Privacy Policy
Last updated: 2026-05-26
What we collect
- Account data: your email address (required for magic-link login), team name, and the timestamps of your sessions.
- Payment data: if you subscribe to a paid plan, Stripe collects and stores your billing details. Sendvery never sees your card number — we only store the Stripe customer / subscription identifiers, plan name, and renewal status.
- DMARC reports: aggregate XML reports sent to us by mailbox providers (Google, Microsoft, Yahoo, …) for the domains you choose to monitor. These reports contain sender IPs, alignment results, and per-source pass/fail counts — they do not contain message bodies or recipient addresses.
- IMAP / POP3 credentials: if you connect your own mailbox so we can fetch reports directly, your username and password (or OAuth2 refresh token) are stored encrypted at rest. We only use them to download messages from the report folder you configure.
- AI prompt data: when you enable the AI Insights add-on, we send an anonymised summary of your DMARC data (counts, percentages, top-N sending sources by FQDN where present) to Anthropic. We do not send email addresses, message contents, or your account identifiers.
- Sentry crash data: if the application errors, we capture the PHP stack trace, request path, and Sendvery user ID. We strip request bodies and form payloads so credentials and report contents never leave the application.
- Contact form submissions: if you fill in the contact form at /about/contact, we store the name, email address, subject, and message you submit, plus the submitting IP address and browser user-agent for spam-attribution purposes. These rows persist to our database so the conversation has a durable audit trail and so the founder can reply outside the original session.
Why we collect it
We collect the minimum data necessary to operate Sendvery: authenticate you, ingest the DMARC reports you ask us to monitor, bill paid plans, and fix bugs. We do not sell your data, we do not run advertising, and we do not share data with third parties beyond the sub-processors listed below.
Data retention
- Account data: retained while your account is active and for 30 days after you delete the account, so that an accidental deletion can be reversed.
- DMARC reports: retention is tied to your plan — Free 30 days, Personal 1 year, Pro 2 years, Business unlimited. When you downgrade, older reports are not deleted immediately; they become read-only and a contractual purge runs once your plan's retention window passes.
- Sentry crash data: retained for 30 days, then automatically purged by Sentry.
- Stripe payment data: retained by Stripe according to Stripe's own retention policy — we keep only the references (customer / subscription IDs) for as long as your account exists.
- Contact form submissions: retained for 24 months from submission so the founder can search past correspondence and follow up on long-tail threads, then purged. Older inquiries can be deleted earlier on request via privacy@sendvery.com.
- Backups: daily encrypted database backups retained for 30 days, then rotated.
Sub-processors
| Name | Purpose | Data shared | Location |
|---|---|---|---|
| Stripe | Payment processing and subscription billing | Email address, billing address, subscription status | USA and EU (SCCs in place) |
| Anthropic | AI-powered insights generation (when enabled by user) | Anonymised DMARC summary data — no email addresses or personal data | USA. Data is processed under Anthropic's API terms. Enabled only when AI Insights is active on your plan. |
| Sentry | Error tracking and crash reporting | Error messages, PHP stack traces, request paths | EU and USA (Sentry EU endpoint used where possible) |
| Hetzner | Infrastructure hosting | All application data stored on Hetzner servers | European Union (Germany) |
Your GDPR rights
If you are located in the European Union, you have the following rights under GDPR. To exercise any of them, contact privacy@sendvery.com:
- Right to access — request a copy of every piece of personal data we hold about you.
- Right to rectification — correct anything inaccurate.
- Right to erasure — ask us to delete your account and the personal data tied to it (subject to the contractual retention window on DMARC reports while a paid plan is in force).
- Right to data portability — receive your data in a machine-readable format (JSON / CSV export).
- Right to object — object to any processing where the legal basis is our legitimate interest (we will stop unless we can demonstrate compelling grounds).
- Right to restrict processing — pause our use of your data while a dispute is being resolved.
- Right to lodge a complaint — file a complaint with your local data-protection authority. In the Czech Republic that is the Úřad pro ochranu osobních údajů (uoou.cz).
Children
Sendvery is a B2B product. It is not directed at anyone under 16 and we do not knowingly collect data from children. If you believe a minor has created an account, please contact us so we can delete it.
Contact
Privacy questions: privacy@sendvery.com. Data controller: Jan Mikeš, OSVČ (self-employed), Czech Republic.