BounsoBounso

Privacy Policy

Last updated: May 11, 2026

This policy explains what personal data Bounso collects when you use our email verification service, how we use it, who we share it with, and the rights you have over it. We’ve written it in plain English. If something here is unclear, please contact us.

Who we are

Bounso is an email verification service operated by Brisk Birds LLC, a company organized in the United States. In this policy, “Bounso”, “we”, “us”, and “our” refer to Brisk Birds LLC.

For European data protection law, Brisk Birds LLC is the “controller” of personal data you provide about yourself (your account email, billing details, etc.). For email lists you upload to be verified, you are the controller and we act as a “processor” on your behalf under our Data Processing Addendum.

Personal data we collect

We collect personal data in a few categories:

Account data

  • Your email address and (optionally) full name
  • Authentication credentials (managed by our auth provider; we never see your raw password)
  • Your account preferences, plan, and credit balance

Billing data

  • Plan and subscription information
  • Payment method tokens held by Stripe (we don't see full card numbers)
  • Invoice and tax information

Usage data

  • IP address and approximate location
  • Browser type, device, and operating system
  • Pages visited, features used, and timestamps
  • API request volume and verification activity

Support data

  • The contents of support tickets, feedback, and bug reports you submit to us

Email data we process

When you use Bounso to verify email addresses, you upload one or more email addresses (a “list”). For each address we:

  • Look up the domain's MX records over DNS
  • Establish an SMTP connection to the destination mail server and probe for the address
  • Optionally use third-party APIs (Google, Microsoft) to detect catch-all and provider-level signals
  • Record the verification verdict, score, and metadata

We don’t send messages to the addresses. We don’t use uploaded lists to market to anyone. We don’t resell the data. Lists you upload are processed under your control as the controller, governed by our DPA.

How we use your data

  • To provide the verification service you signed up for
  • To process payments and bill for usage
  • To maintain account security and detect abuse
  • To communicate operational notices about your account (e.g., billing receipts, security alerts)
  • To improve product quality (aggregate, non-identifying metrics)
  • To respond to support requests
  • To comply with legal obligations

We do not sell your personal data, and we do not share it with third parties for their own marketing purposes.

Lawful basis (GDPR)

For users in the EU, UK, and Switzerland, we rely on the following lawful bases under the GDPR:

  • Performance of a contract — to deliver the service you agreed to when you signed up.
  • Legitimate interests — to operate, secure, and improve the service, prevent abuse, and process aggregate usage analytics, where these interests are not overridden by your rights.
  • Legal obligation — to keep tax/accounting records and to respond to lawful requests from authorities.
  • Consent — for any processing where we ask for it explicitly (e.g., optional analytics cookies).

California residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the CPRA:

  • The right to know what personal information we collect and how we use it
  • The right to request deletion of your personal information
  • The right to correct inaccurate personal information
  • The right to opt out of the sale or sharing of personal information (Bounso does not sell or share your personal information for cross-context behavioral advertising)
  • The right to limit the use of sensitive personal information (Bounso does not use sensitive personal information for purposes beyond providing the service)
  • The right to non-discrimination for exercising any of these rights

To exercise any of these rights, email privacy@bounso.com. We may need to verify your identity before fulfilling the request.

Sub-processors and sharing

We share personal data only with vendors that help us operate the service. These sub-processors are bound by contractual confidentiality and security obligations and are limited to processing data on our instructions.

  • Stripe — payment processing and billing
  • Supabase — managed database and authentication
  • Contabo — server hosting for our verification workers
  • Google — provider-level signals for the People API during catch-all verification
  • Microsoft — provider-level signals for Microsoft 365 / Outlook verification
  • SMTP destination servers — we connect to the recipient’s mail server (e.g., Gmail, Outlook) as part of verification; that server processes the lookup

A current list of sub-processors is maintained at our DPA. We’ll notify customers of material changes in advance.

We may also disclose personal data if required by law, court order, or to protect the rights, property, or safety of Bounso, our customers, or others.

Data retention

We keep data only for as long as we need it for the purposes set out in this policy or as required by law.

  • Verification results: retained for 90 days from the date of verification, then deleted or anonymized. Cached results may be served to you during this window to avoid charging you twice for the same address.
  • Account data: retained for as long as your account is active and for a reasonable period afterward to handle disputes, refunds, and legal obligations.
  • Billing records: retained for as long as required by tax and accounting law (typically 7 years in the United States).
  • Support tickets: retained for the duration of your account and a reasonable archive period.
  • Logs and analytics: retained in identifiable form for up to 12 months, then aggregated.

When you delete your account, we delete or anonymize your personal data within 90 days, except for records we’re legally required to keep.

International data transfers

Bounso’s servers and core sub-processors are located in the United States. If you access the service from outside the US, your personal data will be transferred to and processed in the US.

For customers in the European Economic Area, the United Kingdom, and Switzerland, we rely on the European Commission’s Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and equivalent mechanisms to provide a lawful basis for the transfer. A copy of the SCCs is available on request.

Security

We use technical and organizational measures to protect personal data, including:

  • Encryption in transit (TLS) for all customer-facing traffic
  • Encryption at rest for stored verification data and account records
  • Role-based access controls and the principle of least privilege
  • Audit logging of administrative actions
  • Regular review of vendor security postures

No system is perfectly secure. If we become aware of a personal data breach that affects you, we’ll notify you and the relevant authorities as required by applicable law.

Your rights

Depending on where you live, you may have the following rights over your personal data:

  • Access — a copy of the personal data we hold about you
  • Rectification — correction of inaccurate or incomplete data
  • Erasure — deletion of your data (subject to legal retention)
  • Restriction — to limit how we process your data
  • Portability — to receive your data in a structured, machine-readable format
  • Objection — to processing based on our legitimate interests
  • Withdrawal of consent — where we rely on consent, you can withdraw it at any time
  • Complaint — you can lodge a complaint with your local data protection authority

To exercise any of these rights, email privacy@bounso.com. We’ll respond within 30 days (or sooner where required by law). We may ask you to verify your identity first.

Cookies

We use a small number of cookies to keep you signed in and to operate the service. These are strictly necessary for the service to work and do not require consent under GDPR/ePrivacy.

We may also use privacy-respecting analytics to understand aggregate product usage. Where consent is required by law, we’ll ask for it via a banner on your first visit.

Children's data

Bounso is a B2B service and is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we’ll delete it.

Changes to this policy

We may update this policy from time to time. If we make material changes, we’ll notify you by email or via a prominent notice in the product before the change takes effect. The “Last updated” date at the top reflects the most recent revision.

Contact us

For privacy questions or to exercise your rights: