Privacy Policy
Last updated May 9, 2026.
Plain-English version: we keep what we need to run the service and bill you for it, nothing more. We don't sell your data. If you want it gone, email us at hi@vrfymail.com and we'll delete it.
What we collect
Account data
When you sign up: your email address, optionally your name and avatar URL (if you sign in with Google or GitHub), and a hashed record of your sign-in methods. We never store passwords because we don't use them — sign-in is via Google, GitHub, or a one-time code emailed to you.
Session data
Each time you sign in we store an opaque session token (hashed), the timestamp, your IP address, and the User-Agent string. This lets us show "active sessions" in your account settings and invalidate stolen tokens. Sessions expire after 30 days.
API usage
For every /v1/verify and /v1/report-bounce call we log: the email address you submitted, the verdict we returned, latency, and a timestamp. This is the audit log you see at /dashboard/logs. Retention is plan-dependent (7 days on Free, longer on paid).
Bounce reports
Email addresses you forward to us via /v1/report-bounce or an ESP webhook are stored in your per-customer overlay so future verifies of those addresses (by your key only) return previously_bounced. Bounce reports are not shared with other customers.
What we don't collect
- The contents of any email message — only the address being verified.
- Tracking pixels, third-party advertising cookies, or any analytics SDK on the API path.
- Your billing card number — when paid plans launch, that lives entirely with Stripe.
Where it lives
All data is stored on Cloudflare's infrastructure (D1 + KV + Workers), in their global edge network. We do not move your data outside Cloudflare for processing. Cloudflare's own privacy policy applies to their handling.
Third parties we share data with
- Resend — transactional email provider. We send your sign-in code via Resend, which means Resend sees your email address and the code we sent you. Read their privacy policy.
- Spamhaus — DNS-based blocklist. When you verify a domain, we query <hash>.dbl.dq.spamhaus.net via Cloudflare's resolver. Spamhaus sees the domain (not the full email address) and the timestamp of the query.
- Google + GitHub — OAuth identity providers (only when you choose to sign in with them). They pass us your email + profile info. We never receive your password.
We don't sell, rent, or trade your data with anyone outside this list.
Your rights
- Access — everything we store about you is visible at /dashboard. For the audit log, see /dashboard/logs.
- Export — email hi@vrfymail.com and we'll send you a JSON dump of every row we have keyed to your account, within 7 days.
- Deletion — same email, same response window. Account + every related row gets dropped. Anonymized statistics (e.g. "10 verifies hit DBL today") may be retained.
- Correction — your email is the primary key. To change it, delete your account and re-sign-up with the new one (we'll automate this when there's enough demand).
Security
API keys are stored as SHA-256 hashes; the raw value is shown once at creation and never persisted in plaintext. Session tokens are hashed too. Inbound traffic is HTTPS-only. Outbound calls to Spamhaus / Resend / Google / GitHub use TLS. We do not have a SOC 2 report yet — when paid plans land, that will follow.
Children
vrfymail is a developer tool. We don't knowingly collect data from anyone under 16. If you believe a minor has signed up, email us and we'll delete the account.
Changes
We'll update this page with a new "last updated" date when anything substantive changes. For breaking changes (new sub-processors, new categories of data) we'll email account holders before the change takes effect.
Contact
Questions, requests, complaints — email hi@vrfymail.com. We aim to respond within 3 business days.
This page is provided as a starting point. It's not legal advice and probably won't survive contact with a real lawyer; review it with one before relying on it for compliance.