OnlyDMARC Ltd ("OnlyDMARC", "we", "us", "our") is a company registered in New Zealand and the Cayman Islands. We operate the OnlyDMARC platform — a DMARC aggregation and monitoring service — accessible at onlydmarc.com and related sub-domains.
We act as a data controller in respect of personal data we collect directly from you (e.g. your account details). We may act as a data processor where we handle data on your behalf as part of delivering the service (e.g. processing DMARC report data that relates to your email infrastructure).
When you create an account we collect your name, work email address, company name, and a hashed password. If you upgrade to a paid plan we also collect billing contact details. We do not store full card numbers — payments are processed by our PCI-DSS compliant payment provider.
We collect information about how you use the platform, including pages visited, features used, search queries within the app, and configuration changes. This helps us improve the product and troubleshoot issues.
To deliver the core service, we ingest, parse, and store the DMARC aggregate (RUA) and forensic (RUF) reports sent to the receiving addresses we provision for you. This data typically contains sending IP addresses, authentication results, and message counts. It generally does not contain personal data about your end users, but this may vary depending on your senders.
We automatically collect IP addresses, browser type, device type, referring URLs, and access timestamps in server and application logs. Logs are retained for up to 90 days for security and debugging purposes.
If you contact us by email or via the in-app contact form, we retain that correspondence to help resolve your query and improve our support processes.
Where UK GDPR or EU GDPR applies, we process your data under the following legal bases:
We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances:
We retain your account data for as long as your account is active. If you close your account, we delete or anonymise your personal data within 90 days, unless we are required to retain it longer for legal, tax, or fraud-prevention purposes.
DMARC report data is retained in accordance with your chosen plan. You may configure retention periods within the platform settings. Reducing retention will permanently delete older data.
We take appropriate technical and organisational measures to protect your data, including encryption in transit (TLS 1.2+) and at rest (AES-256), access controls, regular security assessments, and incident response procedures. See our Security page for more detail.
No transmission over the internet is 100% secure. If you have reason to believe your data has been compromised, please contact us immediately at security@onlydmarc.com.
Our infrastructure is hosted in the European Economic Area (EEA). Where we use sub-processors outside the EEA, we ensure adequate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent UK mechanisms under the UK GDPR.
Subject to applicable law, you have the following rights regarding your personal data:
To exercise any right, contact us at privacy@onlydmarc.com. We will respond within 30 days. You also have the right to lodge a complaint with a supervisory authority — in the UK this is the Information Commissioner's Office (ICO).
We use cookies and similar tracking technologies for authentication, security, preferences, and analytics. The key cookies we set are described below.
Strictly necessary cookies are essential for the Service to function and cannot be disabled. They include authentication tokens, session identifiers, and CSRF tokens. No personal profiling is performed with these cookies.
Functional cookies remember your preferences to provide a more personalised experience — for example, your preferred theme, dashboard layout, or notification settings. These can be disabled but may affect the quality of the experience.
Analytics cookies help us understand how visitors use our marketing website. This data is aggregated and anonymised. These are optional and require your consent.

| Name | Category | Duration | Purpose |
|---|---|---|---|
| od_session | Necessary | Session | Authenticates your session. Deleted when the browser is closed. |
| od_csrf | Necessary | Session | CSRF protection token to prevent cross-site request forgery attacks. |
| od_remember | Necessary | 30 days | Persistent login token when "Remember me" is selected. |
| od_prefs | Functional | 1 year | Stores UI preferences such as theme, timezone, and layout settings. |
| od_consent | Necessary | 1 year | Records your cookie consent choices. |
| od_anon_id | Analytics | 90 days | Anonymous identifier used for aggregate analytics. Does not identify individuals. |

When you first visit OnlyDMARC, you will be presented with a cookie consent banner allowing you to choose which optional cookies to accept. You can update your preferences at any time via your account settings. You may also control cookies through your browser settings — note that disabling strictly necessary cookies will prevent you from signing in.
Instructions for managing cookies: Chrome, Firefox, Safari, Edge.
Our service is intended for professional use and is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with data, please contact us and we will delete it promptly.
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page and, for material changes, notify you via email or an in-app notice. Continued use of the service after changes take effect constitutes acceptance of the revised policy.
If you have any questions or concerns about this policy or our data practices, please contact our Data Protection Officer:
OnlyDMARC Ltd
Email: privacy@onlydmarc.com
Postal address: Please think of the environment and don't send pieces of paper packed inside a package of other paper to people.