GDPR Compliance
Last Updated: May 25, 2024
The General Data Protection Regulation (GDPR) is a comprehensive data protection law enacted by the European Union that governs how organizations collect, store, process, and protect the personal data of individuals located in the EU and the European Economic Area (EEA). At ValidEmailChecker, we are committed to handling all personal data in accordance with the principles and requirements of the GDPR, regardless of where our users are located. This page explains how we meet our obligations under the regulation and what rights you have as a data subject.
1. Our Role in Data Processing
Under the GDPR, organizations that handle personal data are classified as either data controllers (who determine the purpose and means of processing) or data processors (who process data on behalf of a controller). ValidEmailChecker operates in both capacities depending on the type of data involved.
As a data controller: When you create an account with ValidEmailChecker, we act as the data controller for your account information. This includes your name, email address, billing details, login history, payment records, and support communications. We determine how and why this data is collected, and we are directly responsible for its protection under GDPR.
As a data processor: When you upload an email list for verification, we act as a data processor. You — the customer — are the data controller for those email addresses, because you determine the purpose of processing (verifying deliverability) and you chose to use our service to do it. We process the email addresses strictly according to your instructions and solely for the purpose of completing the verification you requested. We do not use the email lists you upload for any other purpose, and we do not make independent decisions about how that data is handled.
2. Lawful Basis for Processing
The GDPR requires that every instance of personal data processing be supported by a lawful basis. We rely on the following legal grounds depending on the context:
Contract performance (Article 6(1)(b)): When you create an account and use our services, we process your account data and the email addresses you submit because it is necessary to fulfill our contractual obligations to you — namely, to provide the email verification service you signed up for, to process your payments, to deliver your results, and to manage your account.
Legitimate interest (Article 6(1)(f)): We process certain data — such as login history, IP addresses, device information, and session data — on the basis of our legitimate interest in maintaining the security of our platform, preventing fraud, detecting unauthorized access, and protecting our users and our business from abuse. We have assessed that these interests do not override your fundamental rights and freedoms, particularly because the data we collect for security purposes is limited to what is necessary and is not used for profiling or marketing.
Consent (Article 6(1)(a)): Where we send optional marketing communications or product updates, we do so only with your explicit consent, which you may withdraw at any time through your account settings or by clicking the unsubscribe link in any email.
Legal obligation (Article 6(1)(c)): In certain cases, we may process or retain your data to comply with applicable legal obligations, such as financial record-keeping requirements or responding to lawful government requests.
3. Your Rights Under GDPR
If you are located in the EU or the EEA, the GDPR grants you a comprehensive set of rights regarding your personal data. We have designed our platform to make exercising these rights as straightforward as possible.
Right of access (Article 15): You have the right to request a copy of the personal data we hold about you. Your ValidEmailChecker dashboard already provides direct access to your account information, verification history, payment records, login history, and active sessions — no formal request is needed to view this data. If you require a comprehensive data export beyond what is available in the dashboard, you may contact us and we will provide it within 30 days.
Right to rectification (Article 16): You have the right to have inaccurate personal data corrected. You can update your name, email address, password, billing information, and other profile details directly from your account settings at any time.
Right to erasure (Article 17): You have the right to request the deletion of your personal data, commonly known as the "right to be forgotten." You can exercise this right immediately through our platform in two ways. First, you can delete individual verification tasks and all associated results from the Uploads & Results page at any time — deletion is instant and permanent. Second, you can delete your entire account, which triggers a comprehensive deletion process that permanently removes all of your data from our systems, including your profile, verification data, payment records, credit history, team associations, and your authentication account. Additionally, all verification data is automatically deleted after 15 days regardless of any action on your part.
Right to restriction of processing (Article 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, such as if you contest the accuracy of the data or if you believe the processing is unlawful. To request a restriction, contact us at support@validemailchecker.com.
Right to data portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format. Verification results can be downloaded as CSV files directly from your dashboard. If you require your account data in a portable format, contact us and we will provide it within 30 days.
Right to object (Article 21): You have the right to object to the processing of your personal data where we rely on legitimate interest as the legal basis. If you object, we will cease processing your data for that purpose unless we can demonstrate compelling legitimate grounds that override your rights. To exercise this right, contact us at support@validemailchecker.com.
Right to withdraw consent (Article 7(3)): Where we process your data based on your consent (such as optional marketing emails), you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing that occurred before the withdrawal. You can withdraw consent through your account settings or by clicking the unsubscribe link in any marketing email.
Right to lodge a complaint: If you believe that we are not handling your personal data in compliance with the GDPR, you have the right to lodge a complaint with your local supervisory authority. A list of EU data protection authorities can be found at edpb.europa.eu.
4. Data Protection Measures
We implement robust technical and organizational measures to protect personal data in accordance with GDPR Article 32. These measures are designed to ensure the ongoing confidentiality, integrity, availability, and resilience of our processing systems.
Encryption: All data transmitted between your browser and our servers is encrypted using HTTPS with modern TLS protocols. Sensitive data stored in our database — including payment credentials, two-factor authentication secrets, and backup recovery codes — is encrypted at rest using AES-GCM encryption. Passwords are irreversibly hashed using the bcrypt algorithm and are never stored in plain text.
Access control: Our database enforces Row Level Security (RLS) on every table that contains user data. This is a database-level enforcement mechanism that prevents any user from accessing rows that do not belong to them, regardless of what happens at the application level. Our system also enforces role-based permissions — account owners and team members have different levels of access appropriate to their roles.
Session security: User sessions expire automatically after 5 hours of inactivity. Users can view all active sessions and revoke any session from their dashboard. All login attempts — successful and failed — are logged with IP address, device information, and timestamp for security auditing.
Webhook integrity: Payment webhooks are validated using HMAC-SHA256 signature verification with a 5-minute replay attack prevention window, ensuring that only authentic webhook events from our payment processors are processed.
Infrastructure security: Our application, database, and serverless functions are hosted on enterprise-grade infrastructure with encryption in transit and at rest. Our customer support chat system (Chatwoot) is self-hosted on our own servers, ensuring that support conversations remain within our infrastructure.
5. Data Retention and Deletion
We adhere to the GDPR principle of storage limitation, which requires that personal data not be kept for longer than is necessary for the purposes for which it is processed.
Email verification data — including uploaded email lists and all individual verification results — is automatically and permanently deleted from our systems 15 days after verification is completed. This deletion is performed by an automated scheduled process and requires no action from you. You may also delete your verification data at any time before the 15-day window through your dashboard.
Account data — including your profile, payment records, credit history, login history, and support conversations — is retained for the lifetime of your account and is permanently deleted when you close your account. The account deletion process removes all data in a comprehensive, sequential cascade that leaves no personal data behind.
After verification data is deleted, we retain only aggregate, non-identifiable metadata such as the number of credits used and the total emails processed. No individual email addresses or verification results survive the deletion process.
6. International Data Transfers
ValidEmailChecker is operated from Ontario, Canada. If you are located in the EU or EEA, your personal data will be transferred to Canada for processing and storage. Canada has received an adequacy decision from the European Commission under GDPR Article 45, which means the European Commission has determined that Canada provides an adequate level of data protection. This adequacy decision allows personal data to flow from the EU to Canada without the need for additional safeguards such as Standard Contractual Clauses.
Where your data may be processed in jurisdictions other than Canada — for example, by our payment processors or verification infrastructure providers — we ensure that appropriate safeguards are in place. These safeguards may include the provider's compliance with recognized frameworks, contractual obligations to protect data, and technical measures such as encryption during transfer.
7. Sub-Processors
To deliver our service, we use a limited number of third-party sub-processors who may handle personal data on our behalf. Each sub-processor is carefully selected and is contractually required to process data only as instructed by us and to maintain appropriate security measures. Our current sub-processors include:
Supabase — provides our application hosting, database, authentication, and serverless infrastructure. All data stored in Supabase is encrypted in transit and at rest.
Stripe — processes credit and debit card payments. Stripe is PCI DSS Level 1 certified and processes payment data in compliance with GDPR. Full card numbers never touch our servers.
CoinPayments — processes cryptocurrency payments for users who choose to pay with digital currency.
Email verification infrastructure providers — perform the technical SMTP-level and DNS-level checks that make email verification possible. Email addresses are transmitted to these providers over encrypted connections, processed solely for verification purposes, and are not retained beyond what is necessary to complete the request.
Cloudflare — provides DNS management, CDN, and bot protection (Turnstile) for our website. Cloudflare processes limited data (such as IP addresses) for security purposes.
8. Data Protection Governance
While we do not currently appoint a formal Data Protection Officer (DPO) — which is not required for all organizations under GDPR — data protection and privacy are overseen directly by our leadership team. Privacy considerations are integrated into our product development process, and we regularly review our data handling practices to ensure continued alignment with GDPR principles. If you have a privacy concern or wish to exercise your GDPR rights, our team is equipped to handle your request promptly and thoroughly.
9. Data Breach Response
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by Article 34. Our notification will include a description of the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures we have taken or propose to take to address and mitigate the breach.
10. Privacy by Design
In accordance with GDPR Article 25, we incorporate data protection principles into the design and development of our platform from the outset. This includes collecting only the minimum personal data necessary to provide the service (data minimization), automatically deleting verification data after 15 days (storage limitation), enforcing database-level access controls that prevent unauthorized data access even in the event of an application-level vulnerability (integrity and confidentiality), and providing users with straightforward tools to access, modify, and delete their data at any time (transparency and user control). These are not afterthoughts or add-ons — they are fundamental to how ValidEmailChecker is built.
11. Contact Us
If you have questions about our GDPR practices, wish to exercise any of your rights as a data subject, or have concerns about how your personal data is being handled, you can reach us by email at support@validemailchecker.com, or by using our contact form or live chat at any time. We aim to respond to all GDPR-related requests within 30 days, as required by the regulation.
