GDPR Compliance
Last updated: 2026-07-13
This page is a plain-language summary of how skink meets its obligations under the EU General Data Protection Regulation and UK GDPR. It is provided for convenience. Where anything here conflicts with our Privacy Policy or Data Processing Agreement ("DPA"), those documents govern.
1. Our Roles
Two categories of data are processed under the Service, in different roles:
- Account data (your name, email, billing details) — skink is the data controller.
- Submitted address data (the email addresses you send to our API for verification) — you are the controller, and skink acts solely as a data processor on your documented instructions. This relationship is governed by our DPA, incorporated by reference into our Terms of Service.
2. Legal Basis for Processing
- Account data is processed under contract performance (Art. 6(1)(b)) — to provide the Service you signed up for.
- Submitted address data is processed on the legitimate interest of, and under the documented instructions of, our customer, per Art. 6(1)(f). Customers warrant that they hold an independent lawful basis for every address they submit.
3. Data Minimization
We collect only what the Service requires to operate: account and billing details, and the email addresses you choose to submit. We do not request a phone number, physical address, or government ID, and we do not enrich submitted addresses with names, job titles, or other identity data.
4. Your Rights
Subject to the conditions and exceptions set out in the GDPR, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate personal data.
- Request erasure of your personal data.
- Restrict or object to certain processing.
- Receive your personal data in a portable format.
- Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects. The deliverability verdict our Service returns is an automated output provided to our customer for its own use; skink does not itself use that output to make such a decision.
To exercise any of these rights, contact `privacy@skink.dev`. Because submitted address data is identified by a hash rather than a name, please include the specific email address at issue. We respond within 30 days, and route requests concerning submitted address data to the customer that submitted it where we are acting as a processor. You also have the right to lodge a complaint with your local supervisory authority.
5. International Transfers
Our infrastructure is hosted with a United States provider; skink is operated from India. Personal data originating in the EEA, UK, or Switzerland that reaches this infrastructure is transferred outside the EEA/UK under GDPR/UK GDPR Chapter V. We rely on the Standard Contractual Clauses (2021 EU SCCs, Module Two: Controller to Processor) and the UK International Data Transfer Addendum to govern these transfers, annexed to our DPA.
6. Retention
Verification records are deleted on a schedule each customer sets in its own account settings, from 1 to 90 days (7 days by default). See our Data Retention page for the full schedule by data type.
7. Security Measures
Submitted addresses are hashed by default; plaintext storage is opt-in, encrypted at rest, and off unless a customer turns it on. See our Security page for the full description of the technical and organizational measures we apply.
8. Breach Notification
We notify affected customers without undue delay, and in any event within 72 hours of becoming aware, of a personal data breach, per our DPA.
9. Sub-processors
A current list of sub-processor categories is set out in our Privacy Policy; a named, current list is available on request at `privacy@skink.dev`.
10. Data Processing Agreement
Customers that process personal data through the Service should rely on our DPA as the binding agreement governing skink's role as processor. This page summarizes that Agreement and does not modify or supersede it.
11. Contact
GDPR inquiries and Data Subject requests: `privacy@skink.dev`.