Privacy Policy

Effective date: October 24, 2025

Who we are

Dmarc Defender LLC ("Dmarc Defender," "we," "us," or "our") provides a B2B email security and DMARC reporting service (the "Service"). We are a Michigan limited liability company.

Contact: support@dmarcdefender.io

This Policy describes how we collect, use, disclose, and protect personal information when organizations ("Customers") use the Service. We primarily process data in our role as a service provider/processor on behalf of our Customers.

Information we collect

1) Account & Billing Information

  • Admin/user identifiers (name, work email, company)
  • Authentication data (hashed passwords or SSO identifiers)
  • Billing details (handled by Stripe; we do not store full card numbers)

2) Customer Content (DMARC Data)

  • DMARC Aggregate (RUA) reports and, if you enable it, forensic (RUF) reports that mail receivers send per your DNS policy
  • Associated metadata present in those reports (e.g., sending IPs, domains, pass/fail dispositions, alignment results)

Ownership: Customer owns Customer Content; we process it to provide the Service.

3) Usage & Device Data (limited)

Basic logs and diagnostic data (e.g., request timestamps, IP address, user agent) for security, troubleshooting, and reliability.

4) Support & Communications

Messages and attachments you send to support@dmarcdefender.io or through in-product forms.

5) Cookies & Analytics

  • We use essential cookies necessary for login/session
  • We use Vercel Analytics for simple, privacy-respecting analytics that does not store user-level personal data

How we use information (purposes)

We use information to:

  • provide, operate, and maintain the Service;
  • process and present DMARC reports and insights;
  • secure the Service, prevent fraud/abuse, and troubleshoot;
  • provide Customer support and communicate service updates;
  • bill for paid plans and manage accounts;
  • comply with legal obligations and enforce terms;
  • improve the Service (e.g., performance, features) using aggregated/de-identified data.

We do not use Customer Content (e.g., your DMARC reports) to train machine-learning models unless you explicitly opt in.

Legal bases (EEA/UK users)

Where the GDPR/UK GDPR applies, we rely on:

  • Contract (Art. 6(1)(b)) to provide the Service;
  • Legitimate interests (Art. 6(1)(f)) for security, diagnostics, and product improvement using aggregated/de-identified data;
  • Consent (Art. 6(1)(a)) where required (e.g., non-essential cookies—currently not used).

When we act as a processor for Customer Content, Customers determine the legal basis, and our processing is under their instructions.

How we share information

We share personal information only as needed to operate the Service:

Service Providers / Sub-processors

  • Vercel – hosting and edge delivery; also privacy-respecting analytics
  • Stripe – payments processing
  • Sentry – client-side error tracking and monitoring

(We will update this list as vendors change.)

  • Legal/Safety – If required by law, or to protect rights, safety, or the Service.
  • Business Transfers – In connection with a merger, acquisition, or asset sale, subject to continued protection of the data.

We do not sell personal information and we do not share it for cross-context behavioral advertising.

International transfers

We process data primarily in the United States. When transferring personal data from the EEA/UK to the U.S. or other countries, we rely on appropriate safeguards (e.g., EU Standard Contractual Clauses and the UK Addendum) and implement technical and organizational measures to protect the data.

Retention

  • Account & billing data: retained for the life of the account and up to 90 days after closure, unless a longer period is required for legal/accounting reasons.
  • Logs/diagnostics: typically 30–90 days.
  • DMARC reports (Customer Content): retained for 3 months or until Customer requests deletion (see "Your choices & rights"), subject to any legal obligations.
  • Support communications: retained for 3 months after resolution.

We may retain aggregated/de-identified data that does not identify an individual or Customer.

Security

We implement reasonable technical and organizational measures to protect personal information, including encryption in transit/at rest where applicable, access controls, and least-privilege practices. No method of transmission or storage is 100% secure.

In the event of a data breach that affects your personal information, we will notify you via email at the address associated with your account within the timeframes required by applicable law.

Automated decision-making

We do not use automated decision-making or profiling that produces legal or similarly significant effects.

Your choices & rights

  • Access, correction, deletion: Customers can request access to, correction of, or deletion of personal information and Customer Content.
  • Data deletion: You can request deletion of your data at support@dmarcdefender.io.
  • EEA/UK: You may have rights to object/restrict processing and to data portability. You also have the right to lodge a complaint with your local supervisory authority.
  • US (e.g., CA/VA/CO/CT/UT): You may have rights to know/access, correct, and delete personal information, and to opt out of "sales" or "sharing" (we do neither). You may appeal a denial of your request by replying to our decision email.

We will verify your identity before fulfilling requests and respond within applicable timeframes.

Cookies & tracking

We use only essential cookies required for authentication and core functionality. Our analytics implementation via Vercel does not store user-level personal data and does not require non-essential cookies. We currently do not respond to "Do Not Track" signals but will honor applicable Global Privacy Control (GPC) signals if we introduce any setting to which GPC applies.

Children

Our Service is for business use and is not directed to children under 13. We do not knowingly collect children's personal information. If we learn we have, we will delete it.

Third-party services and links

The Service may include features or links that integrate with third-party services (e.g., Stripe for payments). Those services' privacy policies govern their handling of personal information.

Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will notify Customer admins by email or in-app and update the "Effective date" above. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

Contact us

Questions or requests about privacy?
Email: support@dmarcdefender.io
Data Protection Officer: stuart@dmarcdefender.io