Privacy Policy
Privacy policy for mxio.io — how we collect, use, and protect your data.
1. Introduction
This Privacy Policy describes how mxio ("we", "us", "our") collects, uses, and protects information when you use mxio.io ("the Service"). By using the Service, you agree to the practices described in this policy.
2. Information We Collect
Account Information
When you create an account, we collect:
- Email address — used for authentication, notifications, and account recovery
- Display name (optional) — used for personalization within the dashboard
- Authentication credentials — passkey public keys, TOTP secrets (encrypted at rest), recovery code hashes
Usage Data
We automatically collect:
- Domain queries — the domains and tools you use (for monitoring features and caching)
- IP address — used for rate limiting, session security, and abuse prevention
- User agent — browser and device information for session management
- Timestamps — when you access the Service and perform actions
Billing Information
Payment processing is handled entirely by Stripe. We do not store credit card numbers, bank account details, or other payment credentials on our servers. Stripe's handling of your payment information is governed by the Stripe Privacy Policy.
We store a reference to your Stripe customer ID and subscription status to manage plan features.
Email Analytics
When we send digest report emails and lifecycle marketing emails (tips, updates, milestones), we include a small invisible image (a "tracking pixel") to detect whether the email was opened. This helps us understand email deliverability and improve the email experience. The data collected is minimal:
- What we record: whether the email was opened and when (first open only)
- What we do NOT record: your IP address, device information, location, or any other data from the open event
Open tracking applies to digest report emails and lifecycle marketing emails only. It does not apply to alert notifications, authentication emails, or billing emails. If you disable digest reports (by setting your frequency to "none" in notification settings, or by clicking the unsubscribe link in any digest email), no further digest tracking pixels are sent. If you disable marketing emails (by toggling off "Tips & Updates" in notification settings, or by clicking the unsubscribe link in any marketing email), no further marketing tracking pixels are sent.
Marketing Preferences
If you opt in to marketing communications during account setup, we record your consent. You can change this preference at any time in your account settings or by unsubscribing from any marketing email.
AI-Powered Explanations (Beta)
When you use the AI explanation feature, the following data is sent to third-party AI providers for analysis:
- Domain name being checked
- DNS records and check results (e.g., SPF record contents, MX records, DKIM selectors)
- Check type (which tool generated the results)
This data is sent via API to Anthropic (Claude) and/or OpenAI (GPT) to generate plain-English explanations of your results. Under both providers' API terms, data submitted via API is not used for model training.
AI-generated explanations are stored in our database and associated with your account. They are automatically deleted after 30 days and are also deleted when you delete your account.
No private credentials, authentication tokens, or email message contents are sent to AI providers — only publicly queryable DNS data and the structured results of our analysis tools.
3. How We Use Your Information
We use collected information to:
- Provide the Service — authenticate you, run tools, monitor domains, send alerts
- Improve the Service — analyze usage patterns, identify bugs, optimize performance
- Communicate with you — send notification alerts you've configured, digest reports, account-related emails, and (only with your consent) marketing communications
- Measure email deliverability — detect whether digest report and lifecycle marketing emails were successfully delivered and opened (see "Email Analytics" above)
- Enforce our Terms — detect abuse, enforce rate limits, prevent unauthorized access
- Process billing — manage subscriptions and plan enforcement via Stripe
We do not sell your personal information to third parties.
4. Cookies and Local Storage
The Service uses:
- localStorage — to store your session token for authentication (same-origin, not accessible by third parties)
- Essential cookies — for session management if required by infrastructure
We do not use advertising cookies or third-party tracking scripts. We do not use Google Analytics or similar analytics platforms that track individual users across sites.
5. Third-Party Services
The Service integrates with the following third parties:
| Service | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Email, subscription plan |
| Cloudflare | CDN, DNS hosting, DDoS protection | IP address (via request routing) |
| DB-IP | IP geolocation lookups | IP addresses queried (not linked to accounts) |
| Public DNS servers | DNS queries for tool results | Domain names queried |
| Anthropic | AI-powered explanations (Beta) | Domain names, DNS records, check results |
| OpenAI | AI-powered explanations (Beta) | Domain names, DNS records, check results |
Each third party processes data according to their own privacy policies. AI provider data is sent via API and is not used for model training under their respective API terms.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Until account deletion |
| Session data | 30 days from last activity |
| Domain monitoring data | Duration of active monitoring + 30 days |
| Health check history | Per plan limits (7-365 days) |
| Notification history | 90 days |
| Tool query results (anonymous) | 24 hours (cache) |
| AI-generated explanations | 30 days |
| Aggregate analytics | Indefinitely (anonymized) |
When you delete your account, your personal data is removed within 30 days. Anonymized, aggregate data may be retained indefinitely.
7. Data Security
We protect your data through:
- Encryption in transit — all connections use TLS 1.2+
- Encryption at rest — TOTP secrets are encrypted with AES-256-GCM
- Hashed tokens — session tokens and recovery codes are stored as SHA-256 hashes
- Passkey security — WebAuthn credentials use public-key cryptography; private keys never leave your device
- Rate limiting — API endpoints are rate-limited to prevent brute-force attacks
- Access controls — admin actions are logged to an audit trail
No system is 100% secure. If we discover a data breach that affects your personal information, we will notify you as required by applicable law.
8. Your Rights
Depending on your jurisdiction, you may have the following rights:
GDPR (EU/EEA Users)
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate data
- Erasure — request deletion of your data ("right to be forgotten")
- Portability — request your data in a machine-readable format
- Objection — object to processing based on legitimate interests
- Withdrawal of consent — withdraw marketing consent at any time
Email tracking and ePrivacy: Digest report emails and lifecycle marketing emails contain tracking pixels (see "Email Analytics" in section 2). Under the ePrivacy Directive, this may require consent depending on jurisdiction. You can disable digest emails at any time via your notification settings or the unsubscribe link in any digest email, and you can disable marketing emails by toggling off "Tips & Updates" in notification settings or clicking the unsubscribe link in any marketing email. No further tracking occurs for disabled categories. We are reviewing this mechanism with legal counsel to ensure compliance across EU/EEA jurisdictions.
CCPA (California Users)
- Right to know — what personal information is collected and how it's used
- Right to delete — request deletion of your personal information
- Right to opt out — opt out of the sale of personal information (we do not sell personal information)
- Non-discrimination — we will not discriminate against you for exercising your rights
To exercise any of these rights, contact us at privacy@mxio.io.
9. Marketing Communications
We only send marketing emails (product updates, new features, tips) if you have explicitly opted in. You can:
- Opt in during account setup or in your account settings
- Opt out at any time by clicking "Unsubscribe" in any marketing email or updating your preferences in Settings
- Transactional emails (authentication, alerts you configured, billing) are not marketing and will be sent regardless of your marketing preference
10. Children's Privacy
The Service is not intended for users under the age of 16. We do not knowingly collect personal information from children. If we discover that we have collected information from a child, we will delete it promptly.
11. International Data Transfers
The Service is operated from the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. We take appropriate safeguards to protect your data in accordance with applicable data protection laws.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email or in-app notification. The "Last Updated" date at the top of this page indicates when the policy was last revised.
13. Contact
For privacy-related questions or to exercise your data rights:
- General support: support@mxio.io
- Privacy & data rights: privacy@mxio.io
You can also reach us through our contact page.
This Privacy Policy will be reviewed by legal counsel periodically. Last substantive update: 2026-02-26.