Privacy Policy

Last updated 24/02/2026

1.0 Introduction and Scope

This Privacy Policy outlines the commitment of SentraDMARC ("SentraDMARC," "we," "us") to protecting the personal data of our users. SentraDMARC provides web security and compliance services, specializing in the management of DMARC policies to protect domains from common threats such as phishing and spoofing.

This policy applies to all personal data processed by SentraDMARC in its capacity as a Data Controller. This includes data collected from visitors to our website (sentradmarc.io), individuals who use our free tools like the Analyzer, registered users of our free trial and paid services, and individuals who contact us for support or other inquiries. This policy also explains our role as a Data Processor when we handle data on behalf of our clients.

In adherence with data protection best practices, including recommendations from supervisory authorities such as the French Data Protection Authority (CNIL), this policy is structured in a layered format. We provide summary tables and clear headings to allow you to quickly find the information most relevant to you. Each summary is followed by a more detailed explanation for those who require a deeper understanding. Our goal is to ensure this information is concise, transparent, intelligible, and easily accessible, in line with the principles of the General Data Protection Regulation (GDPR).

2.0 About Us and How to Contact Us: The Data Controller

2.1 Identity of the data controller

For the purposes of the GDPR and other applicable data protection laws, the Data Controller responsible for the processing activities described in this policy is:

2.2 Contact information for privacy matters

For any questions, concerns, or requests related to your personal data and the exercise of your privacy rights, please contact us through our dedicated email: contact@sentradmarc.io. Using this dedicated address ensures that your inquiry is directed to the team responsible for data protection matters for a timely and appropriate response.

2.3 Data Protection Officer (DPO)

The GDPR requires the appointment of a Data Protection Officer (DPO) for organizations whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale.

SentraDMARC's services involve the automated analysis of potentially millions of DMARC reports on behalf of our clients to generate security policies. These reports may contain personal data of end-users, such as IP addresses. This activity could be construed as regular and systematic monitoring on a large scale.

In recognition of these obligations and our commitment to the highest standards of data governance, SentraDMARC has conducted the necessary internal analysis.

We have designated an internal team, reachable at contact@sentradmarc.io, to handle all data protection responsibilities and ensure our ongoing compliance. We continuously review this determination as our services and processing activities evolve.

Addressing our DPO status directly reflects our commitment to the principle of accountability under the GDPR, providing transparency and assurance to our clients and their end-users.

3.0 Key Definitions

To ensure this policy is clear and easy to understand, we have defined some key terms that will be used throughout the document.

  • Personal Data: Any information relating to an identified or identifiable natural person ('Data Subject'). This includes direct identifiers like a name or email address, as well as indirect identifiers such as an IP address, an online identifier (like a cookie ID), or a website URL visited by the person, where such information can be linked back to them.
  • Processing: Any operation or set of operations performed on Personal Data, whether by automated means or not. This includes collection, recording, organization, structuring, storage, analysis, use, disclosure by transmission, and erasure.
  • Data Subject: The individual to whom the Personal Data relates. In the context of this policy, this can be a Client or an End-User.
  • Client: The individual, company, or other legal entity that registers for and uses SentraDMARC's services, including free trials and paid subscriptions. Our direct contractual relationship is with the Client.
  • End-User: An individual who visits or interacts with a website or web application owned or operated by one of our Clients. SentraDMARC has no direct relationship with End-Users.
  • Data Controller: The natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
  • Data Processor: The natural or legal person who processes Personal Data on behalf of the Data Controller.

The distinction between "Client" and "End-User" is fundamental to this policy. It allows for a clear and precise explanation of our different roles and responsibilities concerning the data of each group, a key component of fulfilling our transparency obligations.

4.0 Our Data Protection Roles: A Crucial Distinction

SentraDMARC operates in two distinct legal capacities under the GDPR: as a Data Controller and as a Data Processor. Understanding this dual role is essential to understanding how we handle personal data and which parts of this policy apply to you.

4.1 SentraDMARC as a Data Controller

We act as a Data Controller when we determine the "why" and "how" of data processing for our own business purposes. This applies to data relating to our own website visitors and our direct Clients.

We are the Data Controller for the following categories of Personal Data:

  • Client Account Information: When a Client registers for a free trial or a paid account, we collect information such as name, email address, and a hashed password. This is necessary to create and manage the account, provide our services, and authenticate the Client.
  • Billing and Subscription Information: For paid services, we collect information necessary to process payments and manage subscriptions. This is handled by a third-party payment processor.
  • Website Visitor Data: When you visit sentradmarc.io, we process technical data such as your IP address and browser information, and we use cookies for analytics and site functionality.
  • Free Tool Usage Data: When you use our free Analyzer tools, we process the domain or policy you submit, along with your IP address, to provide you with the requested security analysis.
  • Communication Data: When you contact our sales or support teams via our contact form or email, we process your name, contact details, and the content of your message to respond to your inquiry.

4.2 SentraDMARC as a Data Processor

We act as a Data Processor when we process Personal Data on behalf of our Clients and under their instructions. In this scenario, the Client is the Data Controller.

This role primarily applies to the processing of DMARC Reports.

  • How it Works: Our service provides clients with a reporting endpoint. The Client configures their domain's DNS records to send DMARC Reports to this endpoint. These reports contain data about the emails sent from the Client's domain.
  • Data Processed: The data within these reports, which may include IP addresses, is considered Personal Data. We process this data solely to provide our security analysis and policy-building services to the Client.
  • The Client's Responsibility as Data Controller: As the Data Controller for their End-Users' data, our Client is solely responsible for ensuring they have a lawful basis (e.g., legitimate interest) to collect this data and to instruct us to process it. The Client is also responsible for informing their End-Users about this processing in their own privacy policy.
  • Data Processing Agreement (DPA): Our relationship with the Client in this context is governed by a legally binding Data Processing Agreement (DPA). This DPA sets out our obligations as a Processor, including our duties to only process data on the Client's instructions, to implement appropriate security measures, and to assist the Client in fulfilling their own GDPR obligations.

By clearly delineating these roles and the Client's responsibilities, we not only fulfill our own legal obligations but also act as a compliance partner. This proactive approach helps our Clients understand their own duties and manage their compliance risks effectively.

5.0 Personal Data We Process: Purposes and Lawful Bases

Under the GDPR, every processing activity must be justified by a specific "lawful basis" as defined in Article 6. Processing is only lawful if at least one of these bases applies. SentraDMARC primarily relies on the following three lawful bases for its activities as a Data Controller:

  • Performance of a Contract (Article 6(1)(b)): When processing is necessary to fulfill our contractual obligations to you or to take steps at your request before entering into a contract.
  • Legitimate Interests (Article 6(1)(f)): When we have a legitimate business interest in processing your data, provided that this interest is not overridden by your own rights and interests.
  • Consent (Article 6(1)(a)): When you have given us clear, affirmative consent to process your personal data for a specific purpose.

5.1 Summary of Our Data Processing Activities (as a Data Controller)

| When you... | Categories of Personal Data We Process | Our Purpose for Processing | Our Lawful Basis |
|---|---|---|---|
| Browse our website (sentradmarc.io) | IP Address, Browser/Device Information, Cookie Identifiers, Usage Data | To operate, secure, and analyze the performance of our website, and to deliver a functional user experience. | Legitimate Interest |
| Use our free Analyzer tools | Website URL, Submitted Policy & Headers | To provide the requested security analysis and report, and to improve our tools by analyzing common configurations and errors. | Legitimate Interest |
| Register for a Free Trial or Paid Account | Name, Email Address, Password (hashed) | To create and manage your account, authenticate you, provide our services, and communicate essential service-related information. | Performance of a Contract |
| Use our Paid Services | Client account and usage data, configuration data, generated policies, billing information. | To deliver, maintain, bill for, and improve the services you have contracted for, including providing support and ensuring service functionality. | Performance of a Contract |
| Contact our Support or Sales Teams | Name, Email Address, Phone Number (optional), Company Name, Content of your message. | To respond to your inquiry, provide customer support, and manage our business relationship with you. | Legitimate Interest |

6.0 Automated Processing and the Builder

SentraDMARC's services leverage intelligent automation to simplify security for our Clients. This section provides transparency about how this automated processing works and how it relates to data protection law.

6.1 How the Builder Works

The Builder is a tool designed to automatically generate an optimized Policy for a Client's domain. It functions by analyzing the Reports that the Client's domain sends to our reporting endpoint over a period of time (e.g., 1-90 days). By processing these reports, the system can identify which external domains and resources are legitimately required for the domain to send email correctly. It then combines this analysis with security best practices to recommend a new, more secure Policy.

6.2 Automated Decision-Making under GDPR Article 22

GDPR Article 22 grants individuals the right not to be subject to a decision based solely on automated processing which produces legal effects concerning them or similarly significantly affects them.

The automated processing performed by the Builder does not fall under the scope of Article 22 for the following reasons:

  • No Legal or Significant Effect on Individuals: The output of the Builder is a technical recommendation for a security policy. This recommendation is provided to our Client (a domain administrator or developer), not the End-User. The policy itself governs which resources may send email for a domain; it does not result in a legal effect or a similarly significant effect on the End-User.
  • Human Intervention: The process is not solely automated. The Builder includes an "interactive review wizard" and an "approval workflow" that requires the Client to review, assess, and approve the recommended policy before implementation. The Client retains full control and is the ultimate decision-maker.

6.3 Safeguards and Recommendations

While not strictly governed by Article 22, we recognize the importance of transparency and safeguards for advanced automated systems. We have implemented the following measures:

  • Purpose Limitation: The violation report data is processed for the sole purpose of generating a policy for the specific Client who is the source of that data. The data is not used to profile End-Users or for any other purpose.
  • Data Minimization and Aggregation: The system is designed to identify patterns from aggregated data rather than focusing on the activities of a single End-User.
  • Mitigating the Risk: The Builder is not a generative large language model, but a rule-based analysis engine. The risk is minimal, and it is further mitigated by the Client's review process.

7.0 Cookies and Tracking Technologies

We use cookies and similar tracking technologies on our website sentradmarc.io to enable functionality, analyze performance, and for marketing purposes.

7.1 Types of Cookies We Use

  • Strictly Necessary Cookies: Essential for the website to function. We process data for these based on our Legitimate Interest.
  • Performance and Analytics Cookies: Allow us to count visits and traffic sources.
  • Functional Cookies: Enable enhanced functionality and personalization.
  • Targeting Cookies: May be set by advertising partners to show relevant adverts on other sites.

8.0 Data Sharing and Disclosure (Sub-processors)

We do not sell your personal data. We only share it with third-party service providers (sub-processors) who help us operate our business. We require them to uphold strict standards.

Our categories of sub-processors include:

  • Cloud Hosting and Infrastructure: Hosted with OVHcloud (France).
  • Payment Processing: We use Stripe (USA). We do not store full credit card details.
  • Analytics and Performance Monitoring: We use PostHog (EU).
  • Email and Communication Tools: We use Brevo (EU).

| Sub-Processor | Purpose | Location |
|---|---|---|
| OVHcloud | Cloud hosting and infrastructure | France |
| Stripe | Payment processing | USA |
| PostHog | Analytics and monitoring | EU |
| Brevo | Email delivery | EU |

9.0 International Data Transfers

Our commitment is to keep your data within the European Economic Area (EEA) whenever possible.

9.1 Primary Data Storage

All core service data is stored and processed on servers provided by OVHcloud, located within the European Union.

9.2 Safeguards for Other Transfers

When we transfer data outside the EEA, we ensure it is lawful and secure by using a recognized transfer mechanism under the GDPR.

10.0 Data Security

We have implemented technical and organizational measures to protect personal data, including:

  • Encryption: TLS for data in transit; sensitive data encrypted at rest.
  • Access Control: Restricted to authorized personnel on a need-to-know basis.
  • Pseudonymisation: Hashing passwords.
  • System Resilience: High availability infrastructure with regular backups.
  • Regular Testing: Vulnerability scans and security assessments.
  • Data Breach Response Procedure: Formal procedure for incident response and notification.

11.0 Data Retention

We keep personal data for no longer than necessary for the purposes for which it was collected.

11.1 Our Data Retention Periods

| Type of Data | Retention Period | Justification |
|---|---|---|
| Client Account Data | Duration of active subscription. Deleted after termination. | Performance of Contract; Legal obligations. |
| Data from Analyzer | Indefinitely. | Legitimate Interest (reviewing results). |
| Violation Reports | Rolling 90 days. | Necessary for Builder functionality. |
| Anonymized Statistical Data | Indefinitely. | Legitimate Interest (not personal data). |
| Contact/Support Inquiries | Indefinitely. | Legitimate Interest (history/quality control). |

12.0 Your Data Protection Rights

SentraDMARC is committed to upholding your rights:

  • The Right to be Informed
  • The Right of Access
  • The Right to Rectification
  • The Right to Erasure
  • The Right to Restrict Processing
  • The Right to Data Portability
  • The Right to Object
  • Rights in Relation to Automated Decision-Making

12.1 How to Exercise Your Rights

Submit your request to contact@sentradmarc.io. We will respond within one month.

12.2 An Important Note for End-Users

If you are an End-User of a Client's website, the Data Controller is the owner of that website. You must direct your request to them.

13.0 Children's Privacy

Our services are for professional audiences and not intended for individuals under 16. We do not knowingly collect personal data from children under 16.

14.0 Changes to This Privacy Policy

We may update this policy periodically. We will update the "Last Updated" date and provide notice for material changes. We encourage periodic review.