The iWelcome resend activation and password reset flows always say that an email has been sent, whether or not the email address exists. Why doesn’t iWelcome tell the end user that they entered an unknown username or email address? Google and Facebook do show such a message.

GDPR regulations demand privacy by design. As a consequence, iWelcome has designed the (re)send password reset process and the resend activation email process so that they always pretend that the requested email has been sent. In this way, an unknown person cannot learn whether or not the account/email is registered. iWelcome thinks the Facebook/Google approach may not be compliant with GDPR regulations.

Furthermore, one could argue that "almost everybody is on Facebook or is using Google", whereas the same does not apply to iWelcome's customers; the point is that revealing that an account exists on Facebook or Google would not violate privacy to the same degree.
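
The uniform-response behaviour described above, as an added example (not iWelcome's code): one handler serves both the password reset and the resend activation flow and returns the same reply whether or not mail is actually queued. The account store, addresses, flow names and function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed sample data: address -> whether the account is already activated.
ACCOUNTS = {"alice@example.com": True, "bob@example.com": False}
OUTBOX = []        # stand-in for the outgoing mail queue: (flow, address, token)
TOKEN_HASHES = {}  # (flow, address) -> SHA-256 of the token; the raw token is never stored

GENERIC_REPLY = {"status": 200, "message": "An email has been sent."}


def should_send(flow: str, email: str) -> bool:
    """Decide server-side whether mail really goes out for this request."""
    if flow == "password_reset":
        return email in ACCOUNTS
    if flow == "resend_activation":
        return ACCOUNTS.get(email) is False  # registered but not yet activated
    raise ValueError(f"unknown flow: {flow}")


def request_email(flow: str, address: str) -> dict:
    """Handle a reset/activation request; the reply never depends on the lookup."""
    email = address.strip().lower()
    # The token is generated on every path so both branches do similar work.
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    if should_send(flow, email):
        TOKEN_HASHES[(flow, email)] = digest
        OUTBOX.append((flow, email, token))
    return dict(GENERIC_REPLY)  # same status and body for every address
```

Mail delivery belongs on a background queue, as `OUTBOX` stands in for here, so that response time does not reveal which branch was taken.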