Privacy Policy

DataBridge is an email list cleaning service. We process CSV files containing email addresses on behalf of our users and return filtered, clean versions of those files. When you use the Service to process personal data of third parties, you are the data controller and DataBridge is your data processor.

For questions about this policy contact us at support@databridge.so. B2B and enterprise customers can request a signed Data Processing Agreement (DPA) at the same address.

• →To provide the email cleaning service you requested.
• →To enforce plan limits and calculate billing.
• →To send transactional emails: job completion notifications, billing receipts, and support replies.
• →To respond to support requests you initiate.
• →To detect and prevent abuse of the service.
• →To monitor aggregate, non-identifying metrics for product improvement (e.g. total rows processed across all users).

We do not sell your data. We do not use your data for advertising. We do not share email addresses with any data broker, enrichment service, or third-party network.

We use the following sub-processors. Each handles data only as necessary to provide their service:

Customer-configured webhook URLs are not sub-processors of DataBridge — they are endpoints you control. Data sent to those URLs is your responsibility. We will notify you at least 30 days before we add or change a sub-processor in the table above.

• Raw uploaded filesRetained alongside the dataset until you delete it. Moved to Trash on delete; permanently purged 30 days later.
• Processed (clean) filesSame lifecycle as raw files above.
• Dataset metadataIncludes file name, row counts, issue breakdown. Kept while the dataset exists; purged with the files.
• Typo-fix approvalsStored per-dataset as structured data. Deleted with the dataset.
• Account dataRetained for the life of your account; deleted within 30 days of account closure.
• Usage logsRetained for 12 months for billing and abuse prevention.
• Support messagesRetained for 24 months.
• API key hashesRetained while the key is active. Purged on revocation.
• Webhook delivery logsRetained for 30 days (last status + timestamp only).
• Error monitoring eventsRetained by Sentry for 90 days. May contain stack traces and request metadata; no file content.

If you are in the European Economic Area, UK, or Switzerland, you have the following rights under GDPR (and equivalent laws):

• AccessRequest a copy of the personal data we hold about you.
• RectificationAsk us to correct inaccurate data.
• ErasureAsk us to delete your account and associated data.
• PortabilityReceive your data in a machine-readable format (CSV or JSON).
• RestrictionAsk us to limit how we use your data while a dispute is resolved.
• ObjectionObject to processing based on legitimate interests.
• Withdraw consentRevoke any consent you've given; does not affect past lawful processing.

To exercise any of these rights email support@databridge.so. We respond within 30 days and do not charge for these requests.

You also have the right to lodge a complaint with your local supervisory authority. In the EU, a list of authorities is available at edpb.europa.eu. UK residents can contact the ICO.

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you specific rights regarding your personal information:

• Right to knowRequest disclosure of the categories and specific pieces of personal information we have collected about you in the last 12 months.
• Right to deleteRequest that we delete personal information we collected from you.
• Right to correctRequest correction of inaccurate personal information.
• Right to opt outOpt out of the “sale” or “sharing” of your personal information. DataBridge does not sell or share personal information — this right is always in effect by default.
• Right to limitLimit the use of sensitive personal information to what is necessary to provide the Service.
• Right to non-discriminationWe will not deny service, charge different prices, or provide a different level of quality because you exercised your CCPA rights.

To exercise any CCPA right, email support@databridge.so with “CCPA Request” in the subject. We will respond within 45 days (extendable by 45 more when reasonably necessary). We may verify your identity via the email address associated with your account before honoring the request.

We do not sell or share personal information as those terms are defined under CCPA. We have not done so in the prior 12 months and have no plans to change this.

DataBridge uses sub-processors located in the United States, European Union, and global edge networks (see section 4). For data transferred out of the EU / UK, we rely on the European Commission's Standard Contractual Clauses (SCCs) and our sub-processors' Data Processing Agreements to maintain an adequate level of protection.

You can request copies of relevant SCCs or DPAs by emailing support@databridge.so.

We use industry-standard security practices: all data in transit is encrypted with TLS 1.2+, data at rest is encrypted with AES-256 by our storage provider (Supabase), passwords are hashed with bcrypt, and API keys are stored as SHA-256 hashes. Access to production systems is restricted to authorised personnel, logged, and reviewed periodically. We conduct security reviews before major releases.

If you discover a security vulnerability please disclose it responsibly to support@databridge.so. We aim to acknowledge reports within 48 hours.

DataBridge is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

We may update this policy from time to time. When we do, we will update the “Last updated” date at the top and, for material changes, notify you by email at least 14 days before the change takes effect. Continued use of the Service after that date constitutes acceptance of the updated policy.