Privacy Policy
Last updated: March 9, 2026
This Privacy Policy describes how domani.run (“we”, “us”, “our”) collects, uses, stores, and protects your personal information when you use our website, API, CLI tool, MCP server, and related services.
By using domani.run, you consent to the practices described in this policy.
1. Information We Collect
1.1 Account Information
When you create an account, we collect your email address, used for account identification, transactional emails, and magic link sign-in. No other personal information is required.
1.2 Payment Information
Payment processing is handled entirely by Stripe, Inc. We do not store your full credit card number, CVV, or billing address. We only receive a Stripe Customer ID, whether you have an active payment method, and transaction records.
1.3 Domain Registration Data
When you register a domain, we store the domain name, registration and expiration dates, DNS records, and WHOIS contact information as required by ICANN. WHOIS privacy is enabled by default.
1.4 API Usage Data
We collect API token identifiers, last-used timestamps, request metadata (endpoint, timestamp, IP, status code), and rate limiting counters (in-memory only).
1.5 Automatically Collected Data
When you visit our website, we may collect IP address (for rate limiting), browser user agent, and referring URL. We do not use analytics trackers, advertising pixels, or third-party tracking scripts.
1.6 Referral Data
If you participate in our referral program, we store your unique referral code, records of domains purchased using your code (domain name, date, commission amount), and commission payment status. We do not reveal the identity of referred users to referrers.
1.7 Email Data
When you use programmatic email, we store mailbox addresses, message content (sender, recipient, subject, body, headers), delivery status, and webhook URLs. Email delivery is processed through Resend.
1.8 USDC Payment Data
When you pay with USDC, we store the blockchain transaction hash, chain identifier (Base or Ethereum), USDC amount, and wallet address. Transaction hashes are verified on-chain and can only be used once.
1.9 Webhook Data
When you create webhooks, we store endpoint URLs, subscribed event types, signing secrets (hashed), and delivery history (status, response codes, timestamps).
1.10 Parking Analytics
When domain parking is enabled, we collect anonymized visitor analytics: page views, daily view counts, and referrer data. No personally identifiable visitor information is stored.
1.11 Marketplace Data
When you use the marketplace, we store listing prices and inquiry data (name, email, offer amount, message) submitted by potential buyers.
2. How We Use Your Information
We use your information exclusively for:
- Service operation - authenticating requests, processing purchases, managing DNS, sending transactional emails
- Payment processing - charging your payment method via Stripe
- Security - rate limiting, fraud detection, abuse prevention
- Legal compliance - ICANN requirements, tax obligations
- Service communications - purchase confirmations, expiration notices, security alerts
We do not use your information for marketing (unless you opt in), advertising, behavioral profiling, or sale to third parties.
3. Third-Party Services
We share data with the following services, solely as necessary to operate:
| Service | Purpose | Data shared |
|---|---|---|
| Stripe | Payment processing | Email, Customer ID, amounts |
| Resend | Email delivery and programmatic email | Email address, message content |
| Domain registrar | Domain registration and DNS | Domain name, DNS records, WHOIS data |
| Vercel | Application hosting | Server logs (IP, user agent, timestamps) |
We do not share your data with any services beyond those listed above.
4. Data Storage and Security
4.1 Storage
Your data is stored in a PostgreSQL database on secure, encrypted infrastructure. All data is encrypted at rest and in transit (TLS 1.2+).
4.2 Security Measures
- All connections encrypted via HTTPS/TLS
- API authentication via Bearer tokens
- Per-user, per-endpoint rate limiting
- No storage of raw payment credentials
- Serverless architecture with no persistent server state
4.3 Breach Notification
In the event of a data breach, we will notify affected users via email within 72 hours of discovery.
5. Data Retention
| Data type | Retention |
|---|---|
| Account information (email, WHOIS contact) | Until account deletion |
| API tokens | Until revoked or account deletion |
| Domain registration records | Duration of ownership + 1 year |
| Transaction records (card and USDC) | 7 years (tax/legal compliance) |
| Server logs (IP, user agent) | 30 days |
| Rate limiting data | In-memory only, not persisted |
| Referral records | Until account deletion |
| Email messages | Until deleted or account deletion |
| Mailbox metadata | Until deleted or account deletion |
| Webhook URLs and delivery history | Until deleted or account deletion |
| Parking analytics | 90 days (rolling), aggregated indefinitely |
| Marketplace inquiries | 1 year |
6. Your Rights
6.1 All Users
- Access - request a copy of all data we hold about you
- Correction - request correction of inaccurate data
- Deletion - request deletion of your account and associated data
- Export - request an export in a machine-readable format
6.2 EU/EEA Users (GDPR)
Additional rights: data portability, restrict processing, object to processing, lodge a complaint with your local data protection authority. Our lawful basis for processing is contract performance, legitimate interests (security, fraud prevention), and legal obligation (ICANN, tax compliance).
6.3 California Users (CCPA)
California residents have the right to know what information is collected, request deletion, and opt out of the sale of personal information. We do not sell personal information.
To exercise any of these rights, contact privacy@domani.run.
7. Cookies
domani.run uses only strictly necessary cookies for authentication session management. We do not use tracking, third-party, advertising, or analytics cookies.
8. International Data Transfers
Your data may be processed in the United States. When data is transferred outside your jurisdiction, we ensure appropriate safeguards are in place, including Standard Contractual Clauses where required under GDPR.
9. Children's Privacy
The Service is not directed at individuals under 16. We do not knowingly collect personal information from children.
10. Changes
We may update this policy at any time. Material changes will be communicated by updating this page and notifying registered users via email. Continued use constitutes acceptance.
11. Contact
For privacy-related inquiries: privacy@domani.run
We aim to respond to all requests within 30 days.