
Privacy & Compliance

Learn how to protect user data, handle privacy requests, and maintain compliance with regulations like GDPR and CCPA.

Protecting User Data

Mixpanel gives you full control over the data you send to Mixpanel and provides you with the tools necessary to respect a customer’s request to opt out of tracking. When a user is opted out, no data is sent to Mixpanel for that user.

Opting Users Out of Tracking

Mixpanel’s client-side libraries include an ‘opt_out’ method that allows you to manage a user’s request to opt out of tracking. This allows you to quickly flag a user when they choose to opt out of tracking during the cookie consent management process.
The client-side ‘opt_out’ method sets a flag in the user’s browser cookie or local storage, preventing data from being sent to Mixpanel. The opt-out state persists across sessions.
For mobile SDKs, when the ‘opt_out’ method is called, any events and people updates that have not been sent to Mixpanel (i.e., those still in the local queue) are deleted from the device.
Once opted out, the Mixpanel SDKs will continue to function normally, but will not send any data to the Mixpanel project.
The client-side ‘opt out’ call will not affect server-side events. For server-side implementations, you need to manage the opt-out process manually.
JavaScript:
mixpanel.opt_out_tracking();
Objective-C:
Mixpanel *mixpanel = [Mixpanel sharedInstance];
[mixpanel optOutTracking];
Swift:
Mixpanel.mainInstance().optOutTracking();
Android:
mixpanel.optOutTracking();
React Native:
mixpanel.optOutTracking();
You can also configure our SDKs to opt users out of tracking by default:
JavaScript:
mixpanel.init(YOUR_TOKEN, {opt_out_tracking_by_default: true});
Objective-C:
Mixpanel *mixpanel = [Mixpanel sharedInstanceWithToken:@"YOUR_API_TOKEN"
    trackAutomaticEvents:NO 
    optOutTrackingByDefault:YES];
Swift:
let mixpanel = Mixpanel.initialize(token: YOUR_PROJECT_TOKEN, 
    trackAutomaticEvents: false,
    optOutTrackingByDefault: true)
Android:
MixpanelAPI mixpanelOptOutDefault = MixpanelAPI.getInstance(
    context, 
    YOUR_PROJECT_TOKEN, 
    true, 
    true /* opt out by default */);
React Native:
const trackAutomaticEvents = false;
const optOutTrackingDefault = true;
const mixpanel = new Mixpanel('your project token', 
    trackAutomaticEvents, 
    optOutTrackingDefault);
mixpanel.init();

Opting Users In For Tracking

The ‘Opt In’ methods are used to allow users to opt into tracking after they have been previously opted out or when the SDK is initialized with users opted out by default.
When the Opt In method is called, it triggers an event called “$opt_in”, which appears as “Opt In” in your project. This event is sent to Mixpanel to indicate that the user has opted into tracking.
Locally, a flag is set in the user’s cookie/local storage to indicate to the SDK that the user consents to data tracking.
After calling the ‘Opt In’ method, Mixpanel will start collecting and sending data for that user.
JavaScript:
mixpanel.opt_in_tracking();
Objective-C:
Mixpanel *mixpanel = [Mixpanel sharedInstance];
[mixpanel optInTracking];
Swift:
Mixpanel.mainInstance().optInTracking();
Android:
mixpanel.optInTracking();
React Native:
mixpanel.optInTracking();

Disabling Geolocation

Mixpanel’s Web and Mobile libraries use IP addresses to enrich events with geographic information like city, country, and region. Mixpanel does not store IP addresses, but rather, only uses IPs to assign geolocation properties to data upon ingestion. You can disable this using the following configuration options:
JavaScript:
mixpanel.init("YOUR_TOKEN", {"ip": false})
Objective-C:
mixpanel.useIPAddressForGeoLocation = NO;
Swift:
Mixpanel.initialize(token: "MIXPANEL_TOKEN", useIPAddressForGeoLocation: false)
Android:
<meta-data android:name="com.mixpanel.android.MPConfig.UseIpAddressForGeolocation" 
    android:value="false" />
React Native:
mixpanel.setUseIpAddressForGeolocation(false);
You can also disable geolocation for individual payloads by setting the ip property value to 0.

Anonymizing Users

Mixpanel does not know, or need to know, any identifying information about users (like email or phone number). Mixpanel only needs to know that a set of events was performed by a particular user ID. You choose the ID and how you want to send that to Mixpanel. If you want to analyze aggregate user behavior without being able to drill down into any particular user, we recommend generating a hash of some unique ID of the user and using that hash as the user’s ID when you call the .identify() method in our SDKs.
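One way to apply the hashing recommendation above, as an added example rather than Mixpanel's own code: a plain hash of a guessable ID (an email address, a sequential number) can be recomputed by anyone holding a list of candidates, so this version uses HMAC-SHA256 with a secret key. The helper name `makePseudonymizer`, the scope label and the sample values are assumptions; the key must stay server-side, so the pseudonym is computed on your backend and handed to the client.

```javascript
// Added example: derive a stable pseudonymous distinct_id with a keyed hash.
const { createHmac } = require('node:crypto');

const MIN_KEY_BYTES = 32;

// Returns a function mapping an internal user ID to a 64-hex-char pseudonym.
// `key` is a secret Buffer kept server-side (assumption: loaded from your
// secret store); `scope` separates pseudonyms per project or environment.
function makePseudonymizer(key, scope) {
  if (!Buffer.isBuffer(key) || key.length < MIN_KEY_BYTES) {
    throw new Error(`key must be a Buffer of at least ${MIN_KEY_BYTES} bytes`);
  }
  if (typeof scope !== 'string' || scope.length === 0) {
    throw new Error('scope must be a non-empty string');
  }
  return function pseudonymize(userId) {
    if (typeof userId !== 'string' || userId.length === 0) {
      throw new Error('userId must be a non-empty string');
    }
    // Length-prefix the scope so ("ab", "c") and ("a", "bc") cannot collide.
    return createHmac('sha256', key)
      .update(`${scope.length}:${scope}:${userId}`, 'utf8')
      .digest('hex');
  };
}

// Constructed sample values, for illustration only.
const demoKey = Buffer.alloc(32, 7); // stand-in for a random 32-byte secret
const toDistinctId = makePseudonymizer(demoKey, 'prod-web');
const distinctId = toDistinctId('user-48213');
// Client or server code would then call mixpanel.identify(distinctId).
```

Because the mapping is deterministic, the same function yields the distinct_id needed later for an export or deletion request for that user.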

Blacklisting Default Properties

Our JavaScript library automatically captures default properties to help enrich your data, but you can choose to prevent the setting of default properties using the property_blacklist config option.
mixpanel.init("YOUR_TOKEN", {
  property_blacklist: ['$referrer', 'custom_property']
});

GDPR Compliance

As controllers of personal data, Mixpanel and its customers must uphold certain rights stated by the GDPR.

Right to Access and Data Portability

Mixpanel supports individuals’ right to access and right to portability of their personal data through individual export requests. Any Mixpanel account holder can request an export of one’s personal data, as well as the personal data of their end-users.
The form for submitting end-user personal data export requests is available through Personal Settings > Data & Privacy.

Right to Erasure

We support individuals’ right to erasure through a permanent deletion of personal data upon request. The Deletion API is available to all users.

Right to Object

Our customers control what data is sent to Mixpanel, and may decide to halt the sending of personal data at any time. To assist with supporting individuals’ right to object to the collection of one’s personal data, Mixpanel has built dedicated methods for our client-side SDKs that can be used to opt end users out of tracking. Mixpanel recognizes the importance of an individual’s right to object and has streamlined opt-out systems for its customers, who can opt out of tracking through simple controls, located under Personal Settings > Data & Privacy.

Data Retention Policy

As the processor of its customers’ data and to protect the privacy of information it stores, Mixpanel holds data no longer than is needed to provide its services.
Events are automatically deleted after 2 years on an ongoing basis from all projects.
  • The start of the retention period is the date that is transferred to Mixpanel with an Event (i.e., the “Event Date”)
  • As of September 1, 2025, Mixpanel’s event retention period is 2 years
  • If your project was created prior to September 1, 2025 the retention period is 5 years; provided, that your project retention period will be reduced to 2 years in the event that you modify your plan or move to Mixpanel’s Free Plan
User data is retained for the duration of an active Subscription Plan. Customers are given the ability to delete profiles using the Engage API.
Custom data retention windows can be set for user data by sending regular deletion requests to the Engage API. For more questions about setting custom data retention windows, contact our support team.
Session Replays are stored for 30 days from ingestion date.
  • Custom retention periods for Session Replay are available to customers on certain plans for a period of up to 12 months
  • Changes to the retention period impact replays ingested after the change
  • Underlying Events will be retained for the period set out in the Event Retention policy
This policy includes projects that were deleted or reset through the Project Settings - deleting a project through the Project Settings triggers a soft deletion.
The data in the deleted or reset project will remain stored in Mixpanel for 60-90 days, after which it will be hard deleted and unrecoverable.

End User Data Management

Mixpanel supports account holders’ ability to request the deletion or export of end user data. These tools can be used to exercise Right to Access, Right to Portability, and Right to be Forgotten for end users or “data subjects” as part of GDPR and CCPA.
Only organization owners and admins can access or submit end user export or deletion requests.
Requests to export or delete end user data can take multiple weeks to process.

Generate OAuth Token

In order to submit a request, you must first generate a GDPR OAuth token from your Personal Settings.
  1. Select your initials in the top right of Mixpanel
  2. Select Profile & Preferences
  3. Select the Data & Privacy tab
  4. Generate your OAuth token
The OAuth token has a one year expiry. For requests submitted via API, the token should be passed in the Authentication header.

Gather Project Information and Distinct IDs

Mixpanel exports or deletes end user data according to the user’s distinct_id. To export or delete end user data:
  1. Select a project that you own
  2. Collect the distinct_id of the user(s)
Like all data in Mixpanel, the distinct_id can be custom specified in a tracking implementation. Ensure that any provided distinct_id is accurate and stored in a project. Incorrect identifiers will result in inability to process the request.
If you implemented Mixpanel before 2020 and are using the alias method to manage user identity, it is possible to submit either the end user’s alias or their distinct_id as part of a deletion request.

Submit Requests via Mixpanel Interface

To export end user data to satisfy a GDPR right to access request:
  1. Navigate to “Data & Privacy” by clicking on the settings gear > Organization Settings
  2. Select Data & Privacy on the left hand side
  3. Click Request Export
  4. In the “Export User Data” box:
    • Select either CCPA or GDPR under type of export
    • Select a project in the “Project” dropdown
    • Under “User Data To Export”, select to export data for a single user or multiple users
      • For a single user, provide the distinct_id of the user
      • For multiple users, upload a list of distinct_ids as a .csv file (limit of 2000 Users)
  5. Click Submit Request
Requests can take multiple weeks to process.
To delete end user data to satisfy a GDPR right to erasure request:
  1. In the “Data and Privacy” section, click Request Deletion
  2. In the “Request User Data Deletion” box:
    • Select either CCPA or GDPR under type of export
    • Select a project in the “Project” dropdown
    • Select to delete data for a single user or multiple users
      • For a single user, provide the distinct_id of the user
      • For multiple users, upload a list of distinct_ids as a CSV file (limit of 500 users per request)
  3. Click Submit Request
Requests can take up to several weeks to process.

GDPR vs CCPA Requests

GDPR requests are specifically designed to satisfy requirements as outlined in the General Data Protection Regulation.
  • Export: A GDPR export contains all data connected to the requested distinct_id.
  • Deletion: A GDPR deletion includes all data connected to the requested distinct_id.
CCPA requests are specifically designed to satisfy requirements as outlined in the California Consumer Privacy Act.
  • Export: A CCPA export contains all data from the previous year connected to the requested distinct_id.
  • Deletion: A CCPA deletion includes all data connected to the requested distinct_id.
Disclosure types: There are three different disclosure types as outlined in the CCPA:
  • Data: Export or delete everything
  • Categories: Export or delete the data table headers
  • Sources: Export or delete data connected to the means of data collection

Submit Requests via API

Mixpanel deletion and retrieval APIs are in place to help Mixpanel implementations meet the requirements outlined by GDPR and CCPA legislation.
GDPR Request Rate Limits: You can batch up to 2000 distinct IDs per deletion request and up to 2000 for a retrieval request. Request rates are limited for GDPR API requests.
Please see our GDPR API Reference to learn more about the deletion/retrieval endpoints.

Opt Out Users After Deletion

Deleting data from Mixpanel will remove it permanently, but it will not prevent the data from being collected moving forward. You must also opt users out of subsequent tracking.
If tracking using a client-side Mixpanel library, you can opt users out of tracking using Mixpanel’s opt-out methods available in: See Mixpanel’s Privacy-Friendly Tracking guide for more information on best practices.
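For server-side implementations, where the client-side opt-out call has no effect and the opt-out has to be managed manually, a consent gate in front of the sender covers both the opt-out and the post-deletion case. This is an added example, not Mixpanel code: `ConsentGate`, the injected `send` transport and the in-memory `Set` standing in for a persistent opt-out store are all assumptions.

```javascript
// Added example: consent gate in front of a server-side event sender.
// `send` is a hypothetical transport (for instance a wrapper around your
// server library's track call); `optedOut` stands in for a persistent store.
class ConsentGate {
  constructor(send, optedOut = new Set()) {
    this.send = send;
    this.optedOut = optedOut;
    this.queue = [];
  }

  // Record the opt-out and purge anything still queued for that user,
  // mirroring what the mobile SDKs do with their local queue.
  optOut(distinctId) {
    this.optedOut.add(distinctId);
    const before = this.queue.length;
    this.queue = this.queue.filter((e) => e.distinctId !== distinctId);
    return before - this.queue.length; // number of queued events dropped
  }

  optIn(distinctId) {
    this.optedOut.delete(distinctId);
  }

  // Queue an event unless the user is opted out. Returns true if queued.
  track(distinctId, event, properties = {}) {
    if (this.optedOut.has(distinctId)) return false;
    this.queue.push({ distinctId, event, properties });
    return true;
  }

  // Send queued events, re-checking consent at send time in case the
  // shared opt-out store was updated outside this process.
  flush() {
    const batch = this.queue;
    this.queue = [];
    let sent = 0;
    for (const e of batch) {
      if (this.optedOut.has(e.distinctId)) continue;
      this.send(e);
      sent += 1;
    }
    return sent;
  }
}
```

Calling `optOut` for a distinct_id at the moment its deletion request is submitted keeps new events for that user from being collected after the deletion completes.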

Privacy Best Practices

Data Minimization

Collect only the data you need:
  • Avoid tracking personally identifiable information (PII) when possible
  • Use hashed or anonymized identifiers
  • Don’t track sensitive data like passwords, credit card numbers, or social security numbers
  • Regularly review what data you’re collecting and remove unnecessary tracking

Transparency

Be transparent with your users:
  • Provide clear privacy policies
  • Explain what data you collect and why
  • Make it easy for users to opt out
  • Respond promptly to data access and deletion requests

Security

Protect the data you collect:
  • Use encrypted connections (HTTPS/TLS)
  • Implement proper access controls
  • Regularly audit who has access to data
  • Use Data Views and Classification to segment sensitive data

Compliance Monitoring

Stay compliant:
  • Keep up to date with privacy regulations in your jurisdictions
  • Document your data handling practices
  • Train your team on privacy best practices
  • Regularly review and update your privacy policies

FAQ

While Mixpanel provides tools to help our customers remain compliant with privacy regulations (such as methods for opting users in and out of tracking), it is the responsibility of the implementing company to ensure compliance with privacy regulations.
For GDPR purposes, Mixpanel is considered the data processor, whereas you (the customer) are considered the data controller. Your end user’s data is your responsibility.
Typically, organizations must obtain explicit consent from individuals before collecting, using, or sharing their personal data.
Yes, Mixpanel provides tools for handling user data requests. However, it is important to note that Mixpanel doesn’t handle end-users’ requests directly. The company implementing Mixpanel is responsible for using Mixpanel’s tools to fetch the data and provide it to its end-users.
Learn more about our GDPR Data Retrieval API Endpoint.
When a user is opted out of tracking, no subsequent data moving forward is sent to Mixpanel for that user. This means that future events won’t be tracked or available in Mixpanel.
However, data previously collected will remain in your project until:
  • The data retention period has passed
  • A data deletion is performed for that user’s data
  • A GDPR deletion is requested and performed
GDPR (General Data Protection Regulation):
  • European Union regulation
  • Applies to all data of EU residents
  • Requires explicit consent for data collection
  • Stricter penalties for non-compliance
CCPA (California Consumer Privacy Act):
  • California state law
  • Applies to California residents
  • Requires opt-out mechanism rather than opt-in
  • Different disclosure requirements
Both give users rights to access, delete, and control their personal data, but have different specific requirements.
