Last updated: April 1, 2026
For the purposes of email verification and the Email Finder service, HeroBounce acts as a Data Processor under Article 28 of the GDPR. Our users are the Data Controllers. This means:
HeroBounce is the Data Controller only for data relating to the management of user accounts (name, email address, billing information, usage logs). This Privacy Policy covers both roles where relevant.
HeroBounce ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our email validation service.
This policy complies with the General Data Protection Regulation (GDPR) and the Spanish Organic Law on Data Protection and Guarantee of Digital Rights (LOPDGDD).
Company: HeroBounce
Contact Email: support@herobounce.com
As Data Controller — HeroBounce controls the processing of user account data (names, email addresses, billing information, login activity). This is the traditional "controller" relationship between HeroBounce and its registered users.
As Data Processor — When users submit emails for verification or use the Email Finder, HeroBounce acts as a Data Processor under Article 28 GDPR, processing personal data strictly on the user's instructions. The user is the Data Controller for those lookups and bears responsibility for their lawful basis. See our full Data Processing Agreement in the Terms of Service §2A.
Important: Email addresses you validate are processed for validation purposes only. We do not use validated email addresses for marketing or share them with third parties.
To improve validation accuracy and reduce response times, we collect and cache aggregated, anonymized domain-level technical data. This data is shared across all users to benefit the overall service quality:
Privacy note: Domain intelligence data is technical and domain-level only. It contains no personal email addresses, names, or identifying information. It relates to mail server configuration, not to individuals.
DNS and infrastructure data is cached for up to 90 days. Email format patterns are cached for up to 180 days, after which they are re-verified. You may request deletion of any data associated with your account at any time.
When you use the Email Finder feature, we process lookup inputs (name, domain) and results on your instruction as Data Controller. Results are stored in your account for 30 days, then permanently deleted. A DPA acceptance log is retained for legal compliance.
Individuals can permanently opt out at herobounce.com/optout.
We use the following third-party services to operate HeroBounce. Each service has its own privacy policy:
We use Stripe to process payments securely. Stripe collects billing information, payment card details, and transaction data.
Privacy Policy: https://stripe.com/privacy
We store your account data, validation history, and usage statistics in a secure PostgreSQL database with encryption at rest.
We use Redis for caching validation results and improving API performance. Cache data is temporary and automatically expires.
We may use third-party DNS, SMTP, and domain validation services to verify email addresses. These services only receive the email address being validated.
For advanced catch-all and pattern detection, we may use OpenAI's API. Only anonymized validation patterns are sent, never your personal data.
Privacy Policy: https://openai.com/privacy
Used for web research queries. Only domain-level inputs are transmitted — no personal data. EU SCCs are in place.
Privacy Policy: https://brightdata.com/privacy
We use Resend to deliver transactional emails including bulk job completion notifications and opt-out confirmation emails. Email addresses are transmitted solely for delivery and are not used for any other purpose.
Privacy Policy: https://resend.com/privacy
To detect spam traps and known fraudulent email addresses, we reference publicly available community-maintained blacklists. Email addresses submitted for validation may be checked against these databases. No personal data is transmitted — only the email address being validated is used for lookup.
We also maintain an internal curated list of known spam trap domains, typo domains, and suspicious email patterns to protect our users' sender reputation.
Account Data & Self-Service Deletion
You can delete your account at any time from Settings → Danger Zone. Upon deletion your account is immediately deactivated, your subscription is cancelled, and your API key is revoked.
Your name and company name are retained in our records alongside your validation history for service-continuity and legal compliance purposes.
Your email address is retained after deletion to protect the integrity of our service. This includes detecting and preventing re-registration to abuse free trials, investigating reported abuse, and responding to lawful requests from authorities. This retention is based on our legitimate interests under GDPR Article 6(1)(f) and will not be used for any marketing purpose. You may object to this retention by contacting us at support@herobounce.com.
Validation History
Your complete validation history (single validations, bulk uploads, and API requests) is retained while your account is active. After account deletion, validation records are retained for up to 12 months and then permanently deleted, except where required for fraud investigation or legal proceedings.
Anonymized Pattern Data
To improve service quality, we retain anonymized domain email patterns (e.g., "company.com uses firstname.lastname format") identified from validations. This data contains no personal email addresses or identifying information and helps enhance catch-all detection accuracy for all users.
Domain Intelligence Cache
Technical domain-level data (DNS records, provider, security gateway, reputation indicators) is cached for up to 90 days to improve validation speed and accuracy. Email format patterns per domain are retained for up to 180 days before re-verification. This data contains no personal information.
Greylist Retry Queue
When an email server temporarily defers verification (greylist response), the email address is stored in a retry queue and re-verified automatically after 15 minutes. Retry queue entries are deleted after processing is complete.
Email Finder Results
Generated email addresses from Email Finder are stored in your private account and automatically deleted after 30 days (GDPR Article 5(1)(e) — storage limitation). Audit log entries (no full email, metadata only) are retained for 90 days. DPA acceptance records are retained indefinitely for legal compliance. Opt-out hashes are retained indefinitely to honour permanent opt-outs.
Billing Records
Transaction history and invoices are retained for 7 years to comply with tax and accounting regulations.
Uploaded Files
Bulk upload CSV files are deleted from our servers immediately after processing. The validation results are stored in your validation history (see above).
Under GDPR and LOPDGDD, you have the following rights:
Request a copy of all personal data we hold about you.
Correct inaccurate or incomplete data.
Delete your account via Settings → Danger Zone, or contact us. Note: email is retained for fraud-prevention under Art. 6(1)(f); billing records are kept for 7 years by law.
Limit how we process your data.
Receive your data in a machine-readable format.
Object to processing based on legitimate interests.
To exercise any of these rights, please contact us at support@herobounce.com. We will respond within 30 days.
We implement industry-standard security measures to protect your data:
For more details, see our Security page.
We use essential cookies to operate our service:
We do not use third-party tracking or advertising cookies. For more information, see our Cookie Policy.
Your data is primarily stored and processed in the European Union. If we transfer data outside the EU, we ensure appropriate safeguards are in place, including:
HeroBounce is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us immediately.
If your professional email address has been generated by a HeroBounce user, you have the following options:
We may update this Privacy Policy from time to time. We will notify you of any material changes by:
Your continued use of HeroBounce after changes constitutes acceptance of the updated policy.
If you have questions about this Privacy Policy or how we handle your data, please contact us:
Email: support@herobounce.com
Data Protection Officer: support@herobounce.com
You also have the right to lodge a complaint with your local data protection authority if you believe we have not handled your data properly.