Privacy Policy

Account information: When you create an account, we collect your name, email address, and organization details through our authentication provider (Kinde).

DMARC report data: We collect and process DMARC aggregate reports from IMAP inboxes you configure. These reports contain email authentication metadata — specifically IP addresses, sending domains, SPF/DKIM results, and message volume counts. DMARC aggregate reports do not contain personal email content, subject lines, or message bodies.

Usage data: We collect standard usage information such as pages visited, features used, and browser/device information to improve our service.

Payment information: If you subscribe to a paid plan, payment processing is handled by our payment provider. We do not store credit card numbers or bank account details on our servers.

We use your information to:

• Provide, operate, and maintain the dmarco platform
• Process and analyze DMARC aggregate reports for your domains
• Identify and attribute email senders through IP enrichment and DNS lookups
• Send you service-related notifications and alerts you have configured
• Respond to your requests and provide customer support
• Improve and develop new features for the platform

Your data is stored in secure, managed databases. We implement appropriate technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction.

DMARC report data is retained according to your plan's retention period (7 days for Starter, 180 days for Growth, 365 days for Enterprise). Data beyond the retention period is automatically deleted.

IMAP credentials for your DMARC inboxes are stored encrypted at rest.

We do not sell, rent, or share your personal information or DMARC data with third parties for marketing purposes.

We use the following third-party services to operate the platform:

• Kinde — Authentication, user management, and subscription billing. Kinde uses Stripe as its payment processor.
• Stripe — Payment processing for subscription plans (accessed via Kinde, or directly for annual billing arrangements).
• Sentry — Error tracking and application monitoring. Sentry collects technical error data (stack traces, browser information, request metadata) to help us identify and fix issues. It does not collect DMARC report content.
• MaxMind — IP geolocation and ASN data for sender enrichment. IP addresses from DMARC reports are looked up locally against a MaxMind database. No data is sent to MaxMind.
• Infrastructure providers — Cloud hosting, database, and DNS services.

These providers only access your data as necessary to perform their services and are bound by their own privacy policies.

We use cookies that are strictly necessary for the platform to function. We do not use third-party tracking cookies, advertising cookies, or analytics cookies.

Cookies we use:

• Session cookies — Used to maintain your authenticated session. These are httpOnly, secure, and expire when your session ends or after the configured session duration.
• Authentication cookies — Set by our authentication provider (Kinde) during the login flow to manage your identity and organization context. These are httpOnly and expire after 29 days.

Because we only use essential cookies required for the service to function, we are not required to obtain cookie consent under GDPR/ePrivacy regulations. We display a brief informational notice about our cookie use for transparency.

You have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate information
• Request deletion of your account and associated data
• Export your DMARC report data
• Object to processing of your information

To exercise any of these rights, contact us at the email address below.