GDPR compliance built in - not bolted on.

Mister Chameleon was designed with European privacy law as a baseline, not an afterthought. Here's how we comply with GDPR and what that means for you as a controller.

Our GDPR commitments

Data Processing Agreement

We offer a standard DPA for all paying customers that documents lawful basis, sub-processors, data transfers, and your rights as controller. Available on request - contact privacy@misterchameleon.io.

Sub-processors

Our key sub-processors are Supabase (database infrastructure), Stripe (payment processing), and Sanity (CMS). All operate under EU-compliant data processing terms.

Data residency

Your account data is stored in the EU by default. Supabase projects are created in your chosen region. We do not transfer visitor data to third countries.

Data subject rights

We respond to data subject requests within 30 days. Contact privacy@misterchameleon.io to submit a request or to support your own customers' rights requests.

No third-party cookies

Mister Chameleon does not use advertising cookies or cross-site tracking. The mc_session_id cookie is a functional first-party cookie - no consent banner required in most implementations.

Privacy by design

Personal data minimisation is built into our architecture. Visitor behavioural data is stored in your own database. We hold only what is necessary to operate the service.

Request a DPA

Contact our privacy team and we'll send you our standard DPA within one business day.