1. Why GDPR Matters Here
The General Data Protection Regulation (GDPR) is the European Union's framework for privacy and security standards covering personal data of EU residents. Companies that collect, process, or store such data must adhere to specific requirements regarding how the data is collected, processed, stored, and erased.
DebounceAPI acts as a data processor for the email lists you submit to us — those addresses belong to you, the data controller. We act as a data controller for personal information about you (your account email, billing details, IP address, support correspondence).
This page explains, in plain language, what we do to comply with GDPR — and what tools we give you to exercise your rights.
2. GDPR-Compliant by Design
We take your privacy extremely seriously and have implemented privacy-by-design principles since day one. Our practices include:
- Application servers hosted in the EU, with regional failover disclosed in our DPA.
- Data minimisation — we only collect what we need to operate the Services.
- Encryption of data in transit (TLS) and at rest.
- Role-based access control and full audit logging on production systems.
- Vendor due diligence on every subprocessor.
- Documented, exercised data subject access request (DSAR) procedures.
3. Manage Your Preferences
Our application servers are hosted in the EU and adhere to GDPR's data protection requirements. Validation servers operate internationally for performance, but you can request that your validation traffic stays within EU regions — contact Customer Support for details.
From your Account Settings you can:
- Consult and update your personal information.
- Change your email preferences (marketing opt-in is off by default).
- Permanently delete your account and the data associated with it.
4. DebounceAPI as Data Controller
As the controller of your account-level personal data, we have implemented the following options for you:
- Consult your personal data and update it whenever necessary, from your account settings or by emailing [email protected].
- Delete your personal information or your account. Deletion is permanent.
- Choose what newsletters you want to receive from us — marketing email is strictly opt-in and never bundled with transactional email.
5. DebounceAPI as Data Processor
As the processor of the email addresses you submit for validation, we provide:
- A Data Processing Agreement (DPA) available on request, which sets out the technical and organisational measures we apply.
- A list of third-party subprocessors (see section 9), available on request and updated whenever it changes.
- Internal access logs on every list you upload — what was read, when, and by which authorised process.
- Choice of validation server region (EU or North America), available on request for accounts with the relevant business need.
- Idempotent deletion — when you delete a list, both the source and the results files are removed from primary storage and purged from backups within 30 days.
6. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of access — obtain a copy of the personal data we hold about you.
- Right to rectification — correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — delete your account and associated data.
- Right to restrict processing — limit how we process your data while a dispute is resolved.
- Right to data portability — receive your data in a structured, commonly used, machine-readable format and ask us to transmit it to another controller where technically feasible.
- Right to object — object to specific processing activities, including direct marketing.
- Right not to be subject to automated decision-making — DebounceAPI does not make solely automated decisions that produce legal effects on you.
- Right to withdraw consent — where processing is based on consent, you can withdraw it at any time.
7. Lawful Basis for Processing
We rely on different lawful bases depending on the purpose:
- Performance of a contract — to deliver the Services you purchased.
- Legitimate interest — to detect and prevent abuse and fraud, secure our systems, and improve product quality.
- Legal obligation — to retain billing records and comply with tax and accounting law.
- Consent — for optional marketing emails, non-essential cookies, and any voluntary surveys.
8. International Data Transfers
Where data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, plus supplementary technical measures (encryption, pseudonymisation where applicable) and contractual safeguards from the recipient.
9. Subprocessors
A current, countersigned list of subprocessors is available on request to [email protected]. The list is also reproduced in the Privacy Policy. We give 30 days' notice before adding a new subprocessor that processes personal data.
10. Data Processing Agreement (DPA)
If you process personal data of EU residents through DebounceAPI, we offer a standard DPA that includes the SCCs as an annex. Email [email protected] to receive a countersigned copy.
11. Deletion of Data
At the end of your engagement with DebounceAPI you can request the deletion of any data sent to us for verification. We comply with these requests. You can also delete your own data at any time from your dashboard — list deletion is permanent and not recoverable.
After account deletion, retention windows still apply to billing records (7 years, for tax compliance) and to security logs (30 days). All other personal data is purged within 30 days.
12. Records of Processing Activities
DebounceAPI maintains internal Records of Processing Activities (Article 30 GDPR), documenting the purposes of processing, categories of data and recipients, retention schedules, and security measures. These records are reviewed regularly and made available to supervisory authorities upon request.
13. Restriction of Data Movement
You can request that processing be restricted — for example while you contest the accuracy of data we hold — and we will only store the data without further processing until the matter is resolved.
14. Breach Notification
In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we notify the competent supervisory authority within 72 hours where feasible. Affected controllers are notified without undue delay, and affected data subjects are notified directly when the breach is likely to result in a high risk.
15. Data Protection Officer
You can reach our DPO at [email protected]. The DPO is your single point of contact for any data protection matter, including DSARs, DPAs, and SCC-related queries.
16. How to Exercise Your Rights
To exercise any of your GDPR rights, email [email protected] from the address registered with your account, or — if that is not possible — provide enough information for us to verify your identity. We respond within 30 days of receipt; in complex cases this can be extended by a further 60 days, in which case we will tell you in advance.
We do not charge a fee for handling reasonable DSARs.
17. Lodging a Complaint
You have the right to lodge a complaint with the supervisory authority in the EU member state where you reside, where you work, or where the alleged infringement occurred. A list of national supervisory authorities is maintained by the European Data Protection Board at edpb.europa.eu.