GDPR Policy

Last updated: 26 June 2026

Prime Verifier (“Prime Verifier”, “we”, “us”, or “our”) is committed to protecting personal data and to meeting the requirements of the EU General Data Protection Regulation (GDPR) and the UK GDPR. This page explains how we comply, what roles we take, and how we help our customers meet their own obligations. It sits alongside our Privacy Policy and Cookie Policy and, where one is in place, our Data Processing Agreement.

1. Our approach

Email verification is privacy-sensitive by nature, so we designed the platform to hold as little personal data as possible and to process it only for the purpose it was given. We apply data minimization, purpose limitation, and short retention as defaults, not afterthoughts. We do not sell personal data, and we do not reuse the email data you submit for our own marketing or for any unrelated purpose.

2. Controller and processor roles

GDPR distinguishes between the controller, who decides why and how data is processed, and the processor, who acts on the controller’s instructions. Our role depends on the data.

We are the controller of Account Data: the information you provide when you register, use, and pay for the Services. We process it to run your account, bill you, support you, secure the platform, and improve the Services, as set out in our Privacy Policy.

We are the processor of Verification Data: the email addresses and related fields you submit to be checked. You are the controller of that data. You decide what to submit, you confirm you have a lawful basis to process it, and we act only on your instructions to return verification results. We do not use Verification Data for any purpose of our own.

3. Lawful basis

For Account Data we rely on performance of our contract with you, our legitimate interests in running and improving the Services securely, your consent for optional marketing and non-essential cookies, and compliance with our legal obligations.

For Verification Data, you as the controller are responsible for identifying and documenting your own lawful basis both for processing the data and for verifying it with us. We process it under your instructions and on the basis of our agreement with you.

4. How we handle Verification Data

We process Verification Data only to perform the checks you request.

  • Single API verifications are processed in real time and are not retained as stored lists.
  • Bulk files and their results are kept for up to 15 days so you can download them, and are then deleted automatically. You can delete them yourself at any time before then, and we honor deletion requests promptly.
  • Verification Data is encrypted in transit and, where held temporarily for a bulk job, encrypted at rest.
  • We do not share one customer’s data with another, and we do not sell or rent it.

5. Data subject rights

GDPR gives individuals rights over their personal data, including the rights to access, correct, delete, and restrict it, to object to processing, and to data portability, as well as the right to withdraw consent.

For Account Data, you can exercise these rights directly by contacting [email protected]. We will respond within one month, as the law requires, and may ask you to verify your identity first.

For Verification Data, because we act as a processor, requests from the individuals behind that data should go to you, our customer, as the controller. If we receive such a request directly, we will forward it to you rather than act on it ourselves, unless we are legally required to do otherwise. We will assist you in responding to these requests as set out in our Data Processing Agreement.

6. International transfers

Prime Verifier operates globally, and the Services may rely on infrastructure in more than one country. Where personal data is transferred across borders, including outside the EEA or the UK, we put appropriate safeguards in place, such as Standard Contractual Clauses or another recognized transfer mechanism. If you require processing in a specific region, contact us at [email protected] to discuss the options available to you.

7. Sub-processors

We use a limited set of sub-processors to deliver the Services, including cloud hosting and infrastructure, payment processing, analytics, and support tooling. Each sub-processor is bound by contract to protect personal data and to process it only on our instructions. We maintain a current list of sub-processors, which is available on request, and we vet new sub-processors against our data protection and security standards before they are engaged.

8. Security

We apply technical and organizational measures appropriate to the risk, including encryption of data in transit and at rest, access controls on a least-privilege basis, per-API-key controls such as IP allowlisting, audit logging, and regular review of our infrastructure and vendors against recognized security standards. We keep these measures under ongoing review and improve them as threats and best practices evolve.

9. Data breach response

We maintain procedures to detect, investigate, and respond to personal data breaches. If a breach is likely to result in a risk to individuals’ rights, we will notify the relevant supervisory authority without undue delay and, where required, within 72 hours of becoming aware of it. Where we act as your processor and a breach affects your data, we will notify you without undue delay so you can meet your own obligations.

10. Records and accountability

We maintain records of our processing activities, keep our policies documented and current, and apply the principles of data protection by design and by default when we build and change the Services. These records and measures support our accountability under GDPR.

11. Data Processing Agreement

If you process personal data of individuals in the EEA or UK through the Services, you can put a Data Processing Agreement (DPA) in place with us. The DPA sets out our obligations as your processor, including instructions, confidentiality, security, sub-processing, assistance with data subject requests, breach notification, and deletion or return of data at the end of the engagement. To request a DPA, email [email protected].

12. Your responsibilities

As the controller of the data you submit, you are responsible for having a lawful basis to verify it, for providing any required notices to the individuals behind it, and for honoring their rights. Using the Services does not transfer these responsibilities to us.

13. Complaints

If you believe we have not handled personal data in line with this policy or the law, contact us first at [email protected] so we can put it right. You also have the right to lodge a complaint with your local data protection authority. In the EEA this is the supervisory authority in your country, and in the UK it is the Information Commissioner’s Office (ICO).

14. Contact

For any question about this GDPR Policy, our processing, or a DPA, contact:

Prime Verifier, Nexaris LLC
12436 FM 1960 Rd W, Houston, TX 77065
Email: [email protected]