Article 28 GDPR · Last updated: 2 May 2026
We process personal data on your behalf solely for the purpose of providing the ExcellenceMail Service (sending email campaigns, managing your subscriber lists, and reporting on results). Processing continues for as long as your contract with us is active and for up to 30 days afterwards while we delete your data.
The nature of our processing is operating an email marketing platform. The purposes are: (a) storing the subscriber data you upload; (b) sending the campaigns you create; (c) recording engagement events (opens, clicks, bounces, complaints, unsubscribes); (d) providing you with analytics and exports.
Your subscribers — individuals who have given you consent (or who fall under another lawful basis) to receive your email communications.
Typically: email address, name, optional segmentation fields you choose (e.g. country, interests, signup date), IP address and timestamp of subscription, engagement data per campaign.
We use the following sub-processors, each bound by GDPR-compliant terms:
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Server hosting | Germany (EU) |
| Amazon Web Services EMEA SARL | Email delivery (SES) | Ireland (EU) |
| Hostinger International Ltd | DNS hosting | EU/EEA |
We give you 30 days' notice before adding or replacing a sub-processor. You may object — and if we cannot agree on an alternative, you may terminate the affected service and receive a pro-rated refund.
We maintain industry-standard security measures, including:
All personnel with access to customer personal data are bound by written confidentiality obligations and trained on data protection.
We provide tools in your account to access, export, correct, and delete subscriber data, so you can fulfil GDPR Articles 15–21 requests directly. Where you need our additional assistance, we provide it without undue delay and at no cost (except for unfounded or excessive requests).
All processing takes place within the European Union. We do not transfer personal data to third countries. If a sub-processor requires a transfer outside the EU/EEA in the future, we will rely on Standard Contractual Clauses approved by the European Commission and notify you in advance.
Once per year, you may audit our compliance with this DPA — either remotely (via documentation, written questions, and security reports) or, with reasonable notice, on-site. Costs are borne by the requesting party unless the audit identifies a material breach.
On termination of the contract, you may export your data in a portable format. Within 30 days of confirmed termination, all personal data we process on your behalf is deleted from our active systems. Backups are overwritten on the standard rotation, typically within 90 days.
Liability under this DPA is governed by the limitations set out in our Terms of Service, except where Article 82 GDPR or other applicable law mandates otherwise.
The standard DPA forms part of our Terms of Service — by accepting the Terms when you sign up, you accept the DPA on behalf of your organisation. If your legal team requires a separately signed copy, email privacy@excellencemail.com and we will send a PDF for counter-signature.