What data does Valid Email Checker store about my login attempts?
Every login attempt against your Valid Email Checker account — successful or not — is recorded to a login history table. The record exists for two reasons: so you can see your own login history in Account Settings and flag anything that does not look like you, and so our abuse detection can spot account-takeover patterns early. The data we capture is what you would expect from any security-aware web app, but it is worth knowing exactly what lands in the table.
What we log per login
- User ID — which account the attempt was against.
- Success or failure — boolean. Failed attempts get logged too, so brute-force patterns surface.
- IP address — the client IP we extracted from the request (after any CDN unwrapping).
- Geolocation — the city and country we resolve from the IP using our internal lookup. This is a coarse signal, not GPS-grade.
- Device name and type — derived from the User-Agent string (e.g. "Chrome on Windows", "Safari on iPhone").
- Browser name and version, OS name and version — parsed from the User-Agent.
- Full User-Agent string — kept verbatim for forensic purposes.
- Auth method — password, google_oauth, or magic_link.
- 2FA verified — boolean, plus which method (google_authenticator or email).
- Failure reason — for failed attempts, a short code like wrong_password or 2fa_failed.
- Suspicious flag — set automatically when a successful login arrives from a device we have not seen before on this account.
How the data is used
Three uses, all defensive. First, you can review your own history under Account Settings, Security tab, and see every login that ever happened on your account. If you see a session from a city you have never been in, you can change your password and revoke active sessions. Second, our abuse system flags suspicious patterns — a successful login on a brand-new device fires an alert in our internal dashboards and, on high-risk accounts, can trigger a step-up challenge. Third, in the rare event of a security incident, the log is what we use to scope blast radius.
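The sketch below is an added illustration, not Valid Email Checker's own code. It applies the suspicious-flag rule and a failed-attempt count to constructed login records. The field names, the known-device seed, the threshold of 3, and the choice that only a successful login makes a device "seen" are all assumptions.

```python
from collections import defaultdict

# Constructed sample records; field names are assumptions modelled on the logged fields.
SAMPLE_LOG = [
    {"user_id": 7, "success": True,  "ip": "198.51.100.10", "device": "Chrome on Windows", "failure_reason": None},
    {"user_id": 7, "success": False, "ip": "203.0.113.5",   "device": "Firefox on Linux",  "failure_reason": "wrong_password"},
    {"user_id": 7, "success": False, "ip": "203.0.113.5",   "device": "Firefox on Linux",  "failure_reason": "wrong_password"},
    {"user_id": 7, "success": False, "ip": "203.0.113.5",   "device": "Firefox on Linux",  "failure_reason": "2fa_failed"},
    {"user_id": 7, "success": True,  "ip": "203.0.113.5",   "device": "Firefox on Linux",  "failure_reason": None},
    {"user_id": 7, "success": True,  "ip": "203.0.113.5",   "device": "Firefox on Linux",  "failure_reason": None},
]
# Devices already seen on each account before the sample window (constructed).
KNOWN = {7: {"Chrome on Windows"}}


def flag_suspicious(records, known=None):
    """Return copies of records, in order, each with a 'suspicious' boolean."""
    seen = defaultdict(set)
    for user, devices in (known or {}).items():
        seen[user] |= set(devices)
    out = []
    for rec in records:
        is_new = rec["device"] not in seen[rec["user_id"]]
        # Only successful logins are flagged, matching the rule described above.
        out.append({**rec, "suspicious": rec["success"] and is_new})
        # Assumption: failed attempts never make a device "seen", so a run of
        # bad guesses cannot pre-trust the device that later succeeds.
        if rec["success"]:
            seen[rec["user_id"]].add(rec["device"])
    return out


def failed_bursts(records, threshold=3):
    """Return {(user_id, ip): failures} for sources at or above the threshold."""
    counts = defaultdict(int)
    for rec in records:
        if not rec["success"]:
            counts[(rec["user_id"], rec["ip"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for rec in flag_suspicious(SAMPLE_LOG, KNOWN):
        print(rec["ip"], rec["device"], rec["success"], rec["suspicious"])
    print(failed_bursts(SAMPLE_LOG))
```

In the sample, the first successful login from "Firefox on Linux" is flagged even though three failures from that device preceded it, and the same source also crosses the failed-attempt threshold.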
What we do not log
- Your password (we never see the plaintext — it is hashed at the auth layer).
- Your 2FA secret or backup codes.
- API key values (only the prefix is stored, see where API keys live).
- Browsing or click activity inside the dashboard — only the act of logging in is logged here.
