Privacy Policy
Effective date: July 12, 2026
1. Who we are and scope
Is It Disposable (isitdisposable.com) is a commercial disposable email address detection service operated by IdeasJam LLC (“we”, “us”, or “our”). This Privacy Policy explains what personal information we collect about you, how we use it, and your rights with respect to it.
This Policy applies to information collected when you visit our website, create an account, subscribe to a plan, or use the Service (our API and JavaScript snippet). It does not govern how our customers handle the email addresses they check through the Service; those customers are responsible for their own data practices.
2. Information we collect
We collect the following categories of information:
Account information
When you create an account we collect your email address, a hashed version of your password (we use argon2 and never store the plain text), your organization name, and the details of any team members you invite (their email addresses and the roles you assign them).
Billing information
Payment processing is handled by Stripe. We store the details Stripe returns to us (subscription status, plan, billing interval, and customer identifiers) but we do not store your full payment card number or raw card data. Stripe’s own privacy policy governs how Stripe handles your payment information.
Email addresses and domains you submit for checking
The Service processes the email addresses your application submits via the API or JavaScript snippet. What we log depends on the privacy mode you have configured for your account:
- Default mode (domain-only logging):We log only the domain portion of each checked address (for example “example.com”). We never log the local part (the portion before the “@” sign) or the full address.
- No-storage mode (opt-in): We log only the detection results (the domain classification signals, such as whether the address is disposable and whether the domain can receive mail), the recommended action, and the minimal metadata needed for billing. We never log the domain, the local part of the address, or the full address.
The live demo on the homepage is rate-limited and is never billed. For demo requests, we record only the domain portion of what you check (never the local part before the “@” sign, and never the full address) together with its detection result, so we can review and improve detection accuracy; these records are kept for up to 180 days and are not linked to you. To speed up repeat checks, the domain-level result (never the full address) is also held in a short-lived shared cache for about 24 hours and then expires automatically.
Domain submissions
If you use the public form to submit a domain for review (to flag it as disposable or to report it as incorrectly flagged), we store the domain, the kind of report, and the reason you gave, along with the network address (Internet Protocol, or IP, address) the submission came from. If you choose to provide your email address, we store that too. We use this information only to review and act on your submission and to prevent abuse of the submission form; we do not use it for marketing. See Data retention below for how long we keep it.
Technical and usage data
We collect your IP address on each request for rate limiting, abuse prevention, and security purposes. We also collect standard server log data such as the request timestamp, the API endpoint called, HTTP status codes, and response times.
Cookies
When you are signed in, we set a server-side session cookie that identifies your authenticated session. Sessions are stored server-side and are individually revocable. Our website analytics (DataFast, listed in Section 4) runs in cookieless mode and sets no cookies at all. If you arrive at the site through a partner referral link, our affiliate platform (Endorsely, listed in Section 4) sets one first-party cookie named endorsely_referral containing a random referral identifier, so the referring partner can be credited if you later purchase a subscription. It contains no personal information, is not used for advertising or cross-site tracking, and is never set for visitors who do not arrive through a partner link.
3. How we use your information
We use the information we collect to:
- Provide, operate, and maintain the Service, including processing detection requests and returning results.
- Manage your account, subscription, and billing, including sending transactional emails (such as account verification, password reset, and quota alerts) through SocketLabs.
- Enforce rate limits, prevent abuse, and protect the security of the Service and our infrastructure.
- Respond to your support requests and communicate with you about the Service.
- Maintain and improve our disposable domain detection data (this work is based on domain-level signals, not on your personal data).
- Comply with legal obligations and enforce our Terms of Service.
4. How we share your information and sub-processors
We do not sell your personal information to third parties, and we do not share it for advertising purposes.
We share information with the following sub-processors to operate the Service:
- DigitalOcean - Hosting and managed databases (PostgreSQL and Valkey), located in the United States. Our application and data are hosted on DigitalOcean App Platform.
- Stripe - Payment processing. Stripe processes subscription payments and stores your payment card details in accordance with their privacy policy.
- SocketLabs - Transactional email. SocketLabs sends our transactional email on our behalf: account verification, existing-account notice, password reset, email change confirmation and notice, team invitation, trial expiry, and quota warning emails.
- Sentry - Error monitoring. Sentry receives error reports and diagnostic data from our web, API, and worker components to help us identify and fix issues.
- Cloudflare - Domain Name System (DNS) and network delivery. Cloudflare sits in front of the entire Service, including the API, and provides DNS, delivery, and protection against attacks. Because it terminates encrypted connections, it has technical access to the full content of requests routed through it (not only your IP address) while they are in transit to us; we do not use it to store or log the email addresses submitted for checking.
- DataFast- Website analytics. DataFast receives anonymous pageview data from across the website, including the dashboard and the staff admin console: the page path (with any tokens or personal query values stripped before sending) and standard request metadata such as your IP address. It runs in cookieless mode, sets no cookies, and it does not receive your password or the email addresses you submit for checking. When you purchase a paid subscription, DataFast also receives payment details from Stripe, our payment processor: the amount paid, the currency, and the billing email address Stripe holds for you, linked to DataFast’s anonymous visitor identifier. We use this so we can measure which marketing channels lead to paying customers. DataFast’s anonymous visitor identifier is also stored with your account at signup and used to report a small set of milestone events to DataFast as you use the Service: starting a trial, completing email verification, starting a paid subscription, and changing or canceling a plan. These events carry only the visitor identifier and plan details (for example the plan name and billing interval), never your email address or payment details.
- Endorsely - Affiliate referral tracking. When you arrive at the site through a partner referral link, Endorsely receives the landing page path, the referral code from the link, and standard request metadata such as your IP address, and a first-party cookie named endorsely_referral stores a random referral identifier in your browser (see Cookies in Section 2). If you later purchase a paid subscription, that referral identifier is attached to the Stripe Checkout record so Endorsely, which is connected to Stripe, can credit the referring partner with the amount paid and the currency. Endorsely does not receive your password, your account email address, or the email addresses you submit for checking, and it receives nothing at all for visits that do not come through a partner link.
- ActiveCampaign - Email marketing and customer communications, an optional integration we control and may choose to turn on. When it is turned on, ActiveCampaign receives your account email address and a small set of marketing tags reflecting your plan and your trial status, together with your subscription status on the mailing list we configure. We use this to send relevant product and marketing communications and to keep that status in sync with your account. When you delete your account, we remove those tags from your ActiveCampaign contact and unsubscribe your address from our list. If you unsubscribe, whether through ActiveCampaign, an email it sends, or because your account was deleted, we never resubscribe you automatically. ActiveCampaign does not receive your password, billing details, or the email addresses you submit for checking.
We may also disclose your information if required by law, court order, or governmental authority, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
5. Data retention
We retain account and billing information for as long as your account is active. After you close your account we may retain certain information for a reasonable period as required to comply with legal obligations, resolve disputes, and enforce our agreements.
Request log data is retained according to your account’s privacy mode. In default (domain-only) mode, we retain domain-level log data for the period needed for billing reconciliation, rate-limit enforcement, and abuse prevention. In no-storage mode, we retain only the minimal billing metadata needed to count the check; no domain or address information is written to our logs. Separately from logging and regardless of privacy mode, domain-level results (never the full address, and not linked to any account) are held in a short-lived shared operational cache for a few minutes to speed up repeat checks, then expire automatically.
For the live demo on the homepage, the domain and detection result described in Section 2 are kept for up to 180 days so we can review and improve detection accuracy, then deleted automatically. A domain checked again within that window refreshes the 180-day period for that record.
When you delete your account, we process the deletion and remove your personal information consistent with these retention periods.
For domain submissions, we remove a decided submission (one we have approved or rejected) within 90 days of the decision, since the outcome of a submission is recorded elsewhere in our systems once it is decided. Regardless of whether a submission has been decided, your email address and IP address, if you provided them, are removed within 180 days at the latest; the domain, the kind of report, and the reason you gave may be kept longer as operational history.
6. Security
We take reasonable technical and organizational measures to protect your information. These include:
- Passwords are hashed using argon2, a memory-hard hashing algorithm. We never store or log plain-text passwords.
- All data is transmitted over encrypted connections (Transport Layer Security).
- Sessions are stored server-side and are individually revocable. Signing out immediately invalidates your session.
- Our infrastructure runs in a United States region on DigitalOcean App Platform with managed PostgreSQL and managed Valkey. Error monitoring through Sentry helps us detect and respond to security-relevant issues quickly.
No system is perfectly secure. If you discover a security issue, please contact us at [email protected].
7. Your rights
You have the right to:
- Access the personal information we hold about you.
- Correct inaccurate or incomplete personal information by updating it in your account settings.
- Delete your account and associated personal information through the account deletion option in your account settings.
To exercise your rights or for questions about your data, contact us at [email protected]. We will respond within a reasonable time.
Depending on where you are located, you may have additional rights under local privacy law. We will honor requests that are required by applicable law.
8. Children
The Service is a commercial developer tool not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us and we will delete it promptly.
9. United States data storage
Our infrastructure is hosted in the United States. If you are accessing the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States. By using the Service you consent to this transfer.
10. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email to the address on your account and by posting the updated Policy here with a new effective date. Your continued use of the Service after the effective date constitutes acceptance of the revised Policy.
11. Contact
Questions or concerns about this Privacy Policy or your personal data? Contact us at:
IdeasJam LLC
1321 Upland Dr., Suite 12520, Houston, Texas 77043, US