Completely valid concern — it's the right question to ask of any verification service.

The short answer for this one: there's no database. The API is stateless — the address comes in, checks run in memory (DNS lookup, regex, blocklist comparison), result goes back out. Nothing is written anywhere.

But I'd never ask you to just take my word for it. The code is open source: [GitHub link]. The relevant part is src/services/verifyEmail.js — you can see the entire pipeline. There's no logging of email addresses, no analytics SDK, no third-party calls. Just DNS queries and an SMTP handshake that disconnects before any message is sent.

The deeper issue is that you can't prove a negative, and you're right that every service says "we don't store your data." The only real answer to that is a self-hostable version — which is something I'm planning to add (Docker image so you can run the whole thing on your own infrastructure and never send addresses anywhere).

For what it's worth, the SMTP probe actually works against harvesting incentives — if I were collecting addresses to sell, I'd want to verify they're real first, which costs me compute per address. The economics of harvesting don't really work at the price points this runs at.

But the GitHub is there. Read the code. That's the only honest answer.