1. Summary
We collect the minimum personal data required to run MailChecked. We don't sell your data. We don't use your uploaded email lists for our own marketing. Bulk uploads are deleted after 30 days. Validation results are cached as one-way hashes — not as plaintext addresses linked to your account.
2. Who is the controller?
For account, billing, and website-analytics data, MailChecked is the controller. For email addresses you submit for validation, you are the controller and MailChecked is the processor — see our Data Processing Agreement.
3. What we collect
3.1 Account data
- Email address (login)
- Hashed password (we never store plaintext)
- Optional display name
- Country (derived from billing, used for tax)
3.2 Billing data
- Customer ID, invoice history, top-up amounts (Stripe is the processor)
- We don't store full card numbers; Stripe handles all payment details under PCI DSS
3.3 Validation submissions
- Email addresses you submit (single or bulk)
- Bulk CSV files you upload — retained 30 days, then permanently deleted
- Per-validation result records linked to your account, retained for 12 months for billing audit
3.4 Anonymized validation cache
- SHA-256 hashes of validated addresses with their verdict — used to make repeat checks free and to improve accuracy. Not linked to any account.
3.5 Operational data
- Server logs (IP address, request path, user-agent, timestamp) — retained 30 days
- Error reports via Sentry — automatically scrubbed for personal data
4. Why we collect it (lawful bases)
- Contract: to provide the service you've signed up for.
- Legal obligation: tax and accounting records.
- Legitimate interest: security logging, abuse prevention, product improvement, anonymized caching.
- Consent: for non-essential cookies and optional product-update emails.
5. Who we share data with
- Stripe — billing.
- Resend — transactional emails (verification, password reset, billing receipts).
- Cloudflare — DNS, WAF, and edge proxying.
- Contabo — hosting and storage.
- Sentry — error monitoring (with PII scrubbing).
All sub-processors are bound by data-processing terms equivalent to the GDPR. We don't share your data for advertising or with data brokers.
6. International transfers
Some sub-processors operate outside the EU/UK. Where applicable, transfers rely on Standard Contractual Clauses or equivalent safeguards.
7. How long we keep data
- Account data: until you close your account.
- Bulk CSV uploads: 30 days from upload.
- Per-validation result records: 12 months.
- Anonymized validation cache: indefinitely (no personal identifiers attached).
- Server logs: 30 days.
- Billing records: 7 years (legal requirement).
8. Your rights
If you're in the EU, UK, or another jurisdiction with similar protections, you have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion ("right to be forgotten"), subject to legal retention obligations
- Restrict or object to processing
- Receive your data in a portable format
- Withdraw consent (where processing is based on consent)
- Lodge a complaint with your local data protection authority
Email privacy@mailchecked.com to exercise any of these. We respond within 30 days.
9. Security
- HTTPS (TLS 1.3) for all traffic.
- Passwords stored as hashed credentials by Better Auth (industry-standard hashing).
- API keys stored as SHA-256 hashes; only the prefix is recoverable.
- Database encryption at rest, role-based access controls, audit logging.
- Regular vulnerability scanning and dependency monitoring.
10. Children
MailChecked is not directed at children under 16. We don't knowingly collect personal data from children. If you believe a child has provided data, contact us and we'll delete it.
11. Changes
We'll notify you by email of material changes. Minor wording updates may be made without notice.
12. Contact
Privacy questions: privacy@mailchecked.com. General contact: contact page.