Privacy Policy

We believe privacy should be easy to understand. This policy explains exactly what we collect, why, and what you can do about it.

Effective: January 20, 2026

Last Updated: March 9, 2026

1. Overview

💡 Plain English summary: MonitorDMARC is an email security monitoring service. We collect your account information to provide the service, your payment details go directly to Stripe (we never see your card number), and your DMARC report data is used only to show you insights about your own domains. We do not sell your data. Ever.

This Privacy Policy describes how MonitorDMARC ("we," "us," or "our") collects, uses, stores, and shares information when you use our DMARC monitoring service available at monitordmarc.com and app.monitordmarc.com (collectively, the "Service").

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

2. Who We Are

MonitorDMARC is operated by Mike W Consulting LLC ("we," "us," or "our"), based in the United States. MonitorDMARC is a Software-as-a-Service (SaaS) product that receives DMARC aggregate (RUA) and forensic (RUF) reports on behalf of our customers, parses and stores them, and presents the data through a web dashboard.

For purposes of applicable data protection laws, we are the data controller for account information and the data processor for DMARC report data you direct us to receive on your behalf.

Contact information:
Email: privacy@monitordmarc.com
Website: monitordmarc.com

3. Data We Collect

We collect the following categories of information:

  • Account information — Name, email address, company name (optional), and password (stored only as a hash, never in plain text). Collected when you sign up.
  • Billing information — Subscription plan and billing cycle. Card details are handled by Stripe; we never see or store them. Stripe processes the payment; we store subscription metadata only.
  • Domain information — Domain names you add to your account and the DNS record values for those domains. You add the domains; we retrieve the DNS records via automated lookups.
  • DMARC report data — The content of RUA (aggregate) and RUF (forensic) reports that mail providers send to our receiving addresses. Received automatically, on your behalf, via our Microsoft 365 shared mailboxes.
  • Usage data — Pages visited, features used, and timestamps of actions within the dashboard. Collected automatically when you use the Service.
  • Technical data — IP address, browser type, operating system, and referring URL. Collected automatically via server logs.
  • Communications — The content of emails you send us (support requests, etc.). Provided when you contact us.

⚠️ A note on RUF forensic reports: Forensic reports may contain excerpts of email message headers, subject lines, and sender/recipient addresses from failed authentication events on your domain. This data belongs to you and your domain's email senders. We store it securely and use it only to display it to you in your dashboard.

4. How We Use Your Data

We use the information we collect for the following purposes:

  • To provide the Service — processing and displaying your DMARC reports, monitoring DNS records for your domains, sending email alerts when changes or failures are detected
  • To manage your account — authentication, plan management, billing, and subscription renewals via Stripe
  • To send transactional emails — welcome emails, trial expiry reminders, alert notifications, and billing receipts (sent via ZeptoMail)
  • To provide customer support — responding to questions, troubleshooting issues, and improving the Service based on your feedback
  • To ensure security and integrity — detecting fraud, preventing abuse, and protecting the security of our systems and your data
  • To improve the Service — analysing aggregate, anonymous usage patterns to understand how features are used and where improvements can be made
  • To comply with legal obligations — responding to lawful requests from courts or regulatory authorities where required

We do not sell your data. We do not share your personal information or your DMARC report data with third parties for marketing, advertising, or any commercial purpose other than operating the Service for you.

5. DMARC Report Data - Special Considerations

DMARC report data is the core of what MonitorDMARC processes. Here is how we handle it specifically:

  • Ownership — Your DMARC report data belongs to you. We process it as a service provider on your behalf, not for our own purposes.
  • How it arrives — When you update your DMARC DNS record to include our receiving addresses (rua@app.monitordmarc.com and ruf@app.monitordmarc.com), mail providers send reports to those addresses. We receive these via Microsoft 365 shared mailboxes and retrieve them using the Microsoft Graph API.
  • Parsing and storage — Reports are parsed from XML format and stored in our database, associated with your account and your domain. We store them for the retention period of your plan (1, 2, or 3 years depending on plan, or custom for Enterprise).
  • Isolation — Your data is logically isolated from other customers' data in our database. Enterprise Dedicated customers receive a physically separate database instance.
  • No cross-customer analysis — We do not analyse or compare your DMARC data with other customers' data. Reports are displayed only to the account that owns the domain.
  • Deletion — When your account is cancelled, your DMARC report data is retained for 30 days (to allow reactivation), then permanently deleted.
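As an added example of the "How it arrives" and "Parsing and storage" steps above (this is illustrative code, not MonitorDMARC's own implementation), the following Python shows the DNS record a customer publishes to route reports to the receiving addresses named in this policy, and how a received aggregate report is unpacked from its gzip or zip attachment and parsed into per-source rows. The sample report, the customer domain, the policy value and the size cap are all constructed assumptions.

```python
import gzip
import io
import xml.etree.ElementTree as ET
import zipfile

# DNS record the customer publishes to route reports here (addresses from this
# policy; the customer domain and p= value are assumed):
#   _dmarc.customer.example. IN TXT "v=DMARC1; p=quarantine;
#     rua=mailto:rua@app.monitordmarc.com; ruf=mailto:ruf@app.monitordmarc.com"
# Because those addresses are on another domain, RFC 7489 section 7.1 has the
# receiving domain publish customer.example._report._dmarc.app.monitordmarc.com
# TXT "v=DMARC1" to authorise the external destination (not described on this page).
MAX_REPORT_BYTES = 10 * 1024 * 1024  # assumed cap: reports are untrusted input

# Constructed sample report in the RFC 7489 Appendix C schema.
SAMPLE_REPORT_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<feedback>
 <report_metadata>
  <org_name>example-mailbox-provider</org_name><email>noreply-dmarc@example.net</email>
  <report_id>1735775999.42</report_id><date_range><begin>1735689600</begin><end>1735775999</end></date_range>
 </report_metadata>
 <policy_published><domain>customer.example</domain><adkim>r</adkim><aspf>r</aspf>
  <p>quarantine</p><sp>quarantine</sp><pct>100</pct></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>42</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>customer.example</header_from></identifiers>
  <auth_results><dkim><domain>customer.example</domain><result>pass</result></dkim>
   <spf><domain>customer.example</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>5</count>
   <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>customer.example</header_from></identifiers>
  <auth_results><spf><domain>spoofer.example</domain><result>pass</result></spf></auth_results>
 </record>
</feedback>
"""
SAMPLE_REPORT_GZ = gzip.compress(SAMPLE_REPORT_XML)  # the same report as a gzip attachment

def zip_attachment(xml_bytes: bytes) -> bytes:
    """Wrap XML in a zip, as some providers attach it (used to exercise that path)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.xml", xml_bytes)
    return buf.getvalue()

def unpack_attachment(data: bytes) -> bytes:
    """Return raw XML from a gzip, zip or plain attachment, enforcing a size cap."""
    if data[:2] == b"\x1f\x8b":
        xml_bytes = gzip.decompress(data)
    elif data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [m for m in zf.infolist() if m.filename.lower().endswith(".xml")]
            if len(members) != 1 or members[0].file_size > MAX_REPORT_BYTES:
                raise ValueError("zip attachment must hold exactly one .xml under the cap")
            xml_bytes = zf.read(members[0])
    else:
        xml_bytes = data
    if len(xml_bytes) > MAX_REPORT_BYTES:
        raise ValueError("report too large")
    return xml_bytes

def parse_aggregate_report(data: bytes) -> dict:
    """Parse one RUA report into report metadata plus per-source rows."""
    # Untrusted input: ElementTree does not resolve external entities, but production code should use defusedxml.
    root = ET.fromstring(unpack_attachment(data))
    if root.tag != "feedback":
        raise ValueError("not a DMARC aggregate report")
    meta, pub = root.find("report_metadata"), root.find("policy_published")
    report = {
        "org_name": meta.findtext("org_name"),
        "report_id": meta.findtext("report_id"),
        "begin": int(meta.findtext("date_range/begin")),
        "end": int(meta.findtext("date_range/end")),
        "domain": pub.findtext("domain"),
        "records": [],
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        # policy_evaluated holds the aligned DKIM/SPF results; DMARC passes when either aligned mechanism passes.
        dkim_ok = evaluated.findtext("dkim") == "pass"
        spf_ok = evaluated.findtext("spf") == "pass"
        report["records"].append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            "header_from": rec.findtext("identifiers/header_from"),
            "dmarc_pass": dkim_ok or spf_ok,
        })
    return report

def summarize(report: dict) -> dict:
    """Totals a dashboard would show: messages passing/failing and failing source IPs."""
    passed = sum(r["count"] for r in report["records"] if r["dmarc_pass"])
    failed = sum(r["count"] for r in report["records"] if not r["dmarc_pass"])
    sources = sorted({r["source_ip"] for r in report["records"] if not r["dmarc_pass"]})
    return {"domain": report["domain"], "passed": passed, "failed": failed,
            "failing_sources": sources}
```

Running `summarize(parse_aggregate_report(SAMPLE_REPORT_GZ))` yields 42 messages passing and 5 failing, with 198.51.100.7 as the only failing source. The second record is the case a dashboard exists to surface: raw SPF passed for a different domain (spoofer.example), but neither mechanism was aligned with the From: domain, so DMARC failed and the published quarantine policy was applied.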

6. Third-Party Services We Use

We use a small number of carefully selected third-party services to operate MonitorDMARC. Each receives only the data necessary to perform their specific function:

Stripe

Payment processing & subscription management

Stripe handles all card transactions. We never see or store full card numbers.

Stripe Privacy Policy ↗

Microsoft 365 / Azure

Email receiving via Graph API

Our DMARC report receiving addresses are hosted as Microsoft 365 shared mailboxes. Microsoft handles email delivery; we retrieve messages via the Microsoft Graph API using OAuth authentication.

Microsoft Privacy Statement ↗

ZeptoMail (Zoho)

Transactional email sending

We use ZeptoMail to send account-related emails (alerts, trial reminders, billing receipts). Your email address is shared with ZeptoMail for this purpose only.

Zoho Privacy Policy ↗

Amazon Web Services (AWS)

Server hosting & database backups

Our application runs on AWS EC2 instances (US region). Daily encrypted database backups are stored in AWS S3. AWS provides infrastructure only and does not access your data.

AWS Privacy Notice ↗

GitHub

Source code repository

Our application code is stored in a private GitHub repository. No customer data is stored in or transmitted to GitHub.

GitHub Privacy Statement ↗

Uptime Kuma

Uptime monitoring

We use Uptime Kuma internally to monitor service availability. The monitor only knows our domain name; no customer data is shared with it.

We do not use any advertising networks, social media trackers, or analytics services that share your data with third parties for advertising purposes.

7. Cookies and Tracking

MonitorDMARC uses a minimal number of cookies, all of which are necessary to operate the Service.

  • Session cookie — Keeps you logged in while using the dashboard; expires when you close your browser or after a period of inactivity. Opt out: no, it is required for the Service to function.
  • CSRF token cookie — Protects against cross-site request forgery attacks. Opt out: no, it is required for security.

🍪 We do not use advertising cookies, third-party tracking cookies, Google Analytics, Facebook Pixel, or any similar tracking technology. Our cookies exist solely to operate the Service.

8. Data Retention

We retain your data for as long as your account is active and for a limited period after cancellation as follows:

  • Account information — for the life of your account, plus 30 days after cancellation
  • DMARC report data (Starter plan) — 1 year of rolling history
  • DMARC report data (Professional plan) — 2 years of rolling history
  • DMARC report data (Business plan) — 3 years of rolling history
  • DMARC report data (Enterprise) — custom, agreed at time of contract
  • Billing records — 7 years (legal and tax compliance requirement)
  • Server/access logs — 90 days, then automatically deleted
  • Database backups — retained in encrypted form for 1 year in AWS S3, then automatically deleted
  • Support communications — 3 years from the date of the communication

After account cancellation, all DMARC report data and account information is permanently deleted from our live systems within 30 days; copies may remain in encrypted database backups until those backups expire on the schedule above. Billing records are retained for 7 years as required by law.

9. Data Security

We take reasonable and appropriate measures to protect your information from unauthorised access, disclosure, alteration, or destruction:

  • Encryption in transit — All data is transmitted over HTTPS/TLS. Our TLS certificates are issued and renewed via Let's Encrypt.
  • Encryption at rest — Database backups stored in AWS S3 are encrypted.
  • Authentication — Passwords are stored as salted hashes (never in plain text). Microsoft Graph API access uses OAuth 2.0 — no passwords are stored for email retrieval.
  • Access control — SSH key-only access to our servers; password authentication is disabled. Firewall rules restrict access to necessary ports only.
  • Automated security updates — Our server is configured to automatically apply security patches.
  • Intrusion prevention — fail2ban is deployed to block source addresses after repeated failed login attempts.
  • Minimal data collection — We collect only what is necessary to provide the Service.

⚠️ No system connected to the internet can be guaranteed 100% secure. While we work hard to protect your data, we cannot guarantee absolute security. If you believe your account has been compromised, please contact us immediately at privacy@monitordmarc.com.

10. Your Rights

Depending on your location, you may have certain rights regarding your personal data. We honour these requests regardless of where you are located:

  • 👁️ Right to Access — Request a copy of the personal data we hold about you.
  • ✏️ Right to Rectification — Request correction of inaccurate or incomplete personal data.
  • 🗑️ Right to Erasure — Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
  • 📦 Data Portability — Request your DMARC report data in a portable format (JSON or CSV).
  • 🚫 Right to Object — Object to processing of your personal data in certain circumstances.
  • ⏸️ Right to Restriction — Request that we restrict processing of your data while a dispute is resolved.
  • 📧 Opt Out of Marketing — Unsubscribe from any non-essential emails at any time via the unsubscribe link or by contacting us.
  • Close Your Account — Cancel your account at any time from your dashboard settings. Data is deleted within 30 days.

To exercise any of these rights, email us at privacy@monitordmarc.com. We will respond within 30 days. We may need to verify your identity before fulfilling a request.

California residents (CCPA): We do not sell personal information. You have the right to know what data we collect and request deletion. Contact us at the email above.

EEA/UK residents (GDPR/UK GDPR): You have the right to lodge a complaint with your local supervisory authority if you believe we have not handled your data lawfully.

11. Children's Privacy

MonitorDMARC is a business-to-business service designed for use by adults operating businesses and organisations. We do not knowingly collect personal information from anyone under the age of 18.

If we become aware that we have inadvertently collected data from a child under 18, we will delete it promptly. If you believe we may have such data, please contact us at privacy@monitordmarc.com.

12. International Data Transfers

MonitorDMARC is operated from the United States. Our servers are hosted on AWS in the US region. If you are accessing the Service from outside the United States — including from the European Economic Area (EEA), United Kingdom, or other countries — please be aware that your information will be transferred to and processed in the United States.

The United States may not have the same data protection laws as your country. By using the Service, you consent to the transfer of your information to the United States as described in this policy.

For customers in the EEA or UK, we rely on your consent (provided when you sign up) and legitimate interests as the lawful bases for processing your personal data. Where required, we will enter into Standard Contractual Clauses (SCCs) with customers who require them for GDPR compliance — please contact us to discuss.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to our practices or for legal, operational, or regulatory reasons. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page
  • Send a notification email to all active account holders at least 14 days before the changes take effect
  • Require renewed consent where changes materially affect how we use your data

Your continued use of the Service after the effective date of a revised policy constitutes your acceptance of the updated terms. We encourage you to review this policy periodically.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

📬 MonitorDMARC Privacy Contact
Email: privacy@monitordmarc.com
General: support@monitordmarc.com
Website: monitordmarc.com/contact

We aim to respond to all privacy-related enquiries within 5 business days and to all data subject requests within 30 days.