Privacy Policy
This page explains what data we collect, why we have it, who else touches it, and what you can do about it. We wrote it the way we would explain it to a friend who asked. If something is unclear, write to privacy@reviewmyemails.com and we will rewrite it.
1. The short version
- We collect what we need to run the service and nothing else.
- Lists you upload for validation live in Europe (Hetzner, Falkenstein) and get deleted within 30 days of the validation finishing.
- We name every company that touches your data in the sub-processor table in Section 3.
- You have rights under the GDPR and similar laws, including the right to human review of any automated scoring decision. Section 5 enumerates them with the relevant article numbers. Section 6 explains the automated scoring.
- All data requests go to privacy@reviewmyemails.com. We answer within 30 days.
2. What we collect
We collect three kinds of data and treat each differently.
2.1 Account data
Your name, email address, company, and billing details. We use this to sign you in, send service emails, and charge your card. We keep account data while your account is open and for up to 3 years after you close it for regulatory and tax reasons (see Section 4).
2.2 Customer data (the lists you upload)
The email addresses and any extra columns (names, tags, metadata) you submit to the validation service. We treat this as material we process on your behalf. We delete it within 30 days of the validation finishing, unless you ask us to delete it sooner, which we will do within 5 business days.
2.3 Usage data
IP address, browser, device, pages visited, and timing. We use this to run the site, debug bugs, and (where you consent) understand how people use the product. The cookies page explains the cookie-set version of this in detail.
3. Who else touches your data (sub-processors)
This is the full list. If a company is not on it, we are not sharing your data with them. We notify you 30 days before we add a new sub-processor.
| Sub-processor | What they do | Where they sit |
|---|---|---|
| Hetzner Online GmbH | Server infrastructure for admin tooling and the domain intelligence pipeline. This is where your uploaded lists are processed. | Germany (Falkenstein), EU |
| Vercel Inc. | Application hosting for the public website. | United States |
| Brevo (Sendinblue SAS) | Transactional and marketing email delivery (only where you have opted in to the latter). | France, EU |
| Stripe, Inc. | Payment processing for credit purchases and subscriptions. | United States, Ireland |
| Anchor | Signup orchestration and credit-purchase routing in front of Stripe. Anchor receives your name, email, and billing metadata; it does not see the lists you upload for validation. | United States |
| Bouncer (UseBouncer Sp. z o.o.) | Email address verification API used as part of our validation pipeline. | Poland, EU |
| MongoDB, Inc. | Database hosting for legacy admin records. | United States, Ireland |
| Google LLC | Google Drive (report delivery), Google Analytics (only with your cookie consent). | United States |
| Microsoft Corporation | Microsoft Clarity user-experience analytics (only with your cookie consent). | United States |
Transfers outside the EU rely on the European Commission's 2021 Standard Contractual Clauses. Where applicable we rely on the EU-US Data Privacy Framework as an additional safeguard for transfers to the United States.
4. How long we keep it
Retention depends on the kind of data. We separated this to remove an ambiguity that existed in our previous policy.
- Customer data (uploaded lists and validation outputs): deleted within 30 days of the validation finishing, or within 5 business days if you ask sooner.
- Account profile: kept while your account is open. After you close your account, we retain the profile for up to 3 years to meet tax, accounting, and statute-of-limitations obligations. Then we delete it.
- Transaction records (Stripe invoices and similar): kept for the period required by tax law in the jurisdiction where the transaction was recognised. In the United States this is 7 years.
- Usage logs: kept for 90 days for debugging and abuse detection.
5. Your rights
Depending on where you live, you have the following rights. We list the GDPR article number for each so you and our team can refer to the same source.
- Access (GDPR Article 15): request a copy of the personal data we hold about you.
- Rectification (GDPR Article 16): correct inaccurate data.
- Erasure (GDPR Article 17): ask us to delete your data.
- Restriction (GDPR Article 18): ask us to pause processing while a dispute is resolved.
- Portability (GDPR Article 20): receive your data in a machine-readable format.
- Objection (GDPR Article 21): object to processing based on legitimate interests.
- Automated decisions (GDPR Article 22): request human review of any decision made by our automated scoring. See Section 6 for what the scoring does and how to invoke this right.
- Withdraw consent: where processing relies on consent (marketing emails, analytics cookies), you can withdraw it without affecting prior processing.
To exercise any of these, email privacy@reviewmyemails.com. We respond within 30 days. If you are unhappy with our response, you can complain to your local data protection authority. In the EU these are listed at edpb.europa.eu.
6. Automated decision-making and profiling
Our validation service runs automated scoring on every email address you submit. The scoring combines deterministic signals (syntax, MX records, blocklist status, history of bounces) with risk classifiers and produces a verdict such as Safe to keep, Review, or Suppress. This is the product you are paying for; it is necessary to deliver the service.
The verdicts are advisory. They do not block any sending action by themselves. You choose which addresses to mail.
If you are a data subject whose email address was scored, you may:
- Request information about the logic and the categories of signals used in the scoring.
- Request human review of the verdict applied to your address.
- Contest the verdict and have it removed or revised.
Email privacy@reviewmyemails.com with the address and a brief description. A human will look at it.
7. International transfers
Customer data (the lists you upload) stays in Europe. The validation pipeline runs on Hetzner in Falkenstein, Germany. Some sub-processors (Vercel, Stripe US, Anchor, Google, Microsoft) are based in the United States and handle different categories of data, as listed in Section 3. We rely on the European Commission's 2021 Standard Contractual Clauses for these transfers, plus the EU-US Data Privacy Framework where applicable.
8. Children
The service is not for anyone under 16. We do not knowingly collect data from anyone under 16. If you believe we have, write to privacy@reviewmyemails.com and we will delete the data within 5 business days.
9. Contact and related documents
- All GDPR or CCPA requests, breach reports, and cookie questions: privacy@reviewmyemails.com
- Enterprise legal and DPA execution: legal@reviewmyemails.com
- Our Data Processing Agreement is available for enterprise customers and covers the same sub-processors and retention rules described here.
- Cookie details: Cookie Policy.
- Refunds: Refund Policy.