Privacy Policy & Data Safety Declaration

Effective Date: December 9, 2025

Operator:

Sender Guardian is a specialized service of Workflow Advisors LLC, a New York State limited liability company (“Workflow Advisors”, “Sender Guardian”, “we”, “us”, or “our”).

This Privacy Policy explains how we collect, use, and protect information when you:

  • Visit senderguardian.com or related pages (the “Site”); and
  • Engage us to provide email authentication, DMARC, and deliverability services (the “Services”).

We treat privacy as part of security infrastructure. Our goal is to help you comply with bulk-sender rules and protect your revenue without unnecessarily exposing your customers’ data.

1. Our Core “Guardian” Protocols

We apply a set of operational constraints designed to minimize risk for you and your customers.

1.1 DMARC Aggregate Only (No DMARC Forensic / RUF by Default)

  • Aggregate (RUA) reports only. As part of our standard configuration, we request DMARC aggregate (RUA) reports only. These reports contain technical metadata about email flows (sending IPs, sending domains, alignment/authentication results, and message counts).
  • No forensic (RUF) reports in standard service. We do not request DMARC forensic (“RUF”) reports by default. These reports can include portions of email headers and content and may contain personal data.
  • If you explicitly request RUF. If a client requests that we enable RUF:
    • We will document that request in writing.
    • We will configure RUF to minimize content where possible.
    • We will handle any resulting data as highly sensitive and limit retention to what is necessary for the specific investigation.

1.2 AI & Data-Training Safety

We use Large Language Models (“LLMs”) to assist with wording and explanations, not to build profiles on your customers.

  • Purpose. We may use AI tools to:
    • Summarize technical findings (e.g., DMARC/SMTP issues) in plain language.
    • Draft portions of reports, emails, or documentation directed to you.
  • What we do not send. In our standard processes, we do not send to general-purpose AI tools:
    • Your full customer lists.
    • Email message bodies.
    • Raw log exports that include customer message content.
  • Data-training safeguards. We either:
    • (a) use AI providers that contractually commit not to train on customer data; or
    • (b) configure tools to disable training on content we submit; or
    • (c) restrict what we send so it contains only redacted or generalized technical information.

We do not authorize any AI provider to use your data for training general models for their other customers.

If you prefer that we not use AI tools at all with your account, you may request an “AI-free” mode for your engagement and we will honor that request.

1.3 Delegated Access as the Default

  • No passwords as a standard practice. We do not ask for, nor do we rely on, your primary username/password credentials for:
    • Domain registrars and DNS providers.
    • Shopify stores.
    • Email service providers (e.g., Klaviyo, Google Workspace, Microsoft 365).
  • Delegated access only. We work through:
    • DNS delegation, sub-accounts, or role-based access at your registrar or DNS host.
    • Shopify Collaborator accounts.
    • Admin roles in ESPs and related platforms.
  • Exceptions (if absolutely necessary). If there is no technical way to use delegated access with a legacy provider:
    • We will discuss the risk with you.
    • Any credential sharing must be explicitly agreed in writing.
    • Access will be time-limited and revoked immediately after the work is complete.

This approach keeps you in control and ensures that platforms can log and audit our activity.

2. Information We Collect

We distinguish between three main categories of data:

  • Website & marketing data – about visits to senderguardian.com.
  • Client account & service data – about you and your infrastructure.
  • Payment data – handled by our payment processor.

2.1 Information You Provide Voluntarily

When you fill out our intake forms or otherwise contact us, we may collect:

  • Identification and contact details:
    • Name.
    • Business email address.
    • Company/brand name.
    • Role or job title (if provided).
  • Technical and business context:
    • Primary sending domain(s).
    • Shopify store URL.
    • ESP/Email provider choices (e.g., Klaviyo, Google Workspace, Microsoft 365).
    • Approximate sending volume.
  • Service communications:
    • Emails and other messages you send us.
    • Any screenshots, logs, or configuration exports you choose to share.

This data is collected primarily via:

  • Forms hosted on our website; and
  • Direct communication via email or other channels you initiate.

2.2 Information Collected Automatically (Site Analytics)

When you visit the Site, we use Google Analytics 4 (GA4) to collect standard website analytics, which may include:

  • Pages visited, time on page, and navigation flows.
  • Browser and device type.
  • General geographic region (city/country level, not precise coordinates).
  • Referring URLs and campaign parameters (if applicable).

We use this data in aggregated form to understand traffic patterns and improve our content and marketing.

2.3 Service & Infrastructure Data

When you engage us for the Services, we may process:

  • DNS configuration details you or your providers make available to us:
    • SPF, DKIM, DMARC, MX, and related DNS records.
    • Other DNS records relevant to email routing and security (e.g., TLSRPT).
  • DMARC aggregate reports (RUA) received and processed via Uriports:
    • Sending IP addresses and hostnames.
    • Sending domains and alignment/authentication results.
    • Approximate message volumes per source.
    • Results of SPF, DKIM, and DMARC checks.
  • Third-party telemetry:
    • Gmail Postmaster Tools metrics (where you grant access).
    • Outlook/Hotmail SNDS/JMRP data (where enabled).
    • Similar mailbox provider telemetry where applicable.

We treat these data sources as “Service Data” – used strictly to diagnose and maintain your email authentication and deliverability posture.

2.4 Payment Information

We use Stripe to process payments. When you pay us:

  • Stripe receives your payment card details directly.
  • We do not store your full payment card number or CVV on our own systems.
  • We may receive limited billing information from Stripe (e.g., last 4 digits, card type, billing email, transaction timestamps) for invoicing and accounting.

3. Our Technology Stack (Sub-processors)

We rely on third-party providers (“Sub-processors”) to operate the Site and Services. We select vendors that are widely used, professionally managed, and provide security commitments appropriate to their role.

As of the Effective Date, key providers include:

Provider         | Purpose                                         | Primary Location / Notes
Cloudflare, Inc. | DNS hosting, web security, and website hosting  | Global network / US-based company
Uriports B.V.    | DMARC aggregate (RUA) and related telemetry     | EU-based (Netherlands, GDPR-compliant)
Google LLC       | Google Workspace (email, docs) & GA4 analytics  | US-based, data centers globally
Stripe, Inc.     | Payment processing                              | US-based, global payment infrastructure

Where we act as a service provider for clients subject to data protection laws, we rely on these vendors as sub-processors under appropriate contractual terms (e.g., DPAs, SCCs/IDTA where relevant).

4. How We Use Your Information

We use the data described above only for legitimate business purposes, including:

  • To provide and improve the Services, including:
    • Analyzing your SPF/DKIM/DMARC configuration and related telemetry.
    • Diagnosing deliverability issues and identifying unauthorized senders.
    • Implementing and maintaining authentication and DMARC policies as agreed.
  • To communicate with you, including:
    • Sending deliverability reports and recommendations.
    • Responding to questions and support requests.
    • Providing administrative notices about your account and our terms.
  • To operate and improve the Site, including:
    • Understanding how visitors use senderguardian.com.
    • Evaluating content performance and interest in our services.
  • To process payments and maintain business records, including:
    • Invoicing and transaction confirmation.
    • Accounting, tax, and record-keeping.
  • To protect security and prevent abuse, including:
    • Detecting unusual or unauthorized access to client infrastructure.
    • Investigating suspected misuse of our Services.

We do not:

  • Sell your personal data.
  • Share your data with third parties for their own independent advertising or marketing purposes.

5. Cookies and Similar Technologies

Our Site may use cookies or similar technologies in connection with:

  • Essential functionality (e.g., maintaining sessions where applicable).
  • Analytics (via GA4), which uses cookies or equivalent identifiers to understand how visitors use the Site.

You can control cookies and local storage through your browser settings. Disabling cookies may affect some aspects of the Site’s functionality, but should not affect your ability to contact us or engage our Services.

We currently do not use third-party advertising networks on the Site.

6. Legal Basis & Roles

Depending on your jurisdiction, our legal bases for processing may include:

  • Performance of a contract (providing the Services you request).
  • Legitimate interests (e.g., securing email infrastructure, preventing abuse, understanding Site usage).
  • Compliance with legal obligations (e.g., accounting, tax records).

In general:

  • For Site & marketing data, we act as an independent controller.
  • For Service Data (e.g., DMARC reports processed on your behalf), we typically act as your processor/service provider, following your instructions as set out in our engagement agreement.

If you require a specific data processing addendum (e.g., for GDPR or similar regimes), we can provide one upon request.

7. Data Retention

We retain data only as long as reasonably necessary for the purposes described in this Policy, including:

  • Client account and service records: for the duration of our engagement and a reasonable period thereafter, typically up to 3–7 years, to:
    • Maintain accurate business records.
    • Comply with tax and accounting obligations.
    • Defend against potential legal claims.
  • DMARC and related telemetry: kept as long as necessary to maintain and analyze your email authentication posture, generally no longer than required for trend analysis, risk assessment, and reporting cadence.
  • Website analytics data: retained according to GA4’s configuration and anonymization settings.
  • Payment and transactional records: maintained as required by applicable law.

You may request deletion of certain data (see Section 8). In some cases we may be required to retain specific records despite such a request (e.g., for legal compliance).

8. Your Rights

Your rights may vary depending on your jurisdiction, but typically include the ability to:

  • Request access to personal data we hold about you.
  • Request correction of inaccurate or incomplete personal data.
  • Request deletion of personal data, subject to legal and contractual limitations.
  • Object to or request restriction of certain processing.
  • Request a copy of your personal data in a portable format, where required by law.

To exercise any of these rights, contact us at [email protected] or [email protected]. We may need to verify your identity before fulfilling your request.

If you believe your privacy rights have been violated, you may also have the right to lodge a complaint with your local data protection authority.

9. Security

We take reasonable technical and organizational measures to protect the data we handle, including:

  • Using reputable infrastructure providers with robust security programs (Cloudflare, Google, Uriports, Stripe, etc.).
  • Enforcing access controls and least-privilege access for accounts used to manage DNS, email, and client environments.
  • Using multi-factor authentication (MFA) where supported by vendors.
  • Encrypting network communications using HTTPS/TLS.
  • Monitoring for unusual access and promptly revoking access that is no longer needed.

No system can guarantee absolute security, but our business depends on maintaining trustworthy infrastructure, and we design our practices with that in mind.

10. International Transfers

We are based in the United States and may process data in the US and other countries where our vendors operate.

  • Data processed by Uriports is typically stored and processed within the EU.
  • Data processed by Cloudflare, Google, and Stripe may be stored or processed in multiple regions.

Where required, we rely on appropriate safeguards (e.g., Standard Contractual Clauses, UK IDTA, or equivalent mechanisms) offered by our vendors for cross-border transfers.

11. Children’s Privacy

Our Site and Services are intended for businesses and professionals, not for children.

We do not knowingly collect personal data from children under the age of 16. If you believe a child has provided us with personal data, please contact us at [email protected] and we will delete such information as required by law.

12. Changes to This Policy

We may update this Privacy Policy from time to time as our Services and legal obligations evolve.

  • When we make material changes, we will update the “Effective Date” at the top of this page.
  • In some cases, we may provide additional notice (e.g., by email or a notice on the Site) if required by law.

Your continued use of the Site or Services after an updated Policy is posted constitutes your acceptance of the changes.

13. Contact Us

If you have any questions about this Policy or our data protection practices, contact:

Workflow Advisors LLC (d/b/a Sender Guardian)

Email: [email protected]

Alternate: [email protected]