Data Processing Addendum

Last updated: March 3, 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Thunk Mail ("Processor," "we," "our," or "us") and you ("Controller," "Customer," or "you") and governs the processing of personal data by Thunk Mail on your behalf.

This DPA applies where and only to the extent that Thunk Mail processes personal data on behalf of the Customer in the course of providing the services, and such personal data is subject to data protection laws of the European Union, the European Economic Area, the United Kingdom, or other applicable jurisdictions.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable data protection laws.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, transmission, and deletion.
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
  • "Sub-processor" means any third party engaged by Thunk Mail to process Personal Data on behalf of the Customer.
  • "Data Protection Laws" means all applicable laws relating to the processing of Personal Data, including the GDPR (EU 2016/679), UK GDPR, and other applicable national data protection legislation.

2. Scope and Roles

When you use Thunk Mail to manage contact lists and send email campaigns, you act as the Data Controller and Thunk Mail acts as the Data Processor. You determine the purposes and means of processing; we process Personal Data only on your documented instructions.

Types of Personal Data Processed

  • Contact information (email addresses, names)
  • Email engagement data (opens, clicks, bounces, unsubscribes)
  • Any custom fields you choose to include in your contact lists

Categories of Data Subjects

  • Your email subscribers and contacts

3. Customer Obligations

As the Data Controller, you are responsible for:

  • Ensuring you have a lawful basis for processing (e.g., consent) for all Personal Data you provide to Thunk Mail
  • Providing appropriate privacy notices to your Data Subjects
  • Ensuring the accuracy of Personal Data provided to us
  • Responding to Data Subject rights requests (we will assist you as described below)
  • Complying with all applicable Data Protection Laws

4. Thunk Mail Obligations

As the Data Processor, Thunk Mail will:

  • Process Personal Data only on your documented instructions, unless required by law
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational measures to protect Personal Data
  • Not engage another processor (sub-processor) without your prior authorization
  • Assist you in responding to Data Subject requests, to the extent reasonably possible
  • Assist you in ensuring compliance with security, breach notification, and data protection impact assessment obligations
  • Delete or return all Personal Data upon termination of services, at your choice
  • Make available to you all information necessary to demonstrate compliance with this DPA

5. Sub-processors

You authorize Thunk Mail to engage the following sub-processors:

  • Supabase (United States) — Database hosting and authentication
  • Amazon Web Services (AWS) (United States) — Email delivery via Simple Email Service (SES)
  • Stripe (United States) — Payment processing
  • Vercel (United States) — Application hosting

We will notify you of any changes to our sub-processors by updating this page. If you object to a new sub-processor, you may terminate your account by contacting us within 30 days of the notification.

Thunk Mail will ensure that each sub-processor is bound by data protection obligations no less protective than those set out in this DPA.

6. Security Measures

Thunk Mail implements appropriate technical and organizational security measures, including:

  • Encryption of data in transit (TLS/HTTPS)
  • Encryption of data at rest
  • Access controls and authentication mechanisms
  • Regular security reviews and monitoring
  • Employee confidentiality obligations
  • Incident response procedures

7. Data Breach Notification

In the event of a Personal Data breach, Thunk Mail will:

  • Notify you without undue delay, and in any event within 72 hours of becoming aware of the breach
  • Provide sufficient information to enable you to meet your breach notification obligations under applicable Data Protection Laws
  • Take reasonable steps to mitigate the effects of the breach
  • Cooperate with you in investigating and remedying the breach

8. Data Subject Rights

Thunk Mail will assist you in fulfilling your obligations to respond to Data Subject requests, including requests for:

  • Access to Personal Data
  • Rectification of inaccurate data
  • Erasure ("right to be forgotten")
  • Restriction of processing
  • Data portability
  • Objection to processing

If Thunk Mail receives a request directly from a Data Subject, we will promptly redirect them to you unless legally required to respond directly.

9. International Data Transfers

Thunk Mail and its sub-processors are located in the United States. Where Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to the United States, such transfers are made subject to appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Any successor framework or adequacy decision recognized by applicable authorities

10. Data Retention and Deletion

Thunk Mail will retain Personal Data for the duration of your use of our services. Upon termination of your account:

  • You may export your data before account closure
  • We will delete your Personal Data within 30 days of account termination
  • We may retain anonymized or aggregated data that does not identify individuals
  • We may retain data as required by law or for legitimate business purposes (e.g., fraud prevention)

11. Audits

Upon reasonable request and subject to confidentiality obligations, Thunk Mail will make available information necessary to demonstrate compliance with this DPA. Audits shall be conducted no more than once per year, with reasonable advance notice, during normal business hours, and at your expense.

12. Term and Termination

This DPA is effective for as long as Thunk Mail processes Personal Data on your behalf. It terminates automatically upon the termination of your Thunk Mail account and the completion of all data deletion obligations described herein.

13. Contact Us

For questions about this Data Processing Addendum or to exercise your rights, please contact us at:

privacy@thunkmail.com