GDPR Compliance

Last updated: 2026-05-10

emailzeno is built and operated to be compliant with the EU General Data Protection Regulation (Regulation (EU) 2016/679).

Our role

For data you submit through our API or dashboard (e.g. email lists you upload for verification), we act as a processor. You are the controller. For account, billing, and usage data we collect about you directly, we act as the controller.

Lawful basis

• Contract — providing the verification service you signed up for.
• Legitimate interest — preventing fraud, debugging incidents, securing infrastructure.
• Legal obligation — invoicing and tax records.
• Consent — optional features such as SMS phone verification (only when you opt in).

Data Processing Agreement (DPA)

We offer a standard Data Processing Agreement to all paying customers free of charge. To request the DPA, email [email protected] with your account email and company name. The DPA incorporates the EU Standard Contractual Clauses (SCCs) for any transfers to countries without an adequacy decision.

Sub-processors

The complete list is in our Privacy Policy. We notify customers of any sub-processor change at least 30 days before it takes effect, and you have the right to object.

Data subject rights

If you are an EU/UK resident whose data appears in our system (either as our customer or in a customer's verification list), you have the right to:

• Access — request a copy of the personal data we hold
• Rectification — correct inaccurate data
• Erasure ("right to be forgotten") — request deletion
• Portability — receive your data in machine-readable format
• Restriction — limit processing pending verification
• Objection — object to processing based on legitimate interest
• Withdraw consent — for any feature you opted into
• Lodge a complaint with your national supervisory authority

Email [email protected]. We respond within 30 days; complex requests may take up to 90 days with notice.

Data residency

Our primary infrastructure is hosted in Germany (Hetzner). Verification engine workloads run on EU servers by default. Some sub-processors (Stripe, Cloudflare, Twilio, IPQualityScore) operate from outside the EU; transfers are protected by SCCs and, where applicable, the EU–US Data Privacy Framework.

Security

See our Security page for details on encryption, access controls, and incident response.

Data Protection Officer

Contact: [email protected].

---

Questions? Contact [email protected].