Privacy Policy
Last updated: 2026-05-17
1. Controller
Mailantis
Bockgasse 3, 4020 Linz, Austria
VAT ID: ATU 80124036
Phone: +43 (732) 29-70-03
Email: [email protected]
Data Protection Officer: Jan Hofer (Managing Director), reachable at [email protected].
2. Principles of Processing
We process personal data only to the extent necessary to provide our services, to comply with legal obligations or to safeguard legitimate interests. Processing is carried out in accordance with the GDPR and the Austrian Data Protection Act.
3. Purposes of Processing and Legal Bases
3.1 Provision of the Website (mailantis.com)
When you access the website, we process technically necessary data (IP address, date, page visited, referrer, user agent). Legal basis: legitimate interest pursuant to Art. 6(1)(f) GDPR (secure operation).
For statistical reach measurement we use Google Analytics (Google Ireland Limited). Processing only takes place after your explicit consent via the cookie banner. Legal basis: consent pursuant to Art. 6(1)(a) GDPR. You may withdraw consent at any time with effect for the future.
3.1a Self-Check Tools (tool pages and full check)
When you run a DNS or TLS self-check on mailantis.com (SPF, DKIM, DMARC, MX, BIMI, MTA-STS, TLS-RPT, DNSSEC), we transmit a record per checked domain to our API (cert-api.mailantis.com) containing the following fields: the checked domain, check type, language preference (de/en), timestamp, your IP address, a two-letter country code derived from that IP, and a randomly generated session ID. Processing takes place via our edge provider Deno Land Inc., edge PoP Frankfurt. Your user agent and any other device identifier are not stored. Purpose: aggregated usage statistics to improve the free self-check tool and abuse detection. Legal basis: legitimate interest pursuant to Art. 6(1)(f) GDPR. Retention: 90 days for individual events and sessions, 13 months for aggregated counters.
3.2 Account and SaaS Usage (app.mailantis.eu)
Upon registration, we process account data (name, email, company, VAT ID where applicable). Legal basis: contract performance (Art. 6(1)(b) GDPR).
During use, we process DMARC aggregate reports (header data, sender IPs). Forensic reports may contain personal data (email addresses); pseudonymised by default. Legal basis: legitimate interest for spoofing defence.
3.3 Contact
When you contact us, we process the information provided (name, email, request). Legal basis: pre-contractual measure or legitimate interest (Art. 6(1)(b)/(f) GDPR).
3.4 Newsletter
Newsletter sign-up requires explicit consent. Legal basis: consent (Art. 6(1)(a) GDPR). Withdrawal possible at any time via the unsubscribe link.
4. Recipients / Data Processors
We engage the following sub-processors:
| Provider | Location | Purpose |
|---|---|---|
| Stripe Payments Europe Ltd. | Ireland (EU) | Payment processing |
| Sectigo Ltd. | UK / EU operations | S/MIME certificate issuance |
| Cloudflare Inc. | EU tier (static frontend) | CDN, DDoS protection |
| Google Ireland Limited (Google Analytics) | Ireland (EU) / processing also in the USA | Reach measurement for the marketing website (only after consent) |
| Deno Land Inc. | USA (Edge PoP Frankfurt) | Hosting of the self-check API (cert-api.mailantis.com) |
Data processing agreements (DPAs) are in place and available on request. For transfers to Google in the USA, the EU Standard Contractual Clauses pursuant to Art. 46 GDPR and the EU-US Data Privacy Framework adequacy decision apply; additionally, the data subject's consent is required.
5. Retention Period
- Server logs: 14 days
- Self-check tool events: 90 days; aggregated counters: 13 months
- Account data: for the duration of the contractual relationship + statutory retention periods
- DMARC aggregate reports: configurable 30 / 90 / 365 days depending on the plan
- Forensic reports: 30 days, opt-out available
- Accounting / invoices: 7 years (§132 Austrian Federal Fiscal Code / BAO)
6. Your Rights
You have the right to:
- Access (Art. 15 GDPR)
- Rectification (Art. 16)
- Erasure (Art. 17)
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Object to processing based on legitimate interests (Art. 21)
- Lodge a complaint with the supervisory authority (in AT: dsb.gv.at)
Please direct requests to [email protected]. We will respond within the statutory one-month period.
7. Security of Processing
We implement technical and organisational measures pursuant to Art. 32 GDPR: TLS encryption, encryption at rest, multi-factor authentication, audit logs, regular penetration tests, employee awareness training.
8. Changes to this Policy
We reserve the right to amend this privacy policy to reflect changes in legal or factual circumstances. We will actively communicate material changes by email to registered users.
For privacy-related questions: [email protected]