Privacy Policy

This Privacy Policy explains how CheckMate.bio (the "Service", "we", "us") processes personal data in connection with our reverse email lookup and digital-footprint reports. By using the Service you confirm that you have read and understood this policy.

1. Who we are

CheckMate.bio is operated by IASolutions. For any privacy-related request, contact us at privacy@checkmate.bio. For general support, write to support@checkmate.bio.

2. Geographic scope — EU, EEA, and UK

The Service is not offered to, and is not intended for, residents of the European Union, the European Economic Area, or the United Kingdom. Access to the Service from these regions is blocked at the network edge based on IP geolocation, in accordance with Regulation (EU) 2016/679 ("GDPR") and the UK General Data Protection Regulation ("UK GDPR").

We do not knowingly provide the Service to, nor intentionally process personal data of, individuals located in the EU/EEA/UK. If you believe you have accessed the Service from a restricted region, you must stop using the Service immediately.

3. What data we process

To operate the Service we process a small, purpose-limited set of data:

• The email address you submit to the search form. This address is passed to an upstream OSINT aggregation provider to produce the report.
• Your IP address, used for rate limiting, abuse prevention, and GDPR/UK-GDPR geo-blocking.
• Payment metadata provided by PayPal when you purchase a detailed report (order ID, capture ID, payer ID, amount, currency). We do not see or store your PayPal credentials or card numbers.
• Short-lived technical records: a signed unlock token (HMAC, 15-minute validity), a job record for the in-flight report (24-hour TTL), and rate-limit counters.
• Aggregate product analytics events that record which actions happened (page view, search submitted, unlock click, payment succeeded, error encountered). The only personal-data field sent with these events is the domain portion of the submitted email (for example, "gmail.com") — never the full address or the search result. Analytics providers also receive standard request metadata (truncated IP address, user agent, referrer, approximate country from IP).

4. What we do NOT store

We do not persist the OSINT results returned to you. The detailed report is held in short-term storage for up to 24 hours so that you can retrieve it after payment, and is then automatically deleted. We do not build long-term profiles of the subjects of your searches and do not retain found data beyond the short-lived session needed to deliver the report.

We do not collect passwords, private messages, location history, browsing history, or any data that would require bypassing authentication on any third-party service.

5. Third parties we rely on

• An upstream OSINT data provider that aggregates publicly observable sources. Your search email is passed to this provider solely to produce the report.
• PayPal — for processing the $0.99 unlock payment. PayPal's own privacy policy applies to that transaction.
• Vercel — our hosting and edge network provider. Vercel Analytics receives the aggregate product events described in Section 3.
• Umami Cloud (umami.is) — a privacy-focused product analytics provider. Umami receives the same aggregate product events described in Section 3. Umami does not use cookies and does not build cross-site profiles.
• Upstash — a managed Redis provider used to hold the short-lived job record and rate-limit counters.

6. Legal basis and purpose

For users outside the EU/EEA/UK, we process personal data on the basis of the legitimate interest of operating a reverse email lookup service, and on the basis of your consent and the contract for providing the paid report. The Service must be used only where you have a genuine legitimate interest — such as personal safety checks, due diligence on people you already interact with, or verifying information about yourself.

7. Retention

• Job records (in-flight and completed reports): up to 24 hours, then deleted automatically.
• Rate-limit counters and abuse signals: up to 60 seconds per window.
• Unlock tokens: 15 minutes from issuance.
• Payment records stored by PayPal: governed by PayPal's retention policy.
• Server logs (request-level): retained by our hosting provider per their default policy.
• Aggregate product analytics events stored by Vercel Analytics and Umami Cloud: governed by those providers' retention policies. We do not maintain a separate copy.

8. Your rights

Subject to applicable law, you may have the right to access, rectify, or erase personal data we process about you, to object to or restrict processing, and to data portability. Because the Service is not offered in the EU/EEA/UK, we treat equivalent requests from all users on a best-effort basis.

To exercise these rights, send a request to privacy@checkmate.bio with enough information for us to identify the relevant data (for example, the email address you previously submitted).

9. Security

We use HTTPS for all traffic, HMAC-signed unlock tokens, signed webhook verification for payment events, strict payment-amount and order-identity checks, and rate limiting to reduce abuse. No system is perfectly secure; use the Service with that understanding.

10. Changes to this policy

We may update this Privacy Policy from time to time. The effective date is shown at the top of the page. Continued use of the Service after changes indicates acceptance of the updated policy.

11. Contact

Privacy or data-subject requests: privacy@checkmate.bio. General support: support@checkmate.bio.