Data controller
Responsible for the processing of personal data within the meaning of Art. 4(7) GDPR:
EmailSherlock
Friedrichstr. 155
10117 Berlin, Germany
Contact: via our contact form.
We have not appointed a Data Protection Officer because we are not required to do so under Art. 37 GDPR. You can reach us on any data-protection topic via the contact form above.
Three kinds of data subjects
EmailSherlock processes personal data in three distinct relationships. Different sections of this policy apply depending on which relationship is yours.
Visitors of the public website. People who use the homepage, the free reverse-lookup tool, and resource articles without a paid account. Most sections of this policy apply to you.
Account holders and paying subscribers. People with a registered account who receive transactional emails, manage subscriptions, verify addresses programmatically through our API or Bulk-Verify product, or claim a domain.
Subjects whose addresses are verified by others. People whose email address ends up in our records because a visitor, an API customer, a Bulk-Verify customer, or a Chrome Extension user looked it up, without those subjects having an account with us. Sections 4 and 5 cover what that means for you and how to exercise your rights.
What we collect and why
The table below summarises every category of personal data we process, the legal basis, and how long we keep it. Further detail follows in the numbered sections.
| Purpose | Data | Basis | Retention |
|---|---|---|---|
| Running the website | Session identifier, CSRF token, security cookies, IP address. | art 6 (1) (f) | Session · 30 days |
| Free public lookups | Search query, HMAC-hashed email, IP, User-Agent, timestamp. | art 6 (1) (f) | Cache · until opt-out |
| Programmatic verification | Plain-text address, HMAC hash, verify result snapshot, customer account, timestamp, request IP and UA. | art 6 (1) (b) art 28 | Plain text nulled after 180 days (plan default) · hash + result kept until record deleted or subscription ends |
| Signup abuse prevention | Email-Guard check on our own signup form: domain of the typed address, verdict, reason codes. The address is verified but not stored (no-store path). | art 6 (1) (f) | Domain-only telemetry · address not stored |
| Account & billing | Email, name, country, billing data, payment processor tokens. | art 6 (1) (b) art 6 (1) (c) | Contract + 10 yrs § 147 AO |
| Spam & abuse reports | Reporter email (verified), reported email, comment. | art 6 (1) (f) | 5 years · purgeable |
| Domain claiming | Email, domain, verification tokens. | art 6 (1) (b) | Until claim revoked |
| Domain monitoring (paid) | Claimed domain, monitoring schedule, host snapshots (DNS / SPF / DKIM / DMARC / SSL / blacklists), alert preferences, notification recipients, account ID. | art 6 (1) (b) | Subscription lifetime + 12 mo |
| Contact form | Name, email, message content. | art 6 (1) (f) | 12 months |
| Analytics | Shortened IP, randomised client ID, device type, page events (Google Analytics 4). | art 6 (1) (a) § 25 (1) TDDDG | 14 months |
Storage layers and how erasure works
When an email address enters our system, it can land in up to three separate storage layers. Each layer follows different retention and erasure rules. The distinction matters if you want to exercise your right to erasure under Art. 17 GDPR.
Central verify cache. One record per address with the technical verify facts: mail host, deliverability state, last check timestamp. The address is stored as an HMAC-SHA256 hash with a server-side secret (always) and in plain text (only while not anonymised). On erasure request from the subject we null the plain text and the inferred enrichment, and keep the hash plus the technical facts. The hash is not reversible without our secret, so the remaining record is no longer personal data in the sense of Art. 4(1) GDPR.
Public-page representation. Only created when a visitor of the public website searches an address. Holds the page passkey (URL identifier), social-profile enrichment, and public-page search counters. On erasure request from the subject, all personal-data fields are nulled and the public result page returns a Not Found status, so the address can no longer be looked up here.
Business customer job records. Created when an API customer, a Bulk-Verify customer, or a Chrome Extension user verifies an address. Holds the address in plain text plus the result snapshot at the time of the call. The plain-text address is nulled after the retention window set by the customer's plan (180 days by default, configurable per plan), counted from the verification call. After that point the record keeps only the keyed hash and the result snapshot, kept under the customer's account until the record is deleted or the subscription ends. These records belong to the customer who created them. Erasure goes through the customer, not through us. See section 5.
To trigger erasure of the central verify cache and the public-page representation for an address you control, use our opt-out form. We verify ownership by sending a confirmation link to that address before processing.
If a business customer verified your address
EmailSherlock offers paid verification to business customers through four channels: a REST API, Bulk-Verify CSV uploads, the Chrome Extension, and the Google Sheets™ add-on. When one of these customers verifies your address, the resulting record is stored in that customer's job history together with the address in plain text. Within this relationship the business customer is the Controller under Art. 4(7) GDPR, and EmailSherlock is the Processor under Art. 28 GDPR, governed by the Data Processing Agreement we sign with every business customer before the first verification call.
To exercise your rights against these records, contact the business customer who verified you. We cannot identify the customer for you on our own initiative (that would itself disclose personal data of the customer), but on request we will confirm whether any business-customer record for your address exists and assist in forwarding your request to the relevant Controller under Art. 17(2) GDPR.
Erasure of your address from our central verify cache (section 4) does not automatically reach into business-customer job records. The two layers are legally distinct: the cache is ours, the job records belong to the customer who paid for them.
If you want to be excluded from all future verification attempts, regardless of customer,
contact us through the contact form and request entry
on our suppression list. Once listed, your hash is flagged and we return a
suppressed status code to any customer asking about your address, without
performing further verify attempts.
EmailSherlock for Google Sheets™. If you install our Google Sheets™
add-on, it works only on the spreadsheet you have open. When you run a verification it reads the
email addresses in the cells you select and sends them over HTTPS to the EmailSherlock
verification API (api.emailsherlock.com) to check deliverability, MX records, and
disposable, role and catch-all status. The results are written back into the same spreadsheet.
Your API key is stored in your Google account's per-user properties for the add-on and is never
shared. The add-on does not read any other file in your Google Drive™, and it does not
retain your spreadsheet contents beyond performing the verification. The addresses you verify
are otherwise handled exactly like every other verification described in this policy.
EmailSherlock's use of information received from Google APIs adheres to the Google API Services User Data Policy (developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements.
Server log files
Our hosting provider records technical access data on every request: IP address, timestamp, User-Agent, requested URL, HTTP status, referrer. These logs help us defend against attacks and diagnose outages. Legal basis: Art. 6(1)(f) GDPR. Logs are rotated within 14 days unless a security incident requires longer retention.
Recipients and processors
We rely on a small number of service providers. Each has signed a Data Processing Agreement with us where required (Art. 28 GDPR).
| Processor | Purpose | Region |
|---|---|---|
| Cloudflare, Inc. | CDN, DNS, anti-abuse protection in front of our servers. | US (DPF) |
| Google Ireland Ltd. | Google Analytics 4, loaded only after Statistics consent. | IE / US |
| Stripe Payments Europe, Ltd. (independent Controller, see below) | Subscription and payment processing for premium products sold under the Stripe merchant-of-record model. Stripe issues the invoice, calculates and remits the applicable taxes, and handles chargebacks and refunds. | IE |
| SendGrid / Twilio Inc. | Transactional email (verification, billing notices, password reset). | US (DPF) |
| EU-based hosting provider | Server infrastructure and backups. | EU |
Business customers of our Bulk-Verify product (and, in future, direct API customers contracted outside the RapidAPI marketplace) sign a separate Data Processing Agreement with us at onboarding, covering the personal data they submit to us for verification. The full list of sub-processors involved in that relationship is part of that agreement and kept current there.
Stripe acts as an independent Controller. For our premium products sold via Stripe under the merchant-of-record model (Chrome Extension Pro, Claimed Host Listings), Stripe is not our Processor; Stripe processes the payment data (payment card details, billing data, fraud-detection signals, tax data) as an independent Controller within the meaning of Art. 4(7) GDPR. Stripe's own privacy notice at stripe.com/privacy governs that processing. Data is exchanged between us and Stripe to make a purchase work: we transmit order data (product, amount, customer identifier) to Stripe; Stripe transmits a payment confirmation and a customer identifier back to us so we can deliver the service. Your rights as a data subject exist in parallel against us (for the data we process about you) and against Stripe (for the data Stripe processes about you). See section 15 of the Terms of Service for the merchant-of-record details and Stripe's customer terms at stripe.com/legal/consumer.
International data transfers
Some of the processors listed above are based in the United States (Cloudflare, Google, Stripe, SendGrid). Transfers to the U.S. are protected by the EU–U.S. Data Privacy Framework adequacy decision of 10 July 2023 for certified recipients, and by Standard Contractual Clauses (Art. 46(2)(c) GDPR) where the Framework does not apply.
Transfer of data on business succession
EmailSherlock is currently operated as a sole proprietorship. We expect to contribute the business to a newly formed German limited liability company (GmbH) and, in a subsequent step, to organise it in a holding structure with an operating subsidiary. This section explains what happens to your personal data in that case.
Transfer of personal data. In the event of a corporate restructuring, merger, demerger, contribution of business, asset deal, or share deal involving the EmailSherlock business, personal data we hold about you may be transferred to the legal successor or acquirer as part of the business.
Legal basis. Such transfer is based on our legitimate interest (Art. 6(1)(f) GDPR) in continuing the Service without interruption and preserving the contractual relationship with you. The successor is contractually bound to honour every data-protection commitment we made to you in this policy.
Your rights continue. Your rights under the GDPR (access, rectification, erasure, restriction, portability, objection, complaint to a supervisory authority) continue to apply unchanged against the successor entity.
Advance notice and objection. We will inform you of any planned transfer at least 30 days in advance, by email to the address on file or via a prominent notice on the Website, identifying the successor and the effective date. During this notice period you may exercise your right of objection under Art. 21 GDPR, or close your account and request erasure under Art. 17 GDPR; we will process the request before the data transfer takes effect.
Your rights
As a data subject you have the following rights, free of charge:
- Access (Art. 15 GDPR): confirmation and a copy of the data we hold about you.
- Rectification (Art. 16 GDPR): correction of inaccurate data.
- Erasure (Art. 17 GDPR): deletion of your data where one of the grounds applies. Registered users can request account deletion in the billing area; for the central verify cache and public-page representation use our opt-out form. For business-customer job records, contact the customer who verified you (see section 5).
- Restriction (Art. 18 GDPR): temporary block on processing.
- Portability (Art. 20 GDPR): receive your data in a machine-readable format.
- Objection (Art. 21 GDPR): object to processing based on legitimate interests, including direct-marketing objection.
- Withdraw consent (Art. 7(3) GDPR): at any time, with effect only for the future. For cookies, use the Cookie settings.
Erasure reaches the central verify cache and the public-page representation when you use the opt-out form. It does not reach business-customer job records, because those belong to the customer who paid for the verification. For a global block on future verification attempts across all customers, request entry on our suppression list as described in section 5.
You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). For Berlin our competent authority is the Berliner Beauftragte für Datenschutz und Informationsfreiheit (datenschutz-berlin.de).
Children
EmailSherlock is not directed to children under the age of 16. If you are a parent or guardian and believe your child has provided personal data to us, please contact us and we will delete the information.
Automated decisions
We do not use automated decision-making in the sense of Art. 22 GDPR. Our host and email scoring algorithms provide informational output only; they do not produce legal or similarly significant effects on you.
Security
We apply technical and organisational measures appropriate to the risk: HTTPS everywhere, principle-of-least-privilege access, encrypted backups, regular dependency updates. Plain-text email addresses in business-customer job records are protected by database-level access controls and at-rest encryption on the underlying storage.
Email-Guard on our own signup
We run our own Email-Guard check on the signup form to keep disposable, fake, and mistyped addresses out of new accounts. When you enter an email address to register, we verify it the same way our paid product does (syntax, domain, MX records, mailbox deliverability, and disposable, role and catch-all signals) and use the result to allow, warn, or block the registration. For this processing there is no business customer and no Data Processing Agreement: we are the Controller in our own right under Art. 4(7) GDPR.
Legal basis. Art. 6(1)(f) GDPR. Our legitimate interest is keeping fraudulent and throwaway registrations out of the service, which would otherwise drive abuse and distort our usage and billing.
What we store. For our own signup the guard runs in a no-store mode: the address you type is checked in the moment but is not written to our search history in plain text. We keep only a keyed HMAC hash, so a repeat check of the same address can reuse the cached technical result, and a domain-only telemetry record (the domain part of the address, the verdict, and the reason codes) for abuse analytics. A bare domain is not personal data, and no full address is retained for this path.
Not an automated decision under Art. 22 GDPR. A blocked signup does not produce a legal or similarly significant effect on you. If a legitimate address is blocked, you can reach us through the contact form to complete your registration.
Changes to this policy
When this policy is updated we bump the version number shown at the top. If the changes affect how we process data on the basis of your consent, we will ask you to review your cookie preferences again the next time you visit. Material changes that affect business-customer obligations are communicated through your account dashboard with a minimum 30-day notice period.
Contact
Questions about this Privacy Policy or about how we handle your data? Reach us through our contact form or by postal mail to the address in section 1.
Privacy enquiries
We aim to reply within 7 days; the legal limit is 30.
Berlin DPA
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstraße 219, 10969 Berlin
The independent state authority where you can lodge a complaint. It is not part of EmailSherlock; we have not appointed a Data Protection Officer because Art. 37 GDPR does not require one for us.
- 27 Jun 2026 · v2.2 What changed Synced the retention of business-customer verification records with what we actually run: the plain-text address is nulled 180 days after the call (plan default, configurable), while the keyed hash and result snapshot are kept until the record is deleted or the subscription ends (sections 3 and 4.3). New section 15 (Email-Guard on our own signup): discloses that we verify addresses entered on our signup form to block disposable and fake registrations, that we are Controller for this on Art. 6(1)(f) GDPR, that the address is checked but not stored (no-store, keyed hash plus domain-only telemetry), and that a block is not an Art. 22 automated decision. Lawyer review pending before publish.
- 17 Jun 2026 · v2.1 What changed Added the EmailSherlock for Google Sheets™ add-on as a fourth verification channel (section 5) and disclosed the Google user data it accesses: it reads only the open spreadsheet's selected addresses, sends them to the verification API, writes results back, and reads no other Google Drive™ files. Added the Google API Services User Data Policy / Limited Use affirmation. No change to consent-based processing.
- 20 May 2026 · v2.0 What changed Major restructure, not yet published. Introduced three data-subject categories, three storage layers, and explicit business-customer terms. Sub-processors moved into a live table. New section 10 (Business succession) discloses that personal data may transfer to a legal successor in the course of restructuring the EmailSherlock business into a German GmbH; anchored on Art. 6(1)(f) GDPR with a 30-day advance notice and the right to object (Art. 21) or request erasure (Art. 17) before the transfer takes effect. Lawyer review pending before publish.
- 16 Apr 2026 · v1.0 What changed Updated cookie list, refreshed sub-processor names, clarified rights section.