GDPR

At no2bounce, privacy and GDPR compliance are not checkboxes—they are built into the foundation of our platform.
When you upload data, you trust us with sensitive information. We are committed to protecting that data through secure infrastructure, transparent practices, and strict compliance with applicable data protection laws. 

1. Our GDPR Commitment
no2bounce complies with:
· UK GDPR
· EU GDPR
· Data Protection Act 2018
We are committed to processing personal data lawfully, fairly, and transparently. 


2. Roles: Data Controller vs Data Processor
no2bounce acts in different roles depending on the context:
‍
· Data Processor
When processing customer-uploaded email data for validation services, no2bounce acts strictly on behalf of the customer under documented instructions.
· Data Controller
For internal operations such as account management, billing, security, and service improvement, no2bounce determines the purpose and means of processing.  

3. Data Protection by Design and Default
We integrate privacy principles into every layer of our platform:
‍
· Data minimisation: Only necessary data is processed
· Pseudonymisation: Email addresses may be hashed to reduce exposure of identifiers
· Secure infrastructure: EU/UK-based hosting environments
· Encryption: Data encrypted in transit and at rest
· Access control: Role-based access restrictions
Hashed data remains personal data under GDPR and is treated accordingly. 

4. Lawful Bases for Processing
We process personal data under the following lawful bases:
· Contractual necessity
To provide email verification services requested by customers
· Legitimate interests
To maintain service performance, security, and improvement
· Legal obligation
For compliance with statutory, accounting, and regulatory requirements
· Consent (where applicable)
For direct marketing to individuals outside corporate contexts  

5. Data Processing Agreement (DPA)
A GDPR Article 28 compliant Data Processing Agreement (DPA) is executed with all customers prior to processing personal data.

The DPA is available upon request and governs all processing activities performed by no2bounce as a Data Processor. 

6. Use of Customer Data
no2bounce does not:
· Sell personal data
· Use customer-uploaded data for independent marketing
· Build internal databases from client data
Customer data is processed only for the purpose of providing the requested service. 

7. Data Subject Rights
Individuals have the following rights under GDPR:
· Right of access
· Right to rectification
· Right to erasure
· Right to restrict processing
· Right to object
· Right to data portability
· Right to withdraw consent
· Right not to be subject to automated decision-making

How Requests Are Handled
· Requests are processed within one calendar month
· Identity verification may be required
· Individuals may contact the UK Information Commissioner’s Office (ICO) if concerns are not resolved
Contact: support@no2bounce.com 

8. Data Retention and Minimisation
We retain personal data only as necessary:
· Account data: Up to 7 years (legal and accounting requirements)
· Uploaded email lists: Retained only for verification, then deleted or anonymised
· Suppression data: Retained to ensure opt-out preferences are respected
All retention practices are reviewed regularly.

 9. Client Responsibilities
Customers are responsible for ensuring:
· They have a valid lawful basis for processing personal data
· They are authorised to upload data to the platform
no2bounce processes data strictly under customer instructions. 

10. Data Sharing and Subprocessors
We do not sell data. Data may be shared with:
· Hosting and infrastructure providers
· Analytics and support services
· Legal and professional advisors
· Regulatory authorities where required
A current list of subprocessors and hosting locations is available upon request. Customers are notified of material changes. 


11. International Data Transfers
Where data is transferred outside the UK/EU:
· Standard Contractual Clauses (SCCs) or UK IDTA are used
· Risk assessments are conducted
· Technical safeguards (encryption, access controls) are applied  

12. Security Measures
We implement appropriate technical and organisational measures:
· Encryption (at rest and in transit)
· Pseudonymisation techniques
· Role-based access control
· Regular security audits and testing
· Incident response procedures
Our controls are aligned with recognised industry standards (e.g., ISO 27001 principles). 

13. Data Breach Notification
In the event of a personal data breach:
· Supervisory authorities are notified within 72 hours where required
· Affected individuals are informed if there is a high risk  

14. Children’s Data
no2bounce does not knowingly process data relating to:
· Children under 13 (UK)
· Children under 16 (EU)
Such data is deleted if identified. 

15. Transparency Information
We process:
· Email addresses (provided by customers)
· Account and usage data
Source of data: Customer-provided
Supervisory authority:
UK Information Commissioner’s Office (ICO) 

16. Changes to This Policy
We may update this page periodically.
Material changes will be communicated via the platform or email. 

17. Contact Information
For GDPR-related inquiries:
Email: support@no2bounce.com
Address: Lily Hill House, Lily Hill Road, Bracknell, RG12 2SJ, United Kingdom 


Last Updated : 07 April 2026
© 2026 no2bounce. All rights reserved.