When a business uses Mixpanel to track its users, that business is responsible for its users' data as the data controller. Mixpanel processes the data on the business's behalf and is not directly responsible to end users for how their data is handled.
This analysis describes what Mixpanel's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision determines where legal accountability sits for end-user data. Because the business deploying Mixpanel is the data controller, end users must direct data rights requests such as access, deletion, and opt-out to the deploying business, not to Mixpanel.
Interpretive note: The exact contractual language governing the controller-processor relationship was not available in the truncated document; this analysis reflects the standard structure of Mixpanel's published terms and their Data Processing Agreement framework.
The updated terms establish an automatic 7% fee increase mechanism that takes effect upon each subscription renewal. Previously, subscription fees remained fixed for the duration of the subscription …
End users whose behavioral data is collected through Mixpanel-powered applications cannot typically exercise data rights directly against Mixpanel. Their rights are governed by the deploying business's privacy policy and the applicable legal framework in their jurisdiction.
How other platforms handle this
When Okta provides its products and services to its customers (e.g., organizations that use Okta to manage their workforce or Auth0 to manage their customer identity), Okta processes personal data on behalf of those customers as a data processor. In those cases, the customer is the data controller a...
When we provide the Service to our customers, we act as a data processor on behalf of those customers. Our customers are the data controllers, meaning that they determine the purposes and means of the processing of personal data that is submitted into the Service. If you are an end user of a custome...
This Privacy Policy does not apply where Anthropic acts as a data processor and processes personal data on behalf of commercial customers using Anthropic's Commercial Services – for example, your employer has provisioned you a Claude for Work account, or you're using an app that is powered on the ba...
Monitoring
Mixpanel has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
REGULATORY LANDSCAPE: The controller-processor distinction directly engages GDPR Article 28, which requires a Data Processing Agreement specifying the subject matter, duration, nature, and purpose of processing, as well as processor obligations and data subject rights mechanisms. Under CCPA, Mixpanel would constitute a service provider when processing personal information pursuant to a written contract that prohibits selling or retaining the data for purposes other than the specified service. Enforcement authority rests with EU/EEA supervisory authorities and the California Privacy Protection Agency respectively. GOVERNANCE EXPOSURE: High. Misclassification of the controller-processor relationship or failure to execute a compliant Data Processing Agreement exposes the business customer to regulatory action under GDPR and CCPA. If the deploying business fails to provide adequate privacy notices disclosing Mixpanel's role, regulatory exposure falls primarily on that business as controller. JURISDICTION FLAGS: EU/EEA deployments require a GDPR-compliant DPA and assessment of international transfer mechanisms if Mixpanel processes data outside the EEA. California deployments require a CCPA service provider agreement. UK post-Brexit deployments require a UK GDPR-compliant arrangement. Businesses operating in multiple jurisdictions must assess which framework governs each data flow. CONTRACT AND VENDOR IMPLICATIONS: Procurement teams must confirm execution of Mixpanel's Data Processing Agreement prior to processing any personal data. The DPA should be reviewed for sub-processor lists, notification timelines for sub-processor changes, and data subject rights assistance obligations. Businesses should assess whether Mixpanel's standard DPA terms are sufficient or require negotiation. COMPLIANCE CONSIDERATIONS: Legal teams should audit end-user privacy notices to confirm Mixpanel is disclosed as a third-party analytics processor. Consent mechanisms should be reviewed to ensure they meet the applicable standard in each deployment jurisdiction. Data mapping should reflect Mixpanel as a processor and identify all categories of personal data transmitted.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision determines where legal accountability sits for end-user data. Because the business deploying Mixpanel is the data controller, end users must direct data rights requests such as access, deletion, and opt-out to the deploying business, not to Mixpanel.
End users whose behavioral data is collected through Mixpanel-powered applications cannot typically exercise data rights directly against Mixpanel. Their rights are governed by the deploying business's privacy policy and the applicable legal framework in their jurisdiction.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Mixpanel.