trustyourinbox
← All legal

Privacy Policy

Last updated: 2026-04-29

This policy describes what data trustyourinbox collects, why we collect it, who we share it with, and your rights. Plain English, no legalese theater. If something here is unclear, email dmistry@yourhostdirect.com and we'll fix it.

Who we are

trustyourinbox is a DMARC monitoring service operated by a sole founder. We do not share data with advertisers. We do not run behavioral tracking for advertising. The product is built around the principle that what you publish in DNS is yours, and what flows through DMARC reports is yours.

What we collect

From customers who sign up:

  • Account info — your email address and any name you provide, managed by Clerk (our authentication provider). We see what Clerk sees.
  • Domain names you add to monitor.
  • DMARC aggregate reports sent to your unique RUA address. These XML reports contain sending IPs, alignment results, and message counts — they do not contain message bodies, recipients, subject lines, or any private email content. They are themselves designed to be aggregate data only.
  • Audit log entries for actions you take in the dashboard (domain added, paused, deleted, sender identified, digest preferences changed, etc.).
  • Plan + billing info when paid tiers launch (handled by Stripe).

From anonymous visitors using our public tools:

  • Domain names you paste into the DMARC audit, SPF tester, or DKIM verifier. These are public-DNS lookups; we don't store them long-term.
  • IP address for rate limiting (10 audits per hour per IP). Stored in memory only, evicted within an hour.
  • Aggregate page-view data via Cloudflare Web Analytics — no cookies, no cross-site tracking, no per-user identifiers.

What we don't collect

  • Message bodies, recipient addresses, subject lines, or any PII from inside emails.
  • Tracking cookies for advertising. The only cookies we set are Clerk's session cookie (essential for authentication).
  • Third-party trackers (Google Analytics, Facebook Pixel, Mixpanel, etc.).
  • Personally identifiable behavioral data linked to your identity for marketing.

Who we share it with

We use a small number of trusted vendors to operate the service:

  • Clerk — authentication. Stores your email + password hash + session.
  • Cloudflare — hosting, DNS, R2 (raw RUA reports for 7 days), Workers, Email Routing.
  • Neon — Postgres database hosting.
  • Anthropic — Claude API for plain-English summaries on dashboard pages and the AI audit. We send domain names + parsed DMARC tags, not message content.
  • Resend — outbound transactional email (digest reports, alerts).
  • Stripe — payment processing (when paid tiers launch). They see card details; we don't.

We do not sell data. We do not share customer data with anyone outside the vendors listed above. We comply with lawful requests for data only when legally required, and will notify the affected customer unless legally prohibited.

How long we keep it

  • Account data — while your account is active, plus 30 days after deletion (then permanently purged).
  • Raw .eml files in Cloudflare R2 — 7 days, then auto-deleted by lifecycle rule. We only persist the parsed report data, not the raw mail.
  • Parsed DMARC reports — kept while your workspace is active, deleted with your workspace.
  • Audit log — kept while your workspace is active.
  • AI audit / SPF / DKIM tool inputs — not persisted; only the IP address is held in memory for rate limiting (max 1 hour).

Your rights

You can:

  • See and edit your account info via the dashboard or by contacting us.
  • Export your data — email us and we'll provide a JSON export within 7 days.
  • Delete your account at any time. Soft-deleted domains are hard-purged after 7 days; account data is purged after 30 days.
  • Object to specific data uses by emailing us.

Residents of the EU/UK have the rights described under GDPR (access, rectification, erasure, portability, objection). California residents have rights under CCPA. We treat all customers to the higher of any applicable standard.

Children

trustyourinbox is intended for business use. We do not knowingly collect data from anyone under 13. If you believe a child has signed up, contact us and we'll delete the account.

Changes to this policy

If we materially change what we collect or how we use it, we'll email customers in advance and update the "Last updated" date at the top. Material changes apply only prospectively.

Contact

Questions, requests, or concerns: dmistry@yourhostdirect.com. We reply within 2 business days.

See also: Terms of Service · Acceptable Use Policy · Security.