Legal
Privacy Policy
Effective date: 8 July 2026
StopBouncing ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains what data we collect, why we collect it, how long we keep it, and what your rights are under the General Data Protection Regulation (GDPR) and applicable Dutch law.
We are the data controller for personal data you provide to us directly. For personal data contained in email lists you upload for verification, you are the controller and we act as your data processor under a processor relationship (see Section 6).
1. Data we collect
Account data — when you register:
- Name and email address
- Hashed password (we never store your plain-text password)
- Email verification status and timestamp
Billing data — when you purchase credits:
- Credit pack purchased, amount paid, transaction reference
- Stripe customer ID (Stripe processes and stores card details; we never receive or store them)
Usage data:
- Verification jobs: filename, total emails, status, timestamps
- Verification results: email address + verification status (valid / invalid / unknown / disposable)
- API key labels and usage timestamps (key values are SHA-256 hashed — we cannot recover them)
- Credit transaction history
Uploaded email lists (processed data):
- Email addresses you upload are stored temporarily to process your verification job
- They are permanently deleted within 48 hours of job completion
- We do not use them for any purpose other than returning verification results to you
Technical data:
- Server logs (IP address, user agent, request path, timestamps) — retained for 30 days for security and debugging
- Session cookies necessary for authentication
2. Legal basis for processing
| Purpose | Legal basis (GDPR Article 6) |
|---|---|
| Providing the Service (account, verification, downloads) | Performance of contract — Art. 6(1)(b) |
| Processing payments and maintaining financial records | Legal obligation — Art. 6(1)(c) |
| Sending transactional emails (verification link, password reset) | Performance of contract — Art. 6(1)(b) |
| Security, fraud prevention, abuse detection | Legitimate interests — Art. 6(1)(f) |
| Improving the Service | Legitimate interests — Art. 6(1)(f) |
We do not send marketing emails without your explicit consent.
3. Data retention
| Data type | Retention period |
|---|---|
| Account data | Until account deletion request |
| Uploaded email lists | Deleted within 48 hours of job completion |
| Verification results | 7 days after job completion, then purged |
| Credit transaction records | 7 years (Dutch financial record-keeping obligation) |
| Server logs | 30 days |
| Audit log entries | 1 year |
4. Who we share data with
We do not sell your data. We share it only with the following sub-processors, each bound by a Data Processing Agreement:
- Stripe — payment processing. Stripe is certified PCI-DSS Level 1. Data may be transferred to the USA under Standard Contractual Clauses.Stripe Privacy Policy
- Resend — transactional email delivery (verification links, password resets). Data may be transferred to the USA under Standard Contractual Clauses.
- Verification infrastructure — we use a third-party email verification service to perform SMTP and deliverability checks. Individual email addresses from your uploaded list are sent to this provider solely to retrieve a verification result. No other personal data is shared with them.
We may also disclose data if required by law, court order, or to protect the rights, property, or safety of StopBouncing or others.
5. International transfers
Our primary servers are located in the EU. Where sub-processors transfer data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.
6. Processor relationship for uploaded lists
When you upload an email list for verification, you are the data controller for the personal data in that list. We process it solely on your documented instructions (i.e. to return verification results). We delete the list within 48 hours of job completion and do not sub-process it further except to send individual addresses to our verification infrastructure provider to obtain verification results.
If you require a signed Data Processing Agreement (DPA) for GDPR compliance, contact us at support@stopbouncing.com.
7. Your rights
Under GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your account and personal data (subject to legal retention obligations).
- Portability — receive your data in a structured, machine-readable format.
- Restriction — ask us to restrict processing in certain circumstances.
- Objection — object to processing based on legitimate interests.
To exercise any of these rights, email support@stopbouncing.com. We respond within 30 days. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
8. Cookies
We use one session cookie, strictly necessary for authentication. We do not use tracking cookies, advertising cookies, or third-party analytics. No cookie banner is required.
9. Security
We use HTTPS for all data in transit, bcrypt hashing for passwords, SHA-256 hashing for API keys, and server-side session management. Access to production data is strictly limited. Despite these measures, no system is 100% secure; we will notify you and the relevant authority without undue delay in the event of a personal data breach.
10. Changes to this policy
We may update this policy. We will notify registered users by email of material changes at least 14 days before they take effect. The current version is always available at stopbouncing.com/privacy.
11. Contact
Questions or requests: support@stopbouncing.com or our contact form.