VerifyMail
Sign up
LEGAL

Privacy Policy

Last updated: April 24, 2026

This policy explains what VerifyMail collects, why, and what we don't. We try to be specific about what happens to the email addresses you submit, because that's the question every customer asks us first.

TL;DR

  • Email addresses submitted to /v1/check are processed in memory and not persisted.
  • We store the domain portion of checked emails for aggregate analytics and auto-blocklist promotion.
  • We never sell your data. We never use your data to train third-party models.
  • Payment info is handled by Stripe — we only store an opaque customer ID.

1. What we collect

Account data

When you sign up we collect your email address, a hashed session token, and a Stripe customer ID. We keep this as long as the account exists.

API check traffic

When you call /v1/check we receive the raw email address in the request body. The address is used in memory to compute a verdict and is discarded on response. We persist:

  • The domain portion (for aggregate statistics and the auto-blocklist pipeline)
  • The risk score, recommendation, and latency of the check
  • A reference to which API key made the call

We do not persist the full email address, the local-part of the address, or any per-request payload beyond the domain and metadata above.

Payment data

Payment details (card number, billing address) are handled by Stripe and never touch our servers. We store an opaque Stripe customer ID to look up your subscription, purchase history, and receipts.

Operational logs

Our infrastructure providers (Railway, Vercel, Cloudflare) retain short-lived request logs — IP addresses, user agents, timing — for up to 30 days for debugging and abuse prevention. These logs do not contain email payloads, since request bodies are excluded from application logs.

2. How we use it

  • Provide the Service. Authenticate your account, issue API keys, run checks, bill you.
  • Improve detection. Domain-level aggregates feed our auto-blocklist and catch-all model.
  • Prevent abuse. Identify and block bad actors attempting to resell or misuse the Service.
  • Communicate. Send magic-link sign-in emails and transactional notices (never marketing without your consent).

3. Third parties we use

We share the minimum data needed to operate with a small set of sub-processors:

  • Stripe — payment processing; receives your billing email + card info you enter.
  • Resend — magic-link email delivery; receives your email address + sign-in URL.
  • Unkey — API key management; stores the API key secrets themselves.
  • Railway — hosting for the API.
  • Vercel — hosting for the dashboard and marketing site.
  • Cloudflare — DNS + CDN for verifymailapi.com.

None of these sub-processors receive the email addresses you submit to /v1/check — those never leave our request handler.

4. Your rights

Depending on your jurisdiction (GDPR, CCPA, UK GDPR, etc.) you have rights to access, correct, export, or delete your personal data. To exercise any of these, email privacy@verifymailapi.com from the email on file. We'll respond within 30 days.

Account deletion removes your profile, API keys, and personal identifiers. Domain-level aggregates that cannot be linked back to you are retained to preserve the accuracy of the detection model.

5. Data retention

  • Account data: until you delete the account.
  • Check log (domain + metadata): up to 24 months, then aggregated and anonymized.
  • Magic-link tokens: expire after 15 minutes; single-use.
  • Sessions: 30-day TTL, rotated on sign-in.

6. Security

All traffic is served over TLS 1.2+. Secrets are stored in the hosting provider's secret manager, never in source control. API key secrets are held by Unkey and never by us — we only store the prefix for display. Session tokens are hashed at rest.

7. International transfers

Our primary infrastructure is hosted in the United States. Data you submit is processed in the US. By using the Service you consent to this transfer.

8. Children

VerifyMail is a B2B API and is not intended for users under 16. We do not knowingly collect data from children.

9. Changes to this policy

We may update this policy periodically. Material changes will be emailed to the account owner at least 14 days before taking effect. The “Last updated” date at the top of this page always reflects the current version.

10. Contact

Questions or requests: privacy@verifymailapi.com.