GDPR
This page sets out how VerifyMaill meets its obligations under the EU GDPR and UK GDPR. It complements our Privacy Policy and Data Processing Agreement.
1. Our Role Under GDPR
We process personal data in two capacities:
- As a controller: for the personal data of our website visitors, account holders and support contacts. We decide how this data is used; see our Privacy Policy.
- As a processor: for the email addresses you upload for verification. You are the controller of that data and we process it only on your documented instructions, under our Data Processing Agreement (DPA).
2. Lawful Bases
When we act as a controller, we rely on the following lawful bases under Article 6 GDPR:
- Contract: to create your account and deliver the Service you purchased.
- Legitimate interests: to secure, support, analyse and improve the Service, and to prevent abuse and fraud, balanced against your rights and freedoms.
- Consent: for non-essential cookies and any optional marketing; you may withdraw consent at any time.
- Legal obligation: to meet tax, accounting and other legal duties.
When we act as your processor, the lawful basis for processing the uploaded addresses is yours to determine as the controller. You confirm you have one (for example legitimate interest or consent) when you submit data. See the Terms and the DPA.
3. Your Rights
If you are in the EEA or UK, you have the right to:
- Access the personal data we hold about you;
- Rectify data that is inaccurate or incomplete;
- Erase your data ("right to be forgotten"), subject to legal limits;
- Restrict or object to certain processing, including profiling;
- Portability: receive your data in a structured, machine-readable format;
- Withdraw consent at any time, where we rely on consent; and
- Lodge a complaint with your supervisory authority.
Where the data is something you uploaded about your own contacts, you (as controller) exercise these rights directly through your account, and we support you in responding to the people whose data it is.
4. Sub-Processors
We engage the sub-processors below to help deliver the Service. Each is bound by a contract that requires data-protection commitments at least as protective as ours.
| Provider | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, compute and database storage | Global (region-dependent) |
| Cloudflare | Content delivery, DNS and DDoS / security protection | Global |
| Polar | Merchant of Record: checkout, billing and tax | United States / EU |
| Stripe | Payment and card processing (via our Merchant of Record) | United States |
We keep this list current and will give notice of new sub-processors as described in the DPA, so you can object on reasonable data-protection grounds.
5. International Transfers
We operate from India, and some sub-processors are located outside the EEA and UK. Where we transfer personal data of individuals in the EEA or UK to a country without an adequacy decision, we put appropriate safeguards in place, primarily the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, along with additional technical and organisational measures where needed. A copy of the relevant safeguards is available on request.
6. Retention & Deletion
We keep personal data only as long as necessary for the purposes it was collected, or as the law requires. Uploaded lists and results remain under your control and can be deleted at any time; deletion is permanent. Account data is deleted within 30 days of account closure, except where we must retain limited records (for example for tax). Full detail is in our Privacy Policy and the DPA.
7. Security Measures
We implement appropriate technical and organisational measures under Article 32 GDPR, including: encryption of data in transit (TLS) and at rest (AES-256); least-privilege, role-based access control; network and application monitoring; secure software-development practices; and regular review of our measures. The detailed list of measures is set out in an annex to the DPA.
8. Breach Notification
If we become aware of a personal-data breach, we will notify affected controllers without undue delay and, where we are the controller, the relevant supervisory authority within 72 hours where required, and affected individuals where the breach is likely to result in a high risk to their rights. Where we act as your processor, we will notify you without undue delay so you can meet your own obligations.
9. DPO & Representatives
Given our size and the nature of our processing, we are not currently required to appoint a Data Protection Officer or an EU/UK Article 27 representative. We will appoint them if and when the law requires, and update this page accordingly. In the meantime, all privacy matters are handled directly by our team at team@verifymaill.com.
10. Exercising Your Rights
To make a request, email team@verifymaill.com. We may need to verify your identity. We respond within one month, which can be extended for complex requests as the GDPR allows, and we will tell you if so.
11. Contact
For GDPR matters, contact us at team@verifymaill.com or write to 47labz (VerifyMaill), India. If you need a signed Data Processing Agreement, we're happy to provide one.