Plain-language summary: If you are in the EU/EEA or UK, the GDPR gives you specific rights over your personal data. Because CheckTown does not store your validation inputs, most GDPR data minimisation principles are satisfied by design. This page explains what we do collect and the rights available to you.
1. Data Controller
The data controller for personal data processed through the CheckTown website is:
- Service: CheckTown
- Website:https://check.town
- Contact email:hello@check.town
As data controller, we determine the purposes and means of processing personal data in connection with CheckTown. If you have any questions about how we handle your data, contact us at hello@check.town.
2. Personal Data We Process
Under the GDPR, "personal data" means any information relating to an identified or identifiable natural person. The following table describes what personal data CheckTown processes and why.
| Category | Data Elements | Purpose |
|---|---|---|
| Network identifiers | IP address, user agent string | Rate limiting, security, aggregated analytics |
| Usage data | Pages visited, timestamps, referring URL | Aggregate analytics and service improvement |
| Correspondence | Email address, message content | Responding to support or privacy inquiries |
| Validation inputs | Email/IBAN/phone/etc. submitted for checking | Performing the validation only — not stored after response |
Validation inputs that contain personal data (such as an email address) are processed transiently in memory for the sole purpose of performing the validation. They are not written to any database or log file and are not retained after the response is returned.
3. Legal Bases for Processing
The GDPR requires that every act of processing personal data has a lawful basis (Article 6). Below we identify the legal basis for each category of data we process:
| Processing Activity | Legal Basis | Article |
|---|---|---|
| Processing validation inputs to return a result | Performance of a contract / steps prior to a contract | Art. 6(1)(b) |
| Server logs, rate limiting, security | Legitimate interests (keeping the service secure and fair) | Art. 6(1)(f) |
| Aggregate, anonymised analytics | Legitimate interests (improving the service) — data is anonymised | Art. 6(1)(f) |
| Handling your email correspondence | Performance of a contract / legitimate interests | Art. 6(1)(b) / Art. 6(1)(f) |
We have conducted legitimate interests assessments for all processing activities relying on Art. 6(1)(f) and concluded that our interests do not override your rights and freedoms, given the minimal nature of the data involved and the privacy-preserving architecture of the service.
4. Your Rights Under the GDPR
As a data subject under the GDPR, you have the following rights. Each right is summarised below along with its practical scope in the context of CheckTown.
4.1 Right of Access (Article 15)
You have the right to obtain confirmation of whether we process your personal data, and if so, to receive a copy of it along with supplementary information about how it is processed. To exercise this right, contact us at hello@check.town.
Practical scope: Because we do not retain validation inputs, the data we hold about you is limited to server logs (IP, timestamp, user agent) for up to 90 days and any email correspondence you have sent us.
4.2 Right to Rectification (Article 16)
You have the right to have inaccurate personal data corrected without undue delay. Where appropriate, incomplete data may also be completed.
Practical scope: This applies primarily to any email correspondence we hold. Server logs cannot typically be corrected as they are technical records of actual network events.
4.3 Right to Erasure — "Right to be Forgotten" (Article 17)
You have the right to request the deletion of your personal data when:
- The data is no longer necessary for the purpose for which it was collected.
- You withdraw consent (where processing was based on consent).
- You object to processing based on legitimate interests and there are no overriding legitimate grounds.
- The data has been unlawfully processed.
Contact us at hello@check.town to request deletion. We will respond within 30 days.
4.4 Right to Restriction of Processing (Article 18)
You have the right to request that we restrict processing of your personal data in certain circumstances, for example while the accuracy of the data is contested or while an objection is being assessed.
4.5 Right to Data Portability (Article 20)
Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
Practical scope: This right applies primarily to any correspondence data we hold. Technical log data is not typically portable in a meaningful sense.
4.6 Right to Object (Article 21)
You have the right to object at any time to processing based on legitimate interests (Art. 6(1)(f)), including for direct marketing purposes. If you object, we will cease that processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
4.7 Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to a decision based solely on automated processing — including profiling — that produces significant legal effects concerning you.
Practical scope: Rate limiting is applied automatically based on IP address behaviour, but this does not constitute a significant legal decision and is technically necessary for the service. We do not conduct any automated profiling or automated decision-making with significant legal effects.
5. How to Exercise Your Rights
To exercise any of the rights described above, please submit a request by email to hello@check.town with the subject line "GDPR Data Request". Please include:
- The right you wish to exercise (access, erasure, portability, etc.).
- Sufficient information for us to identify and locate any data we hold about you (e.g., your IP address or the email address you used to contact us).
We will acknowledge your request within 72 hours and respond fully within 30 days. In complex cases we may extend this by a further 60 days, in which case we will notify you.
We will not charge a fee for handling your request unless it is manifestly unfounded or excessive.
6. International Data Transfers
CheckTown may process data using infrastructure located outside the European Economic Area (EEA). Where transfers to third countries occur, we ensure that appropriate safeguards are in place as required by GDPR Chapter V, including:
- Adequacy decisions — transfers to countries the European Commission has recognised as providing an adequate level of data protection.
- Standard Contractual Clauses (SCCs) — the EU Commission-approved contractual clauses that bind recipients to data protection standards equivalent to those in the EEA.
You may request details of the specific safeguards applied to any international transfer by contacting us at hello@check.town.
7. Data Retention Periods
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law. Our retention periods are:
| Data Category | Retention Period | Basis |
|---|---|---|
| Validation input values | Not retained — discarded after response | Data minimisation (Art. 5(1)(e)) |
| Server access logs (IP, timestamp, endpoint) | Up to 90 days | Security / legitimate interests |
| Security and abuse logs | Up to 12 months | Legal obligation / legitimate interests |
| Email correspondence | Until resolved, then deleted | Contract / legitimate interests |
At the end of each retention period, data is securely deleted or anonymised.
8. Automated Decision-Making and Profiling
CheckTown does not use automated decision-making processes that produce legal or similarly significant effects on individuals. Rate-limiting decisions (temporary IP blocking) are technical necessity measures and do not constitute significant automated decision-making within the meaning of Article 22 GDPR.
We do not profile individual users for marketing, advertising, or behavioural targeting purposes.
9. Right to Lodge a Complaint with a Supervisory Authority
If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
A full list of EU Data Protection Authorities is available on the European Data Protection Board website. UK residents may contact the Information Commissioner's Office (ICO).
We encourage you to contact us first at hello@check.town so we have the opportunity to address your concern directly.
10. Contact
For all GDPR-related inquiries, requests, or concerns:
- Email:hello@check.town
- Subject line: "GDPR Data Request" or "GDPR Inquiry"
- Website:https://check.town
We also recommend reading our full Privacy Policy and Cookie Policy for a complete picture of how CheckTown handles personal data.