Data Processing Agreement

Last updated: February 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between ClearBounce and you ("Customer"). It describes how we process personal data on your behalf when you use our email verification services, in compliance with GDPR (EU 2016/679) and other applicable data protection laws.

1. Definitions

  • Controller: You, the Customer, who determines the purposes and means of processing personal data
  • Processor: ClearBounce, which processes personal data on behalf of the Controller
  • Personal Data: Any data relating to an identified or identifiable natural person
  • Processing: Any operation performed on personal data (collection, storage, use, deletion, etc.)
  • Sub-processor: A third party engaged by ClearBounce to process personal data
  • Data Subject: The individual whose personal data is processed

2. Scope and Purpose of Processing

ClearBounce processes personal data solely to provide email verification services to the Customer. This includes:

  • Verifying the deliverability of email addresses provided by the Customer
  • Generating verification reports and results
  • Maintaining verification history for the Customer's account

Types of Personal Data Processed:

  • Email addresses submitted for verification
  • Verification results (deliverable, undeliverable, risky, unknown)
  • IP addresses used for API access
  • Account information (name, email, company)

Categories of Data Subjects:

  • Individuals whose email addresses are submitted for verification by the Customer
  • The Customer's account users and administrators

3. Obligations of the Processor

ClearBounce shall:

  • Process personal data only on documented instructions from the Customer
  • Ensure that persons authorized to process personal data have committed to confidentiality
  • Implement appropriate technical and organizational security measures
  • Not engage another processor without prior written authorization from the Customer
  • Assist the Customer in responding to Data Subject requests (access, rectification, erasure, portability)
  • Delete or return all personal data upon termination of services, unless required by law to retain it
  • Make available all information necessary to demonstrate compliance with GDPR obligations
  • Immediately inform the Customer if an instruction infringes GDPR or other data protection laws

4. Security Measures

ClearBounce implements the following technical and organizational measures to protect personal data:

Encryption:

  • All data in transit is encrypted using TLS 1.3
  • Data at rest is encrypted using AES-256
  • API communications require HTTPS

Access Control:

  • Role-based access control for all systems
  • Multi-factor authentication for administrative access
  • API key authentication with per-key permissions

Data Minimization:

  • Email lists and verification results are automatically deleted after 60 days
  • Bulk verification job data is automatically purged after 60 days
  • Only data necessary for the service is collected and processed

5. Sub-processors

ClearBounce uses the following sub-processors to deliver its services:

Hostinger International Ltd.

  • Purpose: Server hosting and infrastructure
  • Location: Lithuania (EU) / Global data centers
  • Data processed: All service data

Paddle.com Market Ltd.

  • Purpose: Payment processing and billing
  • Location: United Kingdom
  • Data processed: Billing information, payment details

The Customer consents to the engagement of the above sub-processors. ClearBounce will notify the Customer of any intended changes to sub-processors, giving the Customer the opportunity to object.

6. Data Breach Notification

In the event of a personal data breach, ClearBounce shall:

  • Notify the Customer without undue delay and no later than 72 hours after becoming aware of the breach
  • Provide the nature of the breach, including categories and approximate number of affected data subjects
  • Provide contact details for further information
  • Describe likely consequences of the breach
  • Describe measures taken or proposed to address the breach
  • Cooperate with the Customer in fulfilling their obligations to notify supervisory authorities and affected data subjects
  • Document all personal data breaches, including facts, effects, and remedial actions taken

7. Data Retention and Deletion

Automatic Deletion:

  • Email lists and verification results: Automatically deleted 60 days after creation
  • Bulk verification job data: Automatically deleted 60 days after completion
  • Session tokens: Expire and are deleted after 30 days of inactivity

On Account Deletion:

  • All personal data is permanently deleted via cascading database deletion
  • This includes: verification history, bulk jobs, API keys, credit transactions, and all account data
  • Deletion is immediate and irreversible

Retention Exceptions:

  • Payment and financial records may be retained for up to 5 years to comply with tax and accounting regulations
  • Data may be retained if required by applicable law or regulation

Data Export:

Customers can export all their data at any time in JSON format through the account settings.

8. International Data Transfers

ClearBounce's primary infrastructure is hosted in the European region. When personal data is transferred outside the European Economic Area (EEA), ClearBounce ensures adequate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission
  • Adequacy decisions where applicable
  • Technical measures such as encryption to protect data during transfer

The Customer acknowledges that email verification by nature requires communication with mail servers globally, which may involve transient processing of email addresses outside the EEA.

9. Data Subject Rights

ClearBounce shall assist the Customer in fulfilling their obligations to respond to Data Subject requests, including:

  • Right of Access: Providing copies of personal data upon request
  • Right to Rectification: Correcting inaccurate personal data
  • Right to Erasure: Deleting personal data ("right to be forgotten")
  • Right to Restriction: Restricting processing of personal data
  • Right to Data Portability: Providing data in a structured, machine-readable format
  • Right to Object: Ceasing processing where the data subject objects

ClearBounce provides self-service tools for account deletion and data export through the Customer's account settings.

10. Term and Termination

This DPA shall remain in effect for the duration of the Customer's use of ClearBounce services.

Upon termination:

  • ClearBounce will delete all personal data within 60 days, unless retention is required by law
  • The Customer may request immediate deletion through account settings
  • The Customer may export their data before account closure

Governing Law: This DPA is governed by the laws of the Republic of Turkey, without prejudice to mandatory GDPR provisions.

Contact: For questions about this DPA or to exercise data protection rights, contact us at support@clearbounce.net.