Privacy Policy
This policy explains what information MailCull handles, why it is used, who processes it on our behalf, how long it is kept, and the rights you have over your data.
1. Who runs the service
The data controller for MailCull is the MailCull team, operating from Maharashtra, India (“we”, “us”, “MailCull”). For privacy-related questions, contact [email protected]. For general support, contact [email protected].
When you upload a list of email addresses to be verified, you act as the data controller for the people in that list and we act as a processor on your behalf for that processing. If you require formal data-processing terms (a Data Processing Addendum or equivalent) to satisfy your own compliance obligations, email [email protected] and we will work with you on terms that fit your situation.
Applicable laws. We process personal data subject to the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act and equivalent US state laws (Colorado, Connecticut, Utah, Virginia, and others), and the Indian Digital Personal Data Protection Act, 2023 (the “DPDP Act”), each as applicable to the data subject’s jurisdiction. Where these laws use different terms for the same concept (controller / fiduciary; processor / data processor; data subject / data principal) we use the GDPR terminology in this policy for consistency.
2. Information we collect
- Account information. Username, display name, email address, password hash, account timestamps, and account role.
- Validation input. Uploaded CSV content and extracted email addresses submitted through Verify List, and single-address lookups submitted through Verify Email.
- Validation output. Statuses, scores, evidence flags, history entries, and exports generated from the input above.
- Operational metadata. Job status, export history, session activity, IP address, user agent, and device or browser fingerprint information tied to account use.
- Billing information. If you subscribe to Pro, our payment provider (Paddle) collects and stores your payment-method details, billing address, and tax-relevant information. We receive a redacted summary back from Paddle (subscription status, period end, customer reference, last four digits of the card) but never the full card number.
- API metadata. If you use the public API on a Pro account, we record which key issued each request, the endpoint, the response status, and unit-consumption counters for billing and quota purposes. Idempotency-Key values you send are stored briefly to support safe retries.
- Service analytics. When analytics is enabled for the deployment, we record event metadata (page views, feature interactions, jobs started, jobs completed) to understand product usage. Analytics events do not include uploaded email addresses.
- Support correspondence. Anything you send us when you ask for help.
3. How we use information and our legal bases
We process the information above for the following purposes. Where the GDPR applies, the legal basis is given in brackets.
- To authenticate users, keep accounts and sessions working, and let you manage them. (Contract.)
- To process your uploaded lists, email checks, exports, and account history as the service you signed up for. (Contract.)
- To take payments, manage subscriptions, issue receipts, and handle refunds and tax. (Contract; legal obligation for tax records.)
- To enforce per-user quotas, rate limits, audit records, and abuse monitoring. (Legitimate interest in keeping the service safe and reliable.)
- To send transactional messages (password resets, billing notices, security alerts). (Contract; legitimate interest.)
- To improve reliability, understand product usage, and investigate operational issues. (Legitimate interest in running and improving the service.)
- To comply with legal obligations and to defend legal claims. (Legal obligation; legitimate interest.)
We do not sell personal information, and we do not use the email addresses you submit for advertising or to contact the people in your lists.
4. How validation data is handled
When you upload a CSV file or run an email check, the submitted email data is processed to generate statuses, scores, explanations, history entries, and exports. Deep-scan checks may include a mailbox-level probe of the receiving server using the public SMTP protocol. We do not send marketing or test mail to the addresses you submit.
If you choose to request an optional AI read on a result, the address and its validation signals are sent to our AI sub-processor (OpenAI) to generate a plain-English summary and recommendation; see section 5. This is the only situation in which the addresses you check leave our infrastructure for a non-essential feature, and it happens only at your explicit request, per check.
List history and single-email history remain attached to your account until you delete them. The raw uploaded CSV file is removed from disk on a short operational cycle (see retention below); the extracted results stay in your account history.
Automated processing. Validation produces statuses (deliverable, risky, undeliverable, unknown) and confidence scores through automated processing of public DNS, MX, and SMTP signals. These statuses are descriptive operational guidance about address-level deliverability. They do not produce a “legal or similarly significant effect” on the individuals validated within the meaning of Article 22 of the GDPR or equivalent provisions in other privacy laws. The customer making the upload remains responsible for any decision they make using these statuses, including any decision about whether to send mail to a given recipient.
5. Sub-processors and third parties
We use a small number of third-party services to operate MailCull. Each one only sees the categories of data it needs for its function.
- Paddle (Paddle.com Market Ltd. and its affiliates): Merchant of Record for Pro subscriptions. Handles checkout, payment processing, billing, tax, and refunds. Sees your billing email, payment method, billing address, and tax-relevant information.
- Hosting and database infrastructure: Hetzner Online GmbH (Germany). Runs the application and stores account data, validation history, and exports.
- Email delivery: Amazon Web Services, Inc. (Amazon SES). Delivers transactional messages such as password resets and admin login codes.
- Password breach lookup: Have I Been Pwned (Pwned Passwords API, operated by Have I Been Pwned Pty Ltd). Used only when you set or change a password (registration, password change, password reset) to check whether the password has appeared in known public data breach corpuses, so we can warn you and refuse the choice. Only a five-character k-anonymous prefix of a SHA-1 derivation of the password is sent over the network. The full hash, the password itself, your email address, and your username are never sent.
- Product analytics: Mixpanel, Inc. Records anonymised feature-usage events when analytics is enabled. Does not receive the email addresses you upload or check.
- Web analytics: Google LLC (Google Analytics). Measures aggregate page-level traffic on public pages.
- AI Analyst ("AI read"): OpenAI (OpenAI, L.L.C. and its affiliates). Used only when you explicitly request an AI read on a result. When you do, the address being analysed and its validation signals (status, score, and finding codes) are sent to OpenAI to generate a plain-English summary and recommendation. The feature is optional and off unless you trigger it; if you never use it, no validation data is sent to OpenAI. OpenAI processes this data via its API, under which it does not use the inputs to train its models. The deterministic verdict is produced entirely on our own infrastructure and does not depend on OpenAI.
We will keep this list current as the underlying infrastructure changes. Material additions of new sub-processors that handle personal data will be reflected in this policy before they begin processing.
6. Retention
The current operational retention windows are listed below. They may change as the product evolves; material reductions will be announced before they take effect.
- Uploaded CSV files on disk: removed approximately 2 days after the run completes.
- Generated export files (CSV/ZIP) on disk: kept for approximately 7 days after they finish so you can re-download them.
- List run records and results in your history: kept until you delete them yourself from the product.
- Verify Email history rows: kept until you delete them yourself from the Verify Email page.
- Sessions: extend on each visit and are capped at 90 days regardless of activity, after which a new sign-in is required.
- API idempotency records: kept for approximately 24 hours so retries can be matched to the original request, then removed.
- Domain intelligence cache: approximately 14 days.
- Billing webhook payloads from Paddle: the row metadata is kept for accounting purposes; the raw payment payload is redacted on a fixed schedule (currently after approximately 90 days).
- Account deletion: if you ask us to delete your account (currently by emailing [email protected] from your registered address; we are working towards a self-serve flow in the product), we remove your sessions, list runs, results, exports, single-email history, API keys and idempotency records, and password-reset tokens in cascade. We respond within seven days and process eligible deletion requests within that window. If your account has active paid access, pending charges, or legal/accounting retention requirements, we will explain the required next step (for example, cancellation or refund through the Paddle billing portal first) and process deletion once the prerequisite is cleared. Aggregate billing-transaction metadata required for accounting and tax purposes is retained as long as legally required, with the direct user reference removed.
7. International data transfers
MailCull infrastructure is hosted in Germany. Some of our sub-processors operate in other regions (for example, Paddle operates from the United Kingdom and the United States). Where personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, the transfer relies on Standard Contractual Clauses or another approved transfer mechanism.
8. Your privacy rights
Depending on where you live, you may have some or all of the following rights over the personal information we hold about you.
- Access. Ask for a copy of the personal data we hold on your account.
- Correction. Ask us to correct inaccurate or incomplete information.
- Deletion. Ask us to delete your personal data. Individual list runs and Verify Email history rows can be deleted directly from the product. Account deletion is currently handled manually: use the Delete button on the Account page (it opens a pre-filled email to [email protected]) or email us directly. We are working towards a self-serve flow in the product. The handling steps and timing are described in section 6 above.
- Portability. Ask for a machine-readable export of your account data. Verify List exports already provide the validation results in CSV.
- Restriction and objection. Ask us to stop or limit certain kinds of processing, including objecting to processing based on legitimate interest.
- Withdrawing consent. Where processing is based on your consent, you can withdraw it at any time without affecting the legality of earlier processing.
- Complaint. If you are in the European Economic Area or the United Kingdom, you have the right to lodge a complaint with your local data-protection supervisory authority.
Residents of California, Colorado, Connecticut, Utah, Virginia, and other US states with comprehensive privacy laws have substantially similar rights, including the right to know what personal information we collect, the right to delete it, the right to correct it, and the right to opt out of any sale or sharing of personal information for cross-context behavioural advertising. We do not sell personal information.
Indian residents (DPDP Act, 2023). If you are in India, the rights provided under sections 11–14 of the Digital Personal Data Protection Act, 2023 apply: the right to obtain a summary of the personal data being processed and the processing activities, the right to correction or erasure of inaccurate or no-longer-needed data, the right to grievance redressal, and the right of nomination. To exercise these rights or to raise a grievance, email [email protected]. If your grievance is not resolved to your satisfaction, you may complain to the Data Protection Board of India once it is operational.
To exercise any of these rights, email [email protected] from the address associated with your account. We respond within the time-frame required by law (usually one month under the GDPR; 45 days under the CCPA; the period required by the DPDP Act and its rules).
9. Children’s privacy
MailCull is not intended for children. You must be at least 16 years old to create an account. We do not knowingly collect personal information from anyone under that age. If you believe a child under 16 has used the service, contact [email protected] and we will delete the account.
10. Cookies and sessions
MailCull uses a small number of strictly-necessary cookies and similar local-storage entries to keep you signed in, protect against cross-site request forgery, and remember basic UI preferences. We do not use advertising cookies.
Where product or web analytics is enabled, the analytics provider may set its own cookies or device identifiers. The analytics provider list in section 5 names which providers are currently in use.
11. Security
We use account controls, write protections, quotas, encrypted transport (HTTPS), per-user rate limits, audit logging, and other technical and organisational measures to reduce misuse and unauthorised access. Passwords are stored using a salted hashing algorithm; we never see them in clear form. Credentials, tokens, and signature material are redacted from sensitive logs before they are written.
No online service can promise absolute security, so you should also protect your own credentials, use a strong password, and keep API keys private.
12. Disclosures required by law
We may disclose personal data to law enforcement, regulators, courts, or other authorities when required to do so by valid legal process (for example, a court order, subpoena, or other binding legal request issued by a court or authority of competent jurisdiction). We disclose only the data scope responsive to that process.
Where it is lawful and not prohibited by the legal process itself (for example, by a non-disclosure provision attached to a national-security request), we will notify the affected user before responding so they have the opportunity to seek a protective order or otherwise contest the request.
We may also disclose personal data where we reasonably believe it is necessary to investigate, prevent, or take action against fraud, abuse of the service, threats to platform stability, or violations of section 3 of the Terms of Service.
13. Data breach notification
If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within the time-frame required by applicable law (72 hours under the GDPR; the period required by the DPDP Act and its rules), and we will notify affected users without undue delay where the breach is likely to result in a high risk to them.
14. Your choices in the product
Several controls are available directly inside the product without contacting us:
- Update profile details, change password, and revoke active sessions on the Account page.
- Manage API keys (create, view metadata, revoke) on the Account page.
- Delete an individual list run from its detail page; deleting a run removes its results, logs, and exports.
- Delete an individual Verify Email check from the Verify Email history page.
- Cancel your Pro subscription through the Paddle customer portal (Account → Manage billing) at any time; see Terms of Service section 6.
Account deletion is not yet self-serve. To request deletion, use the Delete button on the Account page (which opens a pre-filled email to [email protected]) or email us directly. We respond within seven days and process eligible requests within that window; if your account has active paid access, pending charges, or accounting-retention requirements, we will explain the prerequisite step (typically cancellation through Paddle and waiting for the period to end) and process deletion once it is cleared. The full handling and retention rules are in section 6 above.
15. Privacy contact
For privacy-specific requests, including data-subject rights, sub-processor questions, or anything else covered in this policy, contact [email protected].
For general support, billing, or account questions, [email protected] is the right address.
16. Policy updates
This policy may be updated over time to reflect product, infrastructure, legal, or operational changes. The effective date at the top is updated whenever the policy changes. Material changes will also be communicated to active users through the product or by email.