Privacy Policy
Last updated: April 24, 2026
TL;DR — The short version
- ✓ Your DMARC XML files are processed entirely in RAM. Nothing is ever written to disk.
- ✓ Sessions and all associated data are automatically deleted after 1 hour.
- ✓ We do not use advertising trackers, analytics cookies, or third-party marketing pixels.
- ✓ We do not sell, rent, or share your data with anyone.
- ✓ No account or sign-up is required.
1. Who we are
DMARC Labs is a free, privacy-first tool for analyzing DMARC aggregate (rua) XML reports. The service is operated by an individual developer and is not affiliated with any corporation. For questions, use the contact form.
2. What data we collect and why
2.1 Uploaded files
When you upload a DMARC XML report (or a compressed .gz / .zip archive containing one), the file content is received by our API server and held exclusively in process memory for the duration of your session. It is never written to any database, object store, log file, or other persistent medium. Once your session ends — when you click "Purge Data", when you close the tab, or when 1 hour elapses — the in-memory data is destroyed and is unrecoverable.
2.2 IP addresses in your report
IP addresses extracted from your DMARC report are sent to the ip-api.com geolocation and ASN lookup service solely to enrich your analysis results (organisation name, country, threat classification). We do not log or retain these IP addresses. ip-api.com's own privacy policy applies to those requests.
2.3 Feedback submissions (optional)
If you submit a rating or feedback comment via the in-app feedback widget, the content (emoji rating + optional text) is sent to our moderation email address. No personal identifier is attached; the submission is entirely voluntary.
2.4 Access requests (optional)
If you submit a "Request higher limits" form, we collect your name and email address solely to respond to your request. This information is not used for marketing and is deleted after the request is resolved.
2.5 Server logs
Our hosting infrastructure (Fly.io) may retain standard HTTP access logs (IP address, user agent, request path, status code) for up to 7 days for operational debugging. These logs are not analysed for commercial purposes.
3. Cookies & tracking
DMARC Labs does not use cookies, local storage, or any client-side persistent identifiers. There are no analytics scripts (e.g. Google Analytics), advertising pixels, or social media tracking widgets on this site.
The temporary session token used to associate your upload with your analysis result is stored only in React component state (in-memory in your browser tab). It is never written to localStorage, sessionStorage, or a cookie.
4. Legal basis for processing (GDPR)
DMARC Labs is accessible globally. For users in the European Economic Area (EEA) and the United Kingdom, our legal basis for processing is:
- → Legitimate interests (Art. 6(1)(f) GDPR) — for processing uploaded file content and IP addresses to provide the requested analysis service. Our legitimate interest is delivering the analysis you explicitly requested.
- → Consent (Art. 6(1)(a) GDPR) — for optional feedback and access-request submissions, where you voluntarily provide personal information.
Because we do not retain any personal data beyond the 30-minute session window (or immediate purge on request), the data minimisation, storage limitation, and right to erasure principles under GDPR are satisfied by design.
5. Your rights (GDPR / UK GDPR)
As a data subject you have the following rights. Given our ephemeral architecture, most are satisfied automatically:
6. Data transfers
IP-address lookup requests are processed by ip-api.com, whose servers may be located outside the EEA. These requests contain only the IP addresses from your DMARC report — no personal data belonging to you as the user. No transfer of personal data to third countries occurs.
7. Security
All data in transit is encrypted via TLS 1.2+. Our API enforces file-size limits, rate limiting, strict CORS policies, and security headers (CSP, HSTS, X-Frame-Options) via the Helmet middleware. In-memory session data is isolated per session ID (a cryptographically random UUID v4).
8. Children
DMARC Labs is not directed at children under the age of 16. We do not knowingly collect personal information from children.
9. Changes to this policy
We may update this Privacy Policy to reflect changes in our practices or for legal reasons. When we do, we will update the "Last updated" date at the top of this page. Continued use of the service after changes are posted constitutes acceptance of the updated policy.
10. Contact
For privacy-related enquiries, please use our contact form. We aim to respond within 5 business days.