Privacy Policy

Last updated 2026-05-12.

This Privacy Policy explains what personal data isburner ("we") collects when you use the API and the dashboard, and what we do with it. It applies to isburner.com, dashboard.isburner.com, and api.isburner.com.

1. Data we collect

Email addresses you check via the API

Addresses submitted to /v1/check are never stored for marketing, profiling, or contact purposes — neither by us nor by any third party. They are cached for a short window (up to 30 days, see §3) inside the EU (Hetzner, Germany) solely to return faster, identical answers when the same address is checked again. The cache key is a SHA-256 hash of the address; only the domain is kept in plain text so we can measure blocklist accuracy in aggregate. We never email, contact, or build a profile of the person an address belongs to.

Account information

Your own email address (used as your login), an optional display name, and a timestamp of signup.

API request metadata

Per-request timestamps, response codes, and the API key prefix (not the full key) — used for rate limiting and your usage page.

Billing information

If you upgrade, Stripe collects and stores your payment method. We receive only the customer ID, subscription status, and invoice events — never card numbers.

Approximate country

Resolved at the network edge from your connection and used to display pricing in your local currency. We never store the IP address itself.

2. Purposes and lawful basis

Purpose | Lawful basis (GDPR Art. 6)
Provide the API responses you request | Contract performance (Art. 6(1)(b))
Bill you for paid plans | Contract performance + legal obligation (Art. 6(1)(c))
Detect abuse, enforce rate limits, prevent fraud | Legitimate interest (Art. 6(1)(f))
Improve our blocklist and detection rules using aggregated, anonymised request signals | Legitimate interest (Art. 6(1)(f))

3. Retention

  • Cached check results: 30 days, then deleted automatically.
  • Per-request metadata in dashboards: 90 days at row-level; aggregated counts kept indefinitely.
  • Billing records: 7 years (Swiss accounting requirements).
  • Account record: kept while your account is open; deleted within 30 days of account deletion request unless we have an active legal obligation to retain.

4. Third parties (processors)

We share necessary subsets of data with these processors:

  • Hetzner Online GmbH (Germany) — compute and Redis. All processing happens in their EU data centres.
  • Cloudflare, Inc. (USA) — DNS, edge proxy, DDoS protection. Cloudflare may briefly process request metadata at edge nodes worldwide.
  • Supabase, Inc. (USA / EU region) — minimal database + auth. Hosted in the EU (Ireland) region.
  • Stripe Payments Europe Ltd (Ireland) — billing and payments for paid plans.

Transfers to processors outside the EU/EEA happen under the European Commission's Standard Contractual Clauses (SCCs).

5. Your rights (EU/UK/Swiss residents)

You have the right to:

  • access the personal data we hold about you;
  • have inaccurate data corrected;
  • have your data erased ("right to be forgotten");
  • restrict or object to certain processing;
  • receive your data in a portable format;
  • lodge a complaint with a supervisory authority — in Switzerland, the Federal Data Protection and Information Commissioner (FDPIC); in the EU, your national data-protection authority.

To exercise any right, email [email protected]. We respond within 30 days.

6. Cookies

We use a minimal set of strictly-necessary cookies — session cookies on the dashboard (so you stay logged in) and a theme preference cookie (light / dark). We do not use advertising, analytics, or tracking cookies. No consent banner is required for strictly-necessary cookies under the ePrivacy Directive.

7. No third-party analytics or tracking

We strictly do not use Google Analytics, Meta Pixel, Mixpanel, Segment, Hotjar, or any equivalent third-party analytics, advertising, fingerprinting, or behavioural-tracking product — on any of our sites. We made this choice deliberately to avoid exposing our visitors and customers to tracking by non-Swiss / non-EU entities and to keep our processing scope as narrow as GDPR's data-minimisation principle expects.

Internal usage counters (request totals, error rates) are computed from our own server logs inside the EU and contain no personally identifiable information beyond what is described in §1.

8. Security

All connections use TLS 1.2+. API keys are stored only as SHA-256 hashes — we cannot recover your plaintext key after creation. Two-factor auth is available via OAuth-with-Google sign-in. Access to production systems is role-restricted.

9. Children

The Service is not directed at children under 16. We do not knowingly collect personal data from children.

10. Changes

Material changes to this Policy are announced by email and via a banner on the dashboard at least 30 days before they take effect.

11. Contact

Data protection enquiries: [email protected]. See also the GDPR statement for a structured description of our compliance posture.