Privacy Policy

Who we are

vrfymail is a service of Server Management LLC (doing business as Wiremo), a Delaware limited liability company. Registered address: 1201 N Orange St, STE 700, Wilmington, DE 19801, United States. Server Management LLC is the data controller for personal data processed through the service.

Privacy-related questions, data-subject access requests, and deletion requests: contact our privacy team . For product, billing, or sales: use the vrfymail sales address .

What we collect

Account data

When you sign up: your email address, optionally your name and avatar URL (if you sign in with Google or GitHub), and a hashed record of your sign-in methods. We never store passwords because we don't use them — sign-in is via Google, GitHub, or a one-time code emailed to you.

Session data

Each time you sign in we store an opaque session token (hashed), the timestamp, your IP address, and the User-Agent string. This lets us show "active sessions" in your account settings and invalidate stolen tokens. Sessions expire after 30 days.

API usage

For every /v1/check and /v1/report-bounce call we log: the email address you submitted, the verdict we returned, latency, and a timestamp. This is the audit log you see at /dashboard/logs. Retention is plan-dependent (7 days on Free, longer on paid).

Bounce reports

Email addresses you forward to us via /v1/report-bounce or an ESP webhook are stored in your per-customer overlay so future verifies of those addresses (by your key only) return previously_bounced. Bounce reports are not shared with other customers.

Safe-domain allowlist

Domains you mark as safe via /v1/safe-domains or /dashboard/safe-domains are stored against your account along with the optional note you provided. Used only to short-circuit verifies for those domains to customer_safelisted. Per-account; never shared with other customers and never used to train shared classifiers.

What we don't collect

• The contents of any email message — only the address being verified.
• Tracking pixels, third-party advertising cookies, or any analytics SDK on the API path.
• Your billing card number — when paid plans launch, that lives entirely with Stripe.

Where it lives

All data is stored on Cloudflare's infrastructure (D1 + KV + Workers), in their global edge network. We do not move your data outside Cloudflare for processing. Cloudflare's own privacy policy applies to their handling.

Third parties we share data with

• Resend — transactional email provider. We send your sign-in code via Resend, which means Resend sees your email address and the code we sent you. Read their privacy policy.
• Spamhaus — DNS-based blocklist. When you verify a domain, we query <hash>.dbl.dq.spamhaus.net via Cloudflare's resolver. Spamhaus sees the domain (not the full email address) and the timestamp of the query.
• Google + GitHub — OAuth identity providers (only when you choose to sign in with them). They pass us your email + profile info. We never receive your password.
• Google Tag Manager + Google Analytics — analytics, only if you accept cookies. GTM loads tags that may set cookies (e.g. _ga, _ga_*) used to count unique visitors and pageviews. We use Google Consent Mode v2 — if you reject the banner, these tags load with all storage denied and no analytics cookies are written.

We don't sell, rent, or trade your data with anyone outside this list.

Cookies & analytics

We use two categories of cookies:

• Essential — mv_session (your sign-in session, HttpOnly, 30 days) and vrfy_consent (records your cookie-banner choice for 1 year). These can't be disabled because they're required for the site to work.
• Analytics — set by Google Analytics via Tag Manager only after you click Accept all on the cookie banner. Identifies your browser anonymously (not your account) so we can count pageviews and signup-funnel drop-off.

You can change your mind anytime:

Your rights

• Access — everything we store about you is visible at /dashboard. For the audit log, see /dashboard/logs.
• Export — email us and we'll send you a JSON dump of every row we have keyed to your account, within 7 days.
• Deletion — same email, same response window. Account + every related row gets dropped. Anonymized statistics (e.g. "10 verifies hit DBL today") may be retained.
• Correction — your email is the primary key. To change it, delete your account and re-sign-up with the new one (we'll automate this when there's enough demand).

Security

API keys are stored as SHA-256 hashes; the raw value is shown once at creation and never persisted in plaintext. Session tokens are hashed too. Inbound traffic is HTTPS-only. Outbound calls to Spamhaus / Resend / Google / GitHub use TLS. We do not have a SOC 2 report yet — when paid plans land, that will follow.

Children

vrfymail is a developer tool. We don't knowingly collect data from anyone under 16. If you believe a minor has signed up, email us and we'll delete the account.

Changes

We'll update this page with a new "last updated" date when anything substantive changes. For breaking changes (new sub-processors, new categories of data) we'll email account holders before the change takes effect.

Contact

Questions, requests, complaints — contact our team . We aim to respond within 3 business days.