commission is identified as the lead supervisory authority for EU matters. Under CCPA, the equivalent distinction between business and service provider is similarly operative, with the California Privacy Protection Agency as relevant enforcement authority. 2) GOVERNANCE EXPOSURE: High. The controller/processor distinction has direct compliance consequences for organizations deploying Mixpanel. If a Mixpanel customer transmits personal data to Mixpanel without an executed Data Processing Addendum, that organization may be operating outside GDPR Article 28 requirements, creating regulatory exposure. The policy places the burden on the business customer to handle end-user data rights requests, which requires that those customers have implemented appropriate intake and response processes. 3) JURISDICTION FLAGS: EU and UK deployments face the highest exposure given mandatory DPA requirements under GDPR and UK GDPR. California-resident data processed through Mixpanel by a third-party business triggers CCPA service provider agreement requirements. Deployments involving minors' data may engage COPPA, where the operator/processor chain requires heightened diligence. 4) CONTRACT AND VENDOR IMPLICATIONS: Procurement teams must confirm execution of Mixpanel's Data Processing Addendum prior to deployment. The policy's assertion that Mixpanel acts only on customer instructions as a processor should be verified against the actual DPA terms, including sub-processor lists, audit rights, and breach notification obligations. Organizations should assess whether Mixpanel's standard DPA terms align with their own regulatory obligations. 5) COMPLIANCE CONSIDERATIONS: Compliance teams should confirm DPA execution, review sub-processor disclosure lists, and update their own privacy notices to accurately reflect Mixpanel's involvement in data processing. Data subject rights intake procedures should be mapped to include forwarding obligations where requests concern data processed through Mixpanel's platform.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Third-Party Advertising and Analytics Vendor Sharing medium
• CCPA Opt-Out of Sale or Sharing of Personal Information medium
• EU-U.S. Data Privacy Framework Certification medium
• Data Retention Policy medium
• Data Subject Rights (Access, Correction, Deletion, Portability) medium
• Cookies and Tracking Technologies medium

Related Analysis

• OpenAI Changed Its Privacy Policy 4 Times in One Week. Here Is What Actually Changed.

  Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.