/public/legal/dpia-outreach.pdf in the repo so it's versioned alongside other compliance artefacts.
Cold-outreach email campaigns — DPIA v1
1. Purpose of the processing
Mentionhub OÜ sends cold-outreach emails to people who hold marketing, communications, or PR-related corporate roles at European mid-market companies, in order to introduce the Mentionhub brand-monitoring SaaS product. The intended outcome is for the recipient to evaluate whether the product is useful in their professional role.
Each email is targeted at the recipient's professional capacity only. Personal email addresses (gmail.com, hotmail.com, etc.) are excluded by an automated filter at the source-list stage.
2. Categories of personal data processed
| Category | Source | Use | Retention |
|---|---|---|---|
| Name (first + last) | SignalHire reveal of public LinkedIn profile | Email salutation | Until campaign archives are deleted (max 18 months) or recipient requests deletion (within 30 days) |
| Corporate email address | SignalHire SMTP-verified reveal | Sending the email | Same — or moved to suppression list permanently if the recipient opts out |
| Job title | SignalHire / public LinkedIn | Filtering for role-relevance | Same as above |
| Employer (company name + domain) | SignalHire / public LinkedIn | Filtering + Mentionhub-personalisation step (looking up brand mentions) | Same as above |
| Country of work | SignalHire / public LinkedIn | Country-specific compliance toggles (e.g. no-pixel for ES/DE/FR) | Same as above |
| Email engagement events (open/click) | Instantly.ai | Sequence pacing, deliverability monitoring | Up to 12 months. Disabled entirely for recipients in DE, FR, ES. |
| Suppression flag (opt-out) | Recipient action (clicked unsubscribe / replied) | Prevent further sends. Required by GDPR Art. 21. | Indefinite — must be retained to honour the opt-out |
No special-category data (Art. 9 GDPR) is processed. No data about the recipient's private life, finances, health, beliefs, or political views.
3. Sub-processors
| Sub-processor | Role | Hosting region | Transfer mechanism |
|---|---|---|---|
| Instantly.ai (Instantly LLC) | Email sending + tracking | EU (Frankfurt) for EU customers | Standard Contractual Clauses (SCC) 2021/914 + DPA on file |
| SignalHire (SignalHire Inc.) | Contact discovery + verification | USA + EU mirrors | SCC 2021/914 + DPA on file. SignalHire maintains its own opt-out registry. |
| Clay (Clay Labs Inc.) | List enrichment / personalisation orchestration | USA | SCC 2021/914 + DPA on file. Used only for transient enrichment; Clay does not retain post-export. |
| Google Workspace | Sending mailboxes | EU (Belgium / Finland) | EU-hosted by config; Google's standard DPA + SCC. |
| OpenAI Ireland Ltd. | AI-visibility prompt for personalisation | EU (Ireland) | EU entity, GDPR-compliant Enterprise Privacy by default. |
| Supabase / AWS Frankfurt | Database (suppression list, snapshot cache) | EU (Frankfurt) | EU-hosted; data never leaves the region. |
| Vercel | Application hosting | EU (Frankfurt) | EU-hosted; AWS/Vercel DPA. |
Each sub-processor has a current DPA stored at /legal/dpa-archive/ (controller's file system). Adding a new sub-processor requires this DPIA to be updated.
4. Necessity and proportionality test
Why is the processing necessary for the legitimate interest?
Without contact data we cannot reach decision-makers about a product that is professionally relevant to them. Generic advertising (paid social, search) is materially less efficient at our current company stage and would not allow the per-recipient personalisation that demonstrates the product's value.
Could we achieve this with less data?
Yes — we already exclude phone numbers from sends, exclude special-category data, exclude personal email addresses, and exclude tracking pixels in the highest-risk markets. We do not buy or generate behavioural-profile data. We use the minimum dataset that allows targeted, role-relevant outreach.
Could we use opt-in (consent) instead?
No effective alternative exists — opt-in lists at this market segment are sold by data brokers under questionable consent provenance, which would create greater risk than role-targeted legitimate-interest outreach. We accept the higher disclosure burden of legitimate interest in exchange for cleaner data hygiene.
5. Risks and mitigations
| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Recipient receives email despite earlier opt-out | Low | High (regulatory + reputational) | Suppression check is enforced both at SignalHire enrichment time and at Instantly send time. Two-layer block. |
| Email reaches a non-corporate / personal mailbox | Low | Medium | Source-list filter excludes free-mail domains. Random sample audit monthly. |
| Recipient cannot identify the controller or exercise rights | Low | High | Every email contains: controller name (Mentionhub OÜ), Tallinn registered address, working unsubscribe link, working privacy@mentionhub.ai address. |
| Tracking-pixel processing in a strict-enforcement jurisdiction | Medium | Medium (CNIL / AEPD fines) | Pixels disabled per-campaign for recipients in DE, FR, ES. Country auto-detected from SignalHire enrichment. |
| Sub-processor data breach | Low | Medium | Each sub-processor DPA includes 72-hour breach notification clause. Controller process: notify affected data subjects within 72 hours of confirmed breach. |
| Personalisation step pulls data from a wrong company / brand match | Medium | Low (no personal data leak — only public-domain brand data) | Brand normalisation + name + domain double-check. Manual sample audit weekly during ramp. |
| Recipient claims the personalisation line implies surveillance | Low | Medium | Personalisation uses only public sources (Bluesky, Reddit, HN, public AI assistant responses) — no private-data signals. Disclosed in our Privacy Policy under "Data we use about you". |
6. Data subject rights — how each is honoured
- Right to information (Art. 13/14): the cold email itself contains the controller name, contact, purpose, and link to full Privacy Policy.
- Right to access (Art. 15): requests to privacy@mentionhub.ai are responded to within 30 days. Data export in CSV / JSON.
- Right to rectification (Art. 16): same address, same SLA. We update or delete on request.
- Right to erasure (Art. 17): processed within 30 days. Suppression-list entries are kept after erasure to honour the opt-out — explained in the response.
- Right to object (Art. 21): one-click unsubscribe in every email. Effect: instant + permanent.
- Right to data portability (Art. 20): CSV export of held data on request.
- Right to lodge a complaint: recipients are informed they may complain to their national supervisory authority (e.g. Estonia AKI, Spain AEPD, France CNIL).
7. Retention and deletion
- Active prospect data: retained while the campaign cohort is live, max 18 months from initial reveal.
- Suppression-list data: retained indefinitely; needed to honour opt-out under Art. 21.
- Engagement event logs (open/click): rotated after 12 months.
- Snapshot cache (`prospect_snapshots` table): TTL 7 days, then auto-purged.
- On controller dissolution or business sale: personal data is destroyed or transferred only as part of the asset sale, with successor controller bound by the same DPIA.
8. International transfer assessment
The two non-EU sub-processors (SignalHire and Clay, both US-based) operate under SCC 2021/914 with supplementary measures: data is transferred only as required for the specific operation (contact reveal, list enrichment), not retained beyond the operation, and is segregated by customer. We have reviewed each sub-processor's government-access disclosures (FISA 702, EO 12333) and concluded the residual risk is acceptable for B2B corporate-role contact data, given the limited data categories and short retention.
9. Conclusion
The processing described is necessary for the legitimate interest of Mentionhub OÜ to introduce its product to professional decision-makers. The risks have been identified and mitigated. Data subjects retain meaningful control through the right to object (one-click) and other GDPR rights. The processing is approved subject to ongoing monitoring and the annual review schedule above.
Approval
This DPIA is approved by the controller's acting Data Protection Officer.