Privacy Policy
Last updated · 11 April 2026
This Privacy Policy explains how Bition B.V. ("we", "us") handles personal data when you use CheckMail. We are the data controller for the personal data described below.
Bition B.V. · Verdunplein 17, 5627SZ Eindhoven, the Netherlands · KvK: 95743731 · BTW-ID: NL867271966B01 · mail@checkmail.dev
§00 Summary in plain English
- We store your email address, your API keys, and your credit balance so you can use the service.
- The email addresses you verify through our API are never written to disk in plaintext. We hash them with SHA-256 and only the hash is cached for 24 hours.
- We use Stripe for payments and Resend for transactional email. Both are essential service providers.
- We do not sell your data. On every page of this site we load Google's gtag.js so we can measure which Google ads bring us customers. It runs in Consent Mode v2 and writes nothing to your device until you accept the cookie banner; visitors outside the EU/EEA, UK, and Switzerland are auto-granted (the banner is suppressed there).
§01 Data we collect about you
When you sign up, we collect:
- Email address. Used to send you a magic link, deliver service notifications, and tie API keys to your account.
- Billing address and tax identifiers. Collected by Stripe at checkout for VAT and invoicing. Stored on the Stripe Customer object linked to your account.
- Payment method (last 4 digits, brand, expiry). Full card details are handled exclusively by Stripe; we never see or store them.
- Account metadata. User ID, API keys, credit balance, auto-topup settings, last-used timestamps. Stored in our DynamoDB tables in AWS region eu-west-1 (Ireland).
- Server logs. IP address, request method, path, status, and user-agent of API and dashboard requests, retained for up to 30 days for abuse prevention and operational debugging.
§02 Email addresses you verify through our API
This is the most sensitive question for an email verification service, so we want to be explicit:
- When your application sends an email address to /v1/verify or /v1/verify/batch, we hash the lowercased address with SHA-256 and use the hash as a cache key.
- The plaintext email address is never written to disk. It exists only in memory for the duration of the verification request, and is discarded as soon as the request completes.
- The cache stores the hash, the verification result, and a 24-hour expiry. You cannot reverse a SHA-256 hash to recover an email address; this means we cannot, even in principle, hand over a list of which addresses you verified.
- We do not log the plaintext addresses you submit. Server logs (see above) capture URLs and headers, not query parameters or request bodies.
This design is intentional and is the GDPR foundation of CheckMail: there is no personal data of your contacts at rest in our systems to leak, export, or delete.
§03 Legal basis for processing
- Contract (Art. 6(1)(b)): your email address, API keys, balance, and billing details are necessary to perform the agreement we have with you.
- Legal obligation (Art. 6(1)(c)): VAT records and invoices are kept for the period required by Dutch tax law (currently seven years).
- Legitimate interest (Art. 6(1)(f)): server logs and abuse-prevention metrics, balanced against your reasonable expectation that the service can defend itself against fraud and DoS.
§04 Service providers (sub-processors)
- Amazon Web Services EMEA SARL: cloud infrastructure (DynamoDB, EC2, S3, CloudFront, Route 53) hosted in EU region eu-west-1 (Ireland).
- Stripe Payments Europe Ltd.: payment processing, billing addresses, tax IDs.
- Resend, Inc.: transactional emails (magic links, receipts, auto-topup notifications). Some Resend processing may take place outside the EEA under Standard Contractual Clauses.
- Google Ireland Limited: gtag.js loaded on every page, used for Google Ads conversion measurement. The tag runs under Google Consent Mode v2 and writes no cookies until you accept the cookie banner. Once accepted it sets cookies such as _gcl_au and _gcl_aw and may transfer data to Google LLC in the United States under the EU–US Data Privacy Framework and Standard Contractual Clauses.
§05 Retention
- Account data: kept for the lifetime of your account. If you delete your account, we erase your record within 30 days, except where retention is required by law (see below).
- Verification cache (hashed): 24 hours.
- Server logs: up to 30 days.
- Invoices and tax records: seven years, as required by Dutch tax law.
- Stripe customer data: retained by Stripe according to their own retention policy.
§06 Your rights
Under the GDPR, you have the right to:
- Request access to the personal data we hold about you.
- Request correction of inaccurate data.
- Request erasure of your account ("right to be forgotten"), subject to our legal retention obligations.
- Request a portable copy of your data.
- Object to or restrict certain processing.
- Lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
To exercise any of these rights, email mail@checkmail.dev from the address associated with your account. We respond within 30 days.
§07 Security
API keys are stored as opaque secrets and only the holder can present them. Session cookies are HttpOnly, Secure, and SameSite=Lax. Webhook deliveries from Stripe are signature-verified. The verification cache stores SHA-256 hashes only. All data in transit is TLS-encrypted. Data at rest in DynamoDB and S3 is encrypted with AWS-managed keys.
§08 Cookies
Essential cookies (dashboard). When you sign in we set cm_session (your authenticated session) and cm_csrf (cross-site request forgery protection). Both are strictly necessary to operate the service and are not used for tracking.
Advertising cookies. Every page on this site loads Google's gtag.js for Google Ads conversion measurement. It runs under Google Consent Mode v2: nothing is written to your device until you accept. For visitors in the EU/EEA, UK, and Switzerland we show a cookie banner with equally prominent Accept and Reject buttons; visitors elsewhere are auto-granted. When granted, gtag may set cookies such as _gcl_au and _gcl_aw to attribute purchases to Google ads you may have clicked.
You can change your mind at any time: reset cookie preferences (this clears your stored choice and reloads the page so the banner reappears).
Third-party pages. Stripe and Resend may set their own cookies on pages they serve directly (such as Stripe Checkout), governed by their respective privacy policies.
§09 Changes
We may update this Privacy Policy from time to time. Material changes will be announced by email or via a notice in the dashboard.
§10 Contact
Questions about your privacy or this policy can be sent to mail@checkmail.dev.