Data Processing Terms
How CountdownMail.com handles data: our roles, what we do and do not receive, sub-processors, security, and retention.
Last updated: July 14, 2026
These Data Processing Terms form part of our Terms of Use and Privacy Policy. They apply automatically to every customer using CountdownMail.com. No signature is required. By using the service you accept these terms. You are welcome to reference this page in your vendor and compliance records.
1. What CountdownMail is
CountdownMail.com provides countdown timer images (GIFs) that customers embed in emails they send themselves. Our system generates the timer image and counts how many times that image is loaded. We do not send email on your behalf, we do not have access to your systems, accounts, or contact lists, and we do not integrate with your production systems.
2. Our roles, and why a DPA is generally not required
For the personal data of your email recipients (such as names and email addresses), CountdownMail is not a data processor: this data is never transmitted to, received by, or stored on our systems. We only count how many times a timer image is loaded.
CountdownMail acts as an independent controller only of the account holder's own account data (name, email, and billing information), as described in our Privacy Policy.
Because we do not process your recipients' personal data on your behalf, a traditional controller-to-processor Data Processing Agreement is generally not required for our service. We publish these terms so your legal, security, and procurement teams have our data practices on file. Your legal or security team should confirm whether this setup meets your internal requirements.
3. Recipient identifiers (Evergreen timers)
Evergreen timers use an identifier, supplied by you, to keep each recipient's countdown consistent. We do not require, request, or need any personal data about your recipients for this. Our Terms of Use require customers to use a random, non-identifying value and not to include email addresses, names, or other personal data.
Any value received is treated as an opaque key used solely to render the correct countdown for that recipient. It is never used to identify, contact, or profile recipients. If your organization considers a recipient-level identifier to be personal data, you should generate and pass a random non-identifying value rather than any identifiable value.
4. Technical request data
When a timer image is loaded, our servers receive standard technical request data, including the requesting IP address, user agent, and timestamp. In the vast majority of cases this request does not come from the recipient at all: major email providers, including Gmail, Apple Mail, and Outlook, load images through their own proxy and caching servers. The IP address we see belongs to the provider's data center, not to the recipient's device.
Where an email client loads the image directly, we process the IP address transiently, acting as an independent controller for our own limited purposes: serving the image, counting the view, and preventing abuse. Server logs are deleted within 10 days. This data is not linked to any identity and is not used to build recipient profiles. An Article 28 data processing agreement does not apply to this processing, as it is not carried out on your behalf or under your instructions.
5. Merchant of Record
Subscriptions are sold through Paddle.com, our Merchant of Record. Paddle is the seller and contracting party for the transaction. Entity-level matters sit with Paddle: legal name, jurisdiction, tax forms (such as W-8/W-9), invoicing, purchase orders, and banking. Their team can be reached at [email protected].
6. Sub-processors
We use a small number of third-party providers to operate the service under appropriate confidentiality and data-protection terms:
- Paddle.com: Merchant of Record and payment processing.
- Google Analytics (Google LLC) (USA): website usage analytics for our own site.
- Cloudflare, Inc. (USA): content delivery (CDN) and network security for timer image delivery.
- The Constant Company, LLC (Vultr) (USA): cloud hosting and infrastructure.
- Transactional email provider: account and service notifications sent to the account holder.
This list may change from time to time. When it does, we update this page.
7. Security
We follow industry-standard practices to protect data: encryption in transit and at rest, access restricted to authorized personnel on a least-privilege basis, and regular patching of our infrastructure.
We do not currently hold a SOC 2 report, ISO 27001 certification, or a third-party penetration-test report. This reflects the nature of the Service: we do not receive, store, or have access to your data, systems, or infrastructure, so there is no customer-data environment for such an audit to cover.
8. Data retention
Account data is retained while your subscription is active and for up to 2 years after cancellation. You can delete all data in your account yourself at any time from your profile page. Aggregated view counts contain no recipient identifiers. Technical request data (server logs) is retained for no more than 10 days, solely for security and abuse prevention, and is then deleted.
9. International transfers
Our infrastructure is hosted in the United States by the providers listed in section 6, so account data is processed in the US. By using the service you acknowledge this transfer. As described above, we do not receive your recipients' names, email addresses, or contact lists.
10. Data breach notification
In the event of a security incident affecting account data, we will notify affected account holders without undue delay, and within 72 hours where required by applicable law.
11. Your rights
Account holders may access, correct, or delete their account data at any time from their profile page, or by contacting [email protected]. Because we do not hold your recipients' personal data, requests concerning recipients are handled by you as the controller of that data.
Vendor due diligence: common questions
Do you sign a DPA, MSA, or custom contract?
CountdownMail is a self-serve product sold through Paddle, our Merchant of Record. We operate under uniform, published terms and do not sign per-customer agreements. These Data Processing Terms apply automatically to every customer and are the document to place on file.
Do you have SOC 2 or ISO 27001?
No. As explained in section 7, there is no customer-data environment for such an audit to cover. Our security practices and data terms are published here and in our Terms of Use.
Who is the contracting entity for tax and invoicing?
Paddle, our Merchant of Record ([email protected]).
Do you receive our recipients' email addresses or personal data?
No. Timers are images embedded in emails you send. We only count image views, and in most cases the image request reaches us through the mail provider's image proxy (such as Gmail's or Apple's) rather than from the recipient's device. For Evergreen timers our terms require customers to pass a random, non-identifying value rather than any personal data.
Contact
For any data-protection or compliance questions, contact our team at [email protected].