Privacy Policy

We only collect personal data when you upload email lists for Bulk/List Verification. We do not collect or retain data from single, real-time verification API calls. The data is deleted after 14 days and it's never shared, saved or sold.

We also collect basic account and billing metadata needed to manage accounts and subscriptions when you register or purchase a plan.

• Bulk verification data: email addresses and the verification results produced for those addresses (collected only when you upload a bulk list)
• Account metadata: account email, company name (if provided), billing contact information
• Payment metadata: confirmation and invoice metadata from our payment processor (we do not store raw card data)
• Operational metadata: minimal request identifiers and error metadata used to operate the Service (does not include stored Bulk Results beyond the 14-day window)

We use collected information only to provide and support the IsMailable service and to comply with legal obligations.

We do not use your raw Bulk Results for model training and we do not sell personal data.

• Process bulk verification requests and return verification Results to the requester
• Provide a 14-day window so users can review and export Bulk Results
• Manage accounts, billing, invoices, and refund requests using payment processor metadata
• Detect and respond to fraud, abuse, and legal requests as required by law
• Use aggregated, non-identifiable statistics to improve the Service

We do not sell personal information. We disclose personal data only as necessary to provide the Service or as required by law.

We work with subprocessors and trusted third parties to operate the Service and process payments; we use contractual safeguards to protect data.

• Subprocessors: reputable, industry-standard providers for hosting, storage, authentication, and payments (list available on request)
• Payment processor: we rely on a third-party Merchant of Record for payment processing. (Note: paddle is listed as a paddle pending merchant approval.)
• Legal compliance: when required by law, court order, or to respond to lawful government or regulatory requests
• Business transfers: in connection with a merger, acquisition, or sale of assets (we will notify users where required)
• Aggregate data: non-identifiable, aggregated metrics may be shared publicly or with partners

We implement reasonable technical and organizational measures to protect personal information against unauthorized access, disclosure, alteration, or destruction.

We use industry-standard protections for data in transit and reasonable safeguards for data in use to reduce risk.

• TLS encryption for data in transit
• Access controls and authentication for internal systems
• Contractual safeguards with subprocessors to require appropriate security measures
• Incident response procedures to investigate and mitigate security incidents

We retain personal information only for the time necessary to provide the Service and as required for legal or tax compliance.

Bulk verification data is retained for a strictly limited period to allow users time to export results, after which it is permanently deleted and is not recoverable.

• Bulk verification uploads & Results: retained for 14 days from processing completion, then permanently deleted with no backups or snapshots retained
• Single (real-time) verification calls: not stored — results are returned to the caller and no copy is kept
• Account & billing records: retained as required for account administration and legal/tax compliance (standard practice: up to 7 years where required by law)
• Deletion on request: you can request earlier deletion by emailing [contact@ismailable.com](mailto:contact@ismailable.com); we will verify identity before actioning requests

Depending on your jurisdiction, you may have rights with respect to your personal data. To exercise your rights, contact us by email and we will verify your identity before processing the request.

Because Bulk Results are permanently deleted after 14 days with no backups, data older than 14 days may no longer be available to retrieve.

• Access: request a copy of personal data we hold about you (subject to availability)
• Correction: request correction of inaccurate or incomplete data
• Deletion: request deletion of personal data (we will act on verified requests where feasible and legally permitted)
• Portability: request a machine-readable copy of personal data you provided (where applicable)
• Objection/Restriction: object to or request limitation of certain processing activities where permitted by law

We use cookies and similar technologies for essential service functions, authentication, and limited analytics to help maintain and improve the Service.

Cookie preferences can be controlled through your browser; disabling cookies may affect functionality.

• Essential cookies: required for authentication and basic site functionality
• Analytics cookies: limited use to measure aggregate, non-identifying usage to improve the Service
• Third-party cookies: applied by integrated providers such as payment processors or analytics platforms (if used)

IsMailable may process data in countries other than your country of residence. Where required by law we use appropriate safeguards for international transfers.

For enterprise customers we can include specific transfer mechanisms in a contractual DPA.

• Transfers may occur to subprocessors in jurisdictions necessary to operate the Service
• Standard Contractual Clauses (SCCs) or other lawful mechanisms will be used where required
• Customers may request more information or bespoke transfer agreements in an enterprise DPA

The Service is not intended for children under 16. We do not knowingly collect personal data from children under 16.

For paid contracts please ensure you satisfy applicable age-of-contracting requirements in your jurisdiction.

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws.

Material changes will be communicated as required by law. Continued use of the Service after updates constitutes acceptance of the revised policy.

If you have questions, need to exercise a data subject right, or wish to request a DPA or subprocessors list, contact us by email.

We will verify identity before fulfilling data subject requests. DSRs should be submitted by email only.

• Email: [contact@ismailable.com](mailto:contact@ismailable.com)
• Data Subject Request (DSR): submit deletion/export/access requests by email only; we aim to respond to verified requests within 30 days
• Data Processing Addendum (DPA): available on request for enterprise customers

In the event of a personal data breach that materially affects users, we will notify authorities and affected users as required by law.

We follow legal timelines for notification and will provide information about the incident and mitigation steps where appropriate.

• Supervisory authorities: notified within 72 hours where required by applicable law
• Affected users: notified within 48 hours where contact details are available and notification is appropriate