Legal

Privacy Policy

Version 1.0 — Last updated: March 15, 2026

1. Data Controller Identity

This privacy policy applies to Syvel.io, an email validation and disposable email detection API.
Data Controller: RCQD Labs — Sole trader (micro-entreprise) — France
SIRET: 10225373900019 — SIREN: 102 253 739 — Trading name: Syvel.io
Contact: [email protected]

2. Data Collected and Purposes

2.1 Account Data

  • Email address — authentication, communication, billing.
  • Password — stored as a bcrypt hash (never in plaintext).
  • Country — 2-letter ISO code (e.g. FR), collected via Stripe at checkout for VAT calculation.
  • Billing information — processed directly by Stripe; Syvel stores no payment card data.
  • DPA and ToS acceptance version and timestamp — server-side timestamped at each registration (GDPR art. 7).
  • API usage logs — retention varies by plan (see section 4).

2.2 Data Processed via the API

  • Plaintext email address: never stored — held in RAM only for the duration of the request (milliseconds), then discarded.
  • In the database: an irreversible SHA-256 hash of the local part + domain name stored separately for result caching.

2.3 Aggregated Usage Statistics

Syvel maintains an anonymized domain popularity table (e.g. gmail.com → 1,452 checks). Cannot identify any individual user or address.

3. Legal Basis

  • Performance of contract (Art. 6.1.b GDPR)
  • Legal obligation (Art. 6.1.c GDPR)
  • Legitimate interest (Art. 6.1.f GDPR)
  • Consent (Art. 6.1.a GDPR) — marketing communications

4. Retention Periods

  • API logs (Free): 24h — purged within max 4h after expiry.
  • API logs (Starter): 30 days — purged within max 4h after expiry.
  • API logs (Pro): 60 days — purged within max 4h after expiry.
  • API logs (Business): 90 days — purged within max 4h after expiry.
  • Account data: contractual relationship + 3 years.
  • Billing data: 10 years (statutory).
  • DPA/ToS acceptance records: contractual relationship + 5 years.

5. Sub-processors

  • Scaleway SAS (France) — app servers, PostgreSQL database, Redis cache. DPA in place. No transfer outside France.
  • Stripe, Inc. (USA) — payments. EU SCCs in place. Stripe does not process API validation data.
  • Resend, Inc. (USA) — transactional email (password reset). EU SCCs in place. Receives account email only for reset link delivery.

The entire API data processing infrastructure is hosted in France. No data transfer outside France for API processing.

6. Your Rights

Access, rectification, erasure, portability, objection, restriction. Contact: [email protected]. You may also lodge a complaint with your national data protection authority.

7. Security

TLS 1.3 in transit, encryption at rest, role-based access with 2FA, access logging, ephemeral architecture, regular security testing.

8. Cookies and Trackers

8.1 Tools Used

The syvel.io website uses the following analytics tools:

  • Google Tag Manager (GTM) — A script container that deploys and manages third-party trackers without modifying the source code. GTM itself does not collect personal data, but loads the tools listed below.
  • Google Analytics 4 (GA4) — Audience analytics by Google LLC (USA). GA4 collects browsing data (pages visited, session duration, traffic source, device type, country) via cookies and device fingerprinting. IP addresses are anonymized before storage. Data may be transferred to Google servers in the United States under EU Standard Contractual Clauses (SCCs). Cookie retention: 13 months.
  • PostHog — Product analytics and session recording (PostHog, Inc. or self-hosted instance). PostHog collects user interactions (clicks, navigation, product events) to improve the service experience. Data is pseudonymized. Where the cloud version is used, a DPA is in place with PostHog.

8.2 Legal Basis

Placing analytics cookies and trackers is subject to your prior consent (Art. 6.1.a GDPR), except for strictly necessary cookies required for the service to function.

8.3 Managing Your Preferences

You may refuse or withdraw your consent at any time via the cookie management banner on the site. You may also opt out of Google Analytics via the Google Analytics opt-out browser add-on.

9. Changes

Significant changes notified by email, requiring re-acceptance if they affect personal data processing.

10. Contact

[email protected]