Acceptable Use Policy

KillBounce is a verification tool, not a sending tool. We exist to help senders confirm that the addresses on their lists are syntactically correct, that the receiving domain exists, and that the recipient mail server will accept mail at that address. We do this so that legitimate senders can protect their sender reputation, reduce wasted spend, and avoid embarrassing bounce rates. We do not exist to help bad actors enrich harvested lists, scrub leaked credentials, or validate addresses they have no business contacting in the first place.

This AUP draws the line between those two worlds. It describes the categories of lists we are willing to process, the categories we are not, the uses of verification results we tolerate, and the uses we treat as immediate cause for enforcement. The rules apply whether you submit addresses through the dashboard, a CSV upload, the bulk paste box, or the API. They apply equally to the trial workflow and to paid usage.

We take a substance-over-form approach. If your activity violates the spirit of this policy, you cannot save it by labelling the workflow differently or by spreading the activity across multiple accounts. Conversely, if you have an unusual but legitimate use case that sits near a line drawn below, contact us at abuse@getkillbounce.com before you run it. We would rather understand a borderline case in advance than enforce after the fact.

You may submit addresses to the Service where you have a lawful basis for holding and processing those addresses. In practice that means one of the following categories.

Lists you collected with consent. Addresses captured through your own signup forms, lead-capture pages, gated-content downloads, event registrations, newsletter subscriptions, account creation flows, or similar first-party touchpoints where the recipient knowingly provided their address to you. This also covers addresses you collected from public business directories where the directory's terms permit such use and the underlying legal basis (typically legitimate interest for B2B contacts in jurisdictions that recognise it) supports verification.

Lists you legally purchased. Addresses bought from data providers that (i) obtained the addresses with appropriate consent or under a lawful basis suitable for B2B outreach, (ii) have the right to transfer that data to you for the purposes you intend, and (iii) provide reasonable documentation of provenance on request. The provider should be able to tell you how, when, and from whom each address was sourced. If they cannot, you should treat the list as suspect and not run it through the Service.

Lists provided by your customer to you. If you operate an agency, consultancy, ESP, CRM, or other service where your customer hands you addresses to verify on their behalf, you may submit those addresses to KillBounce provided your contract with that customer flows down the obligations in this AUP — at minimum, the customer must represent to you that they have a lawful basis to hold and process the addresses. You remain responsible to us for compliance with this AUP for everything you submit, regardless of how your customer obtained the addresses.

Public B2B business contacts. Generic role addresses (sales@, info@, support@), addresses listed on company websites, and similar publicly-published business contact information may generally be verified, subject to local law. We say "generally" rather than "always" because some jurisdictions impose stricter rules on commercial contact even with B2B addresses; the ultimate responsibility for compliance with your local law sits with you.

The following categories of lists are out of scope for the Service. Submitting them is a material breach of this AUP and the Terms of Service, and will result in enforcement action without warning where the breach is clear.

Scraped lists without a consent basis. Addresses harvested by scrapers, crawlers, or automated extraction tools from the open web, social networks, forums, professional networking sites, or any source where the underlying data was collected without a lawful basis for downstream commercial contact. Scraping a website that publishes addresses does not, by itself, create a lawful basis to email — much less to run those addresses through verification at scale.

Breach data and dark-web sources. Addresses obtained from leaked credential dumps, breach compilations, combolists, or any source whose provenance traces back to a data breach, hack, or unauthorised disclosure. We do not care whether the breach is recent or historical, whether the data is "already public," or whether you intend to use the verified addresses for ostensibly defensive purposes. These lists are off-limits.

Personal addresses with no relationship and no lawful basis. Personal email addresses (gmail.com, yahoo.com, outlook.com, free providers, and so on) of individuals where you have no prior relationship, no documented consent, and no legitimate interest that would withstand scrutiny under applicable privacy law. The fact that a personal address can be guessed, enumerated, or assembled (firstname.lastname@ patterns and the like) does not make it a list you may verify.

Children's addresses. Addresses you know or reasonably should know belong to individuals under the local age of digital consent (which varies by jurisdiction — typically 13 in the United States under COPPA, 16 in many EU member states under the GDPR unless lowered to as low as 13 by national law, 18 in India under the DPDP Act 2023 for many processing activities involving children). If a list is plausibly sourced from a context aimed at minors, do not submit it.

Enumeration and discovery attacks. Lists constructed by algorithmically generating addresses against a target domain (a.smith@target.com, b.smith@target.com, and so on) to discover which mailboxes exist. This use of verification is a form of reconnaissance and is prohibited regardless of the sender's stated intent.

Even where a list is permitted under Section 2, the verification results we return may only be used for legitimate sender hygiene. The following uses of results are prohibited.

Spam, phishing, smishing, fraud, and malware. You may not use KillBounce results to support unsolicited bulk email, phishing campaigns, SMS phishing (smishing) where the verified address feeds a multichannel attack, fraud schemes (business email compromise, invoice fraud, romance scams, advance-fee fraud), or the distribution of malware, ransomware, or other malicious payloads. This applies whether you are the originator of the campaign or a vendor enabling it.

Re-selling raw results as your own service. You may not take the per-address verification results KillBounce returns and re-sell, re-license, or re-package them as your own verification product, whether under your brand or unbranded. You may use the results internally within your business and you may surface them inside a product where verification is incidental to a broader workflow your customer paid for. What you may not do is wrap our API in yours and call the result a competing verification service. Genuine white-label resale of KillBounce is available under a separate paid agreement; email legal@getkillbounce.com if that interests you.

Training models on customer data. You may not use KillBounce results, or the addresses you submit for verification, to build or train any machine-learning model, statistical classifier, or generative system, whether for your own use or for third parties. This restriction is in addition to the data-protection considerations that would apply to any such training under our Privacy Policy and applicable law.

Stalking, harassment, and doxxing. You may not use the Service to confirm the existence of a specific person's address as part of a targeted harassment, stalking, intimate-partner-abuse, or doxxing campaign, or to compile dossiers on private individuals for similar purposes. This is true even where the address is technically public.

Sanctions and export-control violations. You may not use the Service in a manner that violates applicable economic sanctions, export-control regulations, or anti-money-laundering law, including by submitting addresses associated with sanctioned persons, entities, or jurisdictions for the purpose of facilitating prohibited transactions.

The Service is operated under a fair-use model. We publish per-minute and per-day rate caps in our developer documentation for both the dashboard-driven bulk workflow and the API. These caps exist to protect the platform from concentrated load, to keep verification latencies acceptable for all customers, and to limit the burden we place on downstream recipient mail servers during SMTP probing.

API keys are personal to your account. You may not share an API key across organisations, embed it in a publicly distributed client (mobile app, browser extension, open-source repository) where it can be extracted and reused, or otherwise expose it in a way that permits unauthorised parties to consume your credit balance. If a key leaks, rotate it from the dashboard immediately and email support@getkillbounce.com if you need help auditing the leaked usage.

We rate-limit by returning HTTP 429 responses rather than billing for throttled requests. Sustained attempts to evade rate limits — by distributing load across multiple accounts, opening duplicate accounts, masking originating IPs through proxy pools, or retrying aggressively without backoff — are themselves a breach of this AUP, separately from whatever workload prompted the evasion. If you have a legitimate need for a higher ceiling, email support@getkillbounce.com in advance and we will accommodate it where we reasonably can. We would rather raise the cap than catch the spike on monitoring.

Beyond the general rate limits, certain patterns of API and bulk-job usage are prohibited because they degrade the Service for everyone or because they suggest the Service is being repurposed for an unintended role.

No parallel duplicate jobs. You may not submit the same list to the bulk pipeline multiple times in parallel to accelerate processing. Each bulk job consumes Celery worker capacity, and duplicating jobs wastes that capacity for other customers without producing a faster result for you. If a job is running slowly, contact support rather than retrying.

No use as an open relay or anonymiser. You may not use the Service to launder verification traffic on behalf of unidentified third parties — for example, by building a public proxy that accepts arbitrary email addresses from unauthenticated clients and verifies them through your KillBounce account. The customer of record for every verification must be a known party for whom you can answer this AUP's provenance questions.

No reverse-engineering or scraping the Service. You may not attempt to reverse-engineer our scoring model, probe our infrastructure for vulnerabilities outside a coordinated disclosure (see Section 8), scrape the dashboard, or use automated tools to extract data from the Service beyond the documented API. Coordinated security research is welcome and should be reported to security@getkillbounce.com.

Truthful identifiers. Where the API accepts optional metadata fields (job name, callback URL, customer reference), the values you submit must not be designed to obscure the true nature of the workload or to impersonate another KillBounce customer.

We take a graduated approach to enforcement, calibrated to the severity of the breach and the customer's history. The general progression is warning, then temporary suspension, then permanent account closure. Egregious breaches — those that put recipients, mail providers, or the platform itself at immediate risk — skip the earlier steps.

Warning. For first-time, low-severity issues (for example, a single bulk upload that appears to mix consented and non-consented sources, or a rate-limit evasion attempt that looks accidental), we will email the account owner, pause the relevant job if necessary, and ask for clarification or remediation. No credits are forfeited at this stage.

Temporary suspension. For repeated or moderate-severity issues, or where the warning was ignored, we will suspend the account for a defined period ( typically seven to thirty days). During suspension, the account cannot run verifications, but the credit balance is preserved and the account is restored to good standing at the end of the suspension if no further issues arise. We will explain the basis for the suspension in writing.

Permanent account closure. For serious breaches, for repeat offences following suspension, or where continued access would expose the platform or third parties to ongoing harm, we will close the account permanently. For breaches in this category we may forfeit the unused credit balance without refund. This is a departure from the general rule that credits do not expire, and it applies only to closures for serious or repeated breach of this AUP — not to ordinary account terminations under the Terms of Service.

Immediate action. Where a breach is in progress and waiting for the warning ladder would cause real harm — for example, a live phishing operation being enriched through our API, or a sustained enumeration attack against a specific domain — we will suspend the account immediately and provide notice as soon as reasonably practicable. The fact that we acted before notifying you is not a defence to the underlying breach.

Forfeiture of credits in the most serious category exists because we do not want confiscated funds to act as a price list for abuse. The customer-friendly reading is that a clean account, even one we close for ordinary reasons, retains its credit balance for the twelve-month window described in the Terms of Service; only accounts closed for serious AUP breach lose that protection.

If you believe a KillBounce customer is using the Service in breach of this AUP — for example, you have received phishing or spam that you have reason to believe was preceded by a KillBounce verification — email abuse@getkillbounce.com with as much detail as you can share. Useful information includes the sending address, the recipient address, the date and time of the message, the full email headers (where available), and any other context that would help us identify the originating account.

We commit to acknowledging abuse reports within two (2) business days and to completing an initial investigation within five (5) business days. Where the report identifies a live ongoing harm, we will act faster. We will not, in general, disclose the identity of the reported customer to the reporter, but we will tell you whether we took action.

Security-vulnerability reports (as opposed to abuse reports) should go to security@getkillbounce.com. We treat coordinated disclosure reports in good faith and will not pursue legal action against researchers who follow standard responsible-disclosure practice.

KillBounce verifies addresses; you send the mail. The legal compliance of what you send, to whom, and on what basis is your responsibility, not ours. This Section restates the point because customers occasionally treat a clean verification result as a green light to send. It is not.

You remain solely responsible for compliance with all applicable anti-spam, consumer protection, and data-protection laws when you send to addresses we have verified. Depending on where you send, where your recipients are, and the nature of the message, this may include the United States CAN-SPAM Act, the Canadian Anti-Spam Legislation (CASL), the EU GDPR and the ePrivacy Directive (or its successor regulation), the UK GDPR and PECR, the Indian Digital Personal Data Protection Act 2023, the California Consumer Privacy Act as amended by the CPRA, and equivalent state-level statutes in Virginia, Colorado, Connecticut, and other US jurisdictions.

A "Valid" result from KillBounce means the address is likely to accept mail. It is not, and was never, a representation that you have consent to email the recipient, that the recipient's jurisdiction permits the contact, or that the content you intend to send is lawful in that jurisdiction. Where our refund commitment in the Terms of Service kicks in for an inaccurate result, that commitment is bounded to the credit value of the verification; it is not an indemnity for downstream regulatory exposure on your send.

Where you process EU, UK, or otherwise GDPR-covered personal data through the Service, our role and yours, the processing terms required by Article 28 of the GDPR, and the associated international-transfer mechanics are set out in our Data Processing Addendum. The DPA controls in case of conflict between it and this AUP for the personal data it covers.

We may update this AUP from time to time to reflect new abuse patterns, regulatory changes, or operational lessons learned from running the Service. The current version is always available at this URL, and the "Last updated" date at the top reflects the most recent revision.

Material changes — those that meaningfully expand the categories of prohibited use, or that change the enforcement ladder — will be notified by email to the address on your account at least fifteen (15) days before they take effect, except where a shorter notice period is necessary to respond to an emerging threat. Non-material changes (clarifications, typographical fixes, updates to reflect operational changes that do not alter what is prohibited) may take effect on posting.

Continued use of the Service after an updated AUP takes effect constitutes acceptance of the update. If you do not accept a change, your remedy is to stop using the Service and, where applicable, request a refund of unused credits to the extent permitted under the refund mechanism in the Terms of Service.

Use the appropriate address below depending on what you need. Routing your message correctly helps us respond faster.

• Abuse reports and AUP questions: abuse@getkillbounce.com
• Security vulnerability disclosures: security@getkillbounce.com
• Legal and contractual matters (including white-label resale): legal@getkillbounce.com
• Privacy and data protection requests: privacy@getkillbounce.com
• Product support, billing queries, and rate-limit increases: support@getkillbounce.com