Privacy Policy
Effective Date: June 27, 2026  ·  Last Updated: July 4, 2026

This Privacy Policy describes how Drakaro (“we,” “us,” or “our”) collects, uses, and handles your information when you use our email threat protection service (“Service”). We built Drakaro to be as privacy-preserving as possible — we only collect what we need to protect your inbox.

1. What We Collect

DataWhy we collect itRetained?
Name, email address, profile picture Account creation via Google or Microsoft Sign-In Until you delete your account
Gmail or Microsoft Outlook OAuth refresh token To access your inbox for scanning (read & modify only) Until you disconnect your inbox
Scan statistics (emails scanned, threats blocked) Displayed on your dashboard Until you delete your account
Threat records (sender, subject line, date, threat reason) — all plans Displayed in your threat viewer so you can review flagged emails Up to 2 weeks, then auto-removed
All domains & URLs extracted from emails — Free plan Threat intelligence, service improvement, and commercial use See Section 3
Malicious URLs only — Basic plan; Malicious & suspicious URLs — Pro, Ultra plans Threat intelligence and collective security improvement See Section 3
Billing information Payment processing for Basic and Pro plans Managed by our payment processor; we do not store card details

2. What We Never Collect

We never store the full content of your emails — no message bodies, recipient addresses, or attachments beyond what is described below. Email content is processed in memory during a scan and immediately discarded.

Threat metadata (all plans): When Drakaro detects a malicious or suspicious email, we store a minimal record containing the sender address, subject line, date, and the reason it was flagged (e.g., “phishing domain detected”). This is displayed in your threat viewer on the dashboard. The full message body is never stored. Threat records are automatically removed after 2 weeks.

Attachment scanning (Basic, Pro, and Ultra plans): Incoming email attachments are temporarily transferred to a secure isolated environment for malware scanning. Attachments are permanently deleted immediately after the scan completes — typically within seconds. They are never retained, indexed, or accessible to Drakaro staff. Free plan users’ attachments are never scanned.

3. Domain, URL & Scan Data by Plan

Free plan users: When we scan your emails, we extract all domains and URLs found in links (e.g., “malicious-site.xyz”). On the Free plan, all URL and domain strings — regardless of whether they are determined to be safe, suspicious, or malicious — are logged and may be shared with or sold to third parties, including cybersecurity and threat intelligence partners. This data may include a record of which domains or URLs were encountered in connection with your account. No email content — no subject lines, message bodies, or sender information — is ever included. This is how the Free plan is supported at no cost.

Basic, Pro, and Ultra plan users: URLs determined to be safe are not logged or retained — zero data retention on clean scan results. However, URLs determined to be malicious or suspicious are retained across all plans (including paid) for threat intelligence purposes. These URLs are stripped of personally identifiable information and may be included in aggregated, anonymized threat feeds shared with enterprise security partners. No email content, sender information, or account details are ever included in threat feeds.

If you do not want your safe URL data used commercially, upgrade to the Basic plan or higher at any time from your dashboard.

Advanced URL scanning (Pro and Ultra plans): Pro and Ultra plan users receive a second layer of URL threat analysis using commercial URL reputation services. URLs extracted from your emails are submitted to these services in real time for threat lookup. They receive only the URL being checked — never your identity, email content, or account information.

4. How We Use Your Data

We do not use your data for advertising, we do not build behavioral profiles, and we do not share your personal information with third parties except as described in this policy. Threat intelligence shared with partners contains only anonymized threat indicators (malicious URLs, domains, and attack signatures) — never user identities, email content, or account information.

5. Third-Party Services

To provide the Service, we work with a small number of carefully selected third-party providers. We do not disclose the specific vendors that power our threat detection engine, as that information is proprietary. All providers we use are contractually required to handle data securely and in accordance with applicable privacy laws.

CategoryPurpose
Email provider APIs Connecting to your Gmail or Outlook inbox to scan incoming messages and manage quarantine
Threat intelligence providers Real-time lookup of domains and URLs against commercial threat databases to identify phishing, malware, and spam. These services receive only the domain or URL being checked — never your identity or email content.
Payment processor Secure processing of subscription payments for paid plans. We do not store your payment card details — all billing data is handled directly by our payment provider.
Cloud infrastructure Hosting, database storage, and execution of our scanning infrastructure. All data is encrypted at rest and in transit.
Edge network & delivery Traffic routing, DDoS protection, and fast delivery of the Drakaro application.

You may request a list of our sub-processors by contacting us at support@drakaro.com.

6. Data Security

We take security seriously. All data in transit is encrypted with TLS. Data at rest is stored with encryption enabled. Access to production systems is restricted and protected by multi-factor authentication. Our API enforces session-based access controls on every request.

No system is 100% secure. If you discover a security vulnerability, please contact us responsibly at support@drakaro.com.

7. Your Rights

You have the right to:

If you are in the European Economic Area (EEA), you have additional rights under GDPR including the right to object to processing and the right to lodge a complaint with your local supervisory authority.

8. Data Retention

9. Children’s Privacy

Drakaro is not directed at children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or via a notice on your dashboard at least 14 days before changes take effect. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

11. Contact

For privacy-related questions or data requests:

Drakaro
Email: support@drakaro.com
Website: https://drakaro.com