Emailsherlock
Pricing Resources
Sign in Start free →
Verify & clean
Email Verification Is an address real, without sending mail Bulk Verify Clean a whole list before you send
Domain Security
Lookalike Monitoringnew Catch clones of your domain before they turn dangerous Domain Monitoring SPF, DMARC, TLS and blacklists, checked daily DMARC Monitoring See who sends as you, catch spoofing Domain Listing Claim and brand your public page
Developers
API Run lookups and verification from your code Email Guardsoon Block bad emails at your forms Chrome Extension Grade any domain as you browse
Featured Bulk email verification Upload a list. We check syntax, MX, SMTP and catch-all, then hand back what's safe to send. Clean a list →
Use any product on its own or bundled. All products → Compare plans →
Free tools · no signup
MX Lookup Mailservers for a domain SPF Lookup Check the sender policy DMARC Lookup Read the policy record DNS Lookup All records at a glance Host Check Host, IP, location and tech stack Blacklist Check Is the host on any list? Reverse Lookup Find who's behind an email address What Is My IP Your public IP, location and ISP
No account needed. Runs in your browser. All free tools →
Verify & clean
Email Verification Is an address real, without sending mail Bulk Verify Clean a whole list before you send
Domain Security
Lookalike Monitoringnew Catch clones of your domain before they turn dangerous Domain Monitoring SPF, DMARC, TLS and blacklists, checked daily DMARC Monitoring See who sends as you, catch spoofing Domain Listing Claim and brand your public page
Developers
API Run lookups and verification from your code Email Guardsoon Block bad emails at your forms Chrome Extension Grade any domain as you browse
All products →
MX Lookup Mailservers for a domain SPF Lookup Check the sender policy DMARC Lookup Read the policy record DNS Lookup All records at a glance Host Check Host, IP, location and tech stack Blacklist Check Is the host on any list? Reverse Lookup Find who's behind an email address What Is My IP Your public IP, location and ISP All free tools →
Pricing Resources
Sign in Start free →
home / privacy
legal · v2.0

Privacy Policy.

We collect the smallest amount of personal data we can, keep it for the shortest time we can, and hand it back when you ask. Below: what we collect, where it lives, and how to remove it.

Effective 20 May 2026
Version v2.0
Jurisdiction GDPR · TDDDG
Language English (binding)
01 Terms of Service 02 Privacy Policy 03 Data Processing Agreement
In this document
  1. 01Data controller
  2. 02Three kinds of data subjects
  3. 03What we collect and why
  4. 04Storage layers and erasure
  5. 05If a business customer verified your address
  6. 06Cookies and similar technologies
  7. 07Server log files
  8. 08Recipients and processors
  9. 09International data transfers
  10. 10Business succession
  11. 11Your rights
  12. 12Children
  13. 13Automated decisions
  14. 14Security
  15. 15Email-Guard on our own signup
  16. 16Changes to this policy
  17. 17Contact

This page is the binding English version. The structure mirrors our internal data model: three storage layers, three kinds of data subjects.

In plain language

What you should know.

  • We do not sell or share your data with advertisers. There are no third-party trackers on this site.
  • Your address can land in up to three storage layers. Opt-out reaches two of them; the third belongs to the business customer who verified you.
  • Use the opt-out form for the public cache and the public-page entry. Contact the business customer directly for their records, or request the suppression list to block all future verifications.
  • Account holders can manage and delete their account data from the account dashboard.
§ 01 · who we are

Data controller#

Responsible for the processing of personal data within the meaning of Art. 4(7) GDPR:

EmailSherlock
Friedrichstr. 155
10117 Berlin, Germany
Contact: via our contact form.

We have not appointed a Data Protection Officer because we are not required to do so under Art. 37 GDPR. You can reach us on any data-protection topic via the contact form above.

§ 02 · data subjects

Three kinds of data subjects#

EmailSherlock processes personal data in three distinct relationships. Different sections of this policy apply depending on which relationship is yours.

2.1

Visitors of the public website. People who use the homepage, the free reverse-lookup tool, and resource articles without a paid account. Most sections of this policy apply to you.

2.2

Account holders and paying subscribers. People with a registered account who receive transactional emails, manage subscriptions, verify addresses programmatically through our API or Bulk-Verify product, or claim a domain.

2.3

Subjects whose addresses are verified by others. People whose email address ends up in our records because a visitor, an API customer, a Bulk-Verify customer, or a Chrome Extension user looked it up, without those subjects having an account with us. Sections 4 and 5 cover what that means for you and how to exercise your rights.

§ 03 · what we collect

What we collect and why#

The table below summarises every category of personal data we process, the legal basis, and how long we keep it. Further detail follows in the numbered sections.

Purpose Data Basis Retention
Running the website Session identifier, CSRF token, security cookies, IP address. art 6 (1) (f) Session · 30 days
Free public lookups Search query, HMAC-hashed email, IP, User-Agent, timestamp. art 6 (1) (f) Cache · until opt-out
Programmatic verification Plain-text address, HMAC hash, verify result snapshot, customer account, timestamp, request IP and UA. art 6 (1) (b) art 28 Plain text nulled after 180 days (plan default) · hash + result kept until record deleted or subscription ends
Signup abuse prevention Email-Guard check on our own signup form: domain of the typed address, verdict, reason codes. The address is verified but not stored (no-store path). art 6 (1) (f) Domain-only telemetry · address not stored
Account & billing Email, name, country, billing data, payment processor tokens. art 6 (1) (b) art 6 (1) (c) Contract + 10 yrs § 147 AO
Spam & abuse reports Reporter email (verified), reported email, comment. art 6 (1) (f) 5 years · purgeable
Domain claiming Email, domain, verification tokens. art 6 (1) (b) Until claim revoked
Domain monitoring (paid) Claimed domain, monitoring schedule, host snapshots (DNS / SPF / DKIM / DMARC / SSL / blacklists), alert preferences, notification recipients, account ID. art 6 (1) (b) Subscription lifetime + 12 mo
Contact form Name, email, message content. art 6 (1) (f) 12 months
Analytics Shortened IP, randomised client ID, device type, page events (Google Analytics 4). art 6 (1) (a) § 25 (1) TDDDG 14 months
§ 04 · storage

Storage layers and how erasure works#

When an email address enters our system, it can land in up to three separate storage layers. Each layer follows different retention and erasure rules. The distinction matters if you want to exercise your right to erasure under Art. 17 GDPR.

4.1

Central verify cache. One record per address with the technical verify facts: mail host, deliverability state, last check timestamp. The address is stored as an HMAC-SHA256 hash with a server-side secret (always) and in plain text (only while not anonymised). On erasure request from the subject we null the plain text and the inferred enrichment, and keep the hash plus the technical facts. The hash is not reversible without our secret, so the remaining record is no longer personal data in the sense of Art. 4(1) GDPR.

4.2

Public-page representation. Only created when a visitor of the public website searches an address. Holds the page passkey (URL identifier), social-profile enrichment, and public-page search counters. On erasure request from the subject, all personal-data fields are nulled and the public result page returns a Not Found status, so the address can no longer be looked up here.

4.3

Business customer job records. Created when an API customer, a Bulk-Verify customer, or a Chrome Extension user verifies an address. Holds the address in plain text plus the result snapshot at the time of the call. The plain-text address is nulled after the retention window set by the customer's plan (180 days by default, configurable per plan), counted from the verification call. After that point the record keeps only the keyed hash and the result snapshot, kept under the customer's account until the record is deleted or the subscription ends. These records belong to the customer who created them. Erasure goes through the customer, not through us. See section 5.

To trigger erasure of the central verify cache and the public-page representation for an address you control, use our opt-out form. We verify ownership by sending a confirmation link to that address before processing.

§ 05 · business customer records

If a business customer verified your address#

EmailSherlock offers paid verification to business customers through four channels: a REST API, Bulk-Verify CSV uploads, the Chrome Extension, and the Google Sheets™ add-on. When one of these customers verifies your address, the resulting record is stored in that customer's job history together with the address in plain text. Within this relationship the business customer is the Controller under Art. 4(7) GDPR, and EmailSherlock is the Processor under Art. 28 GDPR, governed by the Data Processing Agreement we sign with every business customer before the first verification call.

To exercise your rights against these records, contact the business customer who verified you. We cannot identify the customer for you on our own initiative (that would itself disclose personal data of the customer), but on request we will confirm whether any business-customer record for your address exists and assist in forwarding your request to the relevant Controller under Art. 17(2) GDPR.

Erasure of your address from our central verify cache (section 4) does not automatically reach into business-customer job records. The two layers are legally distinct: the cache is ours, the job records belong to the customer who paid for them.

If you want to be excluded from all future verification attempts, regardless of customer, contact us through the contact form and request entry on our suppression list. Once listed, your hash is flagged and we return a suppressed status code to any customer asking about your address, without performing further verify attempts.

EmailSherlock for Google Sheets™. If you install our Google Sheets™ add-on, it works only on the spreadsheet you have open. When you run a verification it reads the email addresses in the cells you select and sends them over HTTPS to the EmailSherlock verification API (api.emailsherlock.com) to check deliverability, MX records, and disposable, role and catch-all status. The results are written back into the same spreadsheet. Your API key is stored in your Google account's per-user properties for the add-on and is never shared. The add-on does not read any other file in your Google Drive™, and it does not retain your spreadsheet contents beyond performing the verification. The addresses you verify are otherwise handled exactly like every other verification described in this policy.

EmailSherlock's use of information received from Google APIs adheres to the Google API Services User Data Policy (developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements.

§ 06 · cookies

Cookies and similar technologies#

When you first visit the website we show a consent banner that lets you accept, reject, or individually choose which cookie categories to allow. No optional cookie is set before you give your consent (§ 25(1) TDDDG). You can change or withdraw your decision at any time via the Cookie settings link in the footer. Withdrawing does not affect the lawfulness of processing carried out before.

CategoryCookie / StoragePurposeLifetime
Essential PHPSESSID Session, login state, form state. Session
Essential es_consent Remembers your cookie preferences. 12 months
Essential CSRF token (memory) Protects forms against cross-site request forgery. Session
Statistics _ga, _ga_* Google Analytics 4 with IP anonymisation. 24 months
§ 07 · logs

Server log files#

Our hosting provider records technical access data on every request: IP address, timestamp, User-Agent, requested URL, HTTP status, referrer. These logs help us defend against attacks and diagnose outages. Legal basis: Art. 6(1)(f) GDPR. Logs are rotated within 14 days unless a security incident requires longer retention.

§ 08 · sub-processors

Recipients and processors#

We rely on a small number of service providers. Each has signed a Data Processing Agreement with us where required (Art. 28 GDPR).

ProcessorPurposeRegion
Cloudflare, Inc. CDN, DNS, anti-abuse protection in front of our servers. US (DPF)
Google Ireland Ltd. Google Analytics 4, loaded only after Statistics consent. IE / US
Stripe Payments Europe, Ltd. (independent Controller, see below) Subscription and payment processing for premium products sold under the Stripe merchant-of-record model. Stripe issues the invoice, calculates and remits the applicable taxes, and handles chargebacks and refunds. IE
SendGrid / Twilio Inc. Transactional email (verification, billing notices, password reset). US (DPF)
EU-based hosting provider Server infrastructure and backups. EU

Business customers of our Bulk-Verify product (and, in future, direct API customers contracted outside the RapidAPI marketplace) sign a separate Data Processing Agreement with us at onboarding, covering the personal data they submit to us for verification. The full list of sub-processors involved in that relationship is part of that agreement and kept current there.

Stripe acts as an independent Controller. For our premium products sold via Stripe under the merchant-of-record model (Chrome Extension Pro, Claimed Host Listings), Stripe is not our Processor; Stripe processes the payment data (payment card details, billing data, fraud-detection signals, tax data) as an independent Controller within the meaning of Art. 4(7) GDPR. Stripe's own privacy notice at stripe.com/privacy governs that processing. Data is exchanged between us and Stripe to make a purchase work: we transmit order data (product, amount, customer identifier) to Stripe; Stripe transmits a payment confirmation and a customer identifier back to us so we can deliver the service. Your rights as a data subject exist in parallel against us (for the data we process about you) and against Stripe (for the data Stripe processes about you). See section 15 of the Terms of Service for the merchant-of-record details and Stripe's customer terms at stripe.com/legal/consumer.

§ 09 · transfers

International data transfers#

Some of the processors listed above are based in the United States (Cloudflare, Google, Stripe, SendGrid). Transfers to the U.S. are protected by the EU–U.S. Data Privacy Framework adequacy decision of 10 July 2023 for certified recipients, and by Standard Contractual Clauses (Art. 46(2)(c) GDPR) where the Framework does not apply.

§ 10 · business succession

Transfer of data on business succession#

EmailSherlock is currently operated as a sole proprietorship. We expect to contribute the business to a newly formed German limited liability company (GmbH) and, in a subsequent step, to organise it in a holding structure with an operating subsidiary. This section explains what happens to your personal data in that case.

Transfer of personal data. In the event of a corporate restructuring, merger, demerger, contribution of business, asset deal, or share deal involving the EmailSherlock business, personal data we hold about you may be transferred to the legal successor or acquirer as part of the business.

Legal basis. Such transfer is based on our legitimate interest (Art. 6(1)(f) GDPR) in continuing the Service without interruption and preserving the contractual relationship with you. The successor is contractually bound to honour every data-protection commitment we made to you in this policy.

Your rights continue. Your rights under the GDPR (access, rectification, erasure, restriction, portability, objection, complaint to a supervisory authority) continue to apply unchanged against the successor entity.

Advance notice and objection. We will inform you of any planned transfer at least 30 days in advance, by email to the address on file or via a prominent notice on the Website, identifying the successor and the effective date. During this notice period you may exercise your right of objection under Art. 21 GDPR, or close your account and request erasure under Art. 17 GDPR; we will process the request before the data transfer takes effect.

§ 11 · your rights

Your rights#

As a data subject you have the following rights, free of charge:

  • Access (Art. 15 GDPR): confirmation and a copy of the data we hold about you.
  • Rectification (Art. 16 GDPR): correction of inaccurate data.
  • Erasure (Art. 17 GDPR): deletion of your data where one of the grounds applies. Registered users can request account deletion in the billing area; for the central verify cache and public-page representation use our opt-out form. For business-customer job records, contact the customer who verified you (see section 5).
  • Restriction (Art. 18 GDPR): temporary block on processing.
  • Portability (Art. 20 GDPR): receive your data in a machine-readable format.
  • Objection (Art. 21 GDPR): object to processing based on legitimate interests, including direct-marketing objection.
  • Withdraw consent (Art. 7(3) GDPR): at any time, with effect only for the future. For cookies, use the Cookie settings.

Erasure reaches the central verify cache and the public-page representation when you use the opt-out form. It does not reach business-customer job records, because those belong to the customer who paid for the verification. For a global block on future verification attempts across all customers, request entry on our suppression list as described in section 5.

You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). For Berlin our competent authority is the Berliner Beauftragte für Datenschutz und Informationsfreiheit (datenschutz-berlin.de).

§ 12 · minors

Children#

EmailSherlock is not directed to children under the age of 16. If you are a parent or guardian and believe your child has provided personal data to us, please contact us and we will delete the information.

§ 13 · automated decisions

Automated decisions#

We do not use automated decision-making in the sense of Art. 22 GDPR. Our host and email scoring algorithms provide informational output only; they do not produce legal or similarly significant effects on you.

§ 14 · security

Security#

We apply technical and organisational measures appropriate to the risk: HTTPS everywhere, principle-of-least-privilege access, encrypted backups, regular dependency updates. Plain-text email addresses in business-customer job records are protected by database-level access controls and at-rest encryption on the underlying storage.

§ 15 · signup guard

Email-Guard on our own signup#

We run our own Email-Guard check on the signup form to keep disposable, fake, and mistyped addresses out of new accounts. When you enter an email address to register, we verify it the same way our paid product does (syntax, domain, MX records, mailbox deliverability, and disposable, role and catch-all signals) and use the result to allow, warn, or block the registration. For this processing there is no business customer and no Data Processing Agreement: we are the Controller in our own right under Art. 4(7) GDPR.

Legal basis. Art. 6(1)(f) GDPR. Our legitimate interest is keeping fraudulent and throwaway registrations out of the service, which would otherwise drive abuse and distort our usage and billing.

What we store. For our own signup the guard runs in a no-store mode: the address you type is checked in the moment but is not written to our search history in plain text. We keep only a keyed HMAC hash, so a repeat check of the same address can reuse the cached technical result, and a domain-only telemetry record (the domain part of the address, the verdict, and the reason codes) for abuse analytics. A bare domain is not personal data, and no full address is retained for this path.

Not an automated decision under Art. 22 GDPR. A blocked signup does not produce a legal or similarly significant effect on you. If a legitimate address is blocked, you can reach us through the contact form to complete your registration.

§ 16 · changes

Changes to this policy#

When this policy is updated we bump the version number shown at the top. If the changes affect how we process data on the basis of your consent, we will ask you to review your cookie preferences again the next time you visit. Material changes that affect business-customer obligations are communicated through your account dashboard with a minimum 30-day notice period.

§ 17 · contact

Contact#

Questions about this Privacy Policy or about how we handle your data? Reach us through our contact form or by postal mail to the address in section 1.

data-protection contact

Privacy enquiries

Open the contact form

We aim to reply within 7 days; the legal limit is 30.

complaints authority · art. 77 gdpr

Berlin DPA

Berliner Beauftragte für Datenschutz und Informationsfreiheit

Friedrichstraße 219, 10969 Berlin

datenschutz-berlin.de

The independent state authority where you can lodge a complaint. It is not part of EmailSherlock; we have not appointed a Data Protection Officer because Art. 37 GDPR does not require one for us.

Version history
  • 27 Jun 2026 · v2.2 What changed Synced the retention of business-customer verification records with what we actually run: the plain-text address is nulled 180 days after the call (plan default, configurable), while the keyed hash and result snapshot are kept until the record is deleted or the subscription ends (sections 3 and 4.3). New section 15 (Email-Guard on our own signup): discloses that we verify addresses entered on our signup form to block disposable and fake registrations, that we are Controller for this on Art. 6(1)(f) GDPR, that the address is checked but not stored (no-store, keyed hash plus domain-only telemetry), and that a block is not an Art. 22 automated decision. Lawyer review pending before publish.
  • 17 Jun 2026 · v2.1 What changed Added the EmailSherlock for Google Sheets™ add-on as a fourth verification channel (section 5) and disclosed the Google user data it accesses: it reads only the open spreadsheet's selected addresses, sends them to the verification API, writes results back, and reads no other Google Drive™ files. Added the Google API Services User Data Policy / Limited Use affirmation. No change to consent-based processing.
  • 20 May 2026 · v2.0 What changed Major restructure, not yet published. Introduced three data-subject categories, three storage layers, and explicit business-customer terms. Sub-processors moved into a live table. New section 10 (Business succession) discloses that personal data may transfer to a legal successor in the course of restructuring the EmailSherlock business into a German GmbH; anchored on Art. 6(1)(f) GDPR with a 30-day advance notice and the right to object (Art. 21) or request erasure (Art. 17) before the transfer takes effect. Lawyer review pending before publish.
  • 16 Apr 2026 · v1.0 What changed Updated cookie list, refreshed sub-processor names, clarified rights section.
Document v2.0 · effective 20 May 2026 Terms of Service · Opt out · Contact
Emailsherlock

Email intelligence since 2014. Lookups, verification, and domain reputation in one place.

All systems normal
Free tools
  • Reverse email lookup
  • Email verification
  • MX lookup
  • DNS lookup
  • Blacklist check
  • Host check
  • Chrome extension
Products
  • All products
  • Bulk verify
  • Email verification API
  • API reference
  • Integrations
  • Pricing
Privacy
  • Opt out of index
  • Data processing agreement
  • SMTP probe policy
Resources
  • Resources
  • Registrar directory
  • Network explorer
  • Contact
© 2026 Emailsherlock Terms Privacy Imprint Cookies

We value your privacy

EmailSherlock uses cookies strictly necessary to run this website. With your permission we also use optional analytics cookies (Google Analytics) to understand how the site is used. You can accept, reject, or choose which categories to allow. See our Privacy Policy for details.

Cookie preferences

Pick the categories you are comfortable with. Essential cookies are always on because the site cannot function without them.

Essential

Required for core functionality such as logging in, submitting forms, and remembering your cookie choice. These cannot be switched off.

Statistics (Google Analytics)

Anonymised traffic measurement so we can see which pages are useful. IP addresses are anonymised before processing.