Legal

Privacy policy

Last updated: 5 May 2026

i-dmarc is a DMARC monitoring service operated by inoc8 Pty Ltd(“we”, “us”), a company registered in the Republic of South Africa. We take your privacy seriously and comply with the Protection of Personal Information Act, 4 of 2013 (“POPIA”).

This policy explains what personal information we collect, why we collect it, how we use and protect it, and the rights you have over it.

Information we collect

Account information

When you sign up for an i-dmarc account we collect your name, business email address, company name, and an encrypted hash of your password. If you enable multi-factor authentication we also store the encrypted secret used to verify one-time codes.

DMARC report data

We process the aggregate (RUA) and forensic (RUF) DMARC reports sent to the unique reporting endpoint we generate for each of your domains. These reports contain technical metadata — sending IP addresses, SPF and DKIM authentication results, message counts, and disposition decisions — sent by mailbox providers such as Google, Microsoft, and Yahoo. They do not contain message bodies or recipient addresses.

Usage and diagnostic data

We log the IP addresses of authentication attempts, audit-log events (such as account creation, login, and policy changes), and basic browser metadata to operate the service securely. We do not use third-party advertising or behavioural tracking.

How we use your information

  • To provide and maintain the service you have signed up for.
  • To authenticate access, prevent fraud, and detect abuse.
  • To send you transactional messages (account verification, security alerts, billing notices).
  • To produce the dashboards, reports, and alerts you have configured.
  • To respond to your support requests.

We do not sell your data. We do not use your data to train machine-learning models for unrelated purposes.

Where your data is stored

Customer data is stored on infrastructure located in Africa, with encrypted backups held within the same region. Data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher.

Sub-processors

We rely on a small number of carefully selected sub-processors to operate the service. Each is bound by a written agreement requiring compliance with POPIA and the GDPR.

  • Amazon Web Services (af-south-1) — primary hosting, storage, and email receiving.
  • Cloudflare — CDN, DNS, and DDoS protection.
  • Resend — transactional email delivery (account, alerts).
  • Stripe — payment processing for paid subscriptions.

Data retention

DMARC report data is retained according to your subscription plan (30 days on Starter, 12 months on Growth and MSP). Account audit logs are kept for 24 months. When you cancel your subscription we delete your customer data within 30 days unless we are required by law to keep it longer.

Your rights under POPIA

  • Request a copy of the personal information we hold about you.
  • Ask us to correct or delete information.
  • Withdraw consent for any processing that relies on consent.
  • Object to processing or lodge a complaint with the Information Regulator of South Africa.

To exercise any of these rights, write to us at privacy@i-dmarc.com. We will respond within 30 days.

Information Officer

Our Information Officer can be contacted at privacy@i-dmarc.com.

inoc8 Pty Ltd · Registered in the Republic of South Africa · Trading as i-dmarc · hello@i-dmarc.com