When a business uses Mixpanel to track its users, that business is responsible for its users' data as the data controller. Mixpanel processes the data on the business's behalf and is not directly responsible to end users for how their data is handled.
This analysis describes what Mixpanel's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision determines where legal accountability sits for end-user data. Because the business deploying Mixpanel is the data controller, end users must direct data rights requests such as access, deletion, and opt-out to the deploying business, not to Mixpanel.
Interpretive note: The exact contractual language governing the controller-processor relationship was not available in the truncated document; this analysis reflects the standard structure of Mixpanel's published terms and their Data Processing Agreement framework.
The updated terms remove a contractual protection that previously prohibited Mixpanel from treating individually identifiable data as Usage Data. Under the revised language, Mixpanel may now classify data that identifies or is attributable to specific individuals as Usage Data, potentially making such data subject to uses and disclosures beyond what the Customer Content exclusion permits. This broadens the category of data Mixpanel may process and analyze under the Usage Data definition. The terms do not provide a mechanism to opt out of this reclassification.
View change record →The updated terms establish an automatic 7% fee increase mechanism that takes effect upon each subscription renewal. Previously, subscription fees remained fixed for the duration of the subscription term, with new pricing becoming effective only at the start of a new subscription term and only if the parties agreed in writing. Under the revised language, fees will now automatically escalate by 7% upon commencement of each renewal term unless the parties expressly agree otherwise in writing. This shifts the default pricing behavior from fixed-term rates to automatic annual escalation.
View change record →This addition establishes a data processing framework with GDPR/privacy regulation implications by clarifying Mixpanel's role as processor and customer's role as controller, a significant compliance addition.
View full change record →End users whose behavioral data is collected through Mixpanel-powered applications cannot typically exercise data rights directly against Mixpanel. Their rights are governed by the deploying business's privacy policy and the applicable legal framework in their jurisdiction.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
Monitoring
Mixpanel has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
REGULATORY LANDSCAPE: The controller-processor distinction directly engages GDPR Article 28, which requires a Data Processing Agreement specifying the subject matter, duration, nature, and purpose of processing, as well as processor obligations and data subject rights mechanisms. Under CCPA, Mixpanel would constitute a service provider when processing personal information pursuant to a written contract that prohibits selling or retaining the data for purposes other than the specified service. Enforcement authority rests with EU/EEA supervisory authorities and the California Privacy Protection Agency respectively. GOVERNANCE EXPOSURE: High. Misclassification of the controller-processor relationship or failure to execute a compliant Data Processing Agreement exposes the business customer to regulatory action under GDPR and CCPA. If the deploying business fails to provide adequate privacy notices disclosing Mixpanel's role, regulatory exposure falls primarily on that business as controller. JURISDICTION FLAGS: EU/EEA deployments require a GDPR-compliant DPA and assessment of international transfer mechanisms if Mixpanel processes data outside the EEA. California deployments require a CCPA service provider agreement. UK post-Brexit deployments require a UK GDPR-compliant arrangement. Businesses operating in multiple jurisdictions must assess which framework governs each data flow. CONTRACT AND VENDOR IMPLICATIONS: Procurement teams must confirm execution of Mixpanel's Data Processing Agreement prior to processing any personal data. The DPA should be reviewed for sub-processor lists, notification timelines for sub-processor changes, and data subject rights assistance obligations. Businesses should assess whether Mixpanel's standard DPA terms are sufficient or require negotiation. COMPLIANCE CONSIDERATIONS: Legal teams should audit end-user privacy notices to confirm Mixpanel is disclosed as a third-party analytics processor. Consent mechanisms should be reviewed to ensure they meet the applicable standard in each deployment jurisdiction. Data mapping should reflect Mixpanel as a processor and identify all categories of personal data transmitted.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision determines where legal accountability sits for end-user data. Because the business deploying Mixpanel is the data controller, end users must direct data rights requests such as access, deletion, and opt-out to the deploying business, not to Mixpanel.
End users whose behavioral data is collected through Mixpanel-powered applications cannot typically exercise data rights directly against Mixpanel. Their rights are governed by the deploying business's privacy policy and the applicable legal framework in their jurisdiction.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Mixpanel.