General Data Protection Regulation
01 April, 2026
Compliance Notice
Autheona is actively working toward full GDPR compliance. This document reflects our current data protection practices and will be updated as we continue to develop our compliance program. We are committed to transparent, lawful, and secure data processing.
1. Introduction
This document explains how Autheona ("we," "us," or "our") complies with the General Data Protection Regulation (GDPR) when providing our intelligent verification platform (the "Service").
Autheona provides real-time email analysis and validation for SaaS applications. We help businesses assess email addresses during signup flows to detect fraud, reduce abuse, and improve onboarding quality.
If you have questions about our GDPR compliance, contact us at: legal@autheona.com
2. Who Controls Your Data?
Understanding who controls data is essential under GDPR.
2.1 For Your Account Information
When you create an Autheona account, we are the Data Controller for:
- Your name and email address
- Company information
- Billing details
- API credentials
- Usage statistics
2.2 For Email Addresses You Analyze
When you submit email addresses through our API, you are the Data Controller and Autheona acts as your Data Processor.
This means:
- You decide what email addresses to analyze
- You obtain necessary consents from your users
- You provide privacy notices to your users
- You respond to data subject requests from your users
- We process the data according to your instructions (via API calls)
3. What Information Do We Process?
3.1 Your Account Data (We Control This)
- Account holder name and email
- Company or organization name
- Billing information (processed through Polar.sh)
- API keys and authentication credentials
- Service usage logs and metrics
3.2 Email Addresses You Submit (You Control This)
When you use our API to analyze email addresses, we process:
- The email address itself
- Domain information
- Risk scores and classifications
- Analysis timestamps
- Request metadata
Important: You control whether we store this data. Through API parameters, you can:
- Opt in to analytics storage: We retain analyzed emails for service improvement and analytics
- Opt out of storage: Data is analyzed in real-time and not stored long-term
3.3 Technical Information
- IP addresses used to access our Service
- API request logs
- Error logs and debugging information
- Performance metrics
4. Why Do We Process Personal Data?
We process personal data based on these legal grounds:
- Contract Performance: To provide the Service you subscribed to
- Legitimate Interests: For fraud prevention, security monitoring, service improvement, and protecting our infrastructure
- Legal Compliance: To meet tax, accounting, and regulatory requirements
- Consent: Where email analysis relies on consent that you have obtained from your end users
5. How Do We Protect Your Data?
5.1 Where Is Data Stored?
All data is stored in the European Union (EU region) using Amazon Web Services (AWS) infrastructure.
We do not transfer data outside the EU at this time.
5.2 Security Measures
We implement the following security protections:
Technical Security:
- AES-256 encryption for data at rest
- TLS/HTTPS encryption for data in transit
- Secure API authentication and access controls
- Infrastructure monitoring and logging
- Regular security updates
Organizational Security:
- Access to data limited to authorized personnel only
- Confidentiality obligations for staff
- Security incident response procedures
- Regular security reviews
We cannot guarantee absolute security, but we continuously work to protect data against unauthorized access, loss, or disclosure.
6. Who Do We Share Data With?
We do not sell personal data. We share data only in these limited situations:
6.1 Service Providers
- AWS (Amazon Web Services): Cloud hosting in EU region
- Polar.sh: Payment processing
These providers are bound by contract to protect data and use it only for specified purposes.
6.2 Legal Requirements
We may disclose data if required by:
- Court orders
- Legal obligations
- Law enforcement requests
- Protection of our legal rights
7. Your Rights Under GDPR
If you are in the EU/EEA, you have the following rights:
Right to Access: Request copies of your personal data
Right to Rectification: Correct inaccurate information
Right to Erasure: Request deletion of your data (subject to legal requirements)
Right to Restriction: Limit how we process your data
Right to Data Portability: Receive your data in a portable format
Right to Object: Object to processing based on legitimate interests
Right to Withdraw Consent: Where processing is based on consent
Right to Lodge a Complaint: File a complaint with your supervisory authority
7.1 How to Exercise Your Rights
For Your Account Data:
Email us at legal@autheona.com with your request. We will respond within 30 days.
For Email Addresses You Submitted:
Since you are the Data Controller for email addresses you analyze, your users should contact you first. You can then request deletion or export from Autheona on their behalf.
7.2 Current Capabilities
Data Deletion: Available now - contact legal@autheona.com
Data Export: Available now - contact legal@autheona.com (manual process)
Self-Service Tools: Currently in development
8. How Long Do We Keep Data?
Account Information:
- Kept while your account is active
- Retained for a limited period after account closure for legal and operational purposes
Analyzed Email Addresses:
- Controlled by you via API parameters
- When analytics storage is enabled: retained for service improvement
- When analytics storage is disabled: processed in real-time without long-term storage
Technical Logs:
- Typically retained for 90 days to 12 months
- Used for security monitoring and troubleshooting
Backup Data:
- May be retained for up to 30 additional days for disaster recovery
9. International Data Transfers
Currently, all data is stored and processed within the EU region.
If we expand processing outside the EU in the future, we will:
- Notify affected customers in advance
- Implement appropriate safeguards (such as Standard Contractual Clauses)
- Ensure compliance with GDPR transfer requirements
10. Cookies and Tracking
We use cookies and similar technologies for authentication, security, and analytics. See our Cookie Policy for full details.
11. Children's Privacy
Our Service is not intended for children under 16 (or the applicable age in your jurisdiction). We do not knowingly collect data from children.
If you believe we have inadvertently collected such data, contact us immediately at legal@autheona.com.
12. Your Supervisory Authority
If you are in the EU/EEA and believe we have not complied with GDPR, you have the right to lodge a complaint with your national data protection authority.
You can find your local authority at: https://edpb.europa.eu/about-edpb/board/members_en
13. Updates to This Document
We may update this document to reflect:
- Changes in our data practices
- New legal requirements
- Service improvements
- Customer feedback
We will notify users of material changes via email or service notifications.
14. What We're Building
As we grow, we are actively developing:
- Self-service data deletion tools
- Automated data export functionality
- Enhanced audit logging and reporting
- Data protection impact assessments (DPIAs)
- Formal appointment of a Data Protection Officer (DPO)
We are committed to continuous improvement of our data protection practices.
15. Contact Us
For questions about GDPR compliance, data protection, or to exercise your rights, contact us at legal@autheona.com