Privacy
Overview
Mixpanel believes in respecting and protecting people’s fundamental online privacy and data rights. This is why we've built Mixpanel's analysis tools in compliance with industry best practices and global data regulations like the GDPR and the CCPA.
Visit our Privacy Hub to see how we comply with various privacy guidelines.
Storing Your Data in the European Union
By default, Mixpanel stores user data on its US servers via the Google Cloud Platform. However, Mixpanel also provides you with the option to process and store your customers' personal data in Europe via our EU Data Residency Program. You can enable this by selecting the "EU Data Residency" option when creating a new project and using our EU subdomain during all API calls.
API | Standard Server | EU Residency Server |
---|---|---|
Ingestion API | api.mixpanel.com | api-eu.mixpanel.com |
Query API | mixpanel.com/api | eu.mixpanel.com/api |
Raw Data Export API | data.mixpanel.com/api/2.0/export | data-eu.mixpanel.com/api/2.0/export |
Data Pipelines API | data.mixpanel.com/api/2.0/export | data-eu.mixpanel.com/api/2.0/export |
Lexicon Schemas API | mixpanel.com/api/app/projects | eu.mixpanel.com/api/app/projects |
Connectors API | mixpanel.com/api/app/projects | eu.mixpanel.com/api/app/projects |
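A single call left on a standard host sends that data outside the EU project, so it helps to audit configured endpoints against the table above. The following is an added example, not Mixpanel code; the setting names and the sample configuration are constructed for illustration.

```python
from urllib.parse import urlsplit

# Standard host -> EU residency host, taken from the table above.
US_TO_EU_HOST = {
    "api.mixpanel.com": "api-eu.mixpanel.com",
    "data.mixpanel.com": "data-eu.mixpanel.com",
    "mixpanel.com": "eu.mixpanel.com",
}
EU_HOSTS = set(US_TO_EU_HOST.values())


def classify(url):
    """Return (status, suggested_url) for one configured endpoint."""
    # Accept scheme-less entries such as "mixpanel.com/api".
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    # Exact host comparison: substring checks would accept lookalike hosts
    # such as "api-eu.mixpanel.com.example.net".
    if host in EU_HOSTS:
        return ("eu", None)
    if host in US_TO_EU_HOST:
        # Port and userinfo are dropped; the documented endpoints use neither.
        return ("us", parts._replace(netloc=US_TO_EU_HOST[host]).geturl())
    return ("other", None)


def audit(config):
    """Return (setting, status, url, suggestion) for every non-EU entry."""
    findings = []
    for name, url in sorted(config.items()):
        status, fix = classify(url)
        if status != "eu":
            findings.append((name, status, url, fix))
    return findings


# Constructed sample configuration (setting names are hypothetical).
SAMPLE_CONFIG = {
    "ingest": "https://api-eu.mixpanel.com",
    "export": "https://data.mixpanel.com/api/2.0/export",
    "query": "mixpanel.com/api",
    "lexicon": "https://eu.mixpanel.com/api/app/projects",
    "proxy": "https://api-eu.mixpanel.com.example.net",
}

if __name__ == "__main__":
    for name, status, url, fix in audit(SAMPLE_CONFIG):
        print(f"{name}: {status} endpoint {url}" + (f" -> use {fix}" if fix else ""))
```

Entries reported as `other` are hosts that are not in the table at all, such as a proxy or a lookalike domain, and need manual review.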
Using Our SDKs
Next, you'll need to set the server location to EU when initializing the Mixpanel library. You can find instructions for the required config settings for each SDK below:
Log in via SSO
If you want the IdP-initiated flow to direct to eu.mixpanel.com, prepend "eu." to your postback URL. For example, mixpanel.com/security/login/1 would need to be changed to eu.mixpanel.com/security/login/1.
Manage Personal Data
Mixpanel deletion and retrieval APIs are in place to help Mixpanel implementations meet the requirements outlined by the General Data Protection Regulation (GDPR) legislation.
📘 GDPR Request Rate Limits: You can batch up to 2000 distinct IDs per deletion request and up to 2000 for a retrieval request. Request rates are limited for GDPR API requests.
User Opt-Out
While the following API can be used to delete or retrieve personal data as outlined by the GDPR, it is important to also opt users out of subsequent tracking. If you track with a client-side Mixpanel library, you can opt users out of tracking using Mixpanel's opt-out methods. These are available in the following client-side libraries:
See Mixpanel’s Managing Personal Information guide for more information on best practices when handling personal information in Mixpanel.
Authentication
Authentication occurs via a user-specific OAuth token with a scope that only includes the following deletion and retrieval APIs. Users can retrieve this token from their Account Settings by selecting their initials in the top right of Mixpanel and selecting Profile & Preferences, and then the Data & Privacy tab. The OAuth token has a one-year expiry. It should be passed in the Authentication header. Users are eligible to generate an OAuth token if they are the project owner, or if they are a project owner or admin of a project that supports team member roles.