Privacy Policy

Last updated: February 2026

This Privacy Policy describes how Mailcaff ("we", "us", or "our") collects, uses, and protects your personal information when you use our website at mailcaff.com and our email verification API service (the "Service"). We are committed to protecting your privacy and handling your data transparently.

Data Controller

Mailcaff is operated by Gianni Pisa, registered in the Netherlands.
KvK: 96633794
Email: support@mailcaff.com
Website: mailcaff.com

1. Information We Collect

We collect the following information when you create an account and use our Service:

• Account information: Your name, email address, and company name provided during signup.
• Payment information: Billing details processed securely through Stripe. We do not store your full credit card number on our servers.
• API usage logs: Records of API requests, including timestamps, endpoints called, and response statuses. These logs are used for billing, debugging, and abuse prevention.
• Email addresses submitted for verification: Email addresses you submit through the API are processed in real time and are not stored permanently. They appear in your verification history for your reference and are subject to automatic deletion.

2. Legal Basis for Processing

We process your personal data based on the following legal grounds under GDPR Article 6:

• Contract performance (Art. 6(1)(b)): Processing account information and API usage to provide the Service you signed up for.
• Legitimate interest (Art. 6(1)(f)): Monitoring usage, enforcing rate limits, and preventing abuse to maintain service quality and security.
• Legal obligation (Art. 6(1)(c)): Retaining billing records as required by Dutch tax law.
• Consent (Art. 6(1)(a)): Where applicable, such as optional marketing communications. You can withdraw consent at any time.

3. How We Use Your Information

We use your information for the following purposes:

• To provide, operate, and maintain the Service.
• To process payments and manage your subscription.
• To monitor usage, enforce rate limits, and prevent abuse.
• To communicate with you about your account, including service updates and support responses.
• To comply with legal obligations.

4. Data Sharing

We do not sell, rent, or trade your personal data to third parties.

We share data only with the following service providers, strictly as needed to operate the Service:

• Vultr: Cloud infrastructure hosting (Netherlands).
• Stripe: Payment processing. Stripe's privacy policy governs how they handle your payment data.
• Resend: Transactional email delivery (account emails only).

For a complete list of sub-processors and data processing details, see our Data Processing Agreement.

We may also disclose information if required by law, regulation, or legal process.

5. Data Storage and Security

Your data is stored on a self-hosted database running on Vultr VPS infrastructure. We implement appropriate technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction. These measures include encrypted connections (TLS), access controls, and regular security reviews.

6. Cookies

We use session cookies only to keep you logged in and maintain your session state. We do not use tracking cookies, advertising cookies, or third-party analytics services. No cookie consent banner is needed because we only use strictly necessary cookies.

7. Your Rights (GDPR)

If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):

• Right to access: You can request a copy of the personal data we hold about you.
• Right to rectification: You can ask us to correct inaccurate or incomplete data.
• Right to erasure: You can request that we delete your personal data.
• Right to restriction: You can ask us to restrict the processing of your data in certain circumstances.
• Right to data portability: You can request your data in a structured, machine-readable format.
• Right to object: You can object to the processing of your data where we rely on legitimate interests.
• Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

You can exercise these rights directly from your dashboard:

• Export your data: Dashboard → Settings → Export My Data
• Delete your account: Dashboard → Settings → Delete Account

You can also contact us at support@mailcaff.com. We will respond to your request within 30 days.

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Dutch Data Protection Authority:

Autoriteit Persoonsgegevens
Website: autoriteitpersoonsgegevens.nl
Phone: +31 (0)70 888 85 00

8. Data Retention

We retain your account information for as long as your account is active.

• API usage logs: Automatically deleted after 90 days.
• Verification cache: Results expire after 7 days (valid/invalid) or 24 hours (catch-all/unknown). Entries older than 30 days are purged automatically.
• Account data: Deleted immediately when you delete your account through the dashboard.

If you delete your account or request data deletion, we will remove your personal data immediately, except where we are legally required to retain it.

9. Data Deletion

You can delete your account and all associated data directly from your dashboard (Settings → Delete Account). This is immediate and permanent. You will receive a confirmation email. You can also request deletion by emailing support@mailcaff.com.

10. Automated Processing and AI Transparency

In compliance with the EU Artificial Intelligence Act (Regulation 2024/1689), we provide the following transparency disclosures:

• Email verification: Our service uses automated SMTP checks and pattern-based analysis to determine email deliverability. These are deterministic technical checks, not AI-based profiling.
• Email finder: Our email finder generates candidate email addresses using pattern-matching algorithms based on common naming conventions at a given domain. This is rule-based pattern matching, not machine learning or AI profiling.
• No automated decision-making: We do not use AI or automated decision-making that produces legal effects or similarly significant effects on individuals (GDPR Art. 22).

11. Children's Privacy

Our Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have any questions about this Privacy Policy or how we handle your data, please contact us at:

Email: support@mailcaff.com
Website: mailcaff.com