Thanks for your reply @Akirin00
This is for everyone...
We are receiving requests (quite possibly from https://www.deseat.me/) from people who are not users in our system. There are though other systems where we keep people's information. For example, Mailchimp - where people's name and email is kept if they signed up to to our newsletter on our website without actually signing up for our service.
For someone like this - who is not a user of our system, has never agreed to the terms of service of our application, but has signed up to receive email, would you still somehow verify them before removing them form mailing lists?
We're treating the "deseat.me" requests as unsubscribe requests too.
None of the ones we've seen yet have come from actual paying customers of the service ... but we still have to check, which takes a little time ... I need to automate that process. Until then I'm reluctant to spend even more time on "verifying" these requests and having back & forth conversations with people who really just want to unsubscribe from marketing campaigns.
I'd like to think that paying customers are smart enough to know that we can't "forget" their commercial transactions with us ... but we'll see