ShieldMarc

Privacy Policy

Last updated: 15 March 2026

1. Who We Are

ShieldMarc ("we", "us", or "our") is the data controller for personal data collected through the ShieldMarc platform.

For data protection enquiries, contact us at [email protected].

2. What Data We Collect

We collect the following categories of personal data:

  • Account information: email address and hashed password when you create an account.
  • Organisation data: organisation name, domain names you add for monitoring, and team member email addresses you invite.
  • DMARC report data: aggregate DMARC reports (RUA) and forensic reports (RUF) sent to your ShieldMarc reporting address. Aggregate reports contain sender IP addresses, domain names, and authentication results. Forensic reports may additionally contain sender and recipient email addresses and message headers - but never email body content.
  • Monitoring data: SSL certificate details (issuer, expiry, SANs), DNS record snapshots, SPF/DKIM verification results, and uptime check results for domains you register with the Service.
  • Payment information: billing details are collected and processed by Stripe. We store only your Stripe customer ID and subscription ID - never your card number.
  • Audit logs: records of significant account actions (logins, configuration changes, member invites) including timestamps and IP addresses, for security and accountability purposes.

3. How We Use Your Data

We use your personal data to:

  • Provide, maintain and improve the Service.
  • Process payments and manage subscriptions.
  • Send transactional emails (account confirmation, password resets, billing receipts).
  • Send alert and notification emails (SSL expiry warnings, DNS changes, uptime incidents, DMARC policy issues).
  • Monitor domain security on your behalf (SSL, DNS, DMARC, uptime).
  • Respond to support requests.
  • Comply with legal obligations.

4. Legal Basis for Processing

Under the UK GDPR, we process your data on the following lawful bases:

  • Contract: processing necessary to perform our contract with you (providing the Service).
  • Legitimate interest: improving the Service, preventing fraud, and ensuring security.
  • Legal obligation: complying with applicable laws and regulations.

5. Data Sharing

We share personal data only with the following sub-processors:

  • Cloud database & authentication provider: hosted in the EU. Processes account data and authentication under our instructions.
  • Stripe (payments): processes payment data under their own privacy policy. PCI-DSS Level 1 certified.
  • Microsoft (email delivery): processes recipient email addresses to deliver transactional and alert emails on our behalf via Microsoft Graph API.
  • Cloudflare (bot protection): processes IP addresses and browser signals during login and sign-up via Turnstile CAPTCHA to prevent automated abuse.

We do not sell your personal data. We do not share data with advertisers or data brokers.

6. Data Retention

We retain your account data for as long as your account is active. If you delete your account, your personal data and organisation membership are removed immediately. DMARC report data is retained for 365 days, then automatically purged; Enterprise customers may negotiate extended retention as part of a custom plan. Audit logs are retained for 12 months. Residual data in backups is overwritten within the normal backup rotation cycle (up to 30 days).

7. Your Rights

Under the UK GDPR, you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erase your data ("right to be forgotten").
  • Restrict processing of your data.
  • Port your data to another service. Contact [email protected] to request a machine-readable export of your data.
  • Object to processing based on legitimate interest.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

8. Cookies

We use only essential cookies required for the Service to function (authentication session, active organisation). Cloudflare Turnstile may set a short-lived cookie during login and sign-up to verify you are a real user. We do not use tracking cookies, analytics cookies, or advertising cookies.

9. Security

We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), encrypted storage, access controls, audit logging, and regular security reviews.

10. International Transfers

Your data is primarily stored and processed in the EU. Some sub-processors (Stripe, Microsoft, Cloudflare) may process data in the United States or other jurisdictions. Where data is transferred outside of the UK and EU, we ensure appropriate safeguards are in place (e.g. Standard Contractual Clauses or UK International Data Transfer Agreements).

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

12. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.