Privacy Policy

What We Collect and Why

We only collect what we need to provide the service. Here's what that means in practice.

Identity and access

When you sign up for Ray, we ask for your email address and a display name. That's it. We use your email to send you magic links, alerts, and important account notifications. We do not collect passwords because Ray uses passwordless authentication exclusively (passkeys and magic links).

DMARC aggregate reports

This is the core of what Ray processes. DMARC aggregate reports are XML files that mailbox providers (Gmail, Microsoft, Yahoo, and others) send to the address in your DMARC DNS record. These reports contain:

• Source IP addresses that sent email using your domain
• Message counts per source IP
• SPF and DKIM authentication results
• DMARC policy evaluation outcomes
• The reporting organization and the time period covered

These reports do not contain email content, subject lines, recipient addresses, or attachments. Ray never sees the content of your emails.

It's worth noting that DMARC aggregate reports contain information about third-party infrastructure (the IP addresses and networks that sent mail using your domain). This data originates from mailbox providers, not from you, and Ray processes it solely for the purpose of helping you understand and secure your email authentication.

DNS records

Ray performs DNS lookups against your domains to check SPF, DKIM, DMARC, MTA-STS, TLS-RPT, and BIMI records. This is publicly available data that anyone can query. We store the results to track changes over time and alert you when something changes.

Geolocation data

We resolve source IP addresses from your DMARC reports to approximate geographic locations (country, city) and network information (ASN, organization name). This helps you identify where email is being sent from on your behalf. We use the MaxMind GeoLite2 database for this, and no data is sent to MaxMind.

Audit logs

We log security-relevant events: authentication attempts, membership changes, domain operations, role changes, and API key operations. Each log entry includes a timestamp, source IP, the action performed, and who performed it. Audit logs are retained for 365 days and are immutable (they cannot be modified or deleted by anyone, including organization owners).

Cookies

Ray uses essential cookies for authentication and session management only. We do not use tracking cookies, analytics cookies, or advertising cookies. We do not run any third-party analytics or tracking scripts on our site.

What we don't collect

We want to be explicit about what Ray does not collect:

• Email content, subjects, or attachments
• Passwords (we don't support password-based authentication)
• Tracking or analytics data
• Advertising identifiers
• Data from third-party data brokers

When We Access or Share Your Information

To provide the service

Your data is processed by our infrastructure subprocessors (listed below) as necessary to run the service. We do not sell your data, use it for advertising, or share it with third parties for their own purposes.

When required by law

We may disclose your information when required by law, subpoena, or other legal process. If permitted, we will notify you before doing so. We have never received a national security order or been involved in a gag order.

If the company is acquired

If Ray is acquired by or merged with another company, we will notify you well before any of your personal information is transferred or becomes subject to a different privacy policy.

Your Rights

We apply these rights to all customers regardless of location, not just those in the EU or California.

• Right to Know. You have the right to know what personal information we collect about you and how we use it.
• Right of Access. You can access all your data through the dashboard and API at any time.
• Right to Correction. You can update your account information at any time.
• Right to Erasure. You can request deletion of your personal data. We will delete your data within 30 days of the request, except where we have a legal obligation to retain it.
• Right to Portability. All data accessible through the dashboard is also available through the API in standard formats. There are no export fees.
• Right to Object. You can object to our processing of your personal data. We will comply unless we have compelling legitimate grounds.
• Right to Complain. You have the right to lodge a complaint with a supervisory authority in your jurisdiction.

To exercise any of these rights, contact privacy@meetray.io.

How We Secure Your Data

All data is encrypted at rest using AWS KMS with dedicated encryption keys. All data in transit is encrypted with TLS. Our backend services are written in Rust, which prevents entire classes of memory safety vulnerabilities at compile time. All infrastructure is defined as code and deployed through CI/CD. For a detailed breakdown, see our security page.

Data Retention

DMARC report data is retained for up to 365 days across all plans. You can configure a shorter retention period in your account settings.

Raw report files are stored in S3 with KMS encryption and follow the same retention schedule. Audit logs are retained for 365 days regardless of plan tier. When you cancel your account, we retain your data for 30 days to allow for export, then permanently delete it.

Subprocessors

We use the following third-party services to operate Ray:

• Amazon Web Services (AWS) - Infrastructure (compute, storage, database, authentication, encryption). Data is stored in the US.
• SendGrid (Twilio) - Transactional email delivery (alerts, magic links). SendGrid processes your email address for delivery purposes only.
• Stripe - Payment processing (credit card and ACH). Stripe processes your name, email address, and billing information.

Location of Data

Ray is operated from the United States. All data is stored in AWS regions within the United States. If you are located outside the US, your data will be transferred to and processed in the US.

Changes to This Policy

We may update this privacy policy from time to time. We will notify you of significant changes by email at least 30 days before they take effect. Minor clarifications or formatting changes may be made without notification.

Contact

Have questions about this privacy policy? Contact privacy@meetray.io.