This Data Processing Agreement ("DPA") applies whenever you use SendMerlin to store or email personal data of your subscribers. It supplements the terms & conditions and is entered into by using the service.
Roles
You are the data controller of your subscriber data. SendMerlin (operated by Ludovic Verbeeck) is your data processor under Article 28 GDPR. We process subscriber data only on your documented instructions, which in practice means: to provide the SendMerlin service.
Subject matter and duration
Processing covers the storage and use of your subscriber lists and campaign engagement data for the purpose of sending email campaigns you approve. It lasts as long as your account exists and ends with deletion or return of the data on account closure.
Data processed
Email addresses, names and any custom attributes you import; consent records (double opt-in timestamps and source); message events such as sends, deliveries, bounces, opens, clicks, complaints, and unsubscribes.
Sub-processors
We use a small, fixed set of sub-processors, all processing within the European Union:
- Amazon Web Services (SES), eu-central-1 (Frankfurt): email delivery and delivery events.
- Hetzner Online GmbH, Germany/Finland: application hosting and storage.
- Anthropic (EU-region processing): AI drafting features; content is sent for generation only, not used for model training.
We will inform you of intended sub-processor changes and give you the opportunity to object before they take effect.
Security
Data is encrypted in transit and at rest, access is role-based and limited to what operating the service requires, passwords are hashed, and consent and suppression records are append-only. Personnel with access are bound by confidentiality.
Assistance and breach notification
We assist you with data subject requests (access, correction, export, deletion) that reach us instead of you, and forward them promptly. We notify you without undue delay after becoming aware of a personal data breach affecting your data.
Deletion and return
On account closure, or at your request, we delete your subscriber data. You can export your lists at any time. Suppression records (unsubscribes and complaints) are retained as a legal-obligation safeguard so opted-out addresses are never emailed again.
Audits
We make available the information reasonably necessary to demonstrate compliance with this DPA and allow audits as required by Article 28(3)(h) GDPR.
Contact
Questions about this DPA: support@sendmerlin.com.