This Privacy Policy explains how Postelist (“Postelist”, “we”, “us”, or “our”) collects, uses, and protects personal data when you use our email verification and mail-infrastructure diagnostics services (the “Service”). Postelist is established in Hong Kong and operates the Service globally.
Email verification is, by its nature, a service that processes personal data. We take that seriously. This Policy sets out the roles the parties play under applicable data-protection law, what we collect, why, how long we keep it, and the rights available to data subjects.
1. Our Role Under Data-Protection Law
Submitted verification data (addresses, domains, IPs). When you submit email addresses, sending domains, or IPs to the Service for verification or blacklist monitoring, you are the controller (or, under the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”), the data user) of that personal data. Postelist acts as a processor on your documented instructions as expressed in our Terms of Service, our Data Processing Agreement, and the dashboard configuration you select. You are responsible for establishing a lawful basis for each submission.
Account, billing, and telemetry data. With respect to your account information, billing records, and usage telemetry, Postelist acts as an independent controller and determines the purposes and means of processing.
2. Information We Collect
Account information. When you create an account, we collect your name, email address, password hash, and, where you sign in through a third-party identity provider such as Google, the identifier and profile fields that provider returns.
Verification data. When you submit an email address, domain, or IP for checking, we transmit only what is technically necessary to the provider of record or DNSBL in order to determine deliverability or listing status. We retain the submitted value, the verdict, the provider or DNSBLs consulted, SMTP and reason codes, and a timestamp for operational, auditing, accuracy, and abuse-prevention purposes. Verification requests submitted via the API are logged with the requesting key and source IP.
Billing information. Payments are processed by a third-party payment provider. We receive a transaction reference, the amount, currency, and the last four digits of the instrument used; we do not store full card numbers or CVV codes.
Usage data. We automatically collect information about how you interact with the Service, including IP address, browser type, device identifiers, request timestamps, pages viewed, and API traffic patterns. This information is used for security, abuse-prevention, and product-improvement purposes.
Support communications. If you contact us for support, we retain the correspondence and any information you provide in connection with it.
3. How We Use Information
- To provide, maintain, monitor, and improve the Service.
- To process verifications and diagnostic checks you submit and return the results to you.
- To detect, investigate, and prevent fraud, abuse of the Service, violations of our Terms, and threats to the security of the Service, our customers, or upstream mailbox providers. This includes rate-limiting, anomaly detection, and cooperation with mailbox providers, anti-abuse organisations (including Spamhaus), and law-enforcement agencies.
- To process payments, issue receipts, and prevent fraudulent transactions.
- To communicate with you about your account, changes to the Service, security advisories, and product announcements you have subscribed to.
- To monitor and improve classification accuracy using aggregated, de-identified signals.
- To comply with legal obligations and to enforce our Terms.
4. Legal Bases
Where the UK GDPR or EU GDPR applies, we rely on the following legal bases in our capacity as controller of account, billing, and telemetry data: performance of a contract (to provide the Service you have requested); legitimate interests (to secure, maintain, and improve the Service, and to prevent abuse); consent (where you have opted in, for example to marketing emails); and compliance with legal obligations.
Where the PDPO applies, we collect and use personal data for purposes directly related to the provision of the Service, for billing and security purposes, and for purposes otherwise permitted by the PDPO.
Where the California Consumer Privacy Act (CCPA) or other US state privacy laws apply, we treat you as a “consumer” with the rights described in Section 9 below, and we act as a “service provider” (or equivalent) with respect to verification data.
With respect to verification data that you submit, you are responsible for establishing and documenting the lawful basis on which you rely and for providing required notices to the data subjects.
5. Sharing and Disclosure
We do not sell personal data. We share personal data only with:
- Mailbox providers and DNSBLs—to perform the verification or listing check you have asked for. Only the address, domain, or IP being queried, and technically required protocol data, are transmitted.
- Service providers—hosting, content-delivery, payment processing, email delivery, and authentication providers acting under contract and bound to use the data only for the purposes we specify and to apply appropriate safeguards.
- Legal authorities—where we are required to do so by law, court order, or valid legal process, or to protect the rights, property, or safety of Postelist, our users, or the public.
- Anti-abuse partners—where we have a reasonable, good faith belief that disclosure is necessary to investigate or prevent spam, phishing, fraud, or other abuse that could harm mailbox providers, other customers, or individual recipients.
- Successors—in connection with a merger, acquisition, or sale of assets, subject to continuity of this Policy’s protections.
6. Sub-Processors
Postelist engages a limited number of sub-processors to help operate the Service, including cloud infrastructure providers, our payment processor, and our transactional-email provider. Sub-processors are bound by contractual obligations no less protective than those in this Policy. The current list of sub-processors, together with the notification process for changes, is set out in Annex 3 of our Data Processing Agreement.
7. Retention
Account data is retained for as long as your account is active and for a reasonable period afterwards to resolve disputes, satisfy legal, tax, and accounting obligations, and prevent abuse. Verification records (submitted addresses, verdicts, and associated metadata) are retained for up to twenty-four (24) months, after which addresses are deleted or irreversibly hashed while non-personal aggregates may be retained indefinitely. Blacklist monitor history is retained for the life of the monitor and up to twelve (12) months after its deletion. Security and abuse logs are retained for up to thirty-six (36) months. You may close your account at any time from the dashboard, which triggers deletion of account data on the schedule above.
8. Security
We apply administrative, technical, and physical safeguards designed to protect personal data, including TLS-in-transit encryption, secrets management, scoped API keys, restricted access on a least-privilege basis, segmented production networks, and regular patching of our infrastructure. Passwords are stored using industry-standard key-derivation hashing. Despite these measures, no method of transmission or storage is perfectly secure; we cannot guarantee absolute security. You must promptly notify us at security@postelist.com if you suspect unauthorised access to your account.
9. Your Rights
Depending on your jurisdiction, you may have the right to access, correct, delete, or port your personal data; to object to or restrict certain processing; and to withdraw consent where processing is based on consent. Under the PDPO you have a right to request access to and correction of your personal data. Under the UK/EU GDPR and the CCPA you have additional rights including data portability and the right not to be discriminated against for exercising your rights. To exercise any of these rights, contact us at privacy@postelist.com. You also have the right to lodge a complaint with a supervisory authority, including the Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD), the UK Information Commissioner’s Office (ICO), or your local equivalent.
If you are the subject of a verification request submitted by a customer of Postelist and wish to exercise rights in relation to that processing, please contact the customer (the controller) directly. We will assist the customer promptly where required.
10. International Transfers
Postelist is based in Hong Kong and operates infrastructure and sub-processors in multiple jurisdictions. Where personal data is transferred across borders we rely on appropriate safeguards, including the UK International Data Transfer Addendum, the EU Standard Contractual Clauses (with supplementary measures where required), and transfer mechanisms recognised under the PDPO. A copy of the relevant safeguards is available on request.
11. Cookies and Local Storage
We use cookies and browser local storage to keep you signed in, to remember preferences, and to measure use of the Service. Strictly necessary cookies are set without consent; analytic or preference cookies are set only where your consent is required and given. You can clear cookies at any time from your browser settings, though doing so may affect functionality.
12. Automated Decision-Making
Verification verdicts are produced by automated heuristics and provider-response interpretation. These are not used to make decisions that produce legal or similarly significant effects concerning you as an individual. You acknowledge that verdicts are probabilistic and that Postelist does not recommend using a verdict alone to deny service to any individual data subject.
13. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
14. Changes to this Policy
We may update this Policy from time to time. Material changes will be reflected by updating the “Last updated” date and, where appropriate, by notice to account holders. Continued use of the Service after the effective date constitutes acceptance of the revised Policy.
15. Contact
Privacy enquiries and requests to exercise data-subject rights should be sent to privacy@postelist.com. Security reports should be sent to security@postelist.com. Abuse reports should be sent to abuse@postelist.com.