GDPR Statement

Last updated: June 2, 2026

This page summarises how KillBounce approaches the EU General Data Protection Regulation (Regulation (EU) 2016/679) and the UK GDPR. It is intended as the trust-page overview that procurement, security, and DPO teams typically ask for during vendor review. For the full legal detail, see our Privacy Policy, our Data Processing Agreement, and our list of Subprocessors.

1. Our commitment to GDPR

KillBounce is an email verification platform based in India, providing a pay-as-you-go service to customers worldwide. Where our customers or the individuals whose addresses they verify are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we treat the GDPR and UK GDPR as the baseline standard for how we handle personal data — regardless of whether a given customer asks us to.

In substantially all cases involving customer-uploaded email lists, KillBounce acts as a data processor and the customer acts as the data controller. For our own account holders (people who sign up to use the dashboard, pay invoices, or contact support), we act as the controller for that limited set of account data. The division of responsibilities, security obligations, sub-processor terms, and Standard Contractual Clauses applicable to the processor relationship are set out in our Data Processing Agreement, which is incorporated by reference into our Terms of Service and binds both parties on signup.

We do not claim certifications we do not hold. KillBounce is not currently SOC 2, ISO 27001, or HIPAA certified. We describe what we actually do for security and privacy in plain terms in this document, in the Privacy Policy, and in the DPA, so that buyers can make an informed risk decision.

2. Lawful basis for processing

Article 6 of the GDPR requires a lawful basis for every processing activity. Because KillBounce processes data in two distinct capacities (controller for account data, processor for customer-uploaded lists), the lawful basis depends on the activity.

(a) Customer-uploaded email lists (processor activity). When you upload a list to be verified, we process those addresses solely on your documented instructions to perform the verification service. The lawful basis on which the underlying personal data may be processed at all is the controller's (i.e., your) responsibility under Article 6. In practice, B2B customers typically rely on legitimate interests (Article 6(1)(f)) to verify the deliverability of addresses they have a pre-existing relationship with or have collected through lawful lead generation. We do not assess or validate your lawful basis; our Acceptable Use Policy requires you to represent that one exists.

(b) Account creation and authentication (controller activity). When you create a KillBounce account using email and password, Google OAuth, or GitHub OAuth, we process your account identifiers and authentication tokens to perform our contract with you under Article 6(1)(b). Passwords are stored hashed with bcrypt and never in plaintext.

(c) Billing and payments (controller activity). Payment processing is performed by Dodo Payments as merchant of record. We process invoice metadata (amount, credit balance, transaction reference) on the basis of contract performance under Article 6(1)(b) and of compliance with our tax and accounting obligations under Article 6(1)(c).

(d) Transactional email (controller activity). Confirmation, receipt, security, and service notification emails are sent via Resend on the basis of contract performance (Article 6(1)(b)). Marketing email, where any is sent, is sent only on the basis of consent (Article 6(1)(a)) and is independently withdrawable.

(e) Service security, abuse prevention, and product analytics (controller activity). We keep application logs, rate-limit counters, and aggregate usage statistics on the basis of legitimate interests under Article 6(1)(f) — specifically, the interest in operating a stable, abuse-resistant verification service. We minimise these logs and do not sell or share them.

3. Data subject rights

The GDPR gives individuals a set of rights over their personal data: the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), objection (Art. 21), and the right not to be subject to solely automated decision-making with legal or similarly significant effects (Art. 22). EU and UK residents also have the right to lodge a complaint with their supervisory authority.

If you are a KillBounce account holder, you can exercise most of these rights directly from your dashboard — export your data, update your profile, or delete your account. For anything that cannot be done in-product, email privacy@getkillbounce.com and we will respond within 30 days as required by Article 12(3), with one extension of up to two further months for genuinely complex requests.

If you are an end user whose email address appears on a customer's uploaded list, KillBounce is processing your data only on the instructions of that customer (the controller). Please address your request to the customer first. If you are unable to identify or reach them, you may contact us at privacy@getkillbounce.com and we will use reasonable efforts to forward the request to the relevant controller, or — if the seven day retention window has expired — confirm that we no longer hold the data. A more detailed breakdown of each right and how it applies is set out in our Privacy Policy.

4. Data Processing Agreement (DPA)

Article 28 of the GDPR requires a written contract between controller and processor that covers specific topics — subject matter, duration, nature and purpose, type of personal data, categories of data subjects, and the controller's rights and obligations. Our DPA satisfies these requirements and incorporates the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) for module two (controller to processor) and the UK ICO's International Data Transfer Addendum where applicable.

You do not need to send us a separate DPA request. Our DPA is pre-executed and applies automatically to every paying customer on account creation, as a term of our Terms of Service. There is no negotiation step, no countersignature delay, and no additional fee. This is intentional: customers should not have to chase a vendor for a basic Article 28 contract before they can use the product. If your procurement process requires a separately countersigned copy on your letterhead or paper, email legal@getkillbounce.com with the document and we will return it signed within one business day at no charge.

The DPA covers the full lifecycle of customer-uploaded list data: the seven day retention window for uploaded addresses and per-row verification results, the lifetime aggregate counters retained on the user record, the security measures we apply, our use of sub-processors, audit rights, and the procedure for returning or deleting data on termination.

5. Subprocessors

KillBounce relies on a small, deliberately short list of sub-processors to deliver the service. As of the date of this statement, our sub-processors are Webdock (VPS hosting and self-hosted Postgres in the EU), Vercel (frontend hosting and edge CDN), Cloudflare (DNS and edge protection), Dodo Payments (payment processing as merchant of record), Resend (transactional email delivery), and the Google and GitHub OAuth services used at your election for authentication. Redis cache and Celery workers are self-hosted on the same Webdock VPS and are not separate sub-processors.

The authoritative, current list — including each sub-processor's role, processing location, and the personal data categories it sees — is maintained at /subprocessors. Under our DPA, we will give customers prior notice of any new or replacement sub-processor and a reasonable window to object before the change takes effect.

6. International transfers

KillBounce is established in India, and India is not currently the subject of a European Commission adequacy decision under Article 45 of the GDPR. Transfers of personal data from the EEA, the UK, or Switzerland to KillBounce in India accordingly rely on appropriate safeguards under Article 46.

The safeguard we use is the 2021 Standard Contractual Clauses adopted by the European Commission (Commission Implementing Decision (EU) 2021/914), in their controller-to-processor configuration (module two). For UK transfers we use the UK ICO's International Data Transfer Addendum. Both are incorporated by reference into our DPA and execute automatically alongside it. We have also conducted a transfer impact assessment covering the practical risk of public authority access in India; that assessment is available on request to enterprise customers under NDA.

Onward transfers to sub-processors located outside the EEA, UK, or Switzerland (for example, US-based edge components of Vercel or Cloudflare) are likewise covered by the SCCs, by the relevant sub-processor's own EU representative arrangements, or by their certification under the EU-US Data Privacy Framework where applicable.

7. Personal data breach notification

Article 33 of the GDPR requires a processor to notify the controller without undue delay after becoming aware of a personal data breach, and a controller to notify its supervisory authority within 72 hours where the breach is likely to result in a risk to the rights and freedoms of natural persons. Article 34 requires notification to affected data subjects where the risk is high.

KillBounce commits, as a binding term of our DPA, to notify affected customers without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting their data. The notification will include, to the extent then known, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it and to mitigate possible adverse effects.

We will assist controllers, at their reasonable request, in meeting their own Article 33 and 34 notification obligations, including by providing the information necessary to file a supervisory authority report and by preparing data subject notifications where required.

8. Data Protection Officer

KillBounce is not required to formally appoint a Data Protection Officer under Article 37 of the GDPR — our core activities do not consist of large-scale, regular and systematic monitoring, nor of large-scale processing of special category data. Nonetheless, we designate a dedicated privacy contact who is accountable for GDPR matters and available to data subjects, customers, and supervisory authorities.

Our Data Protection Officer can be reached at dpo@getkillbounce.com. Messages to that address are reviewed by the KillBounce privacy team. We aim to respond within two business days for general questions and within the GDPR-mandated timeframes for formal rights requests and breach matters.

9. Records of processing

Article 30 requires both controllers and processors to maintain records of processing activities. KillBounce maintains the records required by Article 30(1) (for our controller activities — account, billing, and transactional communications) and Article 30(2) (for our processor activities — verification of customer-uploaded lists).

These records are kept internally and are not published in full, because they include information about our security architecture. They are made available to a competent supervisory authority on request, in line with Article 30(4), and we will provide relevant excerpts to enterprise customers under NDA where reasonably necessary for their own compliance.

10. EU representative

Article 27 of the GDPR generally requires a non-EU controller or processor that is caught by Article 3(2) to designate, in writing, a representative within the Union. The obligation does not apply where the processing is occasional, does not include large-scale processing of special category or criminal data, and is unlikely to result in a risk to the rights and freedoms of natural persons (Art. 27(2)(a)).

KillBounce launched in June 2026 and our EU processing currently qualifies as occasional under Article 27(2)(a). We have not yet appointed an EU representative, and we say this transparently rather than name a placeholder. We will appoint an EU representative when our processing of EU resident data ceases to qualify as occasional or when the volume of our EU customer base materially grows — whichever happens first — and we will update this statement and notify affected customers when that appointment is in place.

In the meantime, EU and UK data subjects can reach us directly at dpo@getkillbounce.com, and the absence of an appointed representative does not limit any of the rights or remedies available to them under the GDPR, including the right to lodge a complaint with a supervisory authority.

11. Contact

For GDPR, data subject rights, breach notifications, and any other privacy-related matter, the primary contact is dpo@getkillbounce.com.

For DPA countersignature, SCC paperwork, or other contract questions, email legal@getkillbounce.com. For general privacy inquiries, privacy@getkillbounce.com. For product and billing questions, support@getkillbounce.com.

KillBounce is based in India. Disputes relating to our Terms of Service are governed by the laws of India and subject to the courts of Bengaluru, except that disputes relating specifically to our DPA and to compliance with the GDPR are governed by the law and jurisdiction specified in the DPA and the Standard Contractual Clauses incorporated into it.