General Terms and Conditions

Version: January 2024

When you use MailBlue’s services, you process Personal Data of your contacts, subscribers and customers. Personal Data is data that provides information about a natural person that allows you to identify that person directly or indirectly. This means that the information is either directly about someone or can be traced back to someone. Examples of Personal Data include names, email addresses, telephone numbers and address details.

If you engage another organisation to process Personal Data for you, the General Data Protection Regulation (GDPR) requires you to enter into a Data Processing Agreement with that organisation. Because you use MailBlue’s services, MailBlue is the Processor and you are classed as the Controller. We make arrangements about the processing of Personal Data in this Data Processing Agreement.

To make this Data Processing Agreement easier to read, we are happy to explain the most important terms to you first:

The person or organisation that processes Personal Data for the Controller, for example through a web application. In this Data Processing Agreement, the Processor is MailBlue B.V., with its registered office at Reduitlaan 25c, 4814 DC Breda, and registered in the Business Register of the Chamber of Commerce under number 68740077.

The person or organisation that determines whether Personal Data may be processed and, if so, which Personal Data, the purpose for which this Personal Data may be processed, exactly what that processing entails and what means may be used in that regard. In this Data Processing Agreement, you are the Controller.

Data Subject:
The person to whom the Personal Data relates, such as your customer or supplier.

Personal Data Processing:
Everything you can do with Personal Data, such as:

  • collecting, recording and organising data;
  • retrieving, altering and consulting data;
  • disclosing data to others;
  • restricting or destroying data.

Data Breach:
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Clause 1 - General description

Subject-matter of the processing:
Provision of services by MailBlue

Duration of the processing:
Processing will start on the effective date of this Data Processing Agreement and end on the expiry or termination of this Data Processing Agreement.

Nature and purpose of the processing:
MailBlue specialises in developing email marketing, marketing automation, sales, CRM, contact management and business marketing services. When you use our services, we process Personal Data of your customers or contacts for marketing or management purposes related to the customer relationship. MailBlue stores and processes Personal Data on its servers and will only process Personal Data in accordance with your instructions. The Personal Data is not processed for its own purposes.

Categories of Personal Data processed:
Due to the nature of MailBlue’s services, the categories of Personal Data processed may vary from one Controller to another. Each Controller has the option to choose which Personal Data the Processor will process. In any case, the following data is processed for each Controller:

  • email address;
  • name;
  • if email open tracking is on, IP address and click behaviour;
  • if the Controller uses email link tracking, IP address and click behaviour;
  • depending on how the software is used: other data depending on the Controller.

Categories of Data Subjects:
Customers, potential customers and marketing contacts of the Controller.

Clause 2 - Responsibilities of the Processor

  1. MailBlue will only process Personal Data if and when the Controller instructs it to do so and will follow the Controller’s instructions in that regard. The Personal Data is not processed for its own purposes and remains the property of the Controller.

  2. MailBlue abides by the law and processes the data in a proper, careful and transparent manner.

  3. When processing Personal Data, MailBlue may engage other persons or organisations without the prior written consent of the Controller. MailBlue will make available on its website a public list of the sub-processors it engages. This can be accessed on our website at

  4. MailBlue provides the Controller with the information necessary for support under Articles 32 to 36 of the GDPR, for the purpose of enabling the Controller to carry out a Data Protection Impact Assessment.

  5. MailBlue ensures that its staff and auxiliary persons engaged observe confidentiality.

  6. MailBlue will inform the Controller if it suspects that the Controller’s instructions are in breach of the obligations under the General Data Protection Regulation.

Clause 3 - Guarantee by the Controller

The Controller guarantees that the processing of Personal Data of the Data Subjects is not unlawful and that this processing does not infringe the rights of others. The Controller indemnifies MailBlue in respect of all claims relating to this.

Clause 4 - Security breach (Data Breach)

If MailBlue discovers a Data Breach, MailBlue will notify the Controller so that the Controller can, if necessary, file a report of the Data Breach with the Dutch Data Protection Authority.

MailBlue will keep the Controller informed of new developments regarding the Data Breach and will submit to the Controller the measures taken to mitigate and terminate the Data Breach and to prevent a similar incident in the future.

Clause 5 - Duration and termination

The Data Processing Agreement enters into force on being signed by both parties and on the date of the last signature.

This Data Processing Agreement is entered into for the duration of the Agreement between the two parties and on being signed in any case for the duration of the cooperation.

After termination of this Data Processing Agreement, the obligations regarding confidentiality, liability and indemnity will continue.

After termination of this Data Processing Agreement, MailBlue will return the Personal Data including copies to the Controller or, at the Controller’s option, destroy it after the expiry of the statutory retention period.

Clause 6 - Confidentiality and secrecy

MailBlue will keep all Personal Data and other data it receives from the Controller confidential. MailBlue will restrict access to this data to only those staff who need access for the proper performance of MailBlue’s services.

MailBlue will keep the Personal Data provided confidential and will also impose confidentiality on its staff.

Clause 7 - Rights of Data Subjects

MailBlue will cooperate to ensure that the Controller can respond to requests from Data Subjects.

If MailBlue receives requests from third parties to provide access to Personal Data on the basis of a legal obligation, MailBlue will first inform the Controller in writing.

In that case, the Controller may assess whether that third party’s request is justified.

Clause 8 - Exporting Personal Data

MailBlue operates as a partner of ActiveCampaign and collaborates with ActiveCampaign in providing its services. ActiveCampaign is responsible for the servers and software, and is based in the United States. Depending on the chosen data centre location, your email marketing account data may be stored in the United States or within the European Union. MailBlue has concluded an agreement with ActiveCampaign which sets out specific arrangements regarding the processing of Personal Data. For the purpose of continuous platform support, authorised ActiveCampaign employees from different countries have access to the servers where your email marketing account data is stored.

If MailBlue transfers Personal Data to organisations outside the EEA, MailBlue does so in compliance with the rules set out in the General Data Protection Regulation and the arrangements in this Data Processing Agreement.

Clause 9 - Security of Personal Data

MailBlue ensures that Personal Data is adequately secured. To prevent loss and unlawful processing, MailBlue takes appropriate technical and organisational security measures. The measures that it takes include:

  1. pseudonymisation and encryption of the Personal Data;
  2. ensuring the availability and resilience of the processing systems on an ongoing basis;
  3. in the event of an incident, restoring the availability of the Personal Data in a timely manner;
  4. establishing a procedure for assessing, testing and evaluating security measures

Clause 10 - Audits

The Controller may arrange for a third-party audit to determine whether the processing of Personal Data complies with the law and the arrangements in this Data Processing Agreement. MailBlue will cooperate with this, including by granting access to premises and databases and making relevant information available. The following arrangements apply for conducting an audit:

  1. the audit is conducted after prior written notice is given to MailBlue. This notice will be given by the Controller in the form of an audit plan describing the scope, duration and start date of the audit;
  2. the audit plan is submitted to MailBlue at least ninety (90) days before the proposed audit date;
  3. an audit will not be conducted more than once a year;
  4. the audit is conducted during MailBlue’s normal working hours;
  5. the audit is conducted in a way that minimises disruption to MailBlue’s operations;
  6. all information provided by MailBlue during the audit is kept confidential and the parties will sign a confidentiality agreement before the audit.

Clause 11 - Liability

The Processor’s liability for damage resulting from a culpable or non-culpable breach of the Data Processing Agreement is excluded. Insofar as the said liability cannot be excluded, it is limited for each event (a series of consecutive events counting as one event) to compensation for direct damage, up to a maximum of the amount for one subscription period. 

Clause 12 - Concluding provisions

If any provision of this Data Processing Agreement is void or voidable, that does not change the validity of the rest of this Data Processing Agreement. The void provision will in that case be replaced by a provision that, as far as possible, has the same content as the void provision.

Deviations from and additions to this Data Processing Agreement only apply if they are agreed in writing by both parties.

This Data Processing Agreement and its performance are governed by Dutch law. Any disputes arising between the parties are submitted to the District Court of Zeeland-West-Brabant.


MailBlue makes no commitment or warranty that this Data Processing Agreement provides legally sufficient support to meet the obligations of the Controller under applicable legislation. MailBlue expressly disclaims any representations or warranties that the Data Processing Agreement will satisfy the Controller’s obligations, whether express, implied, under the Articles of Association, under a trade treaty or otherwise. The Controller understands that it is fully responsible itself for complying with obligations imposed by applicable legislation.