bouncyboobs

Last updated · 16 April 2026

Privacy Policy

This policy describes how bouncyboobs (the “service”) processes personal data under UK GDPR and the Data Protection Act 2018.

Who we are

Privacy contact: privacy@bouncyboobs.dev. We do not currently appoint a Data Protection Officer; ordinary processing for a service of this scale does not require one.

What we process and why

  • Account data (name, email, hashed password, OAuth identifiers): to create and authenticate your account. Lawful basis: contract.
  • Payment metadata (Stripe customer ID, subscription status, invoice records): to bill you and meet HMRC record-keeping obligations. Lawful basis: contract and legal obligation.
  • Email lists you upload: processed on your behalf to verify deliverability. We act as processor under Art. 28; you are the controller. Lawful basis: contract with you.
  • Usage counts (how many verifications, when): for quota enforcement and invoicing. Lawful basis: contract.

Retention

  • Uploaded email addresses: deleted 24 hours after job completion.
  • Verification verdicts paired with addresses: 30 days.
  • Aggregate counts (no addresses): kept for billing.
  • Subscription records: 7 years after cancellation (HMRC).
  • Account record: duration of account + 30 days grace.
  • Application logs (no PII): 30 days.

Recipients

See the subprocessors page for the current list of vendors with whom we share data, including Neon (database, auth), Stripe (payments), Resend (transactional email), Vercel (hosting), and Railway (worker compute).

International transfers

Some subprocessors are based in the United States. Transfers rely on Standard Contractual Clauses (SCCs) and the EU–US Data Privacy Framework where applicable.

Your rights

Under UK GDPR you have rights of access, rectification, erasure, restriction, portability, objection, and withdrawal of consent (where consent is the basis). Contact privacy@bouncyboobs.dev and we will respond within one month.

Self-serve export and deletion endpoints are on the roadmap; in the meantime, manual requests are honoured.

Data subjects who are not our customers

If your email address appears in a list one of our customers uploaded, the customer is the data controller. Forward your request to the customer in the first instance, or contact us and we will help you identify them where possible.

Complaints

You have the right to lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk).