← Back to DMARC Digest
Privacy Policy
Effective date: June 30, 2026 · Last updated: June 30, 2026
GDPR · CCPA · NIST SP 800-53 Compliant
Plain-language summary: You upload your DMARC XML reports. We parse them, generate a summary using AI, and produce a PDF. The files and PDF are deleted within 1 hour. We do not store, sell, or share your email routing data with anyone (except the AI model that generates the narrative — see below).
What We Process
- DMARC XML report files you upload — these may contain IP addresses of servers that sent email on behalf of your domain. These are used solely to generate your digest report.
- Hashed IP address of your browser session (one-way SHA-256) — used only for rate limiting. Raw IP is never stored.
- Generated PDF report — stored for up to 1 hour, then permanently deleted.
What We Do Not Collect
- No email content — DMARC reports contain metadata only (sender IPs, authentication results), never message content.
- No account, name, or email address required.
- No tracking cookies or analytics.
- No persistent storage of your uploaded XML files.
Third-Party AI Processing
Aggregated statistics from your DMARC report (domain name, message counts, pass/fail rates, and anonymous sender IP data) are sent to Anthropic's Claude API to generate the narrative section of your report. Raw XML files are never sent — only structured summary data.
Anthropic's handling is governed by their Privacy Policy. If your reports contain sensitive internal IP infrastructure, consider reviewing Anthropic's API data use policy before uploading.
Data Retention
- Uploaded XML files: processed in memory, never written to disk.
- PDF reports: auto-deleted after 1 hour.
- Rate-limit records (hashed IP + timestamp): purged after 24 hours.
- Audit logs (hashed IP, event type only): retained 30 days, then purged.
Your Rights (GDPR / CCPA)
Because we do not retain your uploaded data or link it to an identity, there is no persistent personal data to access or delete. Contact us if you have concerns — we will respond within 72 hours.
Security Controls
- XML parsing via defusedxml — prevents XXE injection, billion-laughs, and external entity attacks
- File upload validation: type checking, 5 MB size limit, decompression bomb protection
- All traffic via HTTPS/TLS 1.2+
- HTTP security headers: HSTS, CSP, X-Frame-Options, X-Content-Type-Options
- Rate limiting per anonymized IP
Compliance
- GDPR (EU) — lawful basis: legitimate interest; data minimization; storage limitation
- CCPA (California) — no sale of personal information
- NIST SP 800-53 Rev. 5 — SC-8, AU-2, SI-10, AC-17
- OWASP Top 10 — injection, XXE, SSRF, broken access control protections in place
- CAN-SPAM / email law — this tool processes authentication metadata only, not email content
Contact
Security issues or privacy concerns: privacy@dmarcdigest.app