The short version: CleanMyList is GDPR-aware by design. We act as a data processor for the email lists you upload, store and process them in EU data centers by default, sign a DPA on request, and provide tools to delete, export, and restrict your data.
Our role
When you upload a list of email addresses to be verified, you are the data controller. CleanMyList is the data processor — we process those addresses only to deliver the verification you requested, never to enrich, advertise, or train models.
Where your data lives
Verification runs are processed in our EU region by default (AWS eu-west-1, Ireland). If your workspace is provisioned in another region, that region is shown on your billing page. We do not move list data between regions without your written instruction.
Subprocessors
We maintain a current list of subprocessors and notify customers of changes at least 30 days in advance. The current list includes our hosting provider (AWS), our error-tracking provider (Sentry), and our transactional email provider (Resend). Email privacy@cleanmylist.io for the full list.
Your rights
You can export, delete, or restrict processing of any list at any time from the Lists page. Account-level deletion is self-serve in Settings and includes a 90-day anonymization window per our privacy policy. To exercise data subject rights on behalf of an end user (e.g. a recipient on a list you uploaded), email privacy@cleanmylist.io — we'll respond within 30 days.
Data processing agreement
We have a standard DPA available on request, pre-signed by CleanMyList, that incorporates the EU Standard Contractual Clauses for any data transfers outside the EEA. Email legal@cleanmylist.io to receive it.
Breach notification
In the unlikely event of a personal data breach affecting your data, we will notify you without undue delay, and in any case within 72 hours of becoming aware, with the information required under Article 33 GDPR.
Contact our DPO
Email dpo@cleanmylist.io for any GDPR-related question. We will respond within 5 business days.