1. Overview
This Privacy Policy explains how DebounceAPI ("DebounceAPI", "we", "us", "our") collects, uses, discloses, and protects information when you visit our website, create an account, or use our email validation services (collectively, the "Services").
We act as a data controller for personal information about you (e.g. your account email, billing details). We act as a data processor for email addresses you submit for validation — they belong to you and we process them solely to return validation results.
By using the Services you agree to the practices described below. If you do not agree, please do not use the Services.
2. Types of Data Collected
Among the types of personal data that this website collects, either by itself or through third parties, are:
- Account information — name, email address, hashed password, time zone, and authentication metadata you provide when you sign up or update your profile.
- Billing information — Stripe customer identifiers, currency, country, transaction history, and the metadata required to operate refunds and tax reporting. We do not store card numbers; payments are handled exclusively by Stripe.
- Email lists you submit — the addresses and any optional metadata you upload to be validated, plus the validation results we return to you.
- API usage data — request timestamps, source IP, user agent, endpoint, response code, latency, and the email address being validated.
- Cookies and similar technologies — strictly necessary session cookies, CSRF tokens, currency preference, and (with your consent) functional/analytics cookies described in our Cookie Policy.
- Communications — content of any message you send through our contact form, support channels, or transactional email replies.
Complete details on each type of personal data collected are provided in the dedicated sections of this Policy or by specific explanation texts displayed prior to the data collection.
Personal data may be freely provided by the User, or, in the case of usage data, collected automatically when using this website.
Unless otherwise specified, all data requested by this website is mandatory and failure to provide it may make it impossible for us to deliver the Services. In cases where the website specifically states that some data is not mandatory, Users are free not to communicate this data without consequences for availability or functioning.
Users who are uncertain about which personal data is mandatory are welcome to contact us. Any use of cookies — or of other tracking tools — by this website or by the owners of third-party services used by this website serves the purpose of providing the service required by the User, in addition to any other purposes described in this document and in the Cookie Policy, where available.
Users are responsible for any third-party personal data obtained, published, or shared through this website and confirm that they have the third party's consent to provide the data to DebounceAPI.
3. Mode and Place of Processing the Data
Methods of Processing
We take appropriate security measures to prevent unauthorised access, disclosure, modification, or destruction of the data. Processing is carried out using computers and/or IT-enabled tools, following organisational procedures and modes strictly related to the purposes indicated.
In addition to DebounceAPI, in some cases the data may be accessible to certain types of persons in charge involved with the operation of this website (administration, sales, marketing, legal, system administration) or external parties such as third-party technical service providers, mail carriers, hosting providers, IT companies, and communications agencies appointed, if necessary, as Data Processors by DebounceAPI. An up-to-date list of these parties is available on request.
Legal Basis of Processing
We process personal data relating to Users where one of the following applies:
- Consent — Users have given consent for one or more specific purposes. Under certain legislation, DebounceAPI may be permitted to process personal data until the User objects ("opt-out"), without relying on consent or another legal basis. This does not apply whenever processing is subject to European data protection law.
- Contract — provision of data is necessary for the performance of an agreement with the User and/or any pre-contractual obligations thereof.
- Legal obligation — processing is necessary for compliance with a legal obligation to which DebounceAPI is subject.
- Public interest — processing relates to a task carried out in the public interest or in the exercise of official authority vested in DebounceAPI.
- Legitimate interest — processing is necessary for the purposes of the legitimate interests pursued by DebounceAPI or by a third party, such as fraud prevention and product improvement.
In any case, we will gladly help clarify the specific legal basis that applies — in particular whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.
Place
The data is processed at DebounceAPI's operating offices and at our infrastructure providers' data centres. Depending on the User's location, data transfers may involve transferring the User's data to a country other than their own. Users can find out more about the place of processing of transferred data in the section below on International Transfers, or by contacting us using the information in the contact section.
4. Purposes of Processing
Data concerning the User is collected to allow DebounceAPI to provide its Services, as well as for the following purposes:
- Service delivery — operating the website, dashboard, API, and email validation engine.
- Billing and fraud prevention — processing payments through Stripe, issuing invoices, preventing abuse, and complying with anti-fraud rules.
- Transactional communication — sending account, billing, and security messages relating to your use of the Services.
- Product analytics — understanding aggregated, anonymised usage patterns to improve the Services.
- Customer support — responding to your requests through the contact form, email, or in-app messages.
- Compliance — meeting tax, accounting, and legal obligations applicable to us.
- Optional marketing — if you have opted in, sending product updates and deliverability tips that you can unsubscribe from at any time.
5. Subprocessors
DebounceAPI uses the following categories of subprocessors. A current, countersigned list is available on request to [email protected]:
| Subprocessor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing, fraud screening, tax compliance | USA / Ireland |
| Mailgun | Transactional email delivery (account, billing, security) | USA / Germany |
| Email validation upstream | Underlying SMTP/MX/disposable detection signals used to compute results | Variable — see DPA |
| Cloud hosting | Application hosting, queues, storage | EU primary; failover regions disclosed in the DPA |
6. Your Rights
Users may exercise certain rights regarding their data. In particular, you have the right to:
- Withdraw consent at any time — where you have previously given consent to processing.
- Object to processing — when the processing is carried out on a legal basis other than consent.
- Access your data — learn if we are processing your data, obtain disclosure regarding certain aspects, and receive a copy of the data undergoing processing.
- Verify and seek rectification — check the accuracy of your data and ask us to update or correct it.
- Restrict processing — under certain circumstances, we will only store the data and stop other processing.
- Have personal data deleted — request the erasure of your data, subject to legal retention obligations.
- Data portability — receive your data in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible.
- Lodge a complaint — bring a claim before your competent data protection authority.
To exercise any of these rights, write to [email protected]. We respond within 30 days.
7. Data Protection Mechanisms for Sensitive Data
We protect personal and sensitive data as follows:
- Minimal storage of processed content — when you use our API to validate an address, we record only the address and the result needed to support reporting and billing. We do not resell, share, or reuse validated content for any purpose other than providing the Services to you.
- Encryption in transit — all data transmitted between your device and our services is encrypted using TLS (HTTPS).
- Encryption at rest — credentials are hashed; payment tokens are stored only as opaque Stripe identifiers; uploaded lists are stored with platform-level encryption.
- Access control — access to systems that process your data is limited to authorised personnel who need it to operate or support the Services, under internal policies and confidentiality obligations.
- Infrastructure security — our API and infrastructure are operated with security and availability measures and, where applicable, under contractual commitments to confidentiality and security from our providers.
- Vulnerability reporting — please send security issues to [email protected]. We acknowledge reports within two business days.
8. Cookies
This website uses cookies. To learn more, please consult our Cookie Policy, which explains the categories we use, why we use them, and how to manage your preferences.
9. Children
The Services are directed at organisations and professionals over the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided personal data to us, please contact [email protected] and we will delete it.
10. Security
We employ industry-standard measures to safeguard your data, including TLS, scoped API keys, salted password hashing, isolated tenant data, and least-privilege access controls. No system is perfectly secure; please report vulnerabilities to [email protected].
11. Retention Time
Personal data shall be processed and stored for as long as required by the purpose it has been collected for. Therefore:
- Personal data collected for purposes related to the performance of a contract between DebounceAPI and the User is retained until that contract is fully performed.
- Personal data collected for the purposes of DebounceAPI's legitimate interests is retained as long as needed to fulfil those purposes.
- Uploaded validation lists are retained for 90 days by default and can be deleted earlier on request from your dashboard.
- Billing records are retained for 7 years for tax compliance.
- Server logs are retained for up to 30 days for security and abuse prevention.
DebounceAPI may be allowed to retain personal data for a longer period whenever the User has given consent, or where required by law. Once the retention period expires, personal data is deleted. After expiration, the rights of access, rectification, erasure, and portability cannot be enforced.
12. International Transfers
Where data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplementary security measures, and — where appropriate — additional contractual safeguards with the receiving party. Users are entitled to learn about the legal basis of data transfers and the security measures we have taken to safeguard their data; please contact [email protected] for details.
13. Additional Information
Legal action
The User's personal data may be used for legal purposes by DebounceAPI in court or in the stages leading to possible legal action arising from improper use of this website or related Services. The User declares that they are aware that DebounceAPI may be required to reveal personal data upon request of public authorities.
Additional information about the User's personal data
In addition to the information contained in this Privacy Policy, this website may provide the User with additional and contextual information concerning particular Services or the collection and processing of personal data upon request.
System logs and maintenance
For operation and maintenance purposes, this website and any third-party services may collect files that record interaction with this website (system logs) and use other personal data (such as the IP address) for this purpose.
Information not contained in this policy
More details concerning the collection or processing of personal data may be requested from DebounceAPI at any time. Please see the contact information at the end of this document.
How "Do Not Track" requests are handled
This website does not currently support "Do Not Track" requests. To determine whether any of the third-party services we use honour the "Do Not Track" signal, please read their privacy policies.
14. Changes to this Privacy Policy
DebounceAPI reserves the right to make changes to this Privacy Policy at any time by giving notice to Users on this page and, where technically and legally feasible, by sending a notice via available contact information. Material changes will be communicated at least 14 days before they take effect. It is strongly recommended to check this page regularly, referring to the date of the last modification listed at the top.
Should the changes affect processing activities performed on the basis of the User's consent, DebounceAPI shall collect new consent where required.
15. Contact
Questions about this Policy or your data? Write to [email protected]. For data protection requests specifically, you can also reach our DPO at [email protected].