Mailhardener Privacy Statement

In this privacy policy, we explain how we collect and use your data when using the Mailhardener Suite, visit our website, or otherwise interact with us. Make sure to read the policy carefully.

1. About Mailhardener

We are Mailhardener, we offer the Mailhardener email hardening suite, as well as email hardening consulting service. Mailhardener is a registered trademark of our parent company Mailhardener B.V., registered at the Dutch Chamber of Commerce with registration number 92907814. Our office is at office unit 18 of Caballero Fabriek, Saturnusstraat 60, 2516AH, The Hague, Netherlands.

If you have any questions or concerns, you can contact us at

2. Types of personal data we collect and use

2.1 Name, email address and other identifying data

When you make a Mailhardener account, either for evaluation, personal or professional use, we collect your name and email address. If you set up a paid Mailhardener account, we also collect the name, address and VAT number of your organization.

2.2 Reports

When you use Mailhardener for DMARC (rfc7489) aggregation reports, or for SMTP TLS reporting (rfc8460) then Mailhardener collects and enriches the report data for your domains. These reports contain IP addresses and delivery results. These reports DO NOT contain any personally identifiable information, such as email addresses or the content of the email.

DMARC failure reports (previously known as DMARC forensic reports) may contain personally identifiable information, such as email addresses, email subjects and/or email body text. If you use Mailhardener for aggregating DMARC ruf reports (which is not enabled by default), these reports will be stored on our servers.

2.3 Our communication with you

When you send us an email or chat with us online or via social media, we register your messages.
We register your communication preferences, for example when you subscribe to our newsletter or when you choose to receive alerts regarding your domain (such as DNS changes, or SMTP TLS errors). If you have email alerts enabled (such as DNS change alerts, or SMTP TLS error alerts), then those messages we send are stored for future reference.

3. Third party data sharing

We may share your personal data with third parties in the following cases:

3.1. Payment service

To process payments for your Mailhardener account, we may work with third parties that offer payment services. In many cases, those payment service providers also conduct fraud checks. They operate their own privacy policies in terms of the way in which they use your personal data.

3.2. Exception tracking service

Mailhardener may use third party exception tracking services to track errors on the various Mailhardener applications that make up the Mailhardener Suite. In case an error is encountered while you use the dashboard application, your browser User Agent, IP address and the error message may be sent to, stored by and processed by a third party. We have taken care to scrub any credentials and other personally identifiable information from these reports as they are generated.

4. Retention

We do not keep your personal data for any longer than is necessary. How long your personal data is retained depends on the purposes for which the data is processed and the applicable statutory retention periods. For example: under Dutch law, Mailhardener is obligated to store its financial transaction data for at least 5 years, this may contain your contact information, even after you closed your account.

The retention period of DMARC and SMTP TLS reports depends on your subscription tier.

5. Security

Mailhardener is founded by engineers with personal interest in security and privacy. As such, ensuring the security and confidentiality of your personal data is our priority.

We have put in place all appropriate technical and organizational measures as required by applicable legal provisions (in particular article 32 of the General Data Protection Regulation (GDPR)) to ensure an appropriate level of security and, in particular, to prevent any accidental or unlawful destruction, loss, alteration, disclosure, intrusion of or unauthorized access to these data.

5.1 Responsible disclosure

If you discover a security or privacy vulnerability, please disclose this responsibly via

5.2 Banking transactions

We are required to comply with the Data Security Standard for the Payment Card Industry (the PCI DSS standard) issued by the PCI Security Standards Council (PCI SSC). This standard was created to increase control over cardholder information to reduce the fraudulent use of payment instruments. All our service providers required to process bank card data must comply with the PCI DSS standard. We strive to combat identity theft on the Internet. For this reason, we use, for example, a device for detecting fraudulent payments designed to protect you in the event of loss or theft of your bank card.

5.3 Management of security incidents

There is no such thing as ‘zero risk’ and even if we implement all the security measures recognised as appropriate, unforeseen things can happen. We have specific procedures and resources in place to manage security incidents under the best possible conditions. We have also set up a specific procedure for assessing possible breaches of security that could lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to your personal data, for notifying the competent supervisory authority within the period stipulated by applicable law, and for warning you when a breach is likely to result in a high risk to your rights and freedoms. Tests are carried out periodically to verify the functioning of the security installations and adequacy of the procedures and devices deployed.

5. Your rights

You may contact us (see section 1 above) to exercise any of the rights you are granted under applicable data protection laws, including (A) the right to access your data, (B) to rectify your data, (C) to erase your data, (D) to restrict the processing of your data, (E) the right to data portability, and (F) the right to object to processing.

5.1 Right to access

You may ask us whether we collect or use any of your personal data and, if so, to receive access to that data in the form of a copy. Any report processed by Mailhardener can also be downloaded through the Mailhardener dashboard application.

5.2 Right to rectification

You have the right to have your data rectified if it is inaccurate or incomplete. Upon request, we will correct inaccurate personal data about you and, taking into account the purposes of the processing, complete incomplete personal data, which may include the provision of a supplementary statement.

5.3 Right to erasure

You have the right to have your personal data erased. This means that we will delete your data. Erasure of your personal data only takes place in certain cases, as prescribed by law and listed in Article 17 of the General Data Protection Regulation (GDPR). This includes situations where your personal data is no longer necessary for the purposes for which it was originally processed, and situations where your data was processed unlawfully. Due to the way in which we maintain certain services, it may take some time before backup copies are erased.

5.4 Right to restriction of processing

You have the right to obtain a restriction on the processing of your personal data. This means that we will suspend the processing of your data for a certain period. Circumstances which may give rise to this right include situations where the accuracy of your personal data is contested, and we need some time to verify its (in)accuracy. This right does not prevent us from continuing to store your personal data. We will inform you before the restriction is lifted.

5.5 Right to data portability

Your right to data portability entails that you may ask us to provide you with your personal data in a structured, commonly used and machine-readable format, and have such data transmitted directly to another controller, where technically feasible. Upon request and where this is technically feasible, we will transmit your personal data directly to the other controller.

5.6 Right to object

You have the right to object to the processing of your personal data. This means you may ask us to no longer process your personal data. This only applies if the 'legitimate interests' ground (including profiling) constitutes the legal basis for processing (see 4.3 “Legal basis” above). You can object to direct marketing at any time and at no cost to you if your personal data is processed for this purpose, which includes profiling to the extent that it is related to direct marketing. If you exercise this right, we will no longer process your personal data for such purposes.

If you have your browser's Do Not Track (DNT) feature enabled, your visit to our website will not be registered.

6. How this privacy policy is updated

This privacy policy took effect on October 5th 2021 and replaced our previous privacy policy of September 20th 2017. This privacy policy is amended from time to time. We will notify you of any changes before they take effect.

This Agreement remains valid until superseded by a revised agreement mutually endorsed by the stakeholders.

6.1 Document versions

Version Since Changes
1.0 20-09-2017 Initial document release
1.1 05-10-2021 Updated for international compliance, added right to erasure
1.2 28-03-2024 Updated to reflect new legal entity Mailhardener B.V.