Compliance

How we treat data and what you can use it for.

Straight answers to the questions B2B buyers, procurement reviewers, and counsel actually ask before signing.

Email validation methodology

Every email we deliver passes a Mail Exchange (MX) check at the moment of pull. We verify the receiving domain accepts mail before the row hits your CSV, which filters out dead domains and typo addresses. The check is performed against live DNS records, not a cached reputation database.

If you need stricter validation (per-mailbox SMTP verification), pair our output with a verifier like NeverBounce or ZeroBounce at delivery time.

Phone numbers — TCPA

Phone numbers in the dataset are general business contact numbers. They are not consented for SMS, auto-dial, or pre-recorded messages. The US Telephone Consumer Protection Act (TCPA) requires prior express consent for those uses; penalties run $500–$1,500 per violation.

Manual one-to-one calls during normal business hours are typically permitted, but local rules vary — confirm with your counsel for your specific use case.

Cold email — CAN-SPAM

These are B2B business contacts. US CAN-SPAM permits unsolicited commercial email if your message: (1) accurately identifies the sender, (2) uses a non-deceptive subject line, (3) includes a working opt-out mechanism, and (4) lists a valid physical postal address.

Honor opt-outs within 10 business days. Use a dedicated sending domain, warm it before scaling, and respect bounces in your sequencer — these are best-practice deliverability steps, not legal requirements.

CCPA & California residents

California's Consumer Privacy Act gives residents the right to know what data we hold about them, the right to delete that data, and the right to opt out of sale. We honor verified CCPA requests within 45 days. To exercise these rights for any contact in our index, email admin@geolayer.io with the contact's email or business name.

GDPR & non-US data

GeoLayer's index is US-only. We do not currently market to or process EU-resident contact data through this platform. If you ingest a GeoLayer CSV into a downstream tool that processes EU data, the GDPR posture of that downstream tool is your responsibility — see our Terms.

Removal requests

Any contact may request removal from our index by emailing admin@geolayer.io. We suppress the contact across our entire pipeline (cache, future bundle generations, future API responses) within 7 days, and we send a confirmation when the suppression is in place.

Resale, redistribution, scraping

CSV exports and API responses are for the buyer's own use. Resale, redistribution to third parties, scraping our endpoints, or training third-party AI/ML systems on our data is not permitted. Bundle CSVs include a notice file restating this.

Security

API keys are scoped per account, rotatable by request (self-serve rotation is on the roadmap). All connections to our endpoints are TLS-only. Subscriber data is stored on managed Postgres (Neon) with automated backups. We do not store buyer-side payment information; Stripe handles the entire payment surface.

Anything else

For a Data Processing Addendum, an MSA, a SOC 2 status update, or anything procurement asks for: email admin@geolayer.io with the document and we'll route it within one business day.

This page summarizes our compliance posture in plain English. The binding language lives in the Terms and Privacy Policy.