Privacy Policy
Last updated June 2026
AuthDrift is built to hold as little personal data as the product allows. This page explains what we collect, why, how long we keep it, and your rights under the GDPR.
What we collect
- Account data — your email address and display name, mirrored from our identity provider when you sign in, plus your account and any teammates you invite.
- Monitored domains — the domains you add, their DNS-derived posture snapshots, and detected drift events.
- DMARC reports — aggregate (RUA) reports you route to AuthDrift, including the sending IP addresses they name. We ignore forensic (RUF) reports.
- Public checks — every free public check is stored anonymously: the domain and its results, with no personal data. The only trace of the caller is a one-way keyed hash of their IP address, kept to detect abuse — it cannot be reversed to an IP.
- Waitlist — if you ask to be alerted, the email address and domain you submit.
Why we collect it
To run the service you asked for: authenticate you, monitor your domains, send the drift alerts and reports you configure, and protect the service from abuse. We do not sell personal data or use it for advertising.
Where it is hosted
AuthDrift and its database are hosted in the European Union. Sign-in is handled by our EU-hosted identity provider, and transactional email (alerts, reports, invitations) is sent through a transactional-email provider. These subprocessors receive only the data needed to perform their function.
How long we keep it
Posture history and drift events are retained for 30 days during the free MVP, after which older history is trimmed automatically. Anonymous public-check records are kept on a rolling window. When you delete a domain it is removed from monitoring and its history is purged after a short grace period.
Deleting your data
An account owner can delete the entire account from Settings → Delete account. This is a hard purge: the account, its domains, snapshots, drift history, DMARC reports, reports, alert channels, members, and sessions are irreversibly deleted, and any identity left with no other account is removed too. There is no recovery and no retention beyond what the law requires.
Your rights
Under the GDPR you can access, correct, export, or erase your personal data, and object to or restrict its processing. The account owner can action most of this directly in the app; for anything else, contact us and we will respond within the statutory timeframe.