Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Lanos Technologies Pvt. Ltd. ("Processor", "we", "us") and the entity or individual agreeing to these terms ("Controller", "you"). This DPA governs how we process personal data on your behalf when you use InboxCheck.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable individual.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data.
- "Data Subject" means the individual whose Personal Data is processed.
2. Scope of Processing
We process the following categories of data on your behalf:
- Email addresses - submitted for verification. These are immediately hashed using SHA-256 and never stored in raw form.
- Verification results - Safe, Risky, or Unsafe verdicts associated with the SHA-256 hash.
- Usage metadata - timestamps and daily verification counts for rate limiting.
We do NOT process names, physical addresses, financial data, or any sensitive personal data categories.
3. Processing Purposes
Personal Data is processed solely for:
- Providing email verification results to you
- Enforcing rate limits and preventing abuse
- Generating aggregated, anonymized analytics
- Maintaining and improving the Service
4. Data Security Measures
We implement the following technical and organizational measures:
- Encryption at rest: All data is encrypted at rest using AES-256.
- Encryption in transit: All communications use TLS 1.2 or higher.
- Pseudonymization: Email addresses are SHA-256 hashed before storage. Raw email addresses are never persisted.
- Access control: Row-Level Security (RLS) is enabled on all database tables. Service keys are rotated regularly.
- Edge computing: Verification processing occurs on Cloudflare's edge network with smart placement for minimal data transit.
- Monitoring: Automated alerting for anomalous access patterns.
5. Sub-processors
We use the following sub-processors. We will notify you 30 days before adding new sub-processors.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase (AWS) | Authentication, database | US East (Virginia) |
| Cloudflare | Edge compute, CDN | Global (Smart Placement) |
| Upstash | Redis caching of hashed results | US East (Virginia) |
6. Data Retention & Deletion
- Cached verification results are retained for 30 days, then automatically purged.
- Verification history logs are retained for 90 days.
- Account data is retained until the Controller deletes their account.
- Upon account deletion, all associated Personal Data is permanently deleted within 30 days.
7. Data Subject Rights
We will assist the Controller in responding to Data Subject requests, including:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to data portability
- Right to restriction of processing
Please contact us at admin@inboxcheck.io for Data Subject requests.
8. International Transfers
Personal Data may be transferred to and processed in countries outside the Controller's jurisdiction. All transfers are protected by:
- Standard Contractual Clauses (SCCs) with sub-processors
- Sub-processor compliance certifications (SOC 2, ISO 27001 where applicable)
- Technical measures (encryption, pseudonymization) ensuring equivalent protection
9. Breach Notification
In the event of a data breach affecting Personal Data, we will:
- Notify the Controller within 72 hours of becoming aware of the breach
- Provide details of the nature, scope, and likely consequences of the breach
- Describe the measures taken or proposed to address the breach
10. Audit Rights
The Controller may audit our compliance with this DPA upon reasonable written notice. We will provide necessary information and assistance for such audits. Audits shall be conducted no more than once per year and during normal business hours.
11. Term & Termination
This DPA continues for as long as we process Personal Data on the Controller's behalf. Upon termination of the Service, we will delete or return all Personal Data within 30 days, unless retention is required by law.
12. Contact
Lanos Technologies Pvt. Ltd.
Silver Square, Dattatray Road, Santacruz West, Mumbai, India
Data Protection Contact: admin@inboxcheck.io