TL;DR
- We collect what's needed to run the service. Nothing more.
- We never sell your data. We never train AI/ML on your reports.
- We never use the content of your DMARC reports for any purpose other than rendering your dashboard.
- You can export everything, then delete your account, at any time.
- Servers are operated by Cloudflare across their global edge. EU-pinning available on Business plans.
Who is the data controller
DMARCify GmbH, Bergmannstraße 102, 10961 Berlin, Germany. Contact: privacy@dmarcify.dev.
When you sign up, you also act as a controller (or processor) for the personal data inside your own DMARC reports. We act as your processor for that data. See our Data Processing Addendum.
What we collect
Account data: your email, optional display name, OAuth identifiers (if you sign in via GitHub or Google), session tokens, audit timestamps.
Organisation data: org name, member roles, invitations, monitored domain list, the live DMARC TXT record we observe on your domain (for drift detection).
DMARC report data: the contents of aggregate XML reports sent to your per-domain mailbox by mail receivers (Google, Microsoft, Yahoo etc.). This includes source IPs, row counts, SPF/DKIM verdicts, alignment outcomes, and (when receivers include them) the header-From domain.
IP enrichment cache: reverse-DNS hostname, ASN, ASN organisation, and country code per source IP. Cached globally so we don't hit upstream resolvers for IPs we've already seen.
Technical telemetry: standard server logs (request path, status, latency, country) retained for 30 days for incident response. We do not log full request bodies and we do not run behavioural analytics on the dashboard.
Why we collect it
We process the above to:
- Provide and operate the DMARCify service (contractual basis, GDPR Art. 6(1)(b)).
- Send transactional and account-management email (Art. 6(1)(b)).
- Send opt-in marketing email — only if you've opted in. You can opt out from every email (Art. 6(1)(a)).
- Investigate abuse, fraud, and service outages (legitimate interest, Art. 6(1)(f)).
- Comply with our legal obligations, including tax and accounting law (Art. 6(1)(c)).
Retention
DMARC reports follow your plan's retention window: 30 days (Free), 12 months (Pro), or 24 months (Business). Older reports are deleted automatically.
Account and organisation data is kept while your account is active. Once you delete your account, all data is removed within 30 days, subject to legal retention (e.g. invoices for tax purposes are kept for 10 years per German HGB §257).
The IP enrichment cache is per-IP, not per-customer, and refreshed periodically. Cache entries are not linked to your account.
Your rights (GDPR)
If you're in the EU, EEA, UK, or Switzerland, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Erase your data ("right to be forgotten").
- Restrict or object to certain processing.
- Receive your data in a portable format on request.
- Withdraw consent at any time, without affecting prior processing.
- Lodge a complaint with your local supervisory authority. Ours is the Berlin BlnBDI.
Most of these can be exercised directly from the dashboard. For anything else, email privacy@dmarcify.dev and we'll respond within 30 days.
International transfers
DMARCify uses Cloudflare's global edge network. Data may be processed outside the EU/EEA. Where it is, we rely on the EU Commission's Standard Contractual Clauses and Cloudflare's adequacy commitments. Business customers can request EU-only data residency.
Changes to this policy
We'll announce material changes by email at least 30 days before they take effect. The "effective date" at the top of this page always reflects the current version.
Contact
Data Protection Officer: dpo@dmarcify.dev
General privacy questions: privacy@dmarcify.dev