GDPR compliance / proxycheck.io

What is the GDPR?

The GDPR, or General Data Protection Regulation, is a regulation within the European Union which protects the personal information of those living within the EU with regard to how their information is stored, accessed, processed and transferred online. Specifically, it lays out a set of mandatory guidelines that we have to follow to maintain the privacy of both our customers and your customers when you send their personal information to us for processing.

As an address metadata company we need to receive the addresses of your visitors so that we can retrieve the data we already hold about that address in our database and then present that data to you.

Because of this, for a brief period we hold IP address information from you, and the GDPR considers IP addresses to be personal information, as they can be correlated through your customers' internet service providers' billing systems with a date and time stamp to identify who had an IP address at a specified time.

If I don't live in Europe am I still protected by your GDPR compliance?

Yes, you are still protected by our GDPR compliance. We protect all our customer data the same way regardless of where you visit us from and we extend the same rights for data portability and deletion to all customers. We strongly believe everyone should have the highest possible measure of privacy and control over their data.

What kind of information audits have you conducted?

We have gone over all of our information processes and concluded that we are using best practices for data storage and processing. We make good use of encryption for the little data we do collect and store, we only collect the bare minimum of personal information to make our business viable and we know our limitations and plan for them accordingly. Below are some examples of what we do for our own customers.

  • All webpages on our website are delivered through TLS encryption with a valid certificate.
  • We only require an email address to signup which can be changed at any time.
  • We hash all customer passwords at creation time; at no point do we ever store passwords, only hashes.
  • We limit our exposure to customer banking details by having Stripe handle it through a secure payment page on their website.
  • When customers make payments we store only Stripe tokens on our servers to maintain our knowledge of successful transactions.
  • All communication between our server nodes within our cluster is encrypted with a pre-shared key known only to us.

In addition to the above we also have a specified process for how we handle the IP addresses sent to us for processing by our customers. We have detailed that below also.

  • Only positive detections (meaning anonymous addresses) are stored long term in our logs and databases unless you send &tag=0 with your request which disables all logging/storing.
  • Negative detections (meaning not anonymous) are not logged as being checked by your account in any way but the address will go through a battery of post-query testing. This can also be disabled by supplying &tag=0.
  • When utilising data from third parties we download databases from them that contain thousands to millions of addresses and perform matching and processing on our own servers.

When I perform an API call, how is that data stored, for how long and who has access to it?

Any data you send us in an API call is only stored on our own servers and only accessible to us and you. We do not make this data available to any third parties or sub-processors. Below we've detailed exactly what data we store and for how long we store it.

  • We only log that you made a query including what kind of query result you received.
  • The actual data you provided (IP address or email address) is not logged or saved anywhere.
  • We log that you made a query including that you received a clean IP address result.
  • The IP address is stored for 5 minutes and processed through our locally-run post-processing inference engine then discarded.
  • We log that you made a query including that you received a clean IP address result.
  • The IP address is stored for 5 minutes and processed through our locally-run post-processing inference engine then discarded.
  • We log that you made a query including what kind of query result you received.
  • The IP address is logged in your account's positive detection log with your provided tag and stored there for 1 year.
  • If a categorisable tag was provided that category will be stored as metadata with the IP in our database while the IP remains unclean.
  • We log that you made a query including that you received a non-disposable email result.
  • The email address you provided is not logged or saved.
  • We log that you made a query including that you received a disposable email result.
  • The address is logged in your account's positive detection log with your provided tag and stored there for 1 year.

In the above we noted that we categorise tags and then sometimes store the categories but not the tags themselves. For example, if you tagged a query with https://example.com/login, our engine may determine that to be a login page and so the category would be Login Attempt. Other categories we save include Registration Attempt, Comment Spam and Vulnerability Probing, among others.

What personal information do you store about me and who has access to it?

  • Your current email address
  • Your email message preferences within your dashboard
  • Your current password (as a hash, the actual password itself is not retrievable by us)
  • All the positive detections you made with our API including your tags
  • Any domain names (for CORS) you have supplied within your dashboard which are still present
  • Any custom lists you have created within your dashboard which are still present
  • Any custom rules you have created within your dashboard which are still present
  • Statistics showing how many queries you made over the past 90 days and total since your account opened.
  • The querying IP Address you used with our API (we only store the most recent IP and only for 24 hours).
  • = Stored at proxycheck.io but accessible by both proxycheck.io & Amazon AWS
  • = Stored at proxycheck.io and only accessible by proxycheck.io

In the above section we noted that Amazon AWS is able to access your email address when you give it to us. Amazon is one of our two email providers and all emails sent from proxycheck.io go through Amazon servers.

Amazon does not have permission to do anything with your email address other than to send you emails directly from us. This means you should not expect your email address to be sold, given away, added to spam lists or any other nefarious usage.

  • Your current email address
  • The content of the messages you send us
  • = Stored at hostinger.com but accessible by both proxycheck.io & Hostinger

In the above section we noted that Hostinger is able to access your email address when you send us an email or use our contact form. Hostinger is one of our two email providers and all emails sent to proxycheck.io go through Hostinger servers.

Hostinger does not have permission to do anything with your email address other than to store the emails and web form messages you send us. This means you should not expect your email address to be sold, given away, added to spam lists or any other nefarious usage.

If you're a paying subscriber we also have information about you stored with our merchant of record, Stripe. Free users will not have any of their data shared with Stripe.

  • Your current email address
  • Your Billing Name and Address, if given at the start of a paid plan
  • The origin country of your payment information
  • The amount you have been billed and the date of the billing
  • Your full payment information (full card number, security code etc)
  • Your payment card brand (Mastercard, Visa etc)
  • The last four digits of your bank card
  • The expiry date of your bank card
  • = Stored at Stripe but accessible by both proxycheck.io & Stripe
  • = Stored at Stripe and only accessible to Stripe

Can I delete my account and all the data you hold about me?

Yes, you can. Within the customer dashboard on our website you'll find a red button in the top right corner of the settings tab called "Close account and erase all data". When you click this and confirm the deletion, your entire account, including all the data we hold about you, will be erased from our live servers in 30 minutes' time.

Please note, however, that some of your account data may live on in our off-site backups for 90 days. This is because our backup systems are fully isolated from our live systems, so we cannot automatically expunge data from our backups through any mechanism on our live website. Instead, our backups will naturally expire your data as time progresses, with the very last copy being erased at the 90 day mark.

With regards to the GDPR data portability requirements, can I export my data?

We have made your query statistics, positive detections, custom rules, custom lists and CORS domains downloadable and exportable from the dashboard and through JSON APIs so that you can take a copy of your data to use with another data processing company at your convenience.

How seriously do you take personal information security?

We take all information security very seriously. Every single one of our features has been designed with security in mind from the first moment. We hash all customer passwords, we limit how much personal information we hold and we make a conscious effort to keep all our software up to date.

When exchanging any data between the server nodes in our cluster we use strong encryption with a pre-shared key known only to us. Our checking API that receives IP data from customers also offers a TLS encrypted endpoint which customers are encouraged to use.

We know how important security is. It is, after all, what our entire company is built around: helping you to keep your own web properties safe.

The GDPR requires that you obtain prior written authorisation from the data-controller (i.e. customers of proxycheck.io) before you use a sub-processor for their data, do you adhere to this stipulation?

What this responsibility means is, when you send IP or email addresses to us for processing we cannot then send those addresses to another entity to process on our behalf without written approval from the original address provider (meaning you).

We do comply with this stipulation as we do not use any sub-processors and we do not intend to ever use any.

In addition to this, anytime we take on a new data provider, we always download their data as one big contiguous block of information and then any data analysis is done on our servers by us. At no point are the IP or email addresses you send us sent to third parties.

How will you notify me of a data information breach?

Under the GDPR we're required to deliver a notice to our customers within 72 hours of us becoming aware of a data breach. We believe we can deliver such a notice within 24 hours and that is our current internal policy. All notices would be delivered by email directly to our customers. As of October 2025 we have had no data breaches of any kind.

Do you have data protection officers?

Under the GDPR, companies who deal in sensitive personal information must have a named data protection officer. However, the GDPR specifically lists IP addresses as a type of non-sensitive personal information, and companies that deal solely in IP address metadata are not required to have a data protection officer. This would change if we held user-specific information like genetic data, health data, political opinions, names and identities etc. These are all examples of data types we do not collect or offer.

Also we should note, when you send an address to us to be checked we are providing you information we already hold on that address. The only time we're generating information based on a query you perform is to log for you that you performed an address check that resulted in an anonymous declaration from our database. In real terms this means we're not generating information about addresses that could ever lead to or point to a specific individual or group.

What do I need to do as a data-controller when I use proxycheck.io?

Before you send addresses to us for processing you should make your customers aware in plain English that their address will be sent for processing to a third party to check that they're not utilising an anonymising service to access your property.

As a data-controller you have the responsibility to take care of your customers' information and you must make it clear to your customers that their data is leaving your organisation to be processed on your behalf by another organisation. You're free to make clear to your customers that proxycheck.io is your data processing partner.

To make sure you're compliant with the GDPR please read the official GDPR website here.


Last update: 27th of September 2025
27th of September 2025
A lot of the text on the page was changed to clean up ambiguous meanings and update some terminology to align with our new v3 API, for example references to proxies and VPNs were changed to anonymous addresses.
26th of September 2025
Corrected the links which appear throughout the page to the correct and official GDPR.EU website.
8th of September 2024
The section titled "Can I delete my account and all the data you hold about me?" was renamed and updated to emphasise how you can delete your account and your data from within the dashboard. We also added a section about how long your data will stay within our off-site backups. The section regarding how we obtain prior written authorisation from data controllers before we use sub-processors was re-written to clarify we do not and have never used any sub-processors and that any IP or email address you send to us is never sent to any third-parties. The section titled "What personal information do you store about me?" was updated to include a new section about Hostinger which is our email inbox provider. We also updated the styling to break each section up with square borders for easier readability.
7th of September 2024
A new section titled "When I perform an API call, how is that data stored, for how long and who has access to it?" was added which specifically details what data we save, where we save it, who has access to it and for how long we save data. The section titled "What personal information do you store about me?" was updated to remove references to Whitelists and Blacklists and replace them with references to Custom Lists which replaced the function of specific White and Blacklists in our service. The section titled "What personal information do you store about me?" was updated to add references to CORS domains which users can supply within the customer dashboard to activate client-side querying.
3rd of December 2021
The section titled "What kind of information audits have you conducted?" was updated to clarify how positive and negative addresses are stored and logged once checked with our service.
7th of October 2021
The section regarding how to erase the data we have held about you has been altered because you can now erase the data yourself from within the dashboard as opposed to needing to contact our support to do this.
19th of July 2020
All references to Mailgun in the document were removed and replaced with Amazon as we have switched from using Mailgun to Amazon AWS for all email sending.
30th of January 2020
Updated the document to explain that we now ask for billing information (Name & Address) of new paid customers. This information is stored exclusively on Stripe servers and not our own.

This change was done to increase the chances of a successful payment as banking anti-fraud systems prefer to have more information presented during checkout.
We added data access guides with easy to understand coloured padlocks so you can better understand what information we have access to and where it's stored.
24th of April 2018
A new section was added explaining how we apply our GDPR compliance worldwide and we also cleaned up some wording within the document that doesn't change any meaning of the text but makes it easier to understand.
16th of February 2018
First draft of our GDPR Compliance document.