Privacy policy

• We collect your account info, the email addresses you submit for verification, and standard server logs.
• We never store verification addresses in plaintext — only a SHA-256 hash.
• We don't sell your data and we don't train AI models on it.
• You can export everything we have and delete your account from Settings.

"Trumailo", "we", and "us" refer to the Trumailo team. We operate the email-verification service at trumailo.com. For billing questions our merchant-of-record is Paddle.com Market Ltd.

When you create an account or use our service we collect:

• Account data — email, hashed password, display name, optional 2FA secret.
• Billing data — held by Paddle; we only mirror your subscription state and the Paddle customer ID.
• Usage data — API requests, response codes, IP address, user agent.
• Sign-in events — timestamp, IP, user agent for the last 25 sign-ins.

When you verify an email address (yours or your customers'), we store:

• SHA-256 hash of the address — not the plaintext address.
• The domain (e.g. gmail.com) for aggregate reporting.
• Verdict (valid / risky / invalid / unknown), confidence score, response time, signal-by-signal results.

The raw address lives in memory only for the duration of the verification request. It is never written to a database, log file, or cache.

• To authenticate you and bill you for the service.
• To prevent abuse (rate limiting, brute-force protection, fraud detection).
• To improve our verifier — aggregate signal-rate stats by domain, never per-address.
• To provide customer support when you contact us.

We only share data with sub-processors that help us run the service:

• Paddle.com Market Ltd — payment processing, tax handling, invoicing (merchant of record).
• Our cloud hosting provider — infrastructure for compute, database, and storage.
• Your designated webhook endpoints — we POST verification verdicts back to URLs you configure.

We do not sell personal data. We do not share it with advertisers.

• Account data — while your account is active; deleted within 30 days of account deletion.
• Verifications — 18 months, then aggregated.
• Server logs — 30 days.
• Sign-in events — 90 days, capped at 25 most recent.
• Webhook delivery log — 30 days.

Under GDPR, CCPA, and similar laws you have the right to:

• Access — download a JSON export of everything from Settings → Your data.
• Delete — Settings → Delete account erases your data within 30 days.
• Rectify — edit your profile or change your email in Settings.
• Object / restrict processing — email privacy@trumailo.com.
• Lodge a complaint with your supervisory authority (e.g. ICO in the UK, DPC in Ireland).

Passwords are hashed with bcrypt. API keys are stored as SHA-256 hashes. 2FA is available via TOTP. Sessions can be revoked across all devices at any time. The full security posture is documented at /security.

We may transfer data outside your country to our cloud provider's regions. Where required we rely on the EU Standard Contractual Clauses and equivalent UK / Swiss mechanisms. EU data residency is available on Enterprise plans.

Trumailo is not directed at children under 16. We don't knowingly collect data from them. If you believe a child has provided us data, email us and we'll delete it.

We'll post any material changes here and notify active customers by email at least 30 days before they take effect.

For privacy questions, email privacy@trumailo.com. For everything else, use the contact form.