Privacy Policy
Effective date: 2026-08-01 Last updated: 2026-07-13
This Privacy Policy explains how skink ("skink," "we," "us," or "our") collects, uses, discloses, and safeguards information in connection with our email verification API and dashboard (collectively, the "Service"). skink is operated by Sagar Parmar, an individual resident of India — not a registered company. Contact us at `privacy@skink.dev` for any privacy inquiry.
1. Scope and Roles
This Policy covers two categories of data, treated differently:
- Account data — information about you or your organization as our direct customer (name, email, billing details, API usage). For this data, skink is the data controller (GDPR) / data fiduciary (DPDP) / business (CCPA).
- Submitted address data — the email addresses you submit to our API for verification, which typically belong to your own contacts, leads, or customers. For this data, you (our customer) are the controller / data fiduciary / business, and skink acts solely as a data processor (GDPR) / data processor (DPDP) / service provider (CCPA) on your documented instructions. The terms governing this processor relationship are set out in our Data Processing Agreement ("DPA"), incorporated by reference.
2. Information We Collect
- Account data (role: Controller) — name, email address, billing/payment metadata, API key metadata.
- Submitted address data (role: Processor) — email addresses sent to `/v1/verify` and `/v1/bulk`.
- Verification results (role: Processor) — deliverability status, confidence score, signals.
- Technical/usage data (role: Controller) — IP address (for rate limiting and abuse prevention), request logs, timestamps.
We do not request or require any information beyond what is necessary to operate the Service — we do not, for example, ask for a phone number, physical address, or government ID to create an account or verify an email address.
3. How We Process Submitted Email Addresses
- Hashing by default. Submitted addresses are converted to a keyed hash before being persisted, so the stored value cannot be reversed via a dictionary or rainbow-table lookup against common email patterns. The plaintext address exists only transiently in memory during the live verification check and in a short-lived deduplication cache (bounded TTL, not indefinite).
- Optional plaintext storage. A Controller may separately elect, in its own account settings, to retain an encrypted copy of the submitted address alongside the hash, so that it can review its own verification history. This is off by default and is a Controller-configured processing instruction under Section 4.
- No enrichment. We do not append names, job titles, social profiles, or any other identity data to what you submit. The API returns a deliverability verdict — nothing more.
- No resale, no marketing use. We do not sell submitted addresses, use them for marketing, or disclose them to any third party except the sub-processors listed in Section 8, strictly to perform the verification itself (e.g., a live SMTP handshake with the recipient's own mail server, which is inherent to how email verification works).
- Retention. Verification records are automatically deleted on a schedule the Controller sets in its account settings, from 1 to 90 days (7 days by default). See our Data Retention schedule for the full breakdown by data type.
- Automated processing. The deliverability verdict returned by the Service (status, confidence score, and supporting signals) is generated by an automated process. This output is provided to the Controller for the Controller's own downstream use; skink does not use it to make any decision producing legal or similarly significant effects concerning the Data Subject, and the Controller remains solely responsible for any such decision it makes using the output.
- Indirect collection notice. Where we process an email address submitted to us by our customer rather than obtained directly from the address owner, we do not independently contact that person to provide notice of this processing, in reliance on the exemption for disproportionate effort (GDPR Art. 14(5)(b)) — given the transient, high-volume, non-profiling nature of the processing and our lack of any independent means to contact that person beyond the submitted address itself. If you believe your email address has been submitted to our Service and wish to exercise a data protection right, contact `privacy@skink.dev` with the address in question, and we will route your request to the submitting customer or respond directly where required by law.
4. Legal Basis for Processing (GDPR Art. 6)
- Account data: processed under contract performance (Art. 6(1)(b)) — we need it to provide the Service you signed up for.
- Submitted address data: processed on the legitimate interest of, and under the documented instructions of, our customer (the controller), per Art. 6(1)(f) and the DPA. Customers warrant that they hold an independent lawful basis for every address they submit — see our Acceptable Use Policy.
See our GDPR page for a plain-language summary of how we meet these obligations.
5. India — Digital Personal Data Protection Act, 2023 (DPDP)
- For submitted address data, our customer is the Data Fiduciary; skink acts as Data Processor strictly on the Data Fiduciary's instructions, per the DPA.
- skink is not currently a Significant Data Fiduciary under DPDP §10 (no threshold-triggering processing volume).
- Grievance Officer: Sagar Parmar, reachable at `privacy@skink.dev`, designated under DPDP §13 to handle Data Principal grievances.
- Data Principal rights — access, correction, erasure, grievance redressal, and nomination — are honored through the request process in Section 7 below, routed via the submitting customer where skink is the processor, or handled directly if a Data Principal contacts us.
- Cross-border transfer follows DPDP's restricted-country model (transfers are permitted except to jurisdictions the Central Government notifies as restricted); we review the notified list before enabling any new hosting region.
6. United States — CCPA/CPRA and State Privacy Laws
- The CCPA/CPRA's obligations apply only to a "business" meeting Cal. Civ. Code §1798.140(d)'s thresholds (annual gross revenue over $25 million, or processing the personal information of 100,000+ California consumers/households annually, or deriving 50%+ of annual revenue from selling/sharing personal information). skink does not currently meet any of these thresholds for account data. This section describes our practices and states our commitment to CCPA-consistent handling regardless, and will apply as a matter of law if and when any threshold is met.
- For submitted address data, skink acts as a Service Provider under Cal. Civ. Code §1798.140(ag), not a "business" with a direct relationship to the underlying email owner — our customer is the business.
- skink does not sell or share personal information as defined by the CCPA, and does not retain, use, or disclose submitted address data for any purpose outside performing the verification service specified by the customer, including not combining it with data from other sources, per §1798.140(ag)(1)–(4). No "Do Not Sell or Share My Personal Information" mechanism is required, as no such sale or sharing occurs.
- The same underlying practice satisfies the comparable service-provider/processor carve-outs in other state laws (e.g., Virginia VCDPA, Colorado CPA, Connecticut CTDPA).
7. Your Rights and How to Exercise Them
Depending on your jurisdiction, you may have the right to access, correct, delete, restrict, or port your personal data, and to object to certain processing. To exercise any of these rights, contact `privacy@skink.dev`. Because submitted address data is stored by hash, we identify records by the hash of the address in question, not by a name or account lookup — please include the specific address(es) at issue in your request. We will respond within the timeframe required by applicable law (e.g., 30 days under GDPR, 45 days under CCPA).
8. Sub-processors
We use the following categories of sub-processor to operate the Service. A current, named list is available on request at `privacy@skink.dev` and is kept in step with our infrastructure as it changes:
- Hosting/infrastructure — the server(s) running the API and database.
- Object storage — for bulk verification file uploads/downloads, where used.
- Payment processing — for billing (Lemon Squeezy or Dodo Payments), which never receives raw email address data.
- Mailbox-provider endpoints queried during verification (e.g., Microsoft, Google, Gravatar) — contacted only to determine mailbox existence for the address being verified, not stored by them on our behalf.
9. International Data Transfers
Our infrastructure (servers processing the Service) is currently hosted with a United States infrastructure provider. skink itself is operated from India. Personal data originating in the EU, UK, or Switzerland that reaches this US-hosted infrastructure is transferred outside the EEA/UK under GDPR/UK GDPR Chapter V, and we rely on Standard Contractual Clauses (2021 EU SCCs, Module Two: Controller to Processor) or the UK International Data Transfer Addendum for that transfer. Separately, because the individual operating skink accesses and administers this infrastructure from India, that remote access is itself an additional transfer to a third country, also covered by the same SCCs. India-origin data reaching US-hosted infrastructure is governed by DPDP's restricted-country transfer model (permitted unless the destination is on the Central Government's notified restricted list — the US is not, as of this writing). We will update this disclosure if our hosting region or operating jurisdiction changes.
10. Security
See our Security page for the technical and organizational measures we apply, including hashing, encryption in transit and at rest, least-privilege access controls, and key rotation.
11. Data Retention
See our Data Retention schedule for the exact retention period per data type and our deletion-on-request process.
12. Children's Privacy
The Service is intended for business use and is not directed at, and we do not knowingly collect personal data from, individuals under the age of 18 (or the age of majority in their jurisdiction) in their capacity as our direct customers.
13. Changes to This Policy
We will update this Policy as our practices or applicable law changes, and will update the "Last updated" date above. Material changes affecting existing customers will be communicated by email or in-product notice before taking effect.
14. Contact
Privacy inquiries, Data Principal/Data Subject requests, and Grievance Officer (India DPDP §13) correspondence: `privacy@skink.dev`.