Privacy Policy.

Last Updated: May 15, 2026

Introduction

Authex Labs (“Authex,” “we,” “us”) is operated by HemanthVA Ventures LTD, a Scottish limited company registered in Glasgow. This policy describes how we collect, use, and protect information when you use authexlabs.com and the Authex email security platform (the “Service”).

HemanthVA Ventures LTD is the data controller for all customers. By using the Service, you agree to the practices described here. If you do not, please do not use the Service.

Information We Collect

We collect only what is needed to operate the Service:

  • Account data. Name, email, organisation name, and a hashed password. Billing details are handled by Stripe; we do not store card numbers.
  • Domain data. Domains you scan or monitor, the DNS records we retrieve, and the resulting reports and scores.
  • Usage and technical data. Pages viewed, features used, IP address, browser, and operating system. Used to operate the Service and detect abuse.
  • Communications. Support tickets, emails, and feedback you send us.

How We Use Information

  • Operate the Service, run scans, deliver reports, and provide monitoring and enforcement tools.
  • Detect and prevent abuse, fraud, and unauthorised access.
  • Respond to support requests and account communications.
  • Send transactional emails (results, alerts, billing). Marketing emails only with consent and always with a one-click unsubscribe.
  • Comply with applicable law.
  • Improve the Service using aggregated, anonymised usage data.

DNS and Email Data

We query publicly available DNS records (SPF, DKIM, DMARC, MTA-STS, TLS-RPT, BIMI). Querying public DNS is equivalent to any standard lookup. We store scan results so you can see history and change detection over time.

We may publish aggregate, anonymised statistics from scan data for research (e.g. enforcement rates by country). Aggregated data cannot identify individual users.

Authex never accesses, reads, or stores the content of email messages. The Service operates only at the DNS and authentication-protocol level. DMARC aggregate reports contain metadata about email delivery, not message content.

Data Sharing

We do not sell personal information. We share it only in these limited cases:

  • Sub-processors. Service providers that help us operate the platform (payment processing, hosting, email delivery, analytics). The current list is in the .
  • Legal requirements. Where required by law, regulation, or a valid legal process.
  • Business transfers. If Authex is acquired or merges, your information may transfer. We will notify you in advance.

Data Security

We implement appropriate technical and organisational measures to protect personal data, including encryption in transit and at rest, access controls, and rate limiting. No system is perfectly secure; we cannot guarantee absolute security.

Data Retention

We retain personal data only as long as needed to provide the Service or as required by law:

  • Account data. For the life of your account, plus 30 days after deletion to allow recovery.
  • Scan results. Up to 24 months for active accounts. Anonymised aggregates may be retained longer.
  • DMARC reports. Aggregate reports (no message content): up to 24 months. Forensic reports that include addresses: tokenised at 90 days, deleted at 180 days.
  • Usage and technical data. Up to 12 months.
  • Support records. Up to 24 months.

Your Rights

You can request access, correction, deletion, or a portable copy of your personal data, and you can opt out of marketing at any time. UK and EEA residents have additional rights under the UK GDPR and GDPR, including the right to restrict or object to processing, withdraw consent, and lodge a complaint with a supervisory authority (in the UK, the ICO). California residents have rights under the CCPA, including the right to know, delete, and opt out of sale (we do not sell personal information).

To exercise any right, email privacy@authexlabs.com. We respond within 30 days.

International Transfers

Some of our sub-processors are based outside the UK and EEA. For transfers from the UK, EEA, or Switzerland we rely on the UK International Data Transfer Addendum and the European Commission's Standard Contractual Clauses, or on adequacy decisions where they apply. Details are in the .

Cookies

See the for the cookies we use and how to manage them.

Children

The Service is not intended for anyone under 16. We do not knowingly collect data from children. If you believe a child has provided us data, email privacy@authexlabs.com and we will delete it.

Changes

We may update this policy. Material changes are announced by email to account holders and posted here with a new effective date.

Contact

  • Email: privacy@authexlabs.com
  • Post: HemanthVA Ventures LTD, Clyde Offices, 2nd Floor, 48 West George Street, Glasgow G2 1BP, Scotland, United Kingdom

Have questions?

If you have any questions about our privacy policy, please contact our legal team.

Contact Legal