Last updated · 17 April 2026
Privacy Policy
This policy describes how bouncyboobs (the “service”) processes personal data under UK GDPR and the Data Protection Act 2018.
Who we are
Privacy contact: privacy@bouncyboobs.dev. We do not currently appoint a Data Protection Officer; ordinary processing for a service of this scale does not require one.
What we process and why
- Account data (name, email, hashed password, OAuth identifiers): to create and authenticate your account. Lawful basis: contract.
- Payment metadata (Stripe customer ID, subscription status, invoice records): to bill you and meet HMRC record-keeping obligations. Lawful basis: contract and legal obligation.
- Email lists you upload: processed on your behalf to verify deliverability. We act as processor under Art. 28; you are the controller. Lawful basis: contract with you.
- Usage counts (how many verifications, when): for quota enforcement and invoicing. Lawful basis: contract.
- Verification inputs and derived signals: we may retain email addresses you submit and the verification outputs we produced for them to improve accuracy, detect abuse, and develop internal models and heuristics. We do not sell this data or share it with advertisers. Lawful basis: legitimate interests (service improvement and fraud prevention). You may object under the rights section below.
Retention
- Uploaded email addresses (job inputs): deleted 24 hours after job completion.
- Verification verdicts paired with addresses (job outputs): 30 days.
- Aggregate counts (no addresses): kept for billing.
- Internal archive for service improvement and abuse detection (verification inputs and outputs): retained indefinitely unless you exercise your right to object or erasure.
- Subscription records: 7 years after cancellation (HMRC).
- Account record: duration of account + 30 days’ grace.
- Application logs (no PII): 30 days.
Recipients (subprocessors)
We engage the following subprocessors to operate the service:
- Neon (Amazon Web Services, US regions) — managed Postgres and authentication.
- Stripe (US / EU) — billing, subscription management, and tax-invoice records.
- Resend (US) — transactional email delivery (welcome emails, quota warnings, job completion).
- Vercel (US, global edge) — web hosting and CDN.
- Railway (US, EU) — verification worker compute and the internal probe service.
- Upstash (AWS, global) — durable rate-limit counters.
We commit to at least 30 days’ advance notice when we add or replace a subprocessor; email privacy@bouncyboobs.dev to receive those notices.
International transfers
Some subprocessors are based in the United States. Transfers rely on UK IDTA / Standard Contractual Clauses and the EU–US Data Privacy Framework where applicable.
Data Processing Agreement
When you upload email lists, you are the controller and bouncyboobs is the processor under Art. 28 UK GDPR. This section incorporates the processor obligations that would otherwise live in a standalone DPA.
- Subject matter + duration: verification of email addresses for the duration of your subscription.
- Nature and purpose: the layered verification pipeline (syntax, DNS, disposable/role, SMTP probe, deliverability insights) initiated by the controller.
- Personal data + data subjects: email addresses (and any columns the controller chooses to upload) belonging to the controller’s contacts.
- Controller warrants a lawful basis for each address submitted and accepts responsibility for the accuracy, legality, and proportionality of the upload.
- Processor obligations: process only on documented controller instructions; confidentiality-bound personnel; appropriate technical + organisational security (encryption in transit + at rest, least-privilege access, incident response); engage subprocessors only with the controller’s general authorisation and the 30-day notice described above; assist with data-subject-rights requests; notify the controller of any personal data breach without undue delay, in any case within 72 hours; delete or return personal data at the end of the agreement at the controller’s choice; provide the information necessary to demonstrate compliance and allow for reasonable audits.
- Signing: this DPA applies on a click-through basis when you accept the Terms of Service. A countersigned version is available on request to legal@bouncyboobs.dev.
Your rights
Under UK GDPR you have rights of access, rectification, erasure, restriction, portability, objection, and withdrawal of consent (where consent is the basis). Contact privacy@bouncyboobs.dev and we will respond within one month.
Self-serve export and deletion endpoints are on the roadmap; in the meantime, manual requests are honoured.
Data subjects who are not our customers
If your email address appears in a list one of our customers uploaded, the customer is the data controller. Forward your request to the customer in the first instance, or contact us and we will help you identify them where possible.
Complaints
You have the right to lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk).