Legal

Privacy Policy

Last updated: February 22, 2026 Â - Applies to all DomainRisk.io users worldwide.

1. Identity & Contact of the Data Controller

DomainRisk.io ("we", "us", "our") acts as the data controller for all personal data processed in connection with the provision of the domain risk monitoring platform. For any privacy-related inquiry, request, or complaint, please contact us via our contact page. We will respond to data subject requests within the timeframe required by applicable law (30 days under GDPR, extendable by two further months for complex requests).

2. Data We Collect

We collect and process the following categories of personal and operational data:

2.1 Account & Identity Data

  • Email address (used for login, alerts, and billing communications)
  • Password (stored as a salted cryptographic hash — never in plain text)
  • Display name or organization name, if provided
  • Plan type, subscription status, and billing period

2.2 Domain Monitoring Data

  • Domain names you add to the platform
  • Results of WHOIS, DNS, SSL, email-authentication (SPF, DKIM, DMARC), and subdomain scans — all sourced from publicly available records
  • Historical scan snapshots and change-detection logs
  • Security scores and finding classifications

2.3 Usage & Technical Data

  • Log data: IP address, browser type, operating system, pages visited, timestamps
  • Session identifiers (stored in an encrypted, HTTP-only cookie)
  • API usage metrics and plan consumption counters
  • Alert delivery logs (email open/delivery events where applicable; webhook delivery status)

2.4 Payment Data

Payment card data is processed exclusively by Stripe, Inc. and is never stored on our servers. We receive from Stripe only a payment method token, a customer reference ID, and billing metadata (last 4 digits of card, brand, expiry). Full card numbers are never transmitted to or stored by DomainRisk.io.

3. Data We Do Not Collect

We do not collect, process, or store any of the following:

  • Special categories of personal data (health, biometric, racial or ethnic origin, political opinions, religious beliefs, etc.)
  • Data from minors under 16 years of age — the Service is not directed at children
  • Full payment card numbers, CVVs, or bank account details
  • Content of your emails, internal communications, or files outside the Service
  • Third-party advertising identifiers for ad targeting (e.g., Meta Pixel, LinkedIn Insight Tag)

4. Purposes & Legal Bases for Processing

PurposeLegal Basis (GDPR Art. 6)
Account creation & authenticationContract performance (Art. 6(1)(b))
Delivering domain scan results & alertsContract performance (Art. 6(1)(b))
Processing payments & issuing invoicesContract performance & legal obligation (Art. 6(1)(b)(c))
Sending transactional emails (alerts, reports, billing)Contract performance (Art. 6(1)(b))
Service security, abuse prevention, fraud detectionLegitimate interests (Art. 6(1)(f))
Improving platform reliability & performanceLegitimate interests (Art. 6(1)(f))
Compliance with legal obligations (tax, audit)Legal obligation (Art. 6(1)(c))
Non-essential cookies (if accepted)Consent (Art. 6(1)(a))

5. Data Sharing & Processors

We do not sell, rent, or trade your personal data to third parties for commercial purposes. We share data only with the following categories of processors, strictly for service delivery:

  • Stripe, Inc. — payment processing. Subject to Stripe's Privacy Policy. Stripe is PCI-DSS certified.
  • Cloud infrastructure provider — hosting, database, and storage services under a Data Processing Agreement compliant with GDPR Chapter IV.
  • Transactional email provider — for delivering alert emails, billing notifications, and PDF reports.
  • WHOIS/DNS/SSL data providers — public data infrastructure; no personal data is transmitted to these providers beyond query parameters (domain names).

All sub-processors are bound by data processing agreements that require them to protect personal data at least to the standard required by applicable law.

We may disclose personal data if required by law, court order, or regulatory authority, or if necessary to protect the rights, property, or safety of DomainRisk.io, our users, or third parties.

6. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA) or United Kingdom, we ensure that appropriate safeguards are in place as required by GDPR Chapter V. These safeguards may include Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or other recognized transfer mechanisms. You may request information about the specific mechanisms used for any such transfer by contacting us.

7. Data Retention

We retain personal data only for as long as necessary for the purposes outlined in this policy, subject to applicable legal requirements:

  • Account data — retained for the duration of your account plus up to 90 days after deletion to allow for account recovery and to fulfil outstanding obligations.
  • Domain scan history — retained according to your plan tier (30 or 60 days of rolling history while your account is active).
  • Billing & invoicing records — retained for 10 years as required by applicable accounting and tax law.
  • Security and access logs — retained for up to 12 months for fraud prevention and incident investigation.
  • Deleted account data — personal data is purged within 90 days of account deletion, except for records subject to legal retention obligations.

8. Cookies

We use strictly necessary cookies to operate the Service, plus optional analytics cookies only when you provide consent. We do not use advertising or ad-targeting cookies. For full details, please read our Cookie Policy.

9. Your Rights

Subject to applicable law and certain exceptions, you have the following rights in relation to your personal data:

  • Right of access (Art. 15 GDPR) — you may request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — you may request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17) — you may request deletion of your data, subject to legal retention obligations.
  • Right to restriction of processing (Art. 18) — you may request that we restrict processing of your data in certain circumstances.
  • Right to data portability (Art. 20) — you may request your data in a structured, machine-readable format.
  • Right to object (Art. 21) — you may object to processing based on legitimate interests, including for direct marketing purposes.
  • Right to withdraw consent (Art. 7(3)) — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint — you have the right to lodge a complaint with your national supervisory authority (e.g., the CNIL in France, the ICO in the UK, or the relevant DPA in your country of residence).

To exercise any of these rights, please contact us via our contact page. We may ask you to verify your identity before processing your request.

10. Security Measures

We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:

  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of sensitive data at rest (passwords hashed with bcrypt or equivalent)
  • Access controls and principle of least privilege for internal systems
  • Regular security reviews of infrastructure and third-party integrations
  • Isolated user data with role-based access controls

No method of electronic transmission or storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security. In the event of a data breach affecting your rights and freedoms, we will notify you and the relevant supervisory authority within the timeframes required by applicable law.

11. Children's Privacy

The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will delete such data promptly. If you believe a child has submitted data to us, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the platform at least 14 days before taking effect. The "Last updated" date at the top of this page reflects the most recent revision. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

13. Contact & Data Protection Requests

For all privacy inquiries, data subject requests, or to exercise your GDPR rights, please contact us via our contact page. Please include "Privacy Request" in the subject field and describe your request clearly. We will acknowledge receipt within 72 hours and provide a full response within the legally required timeframe.