GDPR
Dear Troy,
From the GDPR standpoint, you are in total breach and anyone that is using your service on a large scale is in breach.
The reason is the use of GET instead of POST. You should NOT ask your users to submit emails by using GET but ONLY by using POST.
Because you are using GET, ALL email addresses remain in the Cloudflare logs and who knows what other server logs.
Please switch it to POST!
Thank you for this cool service!
Too bad that the 1.5-second rate limit does not help us deliver a service for companies based on your API :/
Marian
PD360
From a data protection perspective (regardless of which local regulation you choose), the issue is not GET versus POST (or any other verb); the issue is where the data passes through and whether it's retained. Cloudflare logs are highly transient, as are the Azure Storage logs when the underlying data structure is queried. GET is the semantically correct verb for retrieving an entity and there are a whole bunch of reasons why it makes more sense, including being able to share a link like this: https://haveibeenpwned.com/account/test@example.com
As for the rate limit, vote on this idea, it's coming 🙂 https://haveibeenpwned.uservoice.com/forums/275398-general/suggestions/39837802-create-different-pricing-for-different-rate-limits
-
Marian commented
The sharing mechanism you have mentioned does not have any connection with what I was saying about the API.
GET and POST are for web pages. They are features that are historically much older than the REST concept. Linking the REST concept to GET and POST is, I believe, wrong.
Regarding GDPR, any of your users that are using the service on a large scale, when they query your service, are not able to control who the receiver of the data is and who is or is not storing the data: Cloudflare, Azure or you. This is exclusively because you are using GET instead of POST for an API.
The next step might be that you will get pwned because of all the emails that are being queried on your service. Because for sure, those emails are valid.
But there is more to this: with the sharing mechanism you have described, because Google Analytics is installed on the page https://haveibeenpwned.com/account/test@example.com, you have the email inside Google Analytics, something that the user clearly did not agree to when he was typing his email on your website and something that you should actively disclose in your terms: "if you type your email address, for sure it will get stored in Google Analytics". :)
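The mechanics both sides of this thread are arguing about can be shown concretely. The following is an added example (not code from the thread participants or from Have I Been Pwned) that renders a request the way a proxy or CDN edge writes it to a Common Log Format access log, shows which parameters a Universal Analytics pageview hit carries, and then applies one mitigation a practitioner would want: replacing the address with a keyed hash before the line is written. The sample requests, the client IP, the timestamp, the tracking ID and the log pepper are all constructed for the example; only the example URL mirrors the one quoted above.

```python
"""Where an e-mail address lands when sent as a GET path versus a POST body,
and one way to keep it out of access logs: tokenise it with a keyed hash."""
import hashlib
import hmac
import re
from datetime import datetime, timezone

# Constructed sample requests (not real traffic). The GET target mirrors the
# URL quoted in the thread; the POST variant carries the address in the body.
SAMPLE_GET = ("GET", "/account/test@example.com", None)
SAMPLE_POST = ("POST", "/account", "email=test%40example.com")

# Heuristic e-mail matcher for log scrubbing, not an RFC 5322 validator.
# Accepts '@' literally or URL-encoded as '%40' so encoded paths are caught too.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+(?:@|%40)[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Secret for the keyed hash. Assumed to come from a secret store in practice;
# without a secret, a plain hash of an address is trivially reversed by
# hashing candidate addresses.
LOG_PEPPER = b"example-log-pepper-rotate-me"


def access_log_line(method, target, body=None, client="203.0.113.7",
                    status=200, size=512):
    """Render a request as a Common Log Format line, the way a reverse proxy
    or CDN edge would. The request line (method + target) is logged verbatim;
    the body is never part of this format, which is the whole difference
    between the two verbs as far as access logs go."""
    del body  # deliberately unused: CLF does not include request bodies
    stamp = datetime(2019, 1, 1, tzinfo=timezone.utc).strftime(
        "%d/%b/%Y:%H:%M:%S %z")
    return f'{client} - - [{stamp}] "{method} {target} HTTP/1.1" {status} {size}'


def ga_pageview_hit(page_location):
    """Core parameters of a Universal Analytics pageview hit (Measurement
    Protocol): 'dl' is the full document location, so anything in the page's
    path travels to the analytics backend with it. Tracking ID is a placeholder."""
    return {"v": "1", "tid": "UA-000000-0", "t": "pageview", "dl": page_location}


def email_token(address):
    """Stable, non-reversible token for an address: HMAC-SHA256 under a secret
    pepper, truncated to 16 hex chars. Normalises '%40' and case so the same
    account yields the same token regardless of encoding."""
    normalised = address.replace("%40", "@").lower().encode()
    return hmac.new(LOG_PEPPER, normalised, hashlib.sha256).hexdigest()[:16]


def redact_target(target):
    """Replace every e-mail address in a request target with its token before
    the line reaches the log, keeping per-account correlation for debugging."""
    return EMAIL_RE.sub(lambda m: "[email:" + email_token(m.group(0)) + "]", target)


def contains_email(text):
    """True if the text still carries something that looks like an address."""
    return EMAIL_RE.search(text) is not None


if __name__ == "__main__":
    for method, target, body in (SAMPLE_GET, SAMPLE_POST):
        line = access_log_line(method, target, body)
        print(line, "<- leaks address" if contains_email(line) else "<- clean")
    print(ga_pageview_hit("https://haveibeenpwned.com/account/test@example.com"))
    print(access_log_line("GET", redact_target(SAMPLE_GET[1])))
```

Running it shows the GET line and the analytics hit both carry `test@example.com`, while the POST line does not, because the body is simply not part of that format. The caveat that keeps the two positions in the thread from being contradictory: switching verbs only changes what an access-log format captures by default; an origin that logs request bodies, or retains the address in its own store, holds it either way, so the redaction step (or an equivalent one at the origin) is what actually limits retention.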