Privacy Policy
1. Introduction
EmailProbe ("we", "us", "our") operates the email validation and intelligence platform at emailprobe.dev. We respect your privacy and are committed to protecting the data you share with us.
This Privacy Policy explains what data we collect, how we use it, how long we retain it, and your rights regarding that data. It applies to all users of our website, API, and related services.
2. Data We Collect
Account Data
- Email address (used for login, notifications, and support)
- Hashed password (PBKDF2 with 100,000 iterations, SHA-256 -- we never store plain-text passwords)
- Account creation date and plan information
API Request Data
- SHA-256 hash of submitted email addresses -- not the raw email addresses themselves
- Domain names extracted from submitted emails
- Detection results (score, verdict, individual check outcomes)
- Response times and processing metadata
Domain Intelligence
- Domain-level aggregate signals: total lookups, unique customer count, random local-part ratio
- This data is aggregated across all API usage and contains no individual email information
Pattern Data
- Email naming convention patterns per domain (e.g., "first.last", "wordNNN", "random string")
- These patterns are derived from structural analysis of email formats, not from actual names or personal information
Usage Data
- API call counts and timestamps
- Plan tier and billing status
- Feature usage statistics
Technical Data
- IP addresses (used for rate limiting only -- not stored long-term)
- Request metadata (HTTP method, endpoint, user agent)
Website Analytics
We use Microsoft Clarity to understand how visitors interact with our marketing website (emailprobe.dev). Clarity may collect:
- Page views, clicks, scroll depth, and mouse movement patterns
- Aggregated session recordings (used to identify usability issues)
- Device, browser, and country (derived from IP, IP itself is not retained by Clarity)
Clarity does not sell personal data, does not use it for advertising, and is governed by Microsoft's privacy practices. For details and opt-out, see the Microsoft Privacy Statement. Clarity is loaded only on the public marketing site (emailprobe.dev) -- it is not loaded in the application dashboard (app.emailprobe.dev) or on any authenticated page.
3. What We DO NOT Collect or Store
We want to be explicit about data we do not collect or retain:
- Raw email addresses -- only SHA-256 hashes, retained for 30 days
- Names from email addresses -- only structural patterns like "word.word" or "wordNNN"
- Passwords in plain text -- only PBKDF2 hashes with 100K iterations
- Browsing history outside our domain -- we do not track pages you visit on other websites
- Advertising trackers -- no Google Analytics, Mixpanel, Segment, ad-network pixels, or remarketing tags
- Personal data from session recordings -- Clarity automatically masks form inputs, passwords, and anything marked sensitive
4. How We Use Data
We use collected data for the following purposes:
- Provide the email validation service -- processing API requests, returning detection results, and maintaining service quality
- Improve detection accuracy -- aggregating domain-level signals across all customers to build crowdsourced intelligence that identifies new disposable and suspicious domains
- Extract email naming patterns -- performing structural analysis at the domain level to detect anomalous registration patterns (e.g., domains where 90% of emails are random strings)
- Monitor and prevent abuse -- detecting API misuse, enforcing rate limits, and protecting our infrastructure
- Send service-related communications -- account verification, security alerts, plan change notifications, and material policy updates
5. Data Retention
| Data Type | Retention Period | Notes |
|---|---|---|
| API request logs (email hashes) | 30 days | Automatically deleted after 30 days |
| Pattern samples | 30 days | Structural patterns only, then deleted |
| Domain-level aggregates | Permanent | Contains no individual or personal data |
| Account data | Until account deletion | Deleted within 30 days of account closure |
| IP addresses (rate limiting) | Ephemeral | In-memory only, not persisted to disk |
6. Data Sharing
We do not sell your data. We do not share personal data with third parties for their marketing purposes. Data is shared only as follows:
Sub-processors
We use a small number of trusted vendors to deliver the service. The current list is published at /sub-processors.html and includes Cloudflare (hosting + database), Microsoft Clarity (marketing website analytics), Brevo (transactional email), and Dodo Payments (billing). Each vendor is bound by a data-processing contract and we provide advance notice before adding new ones.
Infrastructure: Cloudflare
Our service is hosted on Cloudflare's global edge network. Cloudflare processes requests as part of providing hosting, CDN, and DNS services. See Cloudflare's Privacy Policy.
Payments: Dodo Payments
When billing is active, payment processing is handled by Dodo Payments. They receive only the data necessary to process transactions (email, plan information). We do not store credit card numbers or payment credentials.
Law Enforcement
We may disclose data if required by law, subpoena, court order, or government request. We will notify affected users when legally permissible.
7. Your Rights
Under the General Data Protection Regulation (GDPR) and similar privacy laws, you have the following rights:
- Right to access -- request a copy of all personal data we hold about you
- Right to rectification -- request correction of inaccurate personal data
- Right to deletion -- request deletion of your account and all associated personal data
- Right to data portability -- receive your data in a structured, machine-readable format
- Right to object -- object to processing of your personal data for specific purposes
- Right to opt-out of crowdsourced intelligence -- request that your API query patterns not be used to improve detection for other customers
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
8. Cookies and Local Storage
Strictly necessary (always on)
- Session token: An HttpOnly JWT cookie used for authentication when you are logged in to the dashboard. This cookie is strictly necessary and cannot be used for tracking.
- Cookie consent state: A
localStorageentry (ep_cookie_consent) that remembers your choice on the analytics banner so we do not show it again for 6 months.
Analytics (off by default; loaded only on accept)
If you click "Accept" on the cookie banner shown on your first visit, we load Microsoft Clarity, which sets first-party cookies and uses local storage to deduplicate sessions and track engagement. See the Website Analytics section above and the sub-processors list for details on what Clarity collects.
You can change your choice at any time by clicking "Cookie preferences" in the page footer. Choosing "Reject" stops Clarity from loading on subsequent page views and clears the previous consent record.
What we do not use
- Advertising or remarketing cookies
- Third-party tracking pixels (Google Analytics, Facebook, LinkedIn, etc.)
- Cross-site identifiers
9. Security
We take the security of your data seriously. Our security measures include:
- Encryption in transit: All data is transmitted over HTTPS with TLS encryption
- Password hashing: Passwords are hashed using PBKDF2 with 100,000 iterations and SHA-256
- API key hashing: API keys are hashed with SHA-256 before storage -- we cannot recover lost keys
- Email hashing: Email addresses submitted via API are hashed with SHA-256 before any logging or storage
- Edge infrastructure: Our service runs on Cloudflare's global edge network with built-in DDoS protection
- Minimal data retention: We retain only what is necessary and automatically purge time-limited data
If you discover a security vulnerability, please report it to [email protected]. We appreciate responsible disclosure.
10. Children's Privacy
EmailProbe is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a minor, we will delete that data promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make changes:
- The "Last updated" date at the top of this page will be revised
- For material changes, we will notify registered users via email at least 14 days before the changes take effect
- The previous version of the policy will be archived and available upon request
12. Contact
If you have questions about this Privacy Policy or how we handle your data, contact us at: