Privacy policy.
Last updated: 8 June 2026
1. Who we are
dmarcula is operated by Dmarcula ApS ("dmarcula", "we", "us"), a company registered in Denmark. We provide DMARC monitoring, reporting, and alerting for email-sending domains. This policy explains what personal data we process, why, and the rights you have under the EU General Data Protection Regulation (GDPR) and Danish data protection law.
For your account information we act as a data controller. For the DMARC report data we ingest on behalf of an organization whose domains you monitor, we act as a data processor — the organization is the controller, and our processing is governed by our agreement with them (a Data Processing Agreement is available on request).
2. Data we process
- Account data — your name, email address, a securely hashed password, organization name, and your role within it.
- DMARC report data — aggregate (RUA) and failure (RUF) reports sent to us by mailbox providers about your domains. These contain sending source IP addresses, authentication results (SPF, DKIM, DMARC), message counts, and the envelope/header domains involved. IP addresses can constitute personal data under GDPR, so we treat report data accordingly.
- Microsoft 365 connection data — if you connect a Microsoft 365 tenant, we store the OAuth tokens needed to read your verified domain list and to ingest reports from your designated mailbox. On-demand Exchange message traces, where used, are fetched live and never stored.
- Technical and usage data — request logs, IP addresses, and error diagnostics generated when you use the service.
- Communications — emails you send us, and any email address you submit to our waitlist or notification forms.
3. How we use your data
- To provide the service — ingesting, parsing, and presenting your DMARC reports.
- To send the alerts and notifications you configure.
- To secure the platform, prevent abuse, and diagnose errors.
- To respond to support requests and contact you about your account.
- To comply with our legal obligations.
4. Legal bases (GDPR Art. 6)
- Performance of a contract — to deliver the service you sign up for.
- Legitimate interests — to keep the platform secure and reliable.
- Consent — for optional features such as community threat-intelligence sharing and any privacy-friendly analytics. You may withdraw consent at any time.
- Legal obligation — where the law requires us to retain or disclose data.
5. Community threat intelligence
We may contribute anonymized, aggregated signals — such as sending-source reputation and email-service-provider fingerprints — back to the wider DMARC community to help everyone identify abuse faster. This is opt-in. We never share your tenant identity, your domain-level data, or any message content, and the shared signals cannot be traced back to you.
6. Sub-processors
We rely on a small set of trusted providers to run the service. Where data is processed outside the EU/EEA, that transfer is covered by appropriate safeguards (such as Standard Contractual Clauses or the EU–US Data Privacy Framework).
| Provider | Purpose | Location |
|---|---|---|
| Heroku (Salesforce) | Application hosting & database | EU (Ireland) |
| Cloudflare | DNS, CDN, DDoS protection | Global edge |
| Postmark | Transactional email delivery | United States |
| Microsoft 365 | Report ingestion from your tenant (where connected) | Your tenant region |
| Papertrail (SolarWinds) | Application log management | United States |
| Sentry | Error monitoring | United States |
| Plausible Analytics | Cookieless website analytics | EU (Germany) |
7. How long we keep data
DMARC report data is retained for the retention window of your plan, after which it is deleted. Account data is kept while your account is active and for a limited period afterwards to meet legal and accounting requirements, then deleted or anonymized. You can request deletion at any time (see Section 9).
8. Where your data is processed
Our application and database are hosted in the European Union (Heroku's Ireland region). Some sub-processors listed above operate from outside the EU/EEA under the safeguards described in Section 6.
9. Your rights
Under GDPR you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- have your data deleted ("right to be forgotten");
- restrict or object to certain processing;
- receive your data in a portable format;
- withdraw consent where processing relies on it.
To exercise any of these, email privacy@dmarcula.com. You also have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet).
10. Cookies
We use only strictly necessary cookies — a session cookie to keep you logged in and a security token to protect forms. These do not track you and do not require a consent banner. We do not use advertising or third-party tracking cookies. For usage analytics we use Plausible Analytics, an EU-hosted, cookieless service that sets no cookies and collects no personal data — so no consent banner is required.
11. Children
dmarcula is a business tool not intended for children, and we do not knowingly collect data from anyone under 16.
12. Changes to this policy
We may update this policy as the service evolves. We will revise the "last updated" date above and, for material changes, notify you by email or in-app.
13. Contact
Questions about this policy or your data? Email privacy@dmarcula.com.