1. Overview
MailSift is operated by NORTHPIN INC ("we", "us", "our"). This policy describes what data we collect when you use the MailSift platform, what we do with it, and how you can exercise your rights as a data subject.
We design our product to collect the minimum data needed to run a high-quality verification API. We do not sell personal data, ever.
2. Data we collect
Account data: name, email, and hashed password when you create an account; or the OAuth subject identifier if you sign in via Google or GitHub.
Billing data: card last-4 digits, billing address, and invoice records. Payment is processed by Stripe; we never receive or store full card numbers.
Verification inputs: email addresses you submit via the API or dashboard, along with metadata required to perform the check (timestamp, requesting key, request size).
Operational logs: IP address, user-agent, request paths, and error codes, retained for 30 days for security and debugging.
3. How we use your data
To provide the service — running verifications, returning results, and billing your account.
To improve reliability — aggregate statistics on latency, error rates, and abuse patterns (no individual user identifiers).
To send service-related communications — billing receipts, security alerts, and incidents. We do not send marketing email by default.
4. Retention
Account data is retained for the lifetime of your account plus 90 days after deletion to satisfy financial-record requirements, then erased.
Verification results are retained for 90 days by default. You may purge them sooner from the dashboard or via the API. Bulk job CSVs are deleted automatically 90 days after the job completes.
Operational logs (IP, user-agent) are kept for 30 days, then rotated out.
5. Who we share with
Sub-processors: Stripe (payments), AWS (infrastructure, us-east-1 / eu-west-1), Sentry (error monitoring), Postmark (transactional email). A full, current list is available on request.
Legal requests: we will not voluntarily disclose customer data. We comply with valid legal process and notify customers unless prohibited.
6. Your rights
You may request access to, correction of, export of, or deletion of your data at any time by emailing [email protected]. We respond within 30 days.
If you are in the EU/UK/EEA, you have additional rights under the GDPR, including the right to lodge a complaint with your supervisory authority.
7. International transfers
If you are based outside the United States, your data may be processed in the United States. We rely on Standard Contractual Clauses (SCCs) for transfers from the EU/UK to the US.
8. Children
MailSift is not directed at children under 16 and we do not knowingly collect personal data from anyone under 16.
9. Changes to this policy
We will email you at least 14 days before any material change becomes effective. The effective date at the top of this page reflects the current version.
10. Contact
Privacy questions: [email protected].