Privacy Policy

Effective Date: January 19, 2026

This Privacy Policy explains how FLGXPL ("Company," "we," "us," or "our") collects, uses, discloses, and protects your personal data when you use DMARCTrust (the "Service"). We handle your data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the French Data Protection Act.

1. Data Controller

The data controller responsible for your personal data is:

Company: FLGXPL
Address: 231 rue Saint-Honoré, 75001 Paris, France
Registration: 810 794 164 (RCS Paris)
VAT Number: FR28810794164
Email: [email protected]

2. Data We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address
  • Password (stored as a bcrypt hash)
  • Authentication tokens (if you use Google OAuth)

2.2 Domain and DMARC Data

When you use our monitoring service, we process:

  • Domain names you add to monitor
  • DNS records (DMARC, SPF, DKIM, BIMI) for those domains
  • DMARC aggregate reports (RUA) containing: sending IP addresses, email volume statistics, authentication results, and organizational identifiers
  • DMARC forensic reports (RUF) which may contain email headers, message identifiers, and partial email content

2.3 Usage Data

We automatically collect:

  • IP address and approximate location
  • Browser type and operating system
  • Pages visited and features used
  • Date and time of access
  • Referring website

2.4 Billing Information

When you subscribe to a paid plan, our payment processor (Stripe) collects:

  • Payment card details (processed and stored by Stripe, not by us)
  • Billing address
  • Transaction history

3. Legal Bases for Processing

We process your personal data based on the following legal grounds under GDPR Article 6:

3.1 Performance of Contract (Article 6(1)(b))

  • Providing the DMARC monitoring service
  • Processing DMARC reports
  • Managing your account
  • Processing payments

3.2 Consent (Article 6(1)(a))

  • Marketing communications (optional)
  • Analytics cookies and tracking technologies
  • Marketing and advertising cookies

3.3 Legitimate Interest (Article 6(1)(f))

  • Improving our service based on usage patterns
  • Preventing fraud and ensuring security
  • Sending service-related communications
  • Error monitoring and debugging (via Sentry)

3.4 Legal Obligation (Article 6(1)(c))

  • Retaining billing records for tax purposes
  • Responding to lawful requests from authorities

4. How We Use Your Data

We use your personal data to:

  • Provide, maintain, and improve the Service
  • Process and analyze DMARC reports for your domains
  • Send you alerts about DNS changes or authentication failures
  • Send service-related notifications (first report received, configuration issues)
  • Process payments and manage subscriptions
  • Respond to your support requests
  • Comply with legal obligations
  • Protect against fraud and unauthorized access

5. Data Sharing and Third-Party Processors

We share your data with the following categories of third-party service providers ("Subprocessors") who process data on our behalf:

5.1 Infrastructure Providers

  • OVH (Roubaix, France): Hosting and server infrastructure
  • Cloudflare (USA): CDN, DNS, and DDoS protection
  • Cloudflare R2 (USA): Object storage for blog images

5.2 Payment Processing

  • Stripe (USA): Payment processing and subscription management

5.3 Analytics and Monitoring

  • Google Analytics (USA): Website analytics. The script loads immediately in "consent denied" mode. No identifiable data is collected until you consent.
  • Simple Analytics (Netherlands): Privacy-friendly analytics
  • Sentry (USA): Error monitoring and performance tracking

5.4 Marketing and Advertising

  • Google Ads (USA): Conversion tracking. The script loads immediately in "consent denied" mode. No identifiable data is collected until you consent.
  • Microsoft Advertising / Bing (USA): Conversion tracking. The script loads immediately in "consent denied" mode. No identifiable data is collected until you consent.

5.5 Authentication

  • Google OAuth (USA): Optional sign-in with Google

We require all subprocessors to maintain appropriate security measures and comply with applicable data protection laws. For US-based providers, we rely on Standard Contractual Clauses (SCCs) or their participation in recognized data transfer frameworks.

6. International Data Transfers

Some of our subprocessors are located outside the European Economic Area (EEA), primarily in the United States. When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • EU-US Data Privacy Framework certification (where applicable)
  • Adequacy decisions by the European Commission (where applicable)

6.1 Data Region Selection

During account registration, you may choose a preferred data region (European Union or United States) for the storage of your account data. You can update this preference at any time in your account settings. For technical reasons, changing your data region may take several hours to complete and cannot be performed in real time.

7. Data Retention

We retain your data for the following periods:

Data Type: Retention Period
Account information: Until account deletion + 30 days
DMARC reports (Free plan): Not retained (discarded)
DMARC reports (Starter plan): 90 days
DMARC reports (Pro plan): 180 days
Raw IMAP emails: 7 days (then deleted)
Billing records: 10 years (legal requirement)
Processing logs: Per your plan retention period
Support requests: 3 years

8. Your Rights Under GDPR

If you are in the European Economic Area, you have the following rights:

8.1 Right of Access (Article 15)

You can request a copy of your personal data. Much of your data is already accessible through your dashboard.

8.2 Right to Rectification (Article 16)

You can correct inaccurate personal data through your account settings or by contacting us.

8.3 Right to Erasure (Article 17)

You can request deletion of your personal data. To delete your account and associated data, please contact us at [email protected].

8.4 Right to Restriction (Article 18)

You can request that we limit processing of your data in certain circumstances.

8.5 Right to Data Portability (Article 20)

You can request your data in a machine-readable format. Contact us to request a data export.

8.6 Right to Object (Article 21)

You can object to processing based on legitimate interests. You can manage your DNS alert preferences in your account settings.

8.7 Right to Withdraw Consent

Where processing is based on consent, you can withdraw it at any time. Use our cookie consent settings to manage analytics and marketing preferences.

To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days as required by GDPR.

9. Right to Lodge a Complaint

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with a supervisory authority. For France, the supervisory authority is:

CNIL (Commission Nationale de l'Informatique et des Libertés)
3 Place de Fontenoy, 75007 Paris, France

10. Cookies and Tracking

We use cookies and similar technologies. For detailed information about the cookies we use and how to manage your preferences, please see our Cookie Policy.

11. Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption of data in transit (TLS/HTTPS)
  • Hashing of passwords using bcrypt
  • Regular security assessments
  • Access controls and authentication
  • Automated security scanning with Brakeman
  • Error monitoring and incident response

12. Children's Privacy

Our Service is intended for business use and is not directed to children under 16 years of age. We do not knowingly collect personal data from children.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Effective Date." For significant changes, we may also send you an email notification.

14. Contact Us

For questions about this Privacy Policy or our data practices, please contact us:

Email: [email protected]
Address: FLGXPL, 231 rue Saint-Honoré, 75001 Paris, France