'%3e%3cpath%20d='M12%2041%20L24%2041%20L32%2049%20L40%2041%20L52%2041%20L52%2056%20L12%2056%20Z'%20fill='%2384CC16'%3e%3c/path%3e%3cpath%20d='M23%2041%20L32%2050%20L41%2041%20L37%2041%20L32%2046%20L27%2041%20Z'%20fill='%23B4E863'%3e%3c/path%3e%3c/g%3e%3cg%20clip-path='url(%23filtratFlask)'%3e%3crect%20x='8'%20y='27'%20width='48'%20height='10'%20fill='%23CBC9ED'%20opacity='0.9'%3e%3c/rect%3e%3c/g%3e%3cg%20clip-path='url(%23filtratFlask)'%3e%3ccircle%20cx='22'%20cy='32'%20r='1.4'%20fill='%236E69D1'%3e%3c/circle%3e%3ccircle%20cx='29'%20cy='34'%20r='2.4'%20fill='%236E69D1'%3e%3c/circle%3e%3ccircle%20cx='38'%20cy='33'%20r='1.8'%20fill='%23F87171'%3e%3c/circle%3e%3ccircle%20cx='44'%20cy='31'%20r='1.3'%20fill='%236E69D1'%3e%3c/circle%3e%3ccircle%20cx='33'%20cy='30'%20r='1.1'%20fill='%238B87E0'%3e%3c/circle%3e%3c/g%3e%3cg%20clip-path='url(%23filtratFlask)'%3e%3ccircle%20cx='34'%20cy='20'%20r='2.6'%20fill='%236E69D1'%3e%3c/circle%3e%3ccircle%20cx='29'%20cy='24'%20r='3.4'%20fill='%238B87E0'%3e%3c/circle%3e%3ccircle%20cx='33'%20cy='15'%20r='1.6'%20fill='%236E69D1'%3e%3c/circle%3e%3ccircle%20cx='30'%20cy='18'%20r='1.1'%20fill='%238B87E0'%3e%3c/circle%3e%3c/g%3e%3cpath%20d='M28%2012%20V25%20L13%2050%20Q11.5%2053.5%2015%2053.5%20H49%20Q52.5%2053.5%2051%2050%20L36%2025%20V12'%20stroke='%234338CA'%20stroke-width='4'%20stroke-linejoin='round'%20stroke-linecap='round'%3e%3c/path%3e%3cpath%20d='M8%2036%20H56'%20stroke='%234338CA'%20stroke-width='4'%20stroke-linecap='round'%3e%3c/path%3e%3crect%20x='24'%20y='7'%20width='16'%20height='4.5'%20rx='2.25'%20fill='%234338CA'%3e%3c/rect%3e%3c/svg%3e)
Privacy Policy
Last updated: June 2026
Data Controller
[FULL LEGAL NAME] (Przedsiebiorca Jednoosobowy)
NIP: [NIP NUMBER] — REGON: [REGON NUMBER]
[REGISTERED ADDRESS], [POSTAL CODE] [CITY], Poland
Privacy contact: [email protected]
We have not appointed a Data Protection Officer. As a small B2B SaaS provider, we are not required to do so under GDPR Article 37. All privacy enquiries should be directed to the contact above.
1. Introduction
This Privacy Policy explains how [FULL LEGAL NAME] (“we,” “us,” or “our”), acting as data controller, collects, uses, and safeguards personal data when you use filtrat.io (“the Service”), a B2B email verification platform accessible at filtrat.io.
This Policy is issued in accordance with Regulation (EU) 2016/679 (“GDPR”) and the Polish Act on Personal Data Protection (ustawa o ochronie danych osobowych).
In short: we collect only what we need to operate the Service. We never sell personal data. Email addresses submitted for verification are cached for 180 days and then permanently deleted. You only pay for confirmed results — addresses we cannot determine cost nothing and are treated the same way.
2. Personal Data We Collect
We collect personal data in three contexts: when you create and use an account, when you make a payment, and when you use the verification service.
a) Account Data
| Data type | Purpose | Legal basis (GDPR Art. 6) |
|---|---|---|
| Email address, name | Account creation and authentication | Performance of contract — Art. 6(1)(b) |
| Hashed password / OAuth token | Secure login | Performance of contract — Art. 6(1)(b) |
| Credit balance, subscription status | Service delivery and billing | Performance of contract — Art. 6(1)(b) |
| API request logs | Service operation, abuse prevention, support | Legitimate interest — Art. 6(1)(f) |
| IP address, browser, device data | Security and fraud prevention | Legitimate interest — Art. 6(1)(f) |
| Support communications | Customer support | Legitimate interest — Art. 6(1)(f) |
b) Payment Data
Payments are processed by Stripe, Inc., who acts as payment processor. We do not store full card numbers. Stripe operates under its own privacy policy and is an independent data controller for payment transactions.
| Data type | Purpose | Legal basis |
|---|---|---|
| Billing name, email, billing address | Invoicing and tax compliance | Legal obligation — Art. 6(1)(c) |
| Last 4 digits of card, payment method type | Subscription management | Performance of contract — Art. 6(1)(b) |
| Transaction history | Accounting, refunds, audits | Legal obligation — Art. 6(1)(c) |
c) Email Addresses Submitted for Verification
When you use the Service you submit email addresses to be verified. These addresses may belong to third parties.
| Data type | Purpose | Legal basis |
|---|---|---|
| Email addresses submitted via dashboard or API | Performing verification and returning results | Performance of contract — Art. 6(1)(b) |
| Verification results (deliverable, bounce, catch-all, etc.) | Caching results for 180 days to avoid repeat charges | Performance of contract — Art. 6(1)(b) |
We do not use submitted email addresses for any purpose other than providing the verification result to you. We do not share them with third parties for marketing, advertising, or any secondary purpose. Submitted addresses are automatically deleted after 180 days. Users may clear their cached results at any time from account settings.
3. How We Use Personal Data
We use personal data only for the purposes described in Section 2. Specifically:
- Providing, operating, and improving the Service
- Authenticating users and managing accounts
- Processing subscriptions, payments, and credits
- Responding to support requests
- Sending essential service notifications (billing, security, service changes)
- Preventing fraud, abuse, and unauthorised access
- Meeting tax, accounting, and legal obligations
- Conducting anonymised, aggregated analytics to improve the Service
We do not:
- Sell personal data to third parties
- Use personal data for behavioural advertising or ad targeting
- Share personal data with data brokers
- Send marketing or promotional emails. All communications from filtrat.io are transactional: account confirmations, billing receipts, security alerts, and service-related notices. There is no newsletter or marketing mailing list.
- Use personal data for purposes incompatible with those listed above
4. Automated Decision-Making
filtrat.io’s verification service produces automated verdicts — confirmed deliverable, confirmed bounce, catch-all, uncertain, risky, role address, disposable — without human review of individual results.
How it works
The system contacts mail servers, analyses domain configuration, cross-references external naming pattern databases, and applies AI-assisted normalisation to identify likely name misspellings. Results reflect the deliverability status of an address at the time of verification.
Significance
These verdicts directly affect whether a third party receives email from filtrat.io’s customers. A result of confirmed bounce, disposable, or role address may result in that person being excluded from outreach.
Your rights
If you are an individual whose email address has been verified through filtrat.io, you have the right to request human review of your result, express your view, and contest the automated verdict. Contact the filtrat.io customer who submitted your address in the first instance — they are the data controller for your data. Where you cannot identify that customer, contact [email protected] and we will assist to the extent possible.
5. Controller and Processor Roles
When a filtrat.io user submits email addresses belonging to third parties — whether through single verification, bulk upload, or the API:
- filtrat.io is the Data Processor for those addresses. We process them only to provide the verification service, under the user’s instructions, and for no other purpose.
- The filtrat.io user is the Data Controller for those addresses. They are responsible for having a lawful basis to submit those addresses, for providing appropriate notices to data subjects where required, and for responding to data subject rights requests from those individuals.
Rights requests from individuals regarding email addresses in a verified list should be directed to the filtrat.io customer who submitted them. Where filtrat.io receives such a request and cannot identify the relevant customer, we will use reasonable efforts to assist.
A Data Processing Agreement (DPA) is available upon request and governs all verification processing — single, bulk, and API — of personal data subject to GDPR. Contact [email protected] to execute.
6. Sharing Personal Data
We share personal data only with the following recipients, all bound by contractual data protection obligations:
| Recipient | Purpose | Country | Transfer mechanism |
|---|---|---|---|
| Stripe, Inc. | Payment processing | United States | SCCs (primary) / EU–US Data Privacy Framework |
| Resend, Inc. | Transactional email delivery | United States | SCCs (primary) / EU–US Data Privacy Framework |
| SuperTokens, Inc. | Authentication infrastructure | United States | SCCs (primary) / EU–US Data Privacy Framework |
| [HOSTING PROVIDER] | Cloud infrastructure and data storage | [COUNTRY] | [ADEQUACY / SCCs] |
| Serper | Domain pattern data lookup | United States | SCCs (primary) / EU–US Data Privacy Framework |
| Linkup | Domain pattern data lookup | France | EU–EU transfer — no additional mechanism required |
| Competent authorities | When required by law or court order | — | Legal obligation |
For all US-based sub-processors, Standard Contractual Clauses (SCCs) are the primary transfer mechanism. Where a sub-processor is also certified under the EU–US Data Privacy Framework, that certification provides an additional safeguard but is not relied upon as the sole basis for transfer. If the Data Privacy Framework is invalidated, transfers continue under SCCs without interruption.
In the event of a business transfer, personal data may be transferred to the acquiring party under equivalent privacy protections.
This list is maintained and updated as sub-processors change. You may request the current version at [email protected]. Copies of applicable Standard Contractual Clauses are available upon request.
7. Data Retention
| Data category | Retention period |
|---|---|
| Account data (name, email) | Duration of account plus 30 days after closure |
| Verification results cache | 180 days from date of verification, then automatically deleted. On account closure, cached results are deleted at the 30-day account deletion mark, even if the 180-day window has not expired. |
| API keys | Cryptographic hash retained until revocation, then deleted |
| Invoices and accounting records | 7 years (Polish accounting and tax law) |
| Server and access logs | 90 days |
| Support correspondence | 3 years from last contact |
| Analytics data | 26 months aggregated; individual session data deleted at session end |
Billing records subject to statutory retention obligations cannot be deleted on request during the mandatory period. All other data can be deleted by contacting [email protected].
8. Security and Data Breach Notification
We protect personal data through:
- TLS encryption for all data in transit
- Cryptographic hashing of passwords and API keys
- Encryption at rest for sensitive data
- Access controls on a strict need-to-know basis
- Regular security reviews
No system is perfectly secure. In the event of a personal data breach likely to result in risk to data subjects’ rights and freedoms, we will notify the Urzad Ochrony Danych Osobowych (UODO) within 72 hours and affected users without undue delay, as required by GDPR Articles 33 and 34. Notifications will be sent to the email address on your account. To report a suspected security issue contact [email protected].
9. Cookies
We use a minimal set of cookies:
Strictly necessary — no consent required
Session management, authentication, and security. Cannot be disabled without affecting Service functionality.
Analytics — consent required
Privacy-friendly aggregated analytics to understand how the Service is used. No individual profiles are built.
No advertising cookies. filtrat.io does not use marketing pixels, retargeting cookies, or cross-site tracking.
You can manage cookie preferences through your browser settings or the cookie preference centre in the website footer.
10. Your Rights
Under GDPR you have the right to:
- Access — obtain confirmation of whether we process your data and a copy of it
- Rectification — correct inaccurate or incomplete data
- Erasure — request deletion where no legal basis for retention applies
- Restriction — limit processing in certain circumstances
- Portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interests
- Withdraw consent — where processing relies on consent, withdraw it at any time without affecting prior lawful processing
- Contest automated decisions — request human review of verification verdicts (see Section 4)
- Lodge a complaint — bring a claim before your competent data protection authority (see Section 11)
How to exercise your rights: Email [email protected]. We will respond within one month. Where requests are complex or numerous, this may be extended by two further months with notice given within the first month. We will not charge for reasonable requests.
11. Supervisory Authority
Our lead supervisory authority is:
Urzad Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warsaw, Poland
Users in other EU member states may also contact their local supervisory authority.
12. Age Restriction
The Service is intended for business use by individuals aged 16 or older. We do not knowingly collect personal data from children. If you believe a child has provided personal data through the Service, contact [email protected] and we will delete it promptly.
13. US State Privacy Rights
California (CCPA/CPRA)
California residents have the right to know what personal data is collected, to request deletion, to correct inaccurate data, and to opt out of the sale or sharing of personal data. filtrat.io does not sell or share personal data as defined by the CCPA. California residents will not be discriminated against for exercising their privacy rights. To exercise these rights, contact [email protected].
Other US states
Residents of Virginia, Colorado, Connecticut, Texas, and other states with applicable privacy laws may exercise equivalent rights by contacting [email protected].
14. Changes to This Policy
When we update this policy we will update the date at the top of this page and notify active users by email of any material changes at least 30 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
15. Contact
For any question, request, or complaint regarding this policy or your personal data:
Email: [email protected]
Post: [FULL LEGAL NAME], [REGISTERED ADDRESS], [POSTAL CODE] [CITY], Poland
Placeholders to complete before publishing
[FULL LEGAL NAME]— your registered first and last name[REGISTERED ADDRESS], [POSTAL CODE], [CITY][NIP NUMBER]— Polish tax identification number[REGON NUMBER]— statistical number from CEIDG[HOSTING PROVIDER]— e.g. Hetzner, Fly.io, AWS[COUNTRY]for hosting provider[ADEQUACY / SCCs]for hosting provider