Privacy Policy
Last updated: May 1, 2026
This Privacy Policy describes how Surewyse (“Surewyse”, “we”, “us”) collects, uses, discloses, and safeguards personal data when you visit our website, sign up for an account, or use the Service. It supplements (and does not replace) our Terms of Use and GDPR statement.
1. Who we are (Controller)
For data we collect about our customers and visitors (account holders, prospects, billing contacts), Surewyse is the data controller.
For email addresses you submit to verify (“Submitted Data”), you are the controller and we act as your data processor under our Data Processing Addendum.
You can contact us about privacy at privacy@surewyse.com.
2. What we collect
2.1 Information you give us
- Account data: name, email address, hashed password (or Google ID if you sign in with Google), API key prefix (the full key is hashed at rest).
- Billing data: plan selection, billing email, transaction reference, payment status, narration. Payment-card details are entered on our processor’s hosted page (Lipila / DPO) and never touch our servers; we receive only a tokenized reference and amount.
- Communications: messages you send to support, sales, or legal.
- AppSumo redemption data (if applicable): the code you redeem and the email tied to your AppSumo purchase.
2.2 Information we collect automatically
- Login events: IP address, user-agent string, derived device/OS/browser, and (only when you tick “remember this device”) approximate geolocation derived from IP.
- Service-usage logs: verifications you initiate, including the email address checked, the verdict, score, and per-check signals (syntax, MX, SMTP, etc.). These appear in your dashboard history.
- Web analytics: pages visited, referrer, and timestamps. We do not run third-party advertising trackers.
- Cookies and similar technologies: see our Cookie Policy.
2.3 Submitted Data (the addresses you verify)
When you verify an address, we store the address, the verdict, the score, and the per-check signals in your account’s history so you can review and export it. We do not sell, rent, or share Submitted Data with advertisers, data brokers, or any third party for marketing purposes.
3. Why we use your data (lawful bases)
| Purpose | Examples | Lawful basis (GDPR) |
|---|---|---|
| Provide the Service | Run verification checks, render dashboard, store history, issue API keys | Contract (Art. 6(1)(b)) |
| Billing & fraud prevention | Process payments, detect chargebacks, prevent abuse of free quota | Contract; legitimate interests (Art. 6(1)(f)) |
| Security | Login auditing, rate limiting, blocking unauthorized access | Legitimate interests; legal obligation (Art. 6(1)(c)) |
| Communications | Welcome email, billing receipts, security notices, product updates | Contract; legitimate interests; consent for marketing where required |
| Compliance | Tax records, responding to lawful requests | Legal obligation |
| Improving the Service | De-identified, aggregated analytics on verifier accuracy and latency | Legitimate interests |
4. SMTP probing — what hits remote mail servers
To verify an address, our verifier opens an SMTP connection to the recipient’s MX server and issues EHLO → MAIL FROM → RCPT TO commands using a neutral “mail-from” identity (configured as VERIFIER_FROM_EMAIL). We do not send the message body, attachments, or any unsolicited mail. Our probes do not appear in the recipient’s inbox.
5. Who we share data with
We use a small set of vetted sub-processors to operate the Service. We do not sell personal data.
| Sub-processor | Purpose | Data shared | Region |
|---|---|---|---|
| Amazon Web Services (SES) | Outbound transactional email (welcome, billing, security) | Recipient email, message body | EU / US |
| Lipila + DPO | Card and mobile-money collections | Name, email, billing reference, amount | Africa / EU |
| Google (Sign-in with Google) | Federated authentication | Email, Google ID, name (only if you choose Google sign-in) | Global |
| ip-api.com | Approximate geolocation for “remember device” events | IP address | EU |
| Hosting provider | Compute, storage, networking | All Service data at rest | EU / US (configurable) |
We may also disclose personal data: (i) to comply with legal process; (ii) to enforce our Terms; (iii) to protect rights, property, or safety; (iv) in connection with a merger, acquisition, or asset sale, in which case we will notify affected customers.
6. International transfers
If we transfer personal data out of the European Economic Area, the United Kingdom, or another jurisdiction with cross-border transfer rules, we rely on (a) Standard Contractual Clauses approved by the European Commission, (b) the UK International Data Transfer Addendum, or (c) another lawful transfer mechanism. A copy of the SCCs in force is available on request from privacy@surewyse.com.
7. How long we keep data
| Category | Retention |
|---|---|
| Account record | For the life of the account, plus 30 days after closure |
| Verification history | Until you delete it from your dashboard, or 24 months after your last login if your account is inactive |
| Login events | 12 months |
| Billing records | 7 years (tax / accounting requirement) |
| Support correspondence | 3 years |
| Server logs | 30 days |
8. Your rights
Subject to your jurisdiction, you have the right to access your personal data, rectify inaccuracies, request deletion, restrict or object to processing, request data portability, and withdraw consent (where processing is based on consent). EU/UK/EEA residents have these rights under the GDPR; California residents have analogous rights under the CCPA/CPRA, including the right not to be discriminated against for exercising them.
To exercise any right, email privacy@surewyse.com from the address tied to your account. We respond within 30 days. You also have the right to lodge a complaint with your supervisory authority.
9. Security
We implement organizational and technical measures appropriate to the risk, including: encryption in transit (TLS), bcrypt password hashing, hashed API keys at rest, CSRF protection on all state-changing endpoints, prepared statements for database access, role-segregated infrastructure, restricted access to production data, and monitored logins.
No system is perfectly secure. Notify us immediately at security@surewyse.com if you suspect a breach of your account.
10. Children
The Service is not directed to children under 16, and we do not knowingly collect personal data from them. If you believe a child has provided us data, contact privacy@surewyse.com and we will delete it.
11. Automated decision-making
Verification verdicts are produced algorithmically and may be considered automated decisions. The verdicts are advisory, not legally binding decisions about the data subject; you, as our customer, decide what to do with them. You retain meaningful human oversight of any downstream action.
12. Changes to this policy
We will update this policy from time to time and revise the “Last updated” date. For material changes, we will notify customers by email or in-product banner before the change takes effect.
13. Contact
Privacy questions, access requests, deletion requests:
privacy@surewyse.com