This Privacy Policy describes how Drakaro (“we,” “us,” or “our”) collects, uses, and handles your information when you use our email threat protection service (“Service”). We built Drakaro to be as privacy-preserving as possible — we only collect what we need to protect your inbox.
| Data | Why we collect it | Retained? |
|---|---|---|
| Name, email address, profile picture | Account creation via Google or Microsoft Sign-In | Until you delete your account |
| Gmail or Microsoft Outlook OAuth refresh token | To access your inbox for scanning (read & modify only) | Until you disconnect your inbox |
| Scan statistics (emails scanned, threats blocked) | Displayed on your dashboard | Until you delete your account |
| Threat records (sender, subject line, date, threat reason) — all plans | Displayed in your threat viewer so you can review flagged emails | Up to 2 weeks, then auto-removed |
| All domains & URLs extracted from emails — Free plan | Threat intelligence, service improvement, and commercial use | See Section 3 |
| Malicious URLs only — Basic plan; Malicious & suspicious URLs — Pro, Ultra plans | Threat intelligence and collective security improvement | See Section 3 |
| Billing information | Payment processing for Basic and Pro plans | Managed by our payment processor; we do not store card details |
Threat metadata (all plans): When Drakaro detects a malicious or suspicious email, we store a minimal record containing the sender address, subject line, date, and the reason it was flagged (e.g., “phishing domain detected”). This is displayed in your threat viewer on the dashboard. The full message body is never stored. Threat records are automatically removed after 2 weeks.
Attachment scanning (Basic, Pro, and Ultra plans): Incoming email attachments are temporarily transferred to a secure isolated environment for malware scanning. Attachments are permanently deleted immediately after the scan completes — typically within seconds. They are never retained, indexed, or accessible to Drakaro staff. Free plan users’ attachments are never scanned.
Basic, Pro, and Ultra plan users: URLs determined to be safe are not logged or retained — zero data retention on clean scan results. However, URLs determined to be malicious or suspicious are retained across all plans (including paid) for threat intelligence purposes. These URLs are stripped of personally identifiable information and may be included in aggregated, anonymized threat feeds shared with enterprise security partners. No email content, sender information, or account details are ever included in threat feeds.
If you do not want your safe URL data used commercially, upgrade to the Basic plan or higher at any time from your dashboard.
Advanced URL scanning (Pro and Ultra plans): Pro and Ultra plan users receive a second layer of URL threat analysis using commercial URL reputation services. URLs extracted from your emails are submitted to these services in real time for threat lookup. They receive only the URL being checked — never your identity, email content, or account information.
We do not use your data for advertising, we do not build behavioral profiles, and we do not share your personal information with third parties except as described in this policy. Threat intelligence shared with partners contains only anonymized threat indicators (malicious URLs, domains, and attack signatures) — never user identities, email content, or account information.
To provide the Service, we work with a small number of carefully selected third-party providers. We do not disclose the specific vendors that power our threat detection engine, as that information is proprietary. All providers we use are contractually required to handle data securely and in accordance with applicable privacy laws.
| Category | Purpose |
|---|---|
| Email provider APIs | Connecting to your Gmail or Outlook inbox to scan incoming messages and manage quarantine |
| Threat intelligence providers | Real-time lookup of domains and URLs against commercial threat databases to identify phishing, malware, and spam. These services receive only the domain or URL being checked — never your identity or email content. |
| Payment processor | Secure processing of subscription payments for paid plans. We do not store your payment card details — all billing data is handled directly by our payment provider. |
| Cloud infrastructure | Hosting, database storage, and execution of our scanning infrastructure. All data is encrypted at rest and in transit. |
| Edge network & delivery | Traffic routing, DDoS protection, and fast delivery of the Drakaro application. |
You may request a list of our sub-processors by contacting us at support@drakaro.com.
We take security seriously. All data in transit is encrypted with TLS. Data at rest is stored with encryption enabled. Access to production systems is restricted and protected by multi-factor authentication. Our API enforces session-based access controls on every request.
No system is 100% secure. If you discover a security vulnerability, please contact us responsibly at support@drakaro.com.
You have the right to:
If you are in the European Economic Area (EEA), you have additional rights under GDPR including the right to object to processing and the right to lodge a complaint with your local supervisory authority.
Drakaro is not directed at children under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
We may update this Privacy Policy from time to time. We will notify you of material changes by email or via a notice on your dashboard at least 14 days before changes take effect. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
For privacy-related questions or data requests:
Drakaro
Email: support@drakaro.com
Website: https://drakaro.com