Privacy Policy

Last Updated: March 20, 2024

At ValidEmailChecker, we understand that trust is earned, especially when you entrust us with your personal information and sensitive email data. This Privacy Policy explains what information we collect, how we use it, how we protect it, and what choices you have. Whether you are visiting our website, uploading an email list for validation, using our API, or managing your account, we want you to know that your privacy is protected at every step.

By using ValidEmailChecker (https://validemailchecker.com and https://app.validemailchecker.com), you agree to the practices described in this policy. If you do not agree with this policy, please do not use our services.

1. Who We Are

ValidEmailChecker is an email verification and list cleaning service operated from Ontario, Canada. We provide fast, accurate email validation services for marketers, developers, and businesses of all sizes. Our marketing website is located at validemailchecker.com, the application you use to verify emails lives at app.validemailchecker.com, and our self-service help center is available at help.validemailchecker.com. For any questions or concerns, you can reach our support team at support@validemailchecker.com.

2. Information We Collect

2.1 Information You Provide Directly

Account Registration

When you create a ValidEmailChecker account, we ask you to provide your first name, last name, email address, and a password. Your password is immediately and irreversibly hashed using the bcrypt algorithm through our authentication provider — we never store, transmit, or have any access to your plain-text password at any point. During the registration process, you will also complete a Cloudflare Turnstile challenge, which helps us prevent automated bot signups without invasive tracking.

Once your account is created, you may optionally add additional details to your profile. These include your company name, phone number, billing address (street address, city, state or province, postal code, and country), and a VAT or tax identification number if applicable. None of these additional fields are required to use the service — they exist to support invoicing, billing, and to personalize your experience if you choose to provide them.

Email Verification Data

The core purpose of ValidEmailChecker is to verify email addresses, and the data we process depends on how you use the service. When you verify a single email address through our dashboard or API, we process that individual email address and return the verification result. When you upload a file for bulk verification, we receive the entire file you provide — typically in CSV or TXT format — which may contain email addresses along with any other data columns present in your file. If you use one of our integrations to connect a third-party platform such as Mailchimp, SendGrid, ActiveCampaign, or another email marketing service, we import the email list from that platform for the sole purpose of running the verification you requested. In all three cases, the email data you provide is used exclusively for verification and is never analyzed, profiled, sold, or repurposed in any way.

Payment Information

When you purchase credits or subscribe to a monthly plan, your payment is processed entirely by our third-party payment processors. Credit and debit card payments are handled by Stripe, and cryptocurrency payments are handled by CoinPayments. Your full card number, CVV, and bank account details are transmitted directly to these processors and are never sent to, stored on, or accessible from our servers. What we do store for your convenience is limited reference information: the card brand (such as Visa or Mastercard), the last four digits of the card number, and the expiration date. We also retain your billing name, billing email, and billing address, along with complete transaction records that include the amounts charged, the date and time of each transaction, which plan or credit package was purchased, and how many credits were received. Invoice records are stored with links to downloadable PDF copies so that you always have access to your payment history.

Support Communications

When you reach out to our support team — whether through the contact form on our website, our live chat widget (which is powered by a self-hosted Chatwoot instance running on our own servers), or by emailing us directly — we collect the information you provide in your message. This includes your name, email address, the reason you are contacting us (selected from a predefined list of topics), and the content of your message. To help our team resolve your issue quickly, we also automatically attach contextual information from your account when a support request is initiated from within the application. This contextual data may include your current credit balance, your subscription status, a summary of your recent verification activity, and basic device and browser information. This data is used solely to diagnose and resolve your issue and is never shared with external parties.

2.2 Information Collected Automatically

Security and Authentication Data

Every time you log in to ValidEmailChecker, our system automatically records certain information for security purposes. This includes your IP address, the type of device you are using (such as desktop, mobile, or tablet), your operating system and its version, your browser name and version, and the full user agent string reported by your browser. We also derive your approximate geographic location from your IP address at the city and country level — we do not collect precise GPS coordinates or street-level location data. Each login event is timestamped, and we record which authentication method was used (password, Google OAuth, or two-factor authentication) as well as whether the login attempt succeeded or failed. All of this information is stored in our login history and session management system. Its sole purpose is to allow you to review your account activity, detect unauthorized access, and help our team investigate any suspicious behavior on your account.

Cloudflare Turnstile

Our signup and login pages are protected by Cloudflare Turnstile, a modern, privacy-focused alternative to traditional CAPTCHA systems. Unlike older CAPTCHA solutions, Turnstile does not require you to solve image puzzles and does not place tracking cookies on your device. It does not track you across websites and does not build a profile of your behavior. Its only function is to verify that you are a real person and not an automated bot.

2.3 Information We Do NOT Collect

Transparency about what we do not do is just as important as explaining what we do. ValidEmailChecker does not use Google Analytics, Mixpanel, Hotjar, PostHog, or any other behavioral analytics or session-recording tools. We do not serve advertisements of any kind and do not load scripts from any advertising network. We do not deploy retargeting pixels, conversion tracking tags, or social media tracking pixels from any platform. We do not sell, rent, license, or trade your personal information to any third party for marketing, advertising, or data brokerage purposes — and we never will. Most importantly, we do not read, mine, analyze, or use the content of the email lists you submit for any purpose other than performing the specific verification you requested. Your data is your data.

3. How We Use Your Information

Service Delivery

The primary reason we collect your information is to provide the service you signed up for. Your account information is used to create and maintain your account, authenticate your sessions, and personalize your dashboard. The email addresses you submit are processed through our verification engine to return deliverability results. Your payment information is used to process purchases, generate invoices, and manage your credit balance — including operating the auto-refill feature if you choose to enable it. When you contact us for help, your support communications and the contextual account data we attach are used to diagnose and resolve your issue as efficiently as possible.

Security and Fraud Prevention

The login history, session data, and device information we collect serve a critical security function. We use this data to detect and prevent unauthorized access to your account, to identify patterns of suspicious activity (such as login attempts from unusual locations or rapid-fire credential stuffing attacks), and to enforce our Terms of Use and Anti-Spam Policy. We also monitor for abuse of our free credit allocation at signup, which is designed for legitimate evaluation of our service. If we detect that an individual is creating multiple accounts to exploit free credits, we may take action to prevent further abuse, including suspending the accounts involved.

Platform Improvement

We use aggregate, non-identifiable data to maintain and improve the performance, reliability, and accuracy of our verification service. This includes monitoring system health, identifying and resolving bugs, and understanding overall usage patterns so we can make informed decisions about new features and infrastructure investments. We never use individual user data or the contents of your email lists for these purposes — only anonymized and aggregated metrics such as total verifications processed per day, average response times, and system error rates.

Communications

We send you transactional emails that are essential to the operation of your account. These include account confirmation emails when you sign up, password reset emails when you request one, payment receipts when you make a purchase, and notifications when a bulk verification task is complete. We may also notify you about material changes to our service, policies, or terms. If you have opted in to receive product updates and feature announcements, we will send those as well — but you can unsubscribe from non-essential communications at any time through your account settings or by clicking the unsubscribe link in any email we send.

4. How We Handle Email Verification Data

This section deserves special attention because email verification involves processing email addresses that may belong to third parties — the individuals on your email list. We take this responsibility seriously and have designed our data handling practices with both your privacy and the privacy of those individuals in mind.

4.1 What Happens During Verification

When you submit an email address for verification — whether individually, as part of a bulk upload, or through an integration sync — our system performs a comprehensive series of technical checks to determine whether the email is likely to be deliverable. These checks include validating that the email's domain has properly configured DNS and MX records (the infrastructure that allows a domain to receive email), detecting whether the address belongs to a known disposable or temporary email provider, identifying catch-all domains that accept mail to any address regardless of whether a real mailbox exists, flagging role-based addresses (such as info@, support@, or admin@) that are typically shared and not tied to a single individual, checking against known spam trap databases, verifying whether the mailbox is full, disabled, or currently active, and calculating a deliverability score between 0 and 100 that reflects the overall likelihood that an email sent to that address will successfully reach the inbox.

To perform these technical checks, the email addresses you submit are transmitted over encrypted connections to our trusted third-party verification infrastructure providers. These providers exist solely to execute the low-level SMTP and DNS checks that make verification possible. They process the email addresses exclusively for the purpose of completing the verification request, they do not retain your data beyond what is strictly necessary to fulfill that request, and they are contractually prohibited from using your data for any other purpose.

4.2 Data Retention for Verification Results

15-day automatic deletion: Every email list you upload for bulk verification, along with all of the individual verification results associated with that list, is automatically and permanently deleted from our systems exactly 15 days after the verification is completed. This automated deletion is performed by a scheduled cleanup process that runs daily. There are no exceptions to this rule — the data is purged regardless of whether you have downloaded your results or not. We strongly recommend downloading your verification results promptly after they are ready.

Early deletion: You do not have to wait 15 days. You can delete any verification task and all of its associated results at any time by visiting the Uploads & Results page in your dashboard and removing the task. Deletion is immediate and irreversible — once you delete a task, there is no way to recover the data.

What is retained after deletion: After verification data has been deleted — either automatically after 15 days or manually by you — we retain only aggregate, non-identifiable metadata about the task. This includes the number of credits that were used, the date the verification was performed, and the total number of emails that were processed. No individual email addresses, verification results, or uploaded file contents are retained after deletion.

4.3 Your Responsibility

You are responsible for ensuring that you have the legal right to verify every email address you submit to ValidEmailChecker. This means you should have obtained valid consent from the individuals on your list, or you should have an existing legitimate business relationship that permits you to process their email addresses. You are also responsible for complying with all applicable anti-spam legislation and data protection regulations in your jurisdiction, including (but not limited to) CAN-SPAM, CASL, GDPR, and any local laws that govern the handling of personal data. For complete details on acceptable use, please review our Anti-Spam Policy and Terms of Use.

5. Third-Party Services and Data Sharing

We do not sell your data. We share your information only with a small number of carefully selected service providers, and only to the extent strictly necessary to operate the ValidEmailChecker service. Here is a complete accounting of every third party that may receive your data and why.

Payment Processors

Stripe handles all credit and debit card transactions. When you enter your card details to make a payment, those details are transmitted directly from your browser to Stripe's servers using their secure, PCI DSS Level 1 certified infrastructure. Your full card number never touches our servers. Stripe's privacy practices are governed by their own privacy policy, which you can review at stripe.com/privacy.

CoinPayments handles cryptocurrency payments for users who prefer to pay with digital currency. When you initiate a crypto payment, the transaction is processed through CoinPayments' platform. Their privacy practices are detailed at coinpayments.net/help-privacy.

Email Verification Infrastructure

We rely on trusted third-party verification infrastructure to execute the technical SMTP-level and DNS-level checks that make email verification possible. When you submit an email address for verification, that address is transmitted to these providers over encrypted connections. They process the address solely for the purpose of completing your verification request, they are contractually bound to protect the data they receive, and they are prohibited from retaining your data or using it for any purpose beyond fulfilling the request. We do not disclose the identity of these infrastructure providers for competitive and security reasons, but we hold them to the same data protection standards that we apply to ourselves.

Hosting and Infrastructure

Our application, database, authentication system, file storage, and serverless backend functions are hosted on Supabase infrastructure. Supabase provides enterprise-grade hosting with encryption in transit (all data transmitted over TLS/HTTPS) and encryption at rest (all stored data encrypted on disk). Supabase's role is limited to hosting — they do not access, analyze, or process your data in any way beyond storing and serving it as instructed by our application.

Live Chat Support

Our customer support live chat is powered by Chatwoot, an open-source customer engagement platform that we host entirely on our own servers at desk.validemailchecker.com. Because we self-host Chatwoot, your support conversations never leave our infrastructure. There is no third-party SaaS provider involved in our chat system — your messages travel directly between your browser and our server, and they are stored exclusively in our own database.

Bot Protection

Cloudflare Turnstile is loaded on our signup and login pages to distinguish legitimate human visitors from automated bots. Turnstile is specifically designed as a privacy-preserving alternative to traditional CAPTCHAs. It does not set tracking cookies, does not build user profiles, and does not follow you across the web. Its sole function is to issue a one-time challenge token that our server verifies to confirm you are not a bot.

When We May Disclose Information

Beyond the service providers described above, there are a limited number of circumstances in which we may be required or permitted to disclose your information. We may do so to comply with a valid legal obligation, subpoena, court order, or government request. We may disclose information if we believe it is necessary to protect the rights, property, or personal safety of ValidEmailChecker, our users, or the general public. In the event of a merger, acquisition, reorganization, or sale of all or a portion of our assets, your information may be transferred to the acquiring entity — but we would notify you in advance and give you the opportunity to delete your account before any transfer takes place. Finally, we may share information with your explicit consent if you direct us to do so.

6. Data Security

We take the security of your information seriously and implement multiple layers of protection across every part of our infrastructure. Here is a detailed overview of the measures we have in place.

Encryption

All communication between your browser and our servers is encrypted using HTTPS with modern TLS protocols. This applies equally to the marketing website, the application dashboard, the API, and our help center. No data is ever transmitted in plain text. On the storage side, sensitive data is encrypted at rest using industry-standard encryption. Payment processor credentials stored in our database are encrypted using AES-GCM, a symmetric encryption algorithm that provides both confidentiality and integrity verification. Two-factor authentication secrets (TOTP seeds) and backup recovery codes are also stored in encrypted form, ensuring that even in the unlikely event of a database breach, these values would be unusable without the encryption key.

Authentication Security

Your password is handled exclusively by Supabase Auth, which hashes it using the bcrypt algorithm before storing it. Bcrypt is a deliberately slow hashing algorithm specifically designed for password storage, making brute-force attacks computationally impractical. We never store, log, or have the ability to view your plain-text password. We also support two-factor authentication (2FA) using the TOTP standard, which is compatible with authenticator apps such as Google Authenticator, Authy, and 1Password. When you enable 2FA, your TOTP secret is encrypted before being stored, and you are provided with backup recovery codes (also encrypted) in case you lose access to your authenticator app. Your login sessions are managed with automatic expiration — sessions time out after 5 hours of inactivity, requiring you to re-authenticate. You can view all of your active sessions in your dashboard and revoke any session at any time if you suspect unauthorized use.

Access Control

Our database enforces Row Level Security (RLS) policies on every single table that contains user data. RLS is a database-level enforcement mechanism — not an application-level check — that physically prevents any user from querying, inserting, updating, or deleting rows that do not belong to them. This means that even if a bug existed in our application code, the database itself would still block unauthorized data access. Our system also enforces role-based permissions at the application level. Account owners have full access to their account, including billing, credit purchases, and team management. Team members are restricted to using shared credits and running verifications — they cannot view payment information, manage billing details, or purchase credits.

Webhook and API Security

All incoming payment webhooks from Stripe and CoinPayments are validated using HMAC-SHA256 cryptographic signature verification. Each webhook request includes a signature generated using a shared secret, and our server independently computes the expected signature and compares it before processing any webhook event. We also enforce a 5-minute timestamp window, which means that any webhook request older than 5 minutes is automatically rejected, preventing replay attacks. Every webhook event we receive is logged in an audit table for monitoring and forensic purposes.
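The check described above, as an added example (this is not ValidEmailChecker's code). The header layout `t=<unix seconds>,v1=<hex digest>`, the signed string `<timestamp>.<body>`, and all function and variable names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 5 * 60  # the 5-minute window stated in the policy


class WebhookRejected(Exception):
    """Raised when a webhook fails verification; the message names the reason."""


def parse_signature_header(header):
    """Parse 't=<unix seconds>,v1=<hex digest>' (assumed header layout)."""
    fields = {}
    for part in header.split(","):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields.setdefault(key, value)  # first occurrence of a key wins
    try:
        return int(fields["t"]), fields["v1"]
    except (KeyError, ValueError):
        raise WebhookRejected("malformed signature header")


def sign(secret, timestamp, body):
    """HMAC-SHA256 over '<timestamp>.<raw body>' (assumed signing scheme)."""
    signed = str(timestamp).encode() + b"." + body
    return hmac.new(secret, signed, hashlib.sha256).hexdigest()


def verify_webhook(secret, header, body, now=None, seen=None):
    """Return the authenticated timestamp, or raise WebhookRejected.

    `body` must be the raw request bytes, not re-serialized JSON.
    `seen` is an optional set of signatures already processed.
    """
    now = time.time() if now is None else now
    timestamp, received = parse_signature_header(header)
    expected = sign(secret, timestamp, body)

    # Constant-time comparison so response timing does not leak how many
    # leading characters of the signature were correct.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        raise WebhookRejected("signature mismatch")

    # The timestamp is trusted only now, because it is covered by the MAC.
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        raise WebhookRejected("timestamp outside tolerance")

    # A captured request replayed inside the window still has a valid
    # signature, so remember what was already processed.
    if seen is not None:
        if expected in seen:
            raise WebhookRejected("replayed event")
        seen.add(expected)
    return timestamp


if __name__ == "__main__":
    # Constructed sample values, not real secrets or events.
    secret = b"constructed-test-secret"
    body = b'{"id":"evt_constructed_1","type":"payment.succeeded"}'
    sent_at = 1_700_000_000
    header = f"t={sent_at},v1={sign(secret, sent_at, body)}"
    processed = set()

    attempts = [
        ("fresh delivery", body, sent_at + 30),
        ("same request again", body, sent_at + 60),
        ("tampered body", body.replace(b"succeeded", b"refunded"), sent_at + 60),
        ("six minutes late", body, sent_at + 360),
    ]
    for label, payload, clock in attempts:
        try:
            verify_webhook(secret, header, payload, now=clock, seen=processed)
            print(f"{label}: accepted")
        except WebhookRejected as exc:
            print(f"{label}: rejected ({exc})")
```

In a deployment the `seen` set would be a persistent store, such as the audit table the policy mentions, with entries expiring once they fall outside the tolerance window.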

7. Data Retention

We believe in retaining your data only for as long as it is needed, and we want you to understand exactly how long each type of data persists in our systems.

Account data — your name, email address, profile details, and preferences — is retained for the entire lifetime of your account. When you close or delete your account, all of this information is permanently and irreversibly removed from our database.

Email verification data — the email lists you upload, the individual email addresses you verify, and all associated verification results — is automatically deleted 15 days after the verification task is completed. You may also delete this data manually at any time before the 15-day window expires. Once deleted, no individual email addresses or verification results can be recovered.

Payment and billing records — including transaction histories, invoice records, and PDF invoice links — are retained for as long as your account is active. These records serve as your receipt and billing history, and may also be retained as required by applicable tax and financial regulations. When you delete your account, these records are permanently removed.

Login history and session data — including IP addresses, device information, geolocation, and login success or failure status — is retained for the lifetime of your account for security auditing purposes. This allows you to review past activity on your account and helps our team investigate any security incidents. All login history is permanently deleted when you delete your account.

Support conversations — the messages you exchange with our support team, including any contextual account data that was attached — are retained for the lifetime of your account to provide continuity across support interactions. If you contact us about an issue that was previously discussed, our team can reference the earlier conversation to provide better help. All support data is permanently deleted when you delete your account.

Credit transaction records — a detailed log of every credit purchase, credit deduction, credit refund, and auto-refill event on your account — are retained for as long as your account is active. These records serve as your credit history and are permanently deleted when you delete your account.

8. Your Rights and Choices

8.1 Account and Data Management

We believe you should have full control over your data at all times, and we have built our platform to make that control easy to exercise.

Access your data: Your dashboard provides transparent access to your account information, verification history and results, payment transaction history, invoice records, login history with device and location details, and active session management. You do not need to submit a formal request to view your own data — it is available to you directly at any time.

Update your data: You can update your first name, last name, email address, password, company name, billing address, notification preferences, and other profile details at any time from your account settings. Changes take effect immediately.

Delete verification data: You can delete any individual verification task along with all of its associated email-level results from the Uploads & Results page. Deletion is performed immediately and is permanent — there is no recycle bin or grace period. Even if you do not delete your data manually, our 15-day automatic cleanup process will permanently remove it.

Delete your account: You can permanently delete your entire account at any time. When you initiate account deletion, our system executes a comprehensive, sequential deletion process that permanently removes your auto-refill settings, user preferences and notification settings, all invoices, all verification results and verification tasks, all credit transaction records and credit balances, all payment transaction records, all subscription records, all team member associations (both as an owner and as a team member), your complete user profile, and finally your authentication account itself. This process is irreversible. Once your account is deleted, there is no way to recover any of your data.

8.2 Communication Preferences

You have full control over what emails you receive from us. From your account settings, you can enable or disable optional communications such as product update announcements and feature releases. However, certain transactional emails — including payment receipts, security alerts (such as new device login notifications), password reset confirmations, and verification completion notices — cannot be disabled, as they are essential to the secure operation of your account.

8.3 Rights for EU/EEA Residents (GDPR)

If you are located in the European Union or the European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR). These include the right to access a copy of all personal data we hold about you, the right to have inaccurate data corrected, the right to have your data erased (the "right to be forgotten"), the right to restrict or object to certain types of processing, and the right to receive your data in a structured, commonly used, machine-readable format (data portability). You also have the right to lodge a complaint with your local supervisory authority if you believe we are not handling your data in compliance with the GDPR. For a comprehensive description of how we fulfill our obligations under the GDPR, please visit our GDPR Compliance page.

8.4 Rights for Canadian Residents (PIPEDA)

Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), you have the right to access the personal information we hold about you, to challenge its accuracy and have it corrected if necessary, and to withdraw your consent for its continued collection, use, or disclosure. If you wish to exercise any of these rights, please contact us at support@validemailchecker.com and we will respond within 30 days.

9. Cookies

We take a minimalist approach to cookies. ValidEmailChecker uses only the cookies that are strictly necessary for the service to function — we do not use any cookies for advertising, behavioral tracking, analytics, or cross-site profiling.

Authentication cookies are set by Supabase Auth when you log in to your account. These session cookies are essential — without them, the application would not be able to maintain your logged-in state as you navigate between pages. They contain no personal information and expire when your session ends or after the session timeout period (5 hours of inactivity).

Live chat cookies may be set by our self-hosted Chatwoot support widget to maintain your chat conversation state. These are functional cookies that ensure your chat history persists if you navigate to a different page during an active support conversation. Because Chatwoot is self-hosted on our own servers, these cookies never transmit data to any third party.

That is the complete list. We do not set any other cookies. A cookie consent banner will be displayed on our website to provide full transparency and to allow you to manage your preferences in accordance with applicable regulations. For a more detailed breakdown of each cookie we use, including its name, purpose, and duration, please see our Cookie Policy.

10. Children's Privacy

ValidEmailChecker is a commercial business-to-business service designed for use by marketing professionals, developers, and businesses. It is not intended for, marketed to, or designed for use by anyone under the age of 18. We do not knowingly collect personal information from individuals under 18 years of age. If you are under 18, you may not create an account, use our service, or provide any personal information to us. If we become aware that we have inadvertently collected information from a person under 18, we will take prompt action to delete that information and terminate the associated account. If you believe that a person under 18 has provided us with personal information, please contact us immediately at support@validemailchecker.com.

11. International Data Transfers

ValidEmailChecker is operated from Ontario, Canada, and our primary infrastructure is hosted in data centers managed by our hosting provider. If you are accessing our service from a country outside of Canada — including from the European Union, the United Kingdom, or any other jurisdiction — your personal information will be transferred to, stored in, and processed in Canada, and potentially in other jurisdictions where our infrastructure providers and verification partners operate. Canada has been recognized by the European Commission as providing an adequate level of data protection under GDPR, which means that transfers of personal data from the EU to Canada are permitted without the need for additional safeguards such as Standard Contractual Clauses. For transfers to other jurisdictions, we ensure that appropriate technical and contractual safeguards are in place to protect your data in compliance with applicable laws. By creating an account and using our service, you acknowledge and consent to the transfer of your information to these jurisdictions as described in this policy.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, improvements to our technology, new legal requirements, or other operational reasons. When we make changes, we will update the "Last Updated" date at the top of this page. If we make material changes that significantly affect how we collect, use, or share your personal data, we will make reasonable efforts to notify you in advance — for example, by posting a prominent notice on our website or by sending you an email notification. Where required by applicable law, we will obtain your consent before implementing changes that materially alter the way we handle your personal data. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.

13. Contact Us

If you have any questions about this Privacy Policy, concerns about how your data is being handled, or if you would like to exercise any of your rights described in this policy, we are here to help. You can reach us by email at support@validemailchecker.com, or by using our contact form or live chat at any time.