Privacy Policy
Effective date: April 6, 2026
Last updated: April 6, 2026
This Privacy Policy explains how Cadmos LLC ("DMARCit," "we," "us," or "our") collects, uses, shares, and protects information when you use the DMARCit platform and related services (the "Service"). This Policy applies to visitors to our website and to all registered users of the Service.
Our Data Processing Addendum ("DPA") applies automatically to any customer whose use of the Service involves our processing of personal data on their behalf. Where the DPA applies, it governs that processing and takes precedence over this Policy to the extent of any conflict.
1. Information We Collect
1.1 Account Data
When you create an account, we collect your name, email address, and password (stored in hashed form). We support multiple authentication methods: email and password (primary), SSO/SAML via your organization's identity provider (domain-based), and optional multi-factor authentication (MFA) using time-based one-time passwords (TOTP). If you use SSO, we receive basic profile information from your identity provider.
1.2 Organization Data
You may create or join an organization within the Service. We store your organization name, member list, roles, and related configuration.
1.3 Billing Data
When you subscribe to a paid plan, payment information (such as credit card details) is collected and processed by our payment processor, Stripe. We do not store full credit card numbers. We receive from Stripe a record of your subscription status, plan type, billing history, and a truncated card identifier for display purposes.
1.4 Domain and DNS Data
When you add a domain to the Service, we store the domain name and associated DNS configuration (DMARC, SPF, DKIM records). If you use Hosted SPF, we store and publish SPF records on your behalf.
1.5 DMARC Aggregate Report Data (RUA)
The Service receives DMARC aggregate reports sent by mail receivers (such as Google, Microsoft, Yahoo, and others) to the RUA address you configure. These reports contain summary data about email authentication results, including sending IP addresses, message counts, SPF/DKIM alignment results, and the reporting organization. Aggregate reports do not typically contain message content or recipient addresses.
1.6 DMARC Forensic/Failure Report Data (RUF)
The Service allows you to configure a RUF (forensic/failure report) address in your DMARC DNS records. Important: DMARCit does not currently receive or process RUF reports. While RUF addresses can be configured through the Service's DNS guidance, no RUF data is ingested, stored, or displayed by the Service.
RUF reports may contain email headers and, depending on the generating mail system, portions of message body content, including sender and recipient email addresses, subject lines, timestamps, IP addresses, and other message metadata. Because of the potentially sensitive nature of RUF data, you should carefully consider whether to enable RUF reporting. The content and level of detail of RUF reports are determined by the mail receiver that sends them and are outside our control.
1.7 Usage and Device Data
We collect information about how you interact with the Service, including pages visited, features used, browser type, device type, IP address, and timestamps. We use this data to operate, maintain, and improve the Service. We do not use third-party analytics or advertising trackers.
1.8 IP Geolocation Data
To enrich DMARC report data with sender organization information, we look up sending IP addresses using a third-party IP intelligence service (currently IPinfo). This processing occurs server-side. Results are cached to reduce external lookups.
1.9 Cookies and Local Storage
We use cookies and browser local storage for the following purposes:
- Authentication session cookies (essential): Set by our authentication provider (Supabase) to maintain your logged-in session. These are HTTP-only, server-set cookies.
- Payment session cookies (essential): Set by Stripe when you access the checkout or billing portal.
- UI preference storage (functional): We use browser localStorage to remember your sidebar collapsed/expanded state and your most recently selected organization. This data stays in your browser and is not transmitted to our servers.
We do not use advertising cookies, third-party analytics cookies, or tracking pixels.
2. How We Use Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Process and display DMARC reports and authentication analytics
- Manage your account, organization, and subscription
- Process payments and manage billing through Stripe
- Send transactional communications (invitations, alerts, account notices)
- Provide customer support
- Detect, prevent, and address technical issues, abuse, or security incidents
- Improve the Service and develop new features
- Comply with legal obligations
3. Legal Bases for Processing (UK/EU Users)
If you are located in the United Kingdom or European Economic Area, our legal bases for processing your personal data include:
- Contract performance: Processing necessary to provide the Service under our Terms of Service.
- Legitimate interests: Processing for service improvement, security, and abuse prevention, where our interests are not overridden by your rights.
- Legal obligations: Processing required to comply with applicable laws.
- Consent: Where you have provided explicit consent for a specific processing purpose, which you may withdraw at any time.
4. How We Share Information
We do not sell your personal data. We share information only in the following circumstances:
4.1 Service Providers (Subprocessors)
We use third-party service providers to help us operate the Service. These providers process data on our behalf and are contractually obligated to protect it. See our Subprocessors page for the current list.
4.2 Within Your Organization
Information you submit to the Service is accessible to other members of your organization based on their assigned roles. If you are managed by an MSP, consultant, or reseller, the managing organization may have access to your domain data and reports.
4.3 Legal Requirements
We may disclose information if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
4.4 Business Transfers
In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the successor entity. We will notify you of any such change.
5. Data Retention and Deletion
We retain your data for as long as your account is active or as needed to provide the Service. Specific retention periods:
- Account data: Retained while your account is active and for a 30-day grace period after account or organization deletion.
- DMARC report data: Retained for 12 months from the date of ingestion, or until you delete it, whichever comes first.
- RUF forensic data: DMARCit does not currently receive or process RUF reports. No RUF data is ingested or stored.
- SPF cache data: Retained for 90 days.
- Raw DMARC report emails (S3): Retained for 7 days after processing, then automatically deleted.
- Billing records: Retained as required by tax and accounting law.
- Server and application logs: Retained for 90 days.
After termination of your account, you may request a data export within 30 days. Following that period, we will promptly delete or anonymize your Customer Data, except where retention is required by law.
6. International Data Transfers
The Service is operated from the United States. If you access the Service from outside this region, your data may be transferred to and processed in the United States.
For transfers of personal data from the EU or UK to the United States, we rely on Standard Contractual Clauses (Module 2: Controller to Processor) as approved by the European Commission, and the UK International Data Transfer Addendum where applicable. See our Data Processing Addendum for details.
7. Security
We implement commercially reasonable technical and organizational measures to protect your data, including encryption in transit (TLS), access controls, and secure infrastructure. However, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.
If you become aware of a security vulnerability or incident affecting your account, please contact us promptly at security@dmarcit.io.
8. Your Rights and Choices
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate data.
- Deletion: Request deletion of your personal data, subject to legal retention requirements.
- Portability: Request a machine-readable export of your data.
- Restriction: Request that we limit processing of your data in certain circumstances.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Where processing is based on consent, withdraw your consent at any time.
To exercise any of these rights, contact us at privacy@dmarcit.io. We will respond within the timeframe required by applicable law (typically 30 days).
For EU/UK users: You have the right to lodge a complaint with your local data protection supervisory authority.
9. Children
The Service is not directed to individuals under 18. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us and we will take steps to delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service at least 30 days before the changes take effect. We encourage you to review this Policy periodically.
11. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us at:
Cadmos LLC
PO Box 231, Cullman, AL 35056
Privacy inquiries: privacy@dmarcit.io
General inquiries: legal@dmarcit.io
Cadmos LLC does not currently have a Data Protection Officer or EU/UK representative. If you have questions about data protection, contact privacy@dmarcit.io.