Legal

Privacy notice

Last updated 2026-04-26

Who we are

Mailstinger is operated by Mike (sole proprietor, DBA Mailstinger) — registered legal address available on request. Mailstinger LLC formation is in progress; this notice will be updated when the entity transition completes.

What we collect

  • Account data — your email, name, password hash, billing identifiers (Stripe customer ID), and your MSP organisation name.
  • Domain data — public DNS records for the domains you add: SPF, DKIM, DMARC, BIMI, MTA-STS, TLS-RPT. None of this is private; we resolve it from authoritative DNS.
  • DMARC aggregate reports — the XML reports mailbox providers send to your rua= address, parsed and stored under your tenant. Senders' IPs and pass/fail counts; no message bodies.
  • Optional forensic reports — when receivers send ruf= per-failure forwards, we store sanitised metadata (sender, recipient domain, auth result) and redact PII where present.
  • Inbound platform mail — messages to support@mailstinger.com / noreply@mailstinger.com are stored encrypted at rest (Fernet) for 90 days, then purged. Bodies are scrubbed for credit-card and SSN-like patterns before encryption.
  • Operational logs — request URLs, IP addresses, status codes — kept ≤ 30 days for incident response.

What we don't collect

  • The contents of your or your tenants' outbound mail.
  • Card numbers — payment is handled by Stripe Checkout; cards never touch our servers.
  • Cross-site advertising trackers. We use self-hosted Umami; no third-party analytics.

Where data lives

DigitalOcean (US-East), single-region. Encrypted at rest (LUKS + per-row Fernet for sensitive fields). Daily off-host backups encrypted with a separate key.

Sharing

We do not sell or rent your data. We share data with subprocessors strictly to deliver the service: DigitalOcean (hosting), Cloudflare (DNS + CDN), Stripe (billing), Postmark (when configured as a deliverability fallback), and your own DNS provider (when you choose us as managed-DNS). A subprocessor list is available on request.

Your rights

Email support@mailstinger.com with subject line "data request" to access, export, or delete your account data. We respond within 30 days. EU/UK residents have additional rights under GDPR/UK-GDPR — same channel applies.

Retention

Account + domain config: until you delete your account. DMARC aggregate reports: 90 days by default (configurable per tenant). TLS-RPT reports: 90 days. Forensic (RUF) reports: 90 days. Inbound platform mail: 90 days. Audit log entries: 365 days. Backups overwrite on a 14-day rotation.

Contact

support@mailstinger.com. A real human responds within 1 business day.