Privacy Policy

Last updated: January 26, 2026

BounceShift ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our email validation service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

Name
Email address
Password (encrypted)
Company name (optional)
Billing information (processed securely via Stripe)

1.2 Email Addresses for Validation

When you use our service, you submit email addresses to validate. We process these addresses to:

Verify email format and syntax
Check MX records and domain validity
Perform SMTP verification where possible
Detect disposable, role-based, and catch-all addresses
Check against known spam traps and complainers

Important: We do not permanently store the email addresses you validate. Validation results are cached temporarily (24 hours) to improve performance, then automatically deleted.

1.3 Usage Data

We automatically collect:

API request logs (timestamps, endpoints, response codes)
IP addresses
Browser type and version
Pages visited on our dashboard
Validation statistics and history

1.4 ESP Webhook Data

If you connect ESP webhooks, we receive:

Bounce notifications (email addresses that bounced)
Complaint notifications (spam complaints)
Event metadata (timestamp, bounce type, ESP provider)

Important: Email addresses from webhooks are immediately converted to one-way cryptographic hashes (SHA-256). We never store the original email address—only the hash. This means:

We cannot read, view, or recover the original email addresses
We cannot sell or share email addresses (we don't have them)
We can only check if an email matches a known hash during validation

2. How We Use Your Information

2.1 To Provide Our Service

Process email validations
Maintain your validation history
Display results in your dashboard
Generate downloadable reports

2.2 To Improve Our Service

Analyze validation patterns to improve accuracy
Monitor system performance and reliability
Identify and fix bugs

2.3 To Communicate With You

Send account-related notifications
Respond to support requests
Notify you of service updates (with opt-out option)

2.4 For Security

Detect and prevent fraud
Monitor for abuse of our service
Enforce our Terms of Service

3. Data Retention

3.1 Validation Cache

Email validation results are cached for 24 hours
Cached results improve performance and reduce redundant checks
Cache entries are automatically purged after expiration

3.2 Validation History

Your validation history is retained while your account is active
You can request deletion of specific records or all history
Upon account deletion, all data is removed within 30 days

3.3 ESP Reputation Data (Hashed Only)

Our reputation database stores only cryptographic hashes of email addresses—never the actual addresses:

One-way hashing: We use SHA-256 hashing, which is irreversible. There is no way to convert a hash back to the original email address.
No plain-text storage: The original email address is discarded immediately after hashing. We never store it.
Privacy by design: Even if our database were compromised, attackers would only find meaningless hashes, not email addresses.
Lookup only: During validation, we hash the email you submit and check if that hash exists in our database. We cannot enumerate or export the emails in our reputation database.

You can request removal of reputation data associated with your account at any time.

4. Data Sharing

4.1 We Do Not Sell Your Data

We never sell, rent, or trade email addresses or personal information to third parties.

4.2 Service Providers

We share data with trusted service providers who assist in operating our service:

Stripe - Payment processing
Cloud hosting providers - Infrastructure
Email service providers - Transactional emails

All service providers are contractually obligated to protect your data.

4.3 Legal Requirements

We may disclose information if required by law, court order, or government request.

4.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity.

5. Our Hash-Only Approach

We designed BounceShift so that we cannot access your email data—even if we wanted to.

How It Works

When email addresses enter our reputation database (via ESP webhooks), we immediately:

Convert the email to a SHA-256 hash (a 64-character string like a1b2c3d4...)
Discard the original email address
Store only the hash

Why This Matters

We cannot read your data: Hashing is one-way. There is no key, no password, no way to reverse a hash back to an email address.
We cannot sell your data: We literally do not have email addresses to sell.
We cannot be compelled to reveal data: Even with a legal request, we can only provide meaningless hashes.
Data breaches are less harmful: If attackers accessed our database, they would find hashes—not usable email lists.

Technical Details

Algorithm: SHA-256 (industry-standard cryptographic hash function)
No salt stored per-email (we cannot reverse the hash)
Hashes are used solely to check "have we seen this email bounce before?"

6. Data Security

We implement industry-standard security measures:

All data transmitted via HTTPS/TLS encryption
Passwords are hashed using bcrypt
API keys are securely generated and stored
Regular security audits and updates
Access controls and authentication for internal systems
Database encryption at rest

7. Your Rights

7.1 Access

You can access your data through your dashboard at any time.

7.2 Correction

You can update your account information in your profile settings.

7.3 Deletion

You can request deletion of:

Your account and all associated data
Specific validation records
ESP webhook data

To request deletion, contact us at [email protected] or use the account deletion feature in your dashboard.

7.4 Export

You can export your validation history in CSV format from your dashboard.

7.5 Objection

You can opt out of marketing communications at any time.

8. Cookies and Tracking

8.1 Essential Cookies

We use essential cookies for:

Session management
Authentication
Security (CSRF protection)

8.2 Analytics

We may use analytics tools to understand how users interact with our service. You can opt out of analytics tracking in your browser settings.

8.3 No Third-Party Advertising

We do not use advertising cookies or share data with ad networks.

9. International Data Transfers

Your data may be processed in countries outside your own. We ensure appropriate safeguards are in place through:

Standard contractual clauses
Data processing agreements with service providers
Compliance with applicable data protection laws

10. Children's Privacy

Our service is not intended for users under 18 years of age. We do not knowingly collect data from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via:

Email notification
Dashboard announcement
Updated "Last modified" date

12. Contact Us

For privacy-related questions or requests:

Email: [email protected]
Data Protection Officer: [email protected]

13. Data Protection Rights (GDPR)

If you are in the European Economic Area (EEA), you have additional rights:

Right to access your personal data
Right to rectification of inaccurate data
Right to erasure ("right to be forgotten")
Right to restrict processing
Right to data portability
Right to object to processing
Right to withdraw consent

To exercise these rights, contact us at [email protected].

14. California Privacy Rights (CCPA)

California residents have the right to:

Know what personal information we collect
Request deletion of personal information
Opt out of the sale of personal information (we do not sell data)
Non-discrimination for exercising privacy rights

By using BounceShift, you acknowledge that you have read and understood this Privacy Policy.