Legal

Privacy Policy

Draft — legal review required

Last updated 2026-06-07

This policy explains what Inbox Vital collects, how it is processed, and how you can have it deleted. Inbox Vital is an email-deliverability monitor that works primarily with publicly published DNS data.

What we collect

  • Account & workspace. The email address you sign in with, and your membership in a workspace (organization). Sign-in is passwordless, so we do not collect or store passwords.
  • Domains & scan results. The domains you add and the results of scanning their public DNS — SPF, DKIM, DMARC, MX, and BIMI records, the computed health score, and the generated diagnosis.
  • DMARC aggregate reports. When you enable monitoring, mailbox providers send DMARC aggregate reports to a per-domain address we generate. These reports can include sending-source IP addresses. We ingest and store them so you can review them; you can also upload reports manually.
  • Billing status. Your subscription state, mirrored from our payment processor. We do not store card numbers — payment details are handled entirely by the processor.

Service providers

We rely on a small set of trusted service providers to run the product. Each processes only the data needed for its role:

  • a cloud database and backend host, for account, workspace, and scan data;
  • a payment processor, for billing;
  • a transactional-email provider, for sign-in codes, alerts, and digests;
  • an AI provider, which generates the diagnosis from your scan results; and
  • an inbound email-routing provider, which receives DMARC aggregate reports.

These providers act as processors on our behalf under appropriate data-protection terms.

Legal basis for processing

Where data-protection law requires a legal basis, we rely on:

  • Performance of a contract — to provide the service you sign up for;
  • Legitimate interests — to secure, operate, and improve the service and prevent abuse; and
  • Consent — for optional marketing, where applicable, which you can withdraw at any time.

International transfers

Some of our service providers are located outside your country, including the United States. Where personal data is transferred across borders, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses.

Your rights (GDPR / UK GDPR)

If you are in the EEA or UK, you have the right to:

  • access the personal data we hold about you;
  • have inaccurate data corrected;
  • have your data erased;
  • receive your data in a portable format;
  • restrict or object to certain processing; and
  • lodge a complaint with your local supervisory authority.

To exercise any of these, email us at the address below.

Your rights (US / California)

If you are a California resident, you have the right to know what personal information we collect, to access and delete it, to correct it, and to opt out of its sale or sharing. We extend these rights to all US users.

We do not sell or share your personal information, and we do not use it for cross-context behavioural advertising. To exercise your rights, email us at the address below.

Retention & deletion

Deleting a domain removes its scan history and any stored DMARC records for that domain. We otherwise retain data only as long as needed to run the service:

  • scan history: up to [N] months;
  • DMARC aggregate reports: up to [N] months;
  • billing records: up to [7] years, where required for tax and accounting; and
  • account and workspace data: until you delete your account, plus a short backup window.

To delete your account or your entire workspace, contact us and we will remove your data. Some records may be retained where required for legal, accounting, or fraud-prevention reasons.

Analytics & cookies

We use a small amount of privacy-respecting product analytics and error monitoring [confirm: PostHog / Sentry] to understand usage and fix problems. Visitors in regions that require it are asked for consent before any non-essential cookies are set.

Children’s data

Inbox Vital is a business tool and is not directed to children. We do not knowingly collect personal data from anyone under 16 (or under 13 in the United States). If you believe a child has provided us data, contact us and we will delete it.

Contact

Inbox Vital is operated by [ENTITY]. Questions about your data, or want it deleted? Email us at hello@inboxvital.com.

See also our Terms of Service.