GDPR Compliance

You are the data controller. We are the data processor. We process the email addresses you submit only on your documented instructions, for the sole purpose of verifying them.

You must have a lawful basis (Article 6) to upload addresses for verification. Most customers rely on legitimate interest (Article 6(1)(f)) — verifying a list you're legally entitled to email. We do not validate your basis; that's your responsibility.

End-users have the right to:

• Access their data
• Rectify inaccurate data
• Erase data ("right to be forgotten")
• Restrict or object to processing
• Data portability

When end-users contact you, you can fulfill these rights through your dashboard or by emailing privacy@killbounce.com. We'll respond within 30 days.

By default, we process data in EU regions for EU customers. Cross-border transfers (e.g. to US-based subprocessors) are covered by Standard Contractual Clauses (SCCs).

A complete, current list of subprocessors is published at /compliance. We'll notify customers 30 days before adding any new subprocessor.

In the unlikely event of a personal data breach, we'll notify affected customers within 72 hours of becoming aware of it, with all details required by Article 33.

Email legal@killbounce.com with your company name to receive our pre-signed DPA (which incorporates SCCs by reference). We countersign and return within 1 business day.