GDPR compliance built in - not bolted on.
Mister Chameleon was designed with European privacy law as a baseline, not an afterthought. Here's how we comply with GDPR and what that means for you as a controller.
Our GDPR commitments
Data Processing Agreement
We offer a standard DPA for all paying customers that documents lawful basis, sub-processors, data transfers, and your rights as controller. Available on request - contact privacy@misterchameleon.io.
Sub-processors
Our key sub-processors are Supabase (database infrastructure), Stripe (payment processing), and Sanity (CMS). All operate under EU-compliant data processing terms.
Data residency
Your account data is stored in the EU by default. Supabase projects are created in your chosen region. We do not transfer visitor data to third countries.
Data subject rights
We respond to data subject requests within 30 days. Contact privacy@misterchameleon.io to submit a request or to get support with your own customers' rights requests.
No third-party cookies
Mister Chameleon does not use advertising cookies or cross-site tracking. The mc_session_id cookie is a functional first-party cookie, so no consent banner is required in most implementations.
Privacy by design
Personal data minimisation is built into our architecture. Visitor behavioural data is stored in your own database. We hold only what is necessary to operate the service.
Request a DPA
Contact our privacy team and we'll send you our standard DPA within one business day.