GDPR & Compliance Guide

This guide addresses data protection and regulatory compliance questions for organizations evaluating or using Emailyze. It covers what data Emailyze processes, the legal basis for processing, retention policies, and options for organizations with strict data residency requirements.

#### What Data Emailyze Processes

Emailyze is designed to minimize personal data processing. The API accepts an email address or domain name as input, but the system operates on the domain portion only.

What is processed: The domain part of the submitted email address (e.g., example.com from user@example.com). Domain names are not personal data under GDPR — they are organizational or service identifiers.
What is not stored: The local part of the email address (the username before @) is not stored in Emailyze's database. It is parsed transiently to extract the domain and is not persisted.
API request logs: Emailyze retains API request logs for operational purposes (latency, status codes, error rates). These logs contain the domain checked, the API key identifier, and a timestamp. They do not contain the full email address or any personal identifier of the end user whose email was submitted.

This architecture means Emailyze processes no personal data about the email address owners whose addresses are being validated. The only personal data in scope is the dashboard user's account information (email and password) and the API key credentials.

#### Data Retention Policy

| Data Type | Retention Period | Notes | |-----------|-----------------|-------| | Domain records | Indefinite | Operational database; updated continuously by ETL pipeline | | API request logs | 90 days | Rolled after 90 days; used for billing and abuse detection | | Dashboard account data | Duration of account | Deleted within 30 days of account deletion request | | Feedback submissions | 12 months | Used to improve classification accuracy |

Retention periods are subject to change; see the Privacy Policy for the current version.

#### GDPR Lawful Basis

Emailyze's lawful basis for processing data is legitimate interest (Article 6(1)(f) GDPR) in the context of fraud prevention and service delivery.

For Emailyze as a data processor: When customers use the Emailyze API to validate email addresses collected during their own user registration or checkout flows, Emailyze acts as a data processor under Article 28 GDPR. The customer (data controller) is responsible for ensuring they have a valid lawful basis for the underlying email address collection. Emailyze's role is limited to domain-level classification, which does not involve processing personal data about the email address owners.

For Emailyze as a data controller: Emailyze processes dashboard users' account data (email, password hash) on the basis of contract performance (Article 6(1)(b)) — necessary to provide the service — and legitimate interest for fraud prevention and abuse detection.

#### Data Processing Agreement (DPA)

A Data Processing Agreement is available for customers on Starter plans and above. The DPA formalizes Emailyze's obligations as a data processor under Article 28 GDPR, including:

Processing only as instructed by the controller
Implementing appropriate technical and organizational security measures
Assisting with data subject rights requests
Notifying of security incidents within 72 hours
Deleting or returning data upon contract termination

To request a DPA, contact hi@emailyze.dev with the subject line "DPA Request" and your account email.

#### On-Premise Deployment for Full Data Residency

Organizations with strict data residency requirements — including those subject to data localization laws or internal policies prohibiting data transfer outside a specific jurisdiction — can deploy Emailyze on-premise.

Growth and Enterprise plans include access to the hourly JSONL data dump (GET /v1/download/), which contains the full classified domain list. This allows you to:

1. Download the domain database to your own infrastructure 2. Run all lookups locally without any data leaving your network 3. Integrate the domain list into your own classification pipeline

For full on-premise deployment including the API server, scoring pipeline, and ETL components, contact sales for the Enterprise self-hosted option.

#### CCPA Considerations

Emailyze's data practices are compatible with the California Consumer Privacy Act (CCPA):

Domain names are not personal information under CCPA (Cal. Civ. Code § 1798.140(v)). Domain classification data does not identify or is not reasonably linkable to a specific consumer.
Dashboard user data (account email) qualifies as personal information under CCPA. California residents may exercise rights to access, delete, and opt out of sale. Emailyze does not sell personal information.
Data subject rights requests for dashboard account data can be submitted to hi@emailyze.dev.

#### How to Request Data Deletion

For dashboard account data:

Submit a deletion request to hi@emailyze.dev from the email address associated with your account. Include "Account Deletion Request" in the subject line. Emailyze will:

1. Confirm receipt within 2 business days 2. Delete or anonymize your account data within 30 days 3. Confirm completion by email

Account deletion includes: account credentials, API keys, usage logs linked to your account, and feedback submissions. Anonymized aggregate usage data may be retained for billing reconciliation.

For API request logs:

API request logs are retained for 90 days and then automatically purged. If you require earlier deletion, submit a request to hi@emailyze.dev with your API key identifier (visible in the dashboard) and the approximate date range.

#### Security Measures

Emailyze implements the following technical and organizational measures relevant to compliance:

Encryption in transit: All API traffic is served over HTTPS (TLS 1.2+). No HTTP access.
Encryption at rest: Database and storage encrypted at rest.
Access controls: Dashboard access is protected by email + password authentication with email verification required. API access is controlled by per-key credentials.
Audit logging: API request logs capture key identifier, domain, latency, and status for audit purposes.
Incident response: Security incidents are investigated and, where required, reported to affected customers within 72 hours.

For detailed security architecture, see the [Security page](/blog/trust/security).