Privacy Policy

Last updated: October 9, 2025

Mailsniper (“Mailsniper”, “we”, “us” or “our”) provides a platform for automated discovery, validation, and classification of email domains. This Privacy Policy explains how we collect, use, disclose, and protect personal data when you visit our websites, create an account, use the Mailsniper API, interact with our documentation, or otherwise engage with us (collectively, the “Services”).

1. Data Controller and Contact

Mailsniper is the data controller for personal data that we collect about you. If you have questions about this Privacy Policy or our data practices, please contact us at [email protected]. We operate the business from Germany and run all core infrastructure for the Services in German data centers.

2. Scope of This Policy

This Privacy Policy covers personal data we collect from:

  • Visitors to our marketing site, documentation, and any public web pages we host
  • Individuals who create and manage Mailsniper accounts or request support
  • Developers and organizations who call the Mailsniper API, including the email addresses and domains submitted for validation
  • Participants in onboarding surveys, beta programs, or feedback sessions

3. Personal Data We Collect

We collect the following categories of personal data when you use the Services:

3.1 Account and Profile Information

  • Identifiers such as name, email address, company, job title, and password (stored in hashed form)
  • Subscription tier, request quotas, verification status, and account activity timestamps
  • Optional onboarding survey responses (company size, intended use cases, preferred programming language, referral source)

3.2 Service Usage and API Data

  • Email addresses and domains you submit to the Mailsniper API for validation and classification
  • Request metadata such as API key, timestamp, request parameters, response payload, usage counts, and status codes, which we log to provide support, quota tracking, and abuse prevention
  • Domain review artifacts such as screenshots and extraction context used to document how a domain was discovered

3.3 Communications and Support

  • Content of messages you send via email, support forms, or in-product feedback
  • Records of interactions with our support team, including attachments and troubleshooting data

3.4 Technical and Analytics Data

  • Server and application logs such as IP address, device and browser characteristics, referrer URLs, and error diagnostics generated when you access the Services
  • Cookie identifiers and analytics events collected through first-party cookies and Ahrefs Analytics to understand product usage and improve performance
  • Network routing logs captured by Cloudflare when proxying traffic to our Services

3.5 Data from Third Parties and Public Sources

  • Disposable, spam, or corporate domain information sourced from public websites, community lists, or commercial feeds
  • Validation results returned by third-party email validation services that you explicitly enable

4. How We Use Personal Data

We process personal data for the following purposes:

  • Provide and maintain the Services: Authenticate users, manage accounts and API keys, deliver API responses, and monitor availability.
  • Improve accuracy and performance: Analyze domain discovery efficacy, tune validation heuristics, and develop new features based on anonymized or aggregated insights.
  • Usage analytics and quota management: Track request volumes, enforce rate limits, and surface usage dashboards.
  • Support and communications: Respond to inquiries, provide onboarding assistance, and send service-related notifications.
  • Security and abuse prevention: Detect fraudulent activity, prevent misuse of the API, investigate incidents, and protect the integrity of our systems.
  • Legal compliance: Meet record-keeping obligations, comply with applicable laws, and assert or defend legal claims.

5. Legal Bases for Processing

When required by law (including the EU/EEA, UK, and similar jurisdictions), we rely on the following legal bases:

  • Contractual necessity to create and administer your account, deliver API responses, and provide customer support.
  • Legitimate interests to secure our platform, prevent abuse, improve the Services, and analyze aggregated usage patterns.
  • Consent when you opt in to optional onboarding surveys, beta feedback, marketing communications, or enable third-party validators.
  • Legal obligations for retaining records required by tax, accounting, or judicial authorities.

6. How We Share Personal Data

We do not sell personal data. We share personal data only as described below:

  • Service providers and subprocessors: Trusted vendors that support hosting, storage, analytics, communications, and error monitoring. Key providers include our cloud hosting infrastructure (e.g., Linode or equivalent providers), Cloudflare (which proxies internet traffic to our Services), database and backup vendors, email delivery services, and customer support tools.
  • Analytics and product intelligence: Ahrefs Analytics collects pseudonymous usage metrics about visits to our public pages. You can opt out using industry-standard browser controls.
  • AI and validation partners: When required to fulfil a request, we share relevant data with OpenAI (for website screenshot analysis) and with third-party email validation services. These processors receive the email addresses or domain details you submit solely to return validation results.
  • Notifications and alerts: Operational alerts may be routed through secure internal alerting channels to notify internal teams about newly discovered domains or system health.
  • Professional advisors and authorities: We may disclose personal data to auditors, legal counsel, law enforcement, or regulators when required to comply with the law or protect our rights.
  • Business transfers: In the event of a merger, acquisition, financing, or sale of assets, personal data may be transferred as part of that transaction, subject to ongoing protection commitments.

7. International Data Transfers

All production infrastructure for the Services is hosted in data centers located in Germany. Mailsniper also operates globally and may process personal data in countries that do not provide the same level of data protection as your home jurisdiction. When transferring personal data internationally, we implement appropriate safeguards such as Standard Contractual Clauses and Data Processing Agreements, or rely on adequacy decisions where available. Our subprocessors are contractually required to apply comparable protections.

8. Data Retention

We retain personal data only as long as necessary for the purposes described in this Privacy Policy or as required by law:

  • Account information is retained while your account is active and for up to 24 months afterward to address billing, disputes, or legal obligations.
  • API request logs (including submitted email addresses and responses) are retained for up to 12 months for troubleshooting and abuse prevention before being deleted or anonymized.
  • Onboarding survey responses and support conversations are retained for as long as you maintain an account or until you request their deletion.
  • Domain discovery assets (screenshots, scraper artifacts) are retained while relevant to maintain classification accuracy and may be archived for research purposes in anonymized form.
  • Aggregated or de-identified data may be retained indefinitely because it no longer identifies an individual.

If you close your account, we will delete or anonymize personal data within a reasonable period, unless we are required to keep it for legal or legitimate business reasons.

9. Cookies and Tracking Technologies

We use essential cookies to maintain your authenticated session and deliver core functionality. We also use analytics scripts (Ahrefs Analytics) to understand how visitors interact with our content. You can manage cookie preferences through your browser settings. Disabling certain cookies may impact functionality.

10. Data Processed on Your Behalf

When you submit email addresses or domains to the Mailsniper API, you remain the data controller of that information. We process it as your data processor to deliver validation results, monitor abuse, and maintain system integrity. You are responsible for obtaining all necessary rights and consent to submit personal data to our Services.

We do not use customer-submitted email addresses for marketing or to build independent datasets. We do not sell or share them outside the processors described in this policy. Upon request, we can delete or anonymize stored request logs associated with your account, subject to applicable law.

11. Security Measures

We implement technical and organizational measures to protect personal data, including encryption in transit, hashed password storage, role-based access controls, audit logging, rate limiting, and continuous monitoring of our infrastructure. Despite these safeguards, no system can be completely secure; we encourage you to use strong passwords, protect your API keys, and promptly notify us of any suspected unauthorized access.

12. Your Privacy Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate or incomplete data
  • Request deletion of personal data, or restriction of processing in certain circumstances
  • Object to processing based on legitimate interests or direct marketing
  • Request data portability for information you provided to us
  • Withdraw consent at any time when processing is based on consent
  • Lodge a complaint with your local data protection authority

To exercise your rights, please contact us at [email protected]. We may request additional information to verify your identity before completing your request.

13. California Privacy Notice

If you reside in California, you have the right to request information about how we collect, use, and disclose your personal data under the California Consumer Privacy Act (CCPA). You may request access to or deletion of your personal data by contacting us at the email above. We do not sell or share personal information as defined by the CCPA. We will not discriminate against you for exercising your privacy rights.

14. Children’s Privacy

The Services are intended for business and professional use and are not directed to children under the age of 16. We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us so that we can take appropriate action.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we do, we will revise the “Last updated” date above and, if appropriate, provide additional notice (such as by email or in-app notification). Your continued use of the Services after the effective date of the updated policy constitutes your acceptance of the changes.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of personal data, please reach out to [email protected].