Last updated: 15 June 2026
This Privacy Policy explains how MailGuard ("we", "us", "our") handles personal data when you use the MailGuard email-verification API and website (the "Service"). We are committed to compliance with the UK GDPR and the Data Protection Act 2018.
MailGuard is the data controller for personal data about our account holders and website visitors. You can contact us at anthony@anthonyhughes.work for any privacy matter, including to exercise your rights.
| Data | Why | Lawful basis |
|---|---|---|
| Email addresses you submit for verification (via the API) | To perform the verification you requested and return a result. We do not store these addresses. We cache only the domain's mail-server (MX) result to speed up future checks, never the full address. | Performance of a contract |
| Your sign-up email address (free tier) | To create and manage your free API key, prevent duplicate free accounts, and send you your key and essential service messages. | Performance of a contract |
| Account & API key data (your key, plan, usage counts) | To authenticate your requests, enforce plan limits, and operate your account. | Performance of a contract |
| IP address (at sign-up only) | Used transiently to rate-limit sign-ups and prevent abuse. Held only as a short-lived counter, not a profile. | Legitimate interests (security & abuse prevention) |
| Payment information | Handled entirely by our payment provider. We never see or store your card details. | Performance of a contract |
We use no tracking or advertising cookies. The dashboard can optionally store your
API key in your browser's localStorage on your own device (only if you
tick "remember"), purely so you don't have to paste it each visit. You can clear it at
any time from your browser, and it is never sent to us beyond normal authenticated
requests.
| Data | Retention |
|---|---|
| Verified email addresses | Not stored (processed in-memory for the request only) |
| Domain MX cache | Up to ~24 hours |
| Sign-up IP rate-limit counter | ~48 hours |
| Usage counters | ~40 days (rolling monthly) |
| Account / API key / sign-up email | Until you ask us to delete it or your account is closed |
We use a small number of reputable providers to run the Service:
Each processes data only as needed to provide their service to us.
Some providers may process data outside the UK/EEA. Where they do, transfers are protected by appropriate safeguards such as UK adequacy regulations or Standard Contractual Clauses.
You have the right to: access your data; have it corrected or erased; restrict or object to processing; data portability; and to withdraw consent where we rely on it. To exercise any of these, email anthony@anthonyhughes.work and we will respond within one month.
You also have the right to complain to the UK regulator, the Information Commissioner's Office (ICO), though we'd appreciate the chance to help first.
If you use the API to verify your own users' email addresses, you are the data controller for those addresses and we act as your data processor. We process them only to return verification results, do not store them, and do not use them for any other purpose. A Data Processing Agreement (DPA) is available on request at anthony@anthonyhughes.work.
All traffic is encrypted in transit via HTTPS/TLS. Data is held in access-controlled infrastructure provided by Cloudflare. Keep your API key secret; you can rotate it any time from the dashboard.
The Service is intended for businesses and developers and is not directed at children.
We may update this policy; we'll change the "last updated" date above and, for material changes, take reasonable steps to let account holders know.
Questions or requests: anthony@anthonyhughes.work.