Data Processing Agreement

This Data Processing Agreement (DPA) is between Damien Chapus, Entrepreneur Individuel (SIRET 48240994300024, registered office: 14 Avenue des Jonquilles, 06600 Antibes, France) operating Mixprism Pro ("Mixprism", "we", "us", the data processor) and the Mixprism Pro subscriber ("Customer", "you", the data controller).

Mixprism processes the following categories of data on behalf of the Customer:

• Customer account data: email address, billing information (handled by Stripe; we never store full card numbers), authentication tokens.
• Listener event data: anonymous listening events on indexed tracks. Listener identity is NOT exposed to Mixprism or the Customer. All listener IPs are hashed via salted SHA-256 before storage.

Mixprism uses the following sub-processors to operate the service:

• Hostinger (EU/France) — VPS infrastructure hosting our database and application.
• Cloudflare (EU/global) — DNS, DDoS protection, edge caching.
• Stripe (Ireland/global) — payment processing.
• Resend / Amazon SES (EU) — transactional emails (magic-link, digests).
• Google Analytics (mixprism.eu only, not for listening events) — site usage analytics.

Mixprism will notify subscribers of any change in sub-processors at least 30 days in advance via email.

Listener IP addresses are hashed via SHA-256 with a server-side salt before storage. Re-identification is computationally infeasible. We do not store: real names, geolocation, device fingerprints, social profiles of listeners.

Customer account data: retained as long as the subscription is active, plus 12 months after cancellation for accounting/tax compliance.

Listener event data: retained for analytical aggregation. Anonymized hashes have no expiry.

On request to hello@mixprism.eu, Customers may request deletion of their account data within 30 days, subject to legal retention obligations.

Customers have the right to access, rectify, delete, restrict processing, port, and object to processing of their personal data. Requests should be sent to hello@mixprism.eu and will be processed within 30 days.

In the event of a personal data breach affecting Customer data, Mixprism will notify the affected Customer without undue delay (within 72 hours where feasible) and cooperate in good faith on remediation.

Customer data is stored on EU-based servers (France). Some sub-processors (Stripe, Cloudflare) may process data outside the EU under appropriate safeguards (Standard Contractual Clauses, adequacy decisions).

For any data protection question, contact us at hello@mixprism.eu.

For complaints, you may also contact the French data protection authority (CNIL): cnil.fr.