Legal
Last updated: May 2026
When you create an account, we collect your email address and organization name via Clerk, our authentication provider. When you use the API, we process the email addresses and contact names you submit for validation or finding. We also collect usage data (API calls, credit usage) for billing and service operation.
Email addresses submitted for validation are hashed (SHA-256) and cached for up to 7 days to improve response times. We do not sell, share, or distribute the email addresses you validate or the contacts you look up. Your data is used solely to provide the service you requested.
Validation results are cached for 7 days, then automatically deleted. Domain information (MX records, provider, catch-all status) is cached for 24 hours. Account data is retained for the duration of your account. You can request deletion of your account and all associated data at any time by contacting us.
We use the following third-party services:
Each of these services has its own privacy policy. We do not share your validated email data with any of these providers.
To validate email addresses, our servers connect to mail servers via SMTP. This is a standard protocol check that does not send any actual email. We check whether a mailbox exists and disconnect. No messages are delivered during this process.
We use essential cookies for authentication (via Clerk). We use Google Analytics for aggregate website traffic analysis. We do not use advertising cookies or trackers.
You can export your data, delete your account, or revoke API keys at any time from the dashboard. For data deletion requests or questions, contact us at jeff@opflow.io.
gtmcli is operated by Opflow. For privacy-related questions:
jeff@opflow.io