Policies · Privacy

Privacy policy

Last updated: 2026-05-23

Macfax is a verification product, not an analytics product. We collect what we need to issue a report, settle disputes, and operate the Service. Nothing more. This policy describes what we collect, why, how long we keep it, who we share it with, and the rights you have over it.

"Macfax," "we," and "us" mean the operator of the Macfax service. "You" means the person whose information is described in this policy. Terms not defined here have the meaning given in the Terms of Service.

1. Information we collect

We collect the following categories of information:

  • Contact information. Your email address, provided at checkout for Premium reports or bulk packs, in support correspondence, or when you request a follow-up (such as a price estimate). The email is the product identifier; there are no usernames or passwords.
  • Payment information. Payment metadata returned by Stripe, including the last four digits of your card, card country, payment status, and any fraud signals Stripe surfaces. We never see, store, or process your full card number. Stripe handles all card data under its own privacy and security commitments at stripe.com/privacy.
  • Diagnostic payload. The result of the seller-side macOS app run, signed inside the Mac's Secure Enclave and bound to a device-specific key fingerprint produced on the same Mac. The payload includes the device's full serial number, model identifier, and hardware-health metrics (SSD wear, battery cycles, memory test results, CPU and GPU burn-in results). It does not include files, browsing history, app usage, or any contents of your home directory.
  • Report metadata. The issue date and status of each Report. The publicly visible Report page shows only the last four digits of the serial; the full serial is held server-side.
  • Append-only device-key tuples. We permanently retain the tuple (device-key fingerprint, serial number, first-seen timestamp) for every Diagnostic. This is what allows the Service to detect swap attempts: if two different serials ever claim the same fingerprint, we surface it. See section 4 below.
  • Communications. Emails you send to support@macfax.com or disputes@macfax.com, including subject, body, and attachments.
  • Anonymous session identifier. A random UUID stored in your browser as a cookie, used to correlate page views within a single browsing session for product analytics. It is not joined to your email, payment, or Report records.
  • Server logs. Routine HTTP request logs (IP address, user-agent, URL, timestamp, response code), used for security, abuse detection, and operating the site.

2. What we do not collect

  • No personal data leaves your Mac during the Diagnostic beyond what is listed above. We do not read files, browsing history, app usage, photos, messages, calendars, or any contents of your home directory.
  • No third-party advertising trackers, retargeting pixels, or cross-site identifiers run on macfax.com.
  • No location data beyond what Stripe collects for fraud detection at checkout.
  • No microphone, camera, contacts, or other sensor data is captured by the macOS app.

3. Why we collect it

We use the information above for the following purposes:

  • To provide the Service. Issue Reports, host the public Report URL, deliver bulk-pack activation tokens, process payments, and respond to support requests.
  • To detect fraud and swap attempts. The append-only device-key tuples and Diagnostic payloads are the data that makes a Macfax Report harder to forge than a screenshot or PDF.
  • To handle disputes. When a buyer-side re-attestation surfaces a mismatch, we use the cryptographic record on file to evaluate the dispute.
  • To send transactional emails. Receipts, Report-ready notifications, takedown notices, refund confirmations, and security alerts.
  • To send follow-ups you ask for. If you opt in to a price-estimate follow-up at the time you publish a Basic Report, we use your email to send that estimate and a small number of closely related updates. Every such email contains an unsubscribe link.
  • To improve the Service. Aggregate counts (Reports issued per month, error rates, page-view counts) inform changes to the product. We do not build user profiles for advertising.
  • To comply with law. Tax records, sanctions and export-control compliance, response to lawful legal process.

4. The append-only device-key registry

The Service is built on top of a device-key-to-serial mapping that is intentionally append-only forever. The moment two different serials claim the same device-key fingerprint, the Service surfaces it. This is one of the integrity properties that makes a Macfax Report harder to forge than a screenshot or PDF.

Concretely, we keep (device-key fingerprint, serial number, first-seen timestamp) tuples permanently, even after a refund or a deletion request. The fingerprint is derived on your Mac and is not, on its own, identifying information about you. When you ask us to delete your data, we delete the link from the tuple to your email; the tuple itself stays, decoupled from any directly identifying information.

5. Who we share information with

We share information only with the providers below, and only as needed to operate the Service:

  • Stripe (payment processing). We send the amount, currency, and your email; Stripe handles the card transaction and returns payment metadata.
  • Vercel (hosting, edge network, CDN). Operates the macfax.com web application and serves Report pages and downloads.
  • Microsoft Azure (database). Hosts the Postgres database that stores Reports, purchases, and the device-key registry.
  • Apple (notarization). The macOS app is notarized by Apple and uses the Mac's Secure Enclave to sign the diagnostic payload at issuance. The Secure Enclave is on-device hardware; the signing key never leaves the Mac and Apple receives no record of individual Diagnostic runs.
  • Email delivery provider. Used to deliver transactional and follow-up emails from support@macfax.com.

We do not sell or rent your personal information. We do not share it with advertisers, data brokers, or marketing networks. We may disclose information when required by law, in response to valid legal process, or when reasonably necessary to prevent fraud or harm.

If Macfax is acquired or merged, your information may transfer to the successor as part of the transaction. We will provide notice through the website or by email if this happens.

6. How long we keep it

  • Email and Report records linked to email: until you ask us to delete them, or seven (7) years after your last activity, whichever is sooner.
  • Payment metadata: at least seven (7) years for tax and accounting purposes. Stripe's own retention is independent and governed by Stripe.
  • Diagnostic payloads (full serial, hardware metrics) linked to email: until you ask us to delete them. After deletion, the device-key tuple persists without the link to your email.
  • Append-only device-key tuples (fingerprint, serial, first-seen timestamp): permanently. These are not directly identifying on their own; see section 4.
  • Session cookie: the cookie expires after thirty (30) days of inactivity.
  • Server logs: ninety (90) days, then deleted or aggregated.
  • Support correspondence: three (3) years from the last message in the thread.

7. Security

We protect data with TLS in transit, encryption at rest for the database, scoped access controls for the operator, secure key handling for Stripe webhook signatures and Apple notarization, and standard hardening of the hosting environment. No system is perfect; we cannot guarantee absolute security, but we take reasonable steps to keep your information safe.

8. Your choices and rights

You have the following rights, subject to limits under applicable law and the append-only-registry exception described in section 4:

  • Access: ask us what personal information we hold about you and to receive a copy.
  • Correction: ask us to correct information that is inaccurate.
  • Deletion: ask us to delete information we hold about you. We will delete your email from purchases, Reports, and internal logs, and the public Report URLs tied to your email will return a not-found response from then on. The append-only device-key tuples (without the link to your email) are retained as described in section 4.
  • Opt out of follow-up emails: use the unsubscribe link in any non-transactional email, or email support@macfax.com. Transactional emails (receipts, takedown notices, refund confirmations) continue even after you unsubscribe from follow-ups.
  • Opt out of sale or sharing: we do not sell or share your personal information for cross-context behavioral advertising. There is nothing to opt out of, but if that ever changes we will provide a clear opt-out before doing so.
  • Non-discrimination: we will not deny you the Service, charge you a different price, or provide a different quality of service because you exercised a privacy right.

To exercise any of these rights, email support@macfax.com from the address you used at checkout or in correspondence. We may need to verify your identity, usually by replying from the same email. We aim to respond within thirty (30) days, and at most within forty-five (45) days, in line with applicable law.

9. California residents

If you live in California, the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), gives you the rights listed in section 8 above (access, correction, deletion, opt out of sale or sharing, limit use of sensitive information, non-discrimination). The categories of personal information we collect, our purposes, retention, and recipients are listed in sections 1, 3, 5, and 6. We do not sell personal information and do not share it for cross-context behavioral advertising. You may designate an authorized agent to make a request on your behalf; we will require written proof of authorization. If we deny your request, you may appeal by replying to our response.

10. Users outside the United States

Macfax operates from the United States. If you use the Service from outside the US, your information is transferred to and stored in the US and other countries where our providers operate, which may have different data-protection rules than your country. By using the Service, you consent to that transfer.

If you live in a jurisdiction that grants you rights of access, correction, deletion, objection, restriction, or portability (such as the UK or the European Economic Area), you may exercise those rights by emailing support@macfax.com. We will respond in line with applicable law.

11. Children

Macfax is not directed to children under sixteen (16), and we do not knowingly collect information from anyone under that age. If you believe a child has provided information to us, email support@macfax.com and we will delete it.

12. Cookies and similar technologies

macfax.com uses one cookie: an anonymous session identifier for product analytics. There are no advertising cookies, retargeting pixels, or cross-site trackers. You can clear cookies at any time from your browser settings; the Service will still function.

13. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Material changes will be highlighted at the top of this page or communicated by email to the address on file at least thirty (30) days before they take effect.

14. Contact

Privacy questions, data requests, or anything else covered by this policy: support@macfax.com.