← Back to SendCanary

Privacy Policy

Last updated: March 25, 2026

We built SendCanary to protect your email, not to harvest your data. This policy explains what we collect, why we collect it, and what we will never do.

What we collect

Account information. Your name, email address, company name, and domain when you sign up. We need this to create your account and contact you about your service.

DNS records. We read your domain's public DNS records (DMARC, SPF, DKIM, MX, NS) to assess your email security and configure protection. These records are already public. Anyone can look them up.

DMARC aggregate reports. Email providers (Google, Microsoft, Yahoo) send us XML reports about emails sent using your domain. These reports contain IP addresses, sending domains, and pass/fail results. They do not contain email content, subject lines, or recipient addresses.

OAuth tokens. If you connect a provider (Google Workspace, Microsoft 365, SendGrid), we store encrypted access tokens to read your domain configuration. We use the minimum scope required and never read your email content.

Payment information. Stripe handles all payment processing. We never see or store your credit card number. We store your Stripe customer ID to manage your subscription.

What we do with it

• Configure and monitor your email authentication (DMARC, SPF, DKIM)
• Identify who sends email as your domain
• Send you monthly proof reports and anomaly alerts
• Process your payment through Stripe

That's the complete list.

What we will never do

• Sell your data to anyone
• Share your data with advertisers
• Read your email content (we literally cannot; DMARC reports don't contain it)
• Track you across the web
• Use tracking pixels in our emails to you
• Install cookies for advertising purposes
• Give your data to "partners" for "marketing purposes"

Data storage and security

Your data is stored on servers in Germany (Hetzner) with encrypted connections. OAuth tokens are encrypted at rest using AES-256-GCM with per-tenant encryption keys. We use HTTPS everywhere. Our database is not accessible from the public internet.

Data retention

We keep your DMARC reports for 12 months to provide trend analysis and monthly proof reports. If you delete your account, we delete your data. If you use the Big Red Button to remove SendCanary from your DNS, your protection continues independently and we stop receiving reports.

Third-party services

• Stripe for payment processing
• Supabase for authentication
• Resend for transactional emails (alerts, reports)
• Cloudflare for DNS hosting and CDN

Each of these has their own privacy policy. We chose them because they don't do creepy stuff with your data either.

Your rights

You can export your data, delete your account, or disconnect any provider at any time from your dashboard. No "call to cancel." No retention tricks. If you want something we haven't covered, email john@travise.net and we'll sort it out.

Changes

If we change this policy, we'll email you about it. We won't sneak changes in and hope you don't notice.