Privacy Policy

Last updated: May 27, 2026

1. Who We Are

CheckThatPhone ("CheckThatPhone," "we," "us," "our") operates the website at checkthatphone.com and the phone-validation API at api.checkthatphone.com/v1/lookup. Questions about this policy or your data: hello@checkthatphone.com.

2. Information We Collect

Account information

  • Email address (required to create an account)
  • Password hash if you sign up with email/password (we never store the plaintext password)
  • Google profile data (name, email, profile image) if you sign in with Google
  • IP address and user agent at sign-up and on each session (security and abuse detection)

Billing information

  • Name and billing address you provide to Stripe at checkout
  • Subscription plan, billing cycle, and renewal dates
  • We do not store payment card numbers. Stripe processes payments and stores card data under PCI DSS Level 1.

Service usage data

  • API key hashes (we display the plaintext key once and never store it again)
  • API request timestamps, response codes, credits used, and the source IP of the request
  • Aggregated daily usage records used for billing reconciliation

Phone numbers submitted via the API

Phone numbers and optional IP addresses you submit to our API are passed through to our upstream carrier-data provider in the United States for the duration of the lookup, then discarded. We do not store the phone numbers you query. Our internal usage analytics record only request metadata — your user ID, plan, the credits charged, upstream latency, and the prefix of the API key used — never the phone number itself. We do not sell, share for marketing, or otherwise repurpose phone numbers you submit.

Analytics

We use a third-party web-analytics service across the site — both our public pages (homepage, blog, pricing, docs, about, legal) and the authenticated /dashboard — to understand traffic patterns and product usage. We never send the phone numbers you submit or your lookup results to analytics.

3. How We Use Information

  • Provide the API service and operate your account
  • Bill you for usage and process payments via Stripe
  • Send transactional and quota-related email (account confirmation, password reset, billing receipts, usage warnings)
  • Detect, prevent, and respond to abuse, fraud, and security incidents
  • Improve our service through aggregated, non-identifying analytics
  • Comply with legal obligations and respond to lawful requests

4. Subprocessors

We rely on a small set of service providers (subprocessors) to operate the platform. Each is bound by its own privacy and security commitments and processes data only as needed to deliver its function:

  • Payment processor (Stripe) — billing and card processing; we never store card numbers
  • Email delivery provider — transactional and account email
  • Cloud infrastructure provider — API delivery, edge compute, content delivery, and DDoS protection
  • Application hosting provider — the marketing site and dashboard
  • Managed database & authentication provider — account records and sign-in sessions
  • Authentication provider for optional social sign-in (Google) — used only if you choose "Continue with Google"
  • Web-analytics provider — aggregate traffic and product-usage measurement
  • Upstream carrier-data provider — performs the underlying carrier lookups in the United States

We can provide the current named list of subprocessors on request — email hello@checkthatphone.com.

5. Data Retention

  • Account data — retained while your account is active. On deletion request, we erase or anonymize within 30 days.
  • Billing records — retained for up to 7 years to meet tax, accounting, and financial-reporting obligations.
  • Daily usage records — retained for up to 3 years for billing reconciliation and dispute resolution.
  • Audit and security events — retained for up to 1 year.
  • API key hashes — retained until you revoke the key or delete your account.
  • Phone numbers submitted to the API — not retained. Passed to the upstream carrier-data provider for the duration of the lookup and then discarded; not stored, not cached, not logged.

6. International Transfers

We operate from the United States, and your data is processed in the United States. If you access the service from the EU, UK, or Switzerland, we rely on the Standard Contractual Clauses (SCCs) and the UK Addendum, or other lawful transfer mechanisms such as the EU-US Data Privacy Framework where applicable, for cross-border transfers.

7. Your GDPR Rights (EU/EEA/UK)

If you are in the EEA or the UK, you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate or incomplete data
  • Erase your data ("right to be forgotten"), subject to legal retention obligations
  • Restrict or object to processing
  • Receive your data in a portable, machine-readable format
  • Withdraw consent at any time where consent is the legal basis
  • Lodge a complaint with your supervisory authority

To exercise these rights, email hello@checkthatphone.com. We do not engage in solely automated decision-making with legal or similarly significant effect.

8. Your CCPA Rights (California)

California residents have the right to know what personal information we collect, to request deletion, to correct inaccurate information, and to opt out of any "sale" or "sharing" of personal information. We do not sell or share personal information for cross-context behavioral advertising. To submit a request, email hello@checkthatphone.com.

9. Cookies

We use a small number of cookies:

  • Session cookies set by our authentication system to keep you signed in to the dashboard. Required for the service to function.
  • Third-party analytics cookies across the site, including the dashboard, to measure aggregate traffic and product usage. You can block these in your browser settings or with a tracker-blocking extension.

10. Children's Privacy

The service is not intended for individuals under 18. We do not knowingly collect personal information from children. If you believe we have collected such information, contact us and we will delete it.

11. Security

We use TLS for data in transit, encryption at rest where supported by our infrastructure providers, access controls limiting who can see customer data, hashed credentials and hashed API keys, and routine security review of dependencies. No system is perfectly secure; we cannot guarantee absolute protection.

12. Account Deletion

You can delete your account yourself from the Account page in the dashboard, or by emailing hello@checkthatphone.com. On deletion we cancel your subscription, revoke your API keys, and erase your personal data subject to the retention windows above for legal and financial records.

13. Changes to This Policy

We may update this policy from time to time. Material changes will be announced by email to active account holders and noted with a new "Last updated" date at the top of this page. Continued use of the service after a change indicates acceptance of the updated policy.

14. Contact

Questions, requests, or complaints regarding this policy: hello@checkthatphone.com.

Related: Terms of Service