Last updated: 2 July 2026
What we process when you run a check
When you check an email address, that address is sent to our server and looked up against public sources: breach-exposure data (Have I Been Pwned), the domain's DNS records (mail, SPF and DMARC records), the domain's public registration record (RDAP/WHOIS), and public Gravatar profile data. We also check it against published lists of disposable-email domains.
Results are cached briefly on our infrastructure (Cloudflare) so repeat checks of the same address are fast, and expire automatically. We keep a short-lived, per-IP counter for rate limiting to prevent abuse. We do not build marketing lists from checked addresses, and we do not sell or publish them.
Payments
The $5 report is processed by Stripe. Your card details go directly to Stripe and never touch our servers. Stripe shares with us the payment status and the email associated with the checkout so we can deliver the report you paid for. Stripe's own privacy policy applies to the payment itself.
Analytics
We use Google Analytics and Microsoft Clarity to understand how the site is used — pages visited, checks run, and where the experience breaks. These services set cookies and collect standard usage data under their own privacy policies. We don't attach the addresses you check to analytics events.
What we don't do
- Sell, rent or publish the email addresses people check.
- Email the addresses that get checked, or sign anyone up to anything.
- Store card or bank details — payments are Stripe's domain, not ours.
Third-party sources
Exposure data comes from Have I Been Pwned, used under its Creative Commons Attribution licence. We are not affiliated with, or endorsed by, Have I Been Pwned. Domain records come from public DNS and registry data.
Questions or requests
For any privacy question — including asking us to purge a cached result — get in touch via the contact page.