Privacy Policy
Last Updated: June 10, 2026
1. Introduction
ParheliaWeb ("we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, and safeguard your information when you use our Funding Signal API, Layoffs API, Email Validator API, and related services (the "Service").
We are a sole proprietorship registered in the Netherlands. We comply with the General Data Protection Regulation (GDPR) and applicable Dutch privacy laws.
Given the nature and scale of our processing, we have not appointed a Data Protection Officer. For privacy inquiries, contact us directly at info@parheliaweb.com.
2. Information We Collect
We collect and process only the data necessary to provide and improve our Service:
- Account Information: Name, email address, and billing details provided during registration.
- API Usage Data: Your API key, IP address, request timestamps, and endpoint usage logs. This is used for security, rate limiting, and debugging.
- Payment Information: We do not store your credit card details. All payments are processed securely by Stripe. We only receive confirmation of payment and transaction IDs.
- Technical Data: Browser type, operating system, and device information (if accessing our web documentation).
Email Validator API — Additional Information:
- Email Addresses: When you submit an email address for verification, we process it through our validation pipeline. We do not store the full email address in plain text. Instead, we store a one-way SHA-256 hash of the email address for operational purposes. The original email address is only held in memory during the verification process and is not written to disk in readable form.
- Domain Information: We log the domain portion of verified email addresses (e.g., "gmail.com") for monitoring, blacklist management, and service improvement.
- Verification Results: We store the validation outcome (valid, invalid, risky, unknown), confidence score, SMTP response codes, and performance timing for operational monitoring and quota tracking.
- "First Seen" Timestamp: The "first seen" timestamp associated with a hashed email address indicates when our system first processed that hash, not when the email address was created or first used elsewhere.
- IP Addresses: For free tier users, we store a salted SHA-256 hash of your IP address to detect abuse patterns (such as multiple free accounts from the same network). This hash cannot be reversed to reveal your IP address. Paid tier IP addresses are not logged in this way. IP hashes are retained for 90 days.
3. How We Use Your Information
We use your data for the following purposes:
- To provide, maintain, and secure the API Service.
- To process payments and manage your subscription.
- To detect and prevent fraud, abuse, or security incidents.
- To communicate with you about service updates, maintenance, or support requests.
- To comply with legal obligations (e.g., tax administration in the Netherlands).
Email Validator API — Additional Purposes:
- To improve our blacklist database by identifying disposable and temporary email domains.
- To monitor the health and reputation of our verification infrastructure.
- To track per-customer quota usage for billing purposes.
- To provide the "first seen" feature, which tells you when an email hash was first encountered by our system.
4. Legal Basis for Processing (GDPR)
Under the GDPR, we process your personal data based on:
- Contractual Necessity: To fulfill our Terms of Service and provide the API access you purchased.
- Legitimate Interests: For security, fraud prevention, service improvement, and infrastructure monitoring.
- Legal Obligation: To retain financial records for tax purposes as required by Dutch law.
For email addresses submitted to our Email Validator API, we process this data as a data processor acting on your behalf. You are the data controller and are responsible for ensuring you have a lawful basis to process those email addresses under GDPR.
Automated Decision-Making: Our Email Validator API uses automated algorithms to assign confidence scores and risk categories. These are probabilistic assessments based on technical signals (SMTP responses, domain reputation, syntax checks) and do not produce legal or similarly significant effects on individuals. You are responsible for ensuring any automated decisions you make based on our API outputs comply with applicable law.
5. Data Sharing and Third Parties
We do not sell your personal data. We only share data with trusted third-party service providers who assist us in operating our business:
- Stripe: For payment processing. See Stripe's Privacy Policy.
- TransIP (Netherlands): Hosts our primary API infrastructure. They have access to server logs but do not process your personal data for their own purposes.
- Contabo (Germany): Hosts our email verification worker infrastructure. SMTP verification probes originate from this infrastructure. Contabo does not process your personal data.
- Email Service: If we send transactional emails (e.g., via Postfix), we use secure, encrypted channels. We do not share your data with third-party email marketing platforms.
A current list of sub-processors is available upon request. We will notify you of any intended changes to sub-processors, giving you the right to object on reasonable grounds.
6. Data Retention
We retain your personal data only as long as necessary:
- Account Data: Retained while your account is active. If you delete your account, we will anonymize or delete your personal data within 30 days, except where retention is required by law.
- Financial Records: In accordance with Dutch tax law, we are required to keep financial records (invoices, payment confirmations) for 7 years.
- API Usage Logs: Retained for up to 90 days for security and debugging purposes, then automatically deleted.
Email Validator API — Specific Retention:
- Validation Logs: Hashed email addresses, domains, and verification results are retained for 12 months for operational monitoring and service improvement. No plaintext email addresses are stored.
- Validation Cache: Cached verification results (keyed by email hash) expire automatically: valid results after 24 hours, invalid results after 7 days, and uncertain results after 12 hours.
- Rate Limit Data: Per-domain check counts are retained temporarily and expire within hours.
- IP Hashes: Salted IP hashes from free tier requests are retained for 90 days for abuse detection purposes, then automatically deleted.
7. Your Rights (GDPR)
As a user in the EU/EEA, you have the following rights:
- Access: You can request a copy of the personal data we hold about you.
- Correction: You can update your account information via the dashboard or by contacting us.
- Deletion: You can request the deletion of your account and personal data (subject to legal retention requirements for tax records).
- Portability: You can request your data in a structured, machine-readable format.
- Restriction: You can request that we restrict the processing of your personal data in certain circumstances.
- Objection: You can object to processing based on legitimate interests.
To exercise these rights, please contact us at info@parheliaweb.com.
If you believe our processing of your data violates GDPR, you also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl. Our lead supervisory authority is the Autoriteit Persoonsgegevens, as our main establishment is in the Netherlands.
8. Data Security and Breach Notification
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption of data in transit (HTTPS/TLS).
- Secure storage of API keys and passwords (hashed/salted).
- One-way SHA-256 hashing of email addresses — plaintext addresses are never stored.
- Regular security updates to our server infrastructure.
- Firewall restrictions and access controls to limit who can view user data.
- Isolation of email verification traffic to a dedicated server separate from our primary API infrastructure.
However, no method of transmission over the Internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
Data Breach Notification: In the event of a personal data breach, we will notify affected users and the relevant supervisory authority in accordance with GDPR Article 33 and 34. We will make reasonable efforts to inform you of breaches affecting your account data without undue delay.
9. International Data Transfers
Our primary infrastructure is located in the European Union. Our hosting providers (TransIP in the Netherlands, Contabo in Germany) operate EU-based data centers. As of the date of this Policy, all sub-processors operate within the European Economic Area. Should this change, we will implement Standard Contractual Clauses (2021/914) or rely on adequacy decisions.
10. Data Minimization
We collect and process only the personal data necessary for the specific purposes outlined in this Policy. We regularly review our data holdings to ensure we do not retain data longer than necessary.
11. Children's Privacy
Our Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, contact us immediately at info@parheliaweb.com.
12. Cookies and Similar Technologies
We use cookies and similar technologies strictly for essential operational purposes. Under the Dutch Telecommunicatiewet (Cookie Law) and GDPR guidelines, "strictly necessary" cookies do not require prior user consent via a cookie banner. We do not use tracking, advertising, or profiling cookies.
12.1 Essential Authentication Cookies
- Session Cookies: When you log into our Customer Portal, we set a temporary session cookie to keep you authenticated as you navigate between pages. This cookie is deleted automatically when you close your browser.
- "Remember Me" Cookies: If you explicitly check the "Remember me" box during login, we set a persistent authentication cookie. This cookie contains a secure, randomly generated token (not your password) that allows our server to recognize you on subsequent visits. This cookie expires after a maximum of 30 days. You can clear this cookie at any time by logging out of your account or clearing your browser's cookies.
12.2 Privacy-Friendly Analytics
- GoatCounter: We use GoatCounter for basic website analytics to understand how our documentation and site are used. GoatCounter is specifically designed to be privacy-compliant. It does not use tracking cookies, does not collect personal data (such as full IP addresses in an identifiable manner), and does not track you across different websites. Therefore, it qualifies as a strictly necessary/privacy-friendly tool that does not require prior consent.
12.3 Managing Cookies
You can control and manage cookies through your web browser settings. Please note that if you choose to block all cookies, you will not be able to log into or use the ParheliaWeb Customer Portal, as the essential authentication cookies will be blocked.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last Updated" date.
14. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at:
ParheliaWeb
Email: info@parheliaweb.com
Registered in the Netherlands