Privacy Policy
Last updated: June 2, 2026
This Privacy Policy explains what personal data KillBounce collects, why we collect it, how long we keep it, who we share it with, and the rights you have over it. It applies to the KillBounce email verification service, our website, and our APIs. We have written it to comply with the EU and UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the CPRA, and the Indian Digital Personal Data Protection Act, 2023 (DPDP Act). Related documents include our Terms of Service, Data Processing Addendum, Subprocessors list, Security overview, Cookies Policy, and Acceptable Use Policy.
1. Summary
This summary is provided for convenience. It is not a substitute for the full policy below, which controls in the event of any inconsistency.
- What we collect: the account information you give us (name, work email, hashed password or OAuth identifier), the email addresses you upload for verification, the verification results we generate, payment metadata from our payment processor, and basic server logs needed to run and secure the service.
- What we do not collect: we do not collect or store payment card numbers, we do not sell personal data, we do not rent it, and we do not use customer verification lists to train machine learning models for third parties.
- How long we keep it: uploaded lists and per-row verification results are purged approximately seven days after a job completes. Aggregate counters (such as lifetime verifications) remain on your account. Account data persists while your account is active; payment records are kept for seven years to satisfy Indian tax and companies-law requirements.
- How to delete: you can delete your account at any time from your dashboard, or by emailing privacy@getkillbounce.com. We confirm deletion within thirty days and purge backups on our normal rotation.
- How to contact us: privacy and rights requests go to privacy@getkillbounce.com. General support is support@getkillbounce.com.
2. Who we are and what this policy covers
KillBounce is an email verification platform based in India. Throughout this policy, "KillBounce", "we", "us", and "our" refer to KillBounce. "You" refers to the individual or organisation that has registered for an account, uses our APIs, or visits our marketing pages.
This policy covers personal data we process in connection with the KillBounce service, including: the marketing website at getkillbounce.com and its subdomains; the authenticated dashboard at app.getkillbounce.com; our HTTP APIs; and any support, billing, or transactional communications we send you. It does not cover third-party services we link to (such as our payment processor or OAuth providers) — those services operate under their own privacy policies, although we describe what we receive from them in Section 3.
KillBounce is a business-to-business service intended for use by professionals operating on behalf of an organisation. Where you use the service as an employee, contractor, or agent of an organisation, that organisation is generally the "controller" of the customer data uploaded through your account for GDPR purposes, and we act as a "processor". The relationship between controller and processor is governed by our Data Processing Addendum, which is incorporated into the Terms of Service by reference.
3. Information we collect
Account information
When you register, we collect the name and email address you provide, a bcrypt hash of your password (we never store the password itself), and optionally a company name. If you register or sign in using Google or GitHub OAuth, we receive the OAuth provider's stable user identifier, your verified email address, and your display name — we do not receive your password or unrelated profile data.
Customer-uploaded lists
The core function of the service is to verify email addresses you submit to us. You may submit those addresses by uploading a CSV or text file, by pasting them into the dashboard, or by sending them to our API. We treat the uploaded addresses, and any accompanying columns you choose to include, as "customer data" under our Terms and as personal data of your contacts under the GDPR and similar laws.
Verification metadata
For each address verified, we generate and retain metadata describing the verification: syntactic validity, the DNS and MX records discovered for the domain, the SMTP conversation result (accept, reject, greylist, catch-all, timeout), provider-aware heuristics, a numeric score from 0 to 100, and a result bucket (Valid, Risky, Invalid, or Unknown). We also retain the timestamp of the verification and the job to which it belongs.
Payment information
Payments are processed by Dodo Payments, which acts as the merchant of record for credit purchases on KillBounce. We do not see, receive, or store payment card numbers, CVVs, or bank account details. From Dodo Payments we receive only the transaction identifier, the amount and currency, the high-level payment method category (for example "card"), the billing country and tax identifier you provided, and the status of the transaction. We use that information to credit your account, issue invoices, comply with tax obligations, and investigate disputes.
Usage and telemetry
We collect basic server-side telemetry needed to operate the service: timestamps of API calls and dashboard actions, the IP address of the request (used for rate limiting, abuse prevention, and geographic display in security logs), the user agent string, and a coarse browser fingerprint used to detect coordinated fraud across newly created accounts. We do not use third-party advertising or behavioural tracking pixels on our authenticated dashboard.
Communications
When you email support, reply to a transactional email, or use an in-product feedback form, we retain the contents of that message together with your email address and the time it was sent. Support correspondence is retained for as long as it is useful to improve the service and to provide context on subsequent requests from the same account.
4. How we use your information
We use the personal data described above for a small number of clearly defined purposes, and we do not repurpose it without notice. Specifically, we use it to:
- Perform the verification service. Running the three-layer probe (syntax, DNS/MX, live SMTP), scoring results, handling catch-all domains, returning results to you, and re-verifying addresses on cache hits where appropriate.
- Operate billing. Crediting your account when you purchase credits, deducting credits as verifications are performed, issuing invoices and receipts, and handling refunds, including under our bounce-back credit guarantee.
- Secure the platform. Detecting and stopping abuse, brute-force login attempts, credential stuffing, list-trading fraud, and other behaviour that violates our Acceptable Use Policy.
- Provide support. Answering questions, diagnosing issues against your actual job history, and following up on bug reports.
- Improve the product, in aggregate. Studying anonymised aggregates of scoring accuracy, provider distributions, and system performance to improve the underlying engine. We do not use the content of any one customer's lists to build customer-facing features for any other customer.
- Comply with legal obligations. Responding to lawful requests from regulators or courts, retaining tax and accounting records, and enforcing our Terms.
5. Legal bases for processing (GDPR)
Where the GDPR or the UK GDPR applies, we rely on one of the following legal bases under Article 6 for each processing purpose. The basis applicable to each purpose is identified below.
- Performance of a contract (Art. 6(1)(b)). Processing your account data, the addresses you upload, verification metadata, and payment metadata to deliver the service you have signed up for and to bill you for it.
- Legitimate interests (Art. 6(1)(f)). Operating server logs, retaining IP addresses for rate limiting and abuse prevention, the limited browser fingerprint used to detect coordinated fraud, aggregate product analytics, and responding to unsolicited correspondence you initiate. Our legitimate interest is keeping the service available, accurate, and free of abuse; we have balanced this against your privacy interests and consider this processing proportionate.
- Legal obligation (Art. 6(1)(c)). Keeping payment records for the period required by Indian tax and companies-law requirements, responding to lawful requests from competent authorities, and complying with anti-fraud rules imposed on us by our payment processor.
- Consent (Art. 6(1)(a)). Sending occasional product-update emails beyond strictly transactional notifications, and setting non-essential cookies. You can withdraw consent at any time without affecting prior processing.
For the addresses you upload as customer data, you are the controller and we are the processor; the lawful basis for your processing those addresses is your responsibility, and you confirm under our Terms of Service that you have one.
6. How long we keep it
We keep personal data only for as long as we need it for the purposes described above, or for the period required by law. The standard retention periods are:
- Verification jobs and per-row results: approximately seven days after job completion. After that window we delete the uploaded list and the per-row results from primary storage. Backups containing this data are overwritten on our normal backup rotation, typically within thirty days.
- Aggregate counters: retained while your account is active. We keep running totals such as "lifetime addresses verified" and "credits consumed this month" on your user record. These contain no email addresses.
- Account data: retained while your account is active, plus thirty days after a deletion request. The thirty-day grace window allows for accidental deletion recovery and final invoicing. After that the account record is deleted from primary storage.
- Payment records: retained for seven years. The Indian Companies Act, 2013 and tax statutes require us to retain books of account and supporting documents for this period. Records kept under this basis are restricted to the data necessary for the legal obligation.
- Operational logs: retained for ninety days. Application logs, request logs, and security logs roll off after ninety days, except where a specific entry has been pinned for an active security investigation.
The seven-day retention on uploaded lists is shorter than what many vendors offer. We chose it because we do not need your lists once a job is done — keeping them longer would expand our risk surface without giving you a benefit.
7. Who we share it with
We share personal data only with a small set of service providers ("sub-processors") that help us run the service, and only to the extent necessary for them to do so. The current categories are:
- Hosting and infrastructure: Webdock (VPS hosting in the European Union, where the primary application servers, the Postgres database, and the Redis cache run), Vercel (the marketing and dashboard frontend), and Cloudflare (CDN, DNS, and edge protection).
- Payments: Dodo Payments (merchant of record for credit purchases).
- Email delivery: Resend (transactional email for sign-up, password reset, receipts, and job-completion notifications).
- Identity and OAuth: Google and GitHub for optional single sign-on.
The current list of named sub-processors, with their roles and processing locations, is published at /subprocessors and is updated whenever it changes.
We do not sell personal data. We do not rent it. We do not share it with data brokers, advertising networks, or AI training data marketplaces. We may disclose personal data to law enforcement or other public authorities where we are legally required to do so, and to professional advisors (lawyers, accountants) under confidentiality obligations.
8. International data transfers
KillBounce is operated from India. Our primary application servers and database are located in the European Union (with Webdock); our frontend and CDN are operated from global edge locations. Depending on where you are located, your personal data may be transferred to and processed in jurisdictions other than your own, including India and the European Union.
Where personal data of individuals in the European Economic Area or the United Kingdom is transferred to India or to any other country that has not received an adequacy decision from the European Commission or the UK government, we rely on the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914), supplemented by the UK Information Commissioner's International Data Transfer Addendum where applicable. Equivalent clauses are incorporated into our agreements with sub-processors.
For data subjects in India, the DPDP Act's cross-border transfer rules apply. KillBounce monitors any notifications the Central Government issues restricting transfers to specified countries and will comply with them.
9. Your rights
Depending on where you live, you have some or all of the following rights over your personal data. KillBounce honours these rights for all account holders regardless of location, with the exception of obligations that depend on a specific statutory framework.
- Access. You can ask for a copy of the personal data we hold about you.
- Rectification. You can ask us to correct inaccurate data.
- Erasure. You can ask us to delete your data, subject to the retention exceptions described in Section 6 (notably, payment records we must retain by law).
- Restriction. You can ask us to limit how we process your data while a dispute is resolved.
- Portability. You can ask for the data you provided in a structured, machine-readable format.
- Objection. You can object to processing carried out on the basis of our legitimate interests.
- Withdraw consent. Where processing is based on consent, you can withdraw it at any time without affecting prior processing.
To exercise any of these rights, email privacy@getkillbounce.com from the address associated with your account. We respond to verified requests within thirty days; complex requests may be extended by a further sixty days where the law permits, and we will tell you if that is the case. We do not charge a fee for routine requests.
If you believe we have not handled your personal data correctly, you can complain to the data protection authority for your jurisdiction. In the EU this is the supervisory authority of your member state; in the UK this is the Information Commissioner's Office; in India it is the Data Protection Board of India established under the DPDP Act.
10. CCPA / CPRA and DPDP-specific rights
California (CCPA / CPRA)
If you are a California resident, you have the right to know what personal information we have collected about you, the categories of sources, the business purposes for which it is used, and the categories of third parties with whom we share it; the right to delete your personal information; the right to correct inaccurate personal information; and the right to opt out of the sale or sharing of your personal information. KillBounce does not sell or share personal information as those terms are defined under the CCPA as amended by the CPRA, so there is nothing to opt out of, but you may still exercise the other rights by emailing privacy@getkillbounce.com. We will not discriminate against you for exercising any CCPA right.
India (DPDP Act, 2023)
If you are a Data Principal under the DPDP Act, you have the right to obtain a summary of the personal data we are processing about you and the activities undertaken with respect to it; the right to correction, completion, and updating; the right to erasure; the right to nominate another person to exercise your rights in the event of your death or incapacity; and the right to grievance redressal. Grievances may be addressed to privacy@getkillbounce.com. If you are not satisfied with our response, you may approach the Data Protection Board of India.
Other US state privacy laws
Residents of states with comprehensive privacy statutes (including Virginia, Colorado, Connecticut, Utah, and others as they come into force) have similar rights of access, correction, deletion, and opt-out of targeted advertising and sale. We honour these rights through the same intake channel described above.
11. Children
KillBounce is a business-to-business service. It is not directed at, marketed to, or designed for children, and we do not knowingly allow children to register accounts. "Children" means individuals under sixteen years of age in the EU and UK (or the lower age set by an EU member state where applicable), under thirteen in the United States as defined by COPPA, and under eighteen in India as defined by the DPDP Act.
If you believe a child has provided personal data to us, please contact privacy@getkillbounce.com and we will delete the account and associated data promptly.
12. Cookies and similar technologies
KillBounce uses a small number of strictly necessary cookies to keep you signed in, to remember basic preferences, and to defend the service against abuse. We do not use third-party advertising cookies on the authenticated dashboard. The marketing website uses privacy-respecting analytics to understand aggregate traffic.
The full list of cookies, their purposes, and their retention periods is available in our Cookies Policy. Where required by law, we ask for your consent before setting non-essential cookies, and you can change your cookie preferences at any time.
13. Security
We take reasonable and appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. At a high level: passwords are stored as bcrypt hashes (we never see the plaintext); connections to our servers are encrypted in transit with TLS; production databases are encrypted at rest; payment card data is never stored on our systems; access to production systems is restricted, logged, and reviewed.
A more detailed description of our security practices, including our incident response process and our position on certifications, is published at /security. KillBounce does not currently hold SOC 2, ISO 27001, or HIPAA certifications, and we disclose that plainly rather than claiming otherwise. We will update /security as our assurance program matures.
14. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, our service, or applicable law. The "Last updated" date at the top of this page identifies the current version. Material changes — those that meaningfully reduce your rights or expand our processing — will be notified to account holders by email at least thirty days before they take effect, except where a shorter period is required by law.
Continued use of the service after the effective date of an updated policy constitutes acceptance of the updated terms. Older versions are retained on file; you can request a copy by emailing legal@getkillbounce.com.
15. Contact
For privacy questions, data subject requests, or grievances under the DPDP Act, contact privacy@getkillbounce.com. For legal notices, contact legal@getkillbounce.com. For day-to-day support, use support@getkillbounce.com. KillBounce is based in India; a mailing address will be provided on written request to legal@getkillbounce.com where required for the exercise of a legal right.