Privacy Notice
Last updated 2026-05-27.
1. Who we are
DMARCHub is a service operated by Inside Technology Ltd, a company registered in England and Wales (company number 10442174, VAT number GB239614981), whose registered office is Fairways House Offices, Mount Pleasant Road, Southampton, Hampshire, SO14 0QB. We are the data controller for the personal data we process about you when you use DMARCHub.
We are registered with the Information Commissioner's Office; the registration number is to be confirmed pre-launch.
2. What we collect
We process the following categories of personal data:
- Account data: your name, email address, and the identifier your identity provider (Microsoft Entra ID, with Google Workspace planned) returns when you sign in. We never see or store your password.
- Company profile: your organisation's legal name, registered company number, VAT number (if you provide one), postal address, and a contact phone number. We collect these during onboarding so we can verify your account, raise accurate invoices, and meet our KYC obligations.
- Domain and DMARC report data: the DMARC aggregate (RUA) and forensic (RUF) reports that mail receivers send about your domain. These contain sending IP addresses, mail authentication results, and metadata about messages sent claiming to be from your domain. We scrub the body, subject, and recipient details from forensic reports on receipt.
- Billing data: the company profile fields above plus a billing email address and a list of people you have nominated to receive invoice notifications (their name and email). Card details go directly to Stripe; we never see them.
- Usage data: which pages you visit, how often, and how the service is performing for you. We do not use third-party advertising trackers.
3. Lawful basis
We rely on the following lawful bases under the UK GDPR:
- Contract performance: most of what we do is to provide the DMARCHub service you have subscribed to.
- Legitimate interest: we process operational and usage data to keep the service running well and to investigate abuse, on the basis of our legitimate interest in operating a reliable service.
- Legal obligation: we retain invoices indefinitely to meet HMRC record-keeping requirements.
4. How we use it
We use your data to provide DMARCHub: ingest your DMARC reports, give you a dashboard, notify you about anomalies, bill you for paid plans, and respond to support requests. We do not sell your data, share it with advertisers, or use it to train machine-learning models.
5. Who we share it with
We rely on the following data processors:
- Microsoft Azure (UK South region): hosting infrastructure and managed Postgres.
- Microsoft Graph: to access the dedicated reporting mailbox we provision for your domain.
- Cloudflare: DNS for our reporting domain (dmcrpt.io) and TLS termination for our application.
- Stripe: payment processing. Card data is held by Stripe, not us.
- Xero: accounting. Invoice metadata (organisation name, amount, reference) is synced to our Xero ledger.
- SMTP2GO: transactional email delivery (welcome, invoice, alert messages).
We have data-processing agreements with each of these suppliers and we have reviewed their security posture.
6. Retention
Physical retention (how long we store your data) is set centrally and applies to all customers regardless of plan. How far back you can view your reports inside the portal (visible history) depends on your subscription plan; upgrading reveals older history instantly because nothing was ever deleted.
- Parsed DMARC reports (aggregate and forensic): physically retained 3 years from receipt. Visible history per plan - Free 3 months, Starter 12 months, Pro 3 years. Forensic reports have personally identifying information removed at ingest.
- Summary statistics (used for the dashboard and trend charts): physically retained 5 years, visible per the plan above.
- Raw DMARC report files (XML/zip): 30 days from receipt. Short-term safety net for reprocessing; not surfaced in the portal.
- TLS-RPT reports: 3 years from receipt.
- Email audit log: 36 months from sending.
- Account data: held while your account is active; soft-deleted on closure with a 30-day recovery window, then hard-deleted.
- Invoices: retained indefinitely as required by HMRC.
7. Your rights
Under UK GDPR you have the right to access, rectify, erase, restrict, or port your personal data, and to object to processing. To exercise any of these rights, email [email protected]. We respond within one calendar month.
If you believe we have mishandled your personal data, you have the right to complain to the Information Commissioner's Office (ico.org.uk).
8. International transfers
Your data stays in the UK. We host in Microsoft Azure UK South and our data processors keep your data in the UK or EEA. We will update this notice before introducing any transfer outside the UK/EEA.
9. Contact
Privacy questions: [email protected]
General contact: [email protected]