ValidKit is an email validation API built specifically for AI agents. It verifies email domains with sub-200ms response times (P95 under 200ms), making it 2-3x faster than industry average solutions.

How much does ValidKit cost?

ValidKit offers a free tier with 1,000 validations/month. Paid plans start at $20/month for 10,000 validations (Pro tier). The Growth tier at $50/month includes 50,000 validations, priority support, and 99.9% uptime SLA. Pricing is as low as $0.001 per email with overage billing.

How fast is ValidKit?

ValidKit delivers sub-200ms response times with a median <150ms and P95 <200ms. This makes it 2-3x faster than the industry average of 200-500ms, ensuring your auth flows stay snappy.

How is ValidKit different from SMTP verification?

ValidKit focuses on domain validation which is 90% cheaper and 100x faster than full SMTP verification. While SMTP verification checks if specific mailboxes exist (5-30 seconds per email), ValidKit instantly validates domains, catches typos, and detects disposable emails - perfect for real-time applications and AI agents.

ValidKit - Bulk Email Validation API | No Timeouts, Fair Pricing

Q: How is ValidKit different from SMTP verification?

ValidKit focuses on domain validation which is 90% cheaper and 100x faster than full SMTP verification. While SMTP verification checks if specific mailboxes exist (5-30 seconds per email), ValidKit instantly validates domains, catches typos, and detects disposable emails - perfect for real-time applications and AI agents.

ValidKit is committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR).

Your Rights Under GDPR

As a data subject in the EU/EEA, you have the following rights when using ValidKit:

1. Right to Access (Article 15)

Request a copy of your personal data we hold.

How: Email [email protected] or use API: GET /api/v1/gdpr/export
Response Time: 30 days maximum
Format: JSON export

2. Right to Rectification (Article 16)

Correct inaccurate personal data.

How: Update via Dashboard or email [email protected]
Response Time: 30 days maximum
Self-Service: Account settings available 24/7

3. Right to Erasure (Article 17)

Request deletion of your personal data ("right to be forgotten").

How: Email [email protected] or use API: POST /api/v1/gdpr/delete
Response Time: 30 days maximum
What is Deleted: Account data, validation history, cached results, logs
Exceptions: Billing records retained 7 years (tax law requirement)

4. Right to Portability (Article 20)

Receive your data in machine-readable format.

How: Export via Dashboard or API: GET /api/v1/gdpr/export
Format: JSON (structured, machine-readable)
Response Time: Immediate (automated export)

5. Right to Object (Article 21)

Object to processing of your personal data.

How: Email [email protected]
Response Time: 30 days maximum
Scope: Right to object to processing based on legitimate interest

6. Right to Restrict Processing (Article 18)

Request temporary halt of data processing.

How: Email [email protected]
Response Time: 30 days maximum
Effect: Data stored but not actively processed

What Data We Collect

Personal Data (Account)

Email address (for account creation and API key delivery)
Company name (optional, provided by you)
Billing information (processed by Stripe, not stored by ValidKit)

Email Addresses for Validation (NOT STORED)

Important: Email addresses submitted for validation are NEVER stored permanently.

Processed in-memory only during validation
Immediately discarded after response
Hashed (SHA-256) before logging for debugging
No email PII in application logs

API Usage Data

API request timestamps and response times
Usage statistics (aggregated, anonymized)
Error logs (with hashed emails only)
Trace IDs for multi-agent request tracking

How We Protect Your Data

Data Minimization

We only collect what's necessary to provide the service

Storage Limitation

30-day maximum retention for cached validation data

Email Hashing

Email addresses hashed (SHA-256) before logging

Encryption

TLS 1.3 for all data in transit, AES-256 at rest

Access Control

API key authentication, role-based access, principle of least privilege

For more details, see our Security page.

Data Retention

Data Type	Retention Period	Auto-Deletion
Cached validation results	30 days maximum	Yes
Application logs	30 days	Yes
Account data	Until account deletion + 30 days	Yes
Billing records	7 years (tax law requirement)	No
Email addresses for validation	Never stored	N/A

International Data Transfers

Processing Location

Primary data processing occurs in the United States (Vercel US East region).

EU Adequacy & Safeguards

Transfer Mechanism: Standard Contractual Clauses (SCCs) - EU Commission Decision 2021/914
Supplementary Measures: Encryption in transit (TLS 1.3), data minimization, hashed logging
SCC Copy: Available upon request via [email protected]

UK Transfers

UK Addendum to Standard Contractual Clauses available upon request for UK customers.

Data Breach Notification

In the event of a data breach affecting your personal data:

Notification Timeline: Within 72 hours of discovery (GDPR Article 33)
Notification Method: Email to your registered address
Authority Notification: We will notify relevant data protection authorities (ICO, CNIL, etc.)
Information Provided: Nature of breach, data affected, remediation steps

Legal Basis for Processing

We process your personal data under the following legal bases:

Contract Performance (GDPR Article 6.1(b))

To provide the email validation service you signed up for

Legitimate Interest (GDPR Article 6.1(f))

For fraud prevention and service improvement

Consent (GDPR Article 6.1(a))

For marketing communications (opt-in required, can be withdrawn anytime)

Data Processing Agreement (DPA)

For B2B customers using ValidKit API to validate email addresses:

When you use our API, we act as a Data Processor on your behalf (you are the Data Controller).

Our Data Processing Agreement (DPA) complies with GDPR Article 28 requirements.

View our Data Processing Agreement →

Contact & Complaints

Data Protection Contact

Email: [email protected]
Response Time: 30 days maximum

Supervisory Authority

If unsatisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority:

EU/EEA: Your local Data Protection Authority - Find your DPA
UK: Information Commissioner's Office (ICO) - ico.org.uk

Last Updated: November 25, 2025
For our complete privacy practices, see our Privacy Policy.

GDPR Compliance