Privacy Policy

Last updated: February 18, 2026

This Privacy Policy describes how domani.sh ("we", "us", "our", "the Service") collects, uses, stores, and protects your personal information when you use our website, API, CLI tool, and related services.

By using domani.sh, you consent to the practices described in this policy. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Email address - used for account identification, transactional emails (purchase confirmations, magic link sign-in), and critical service notifications.

We do not collect your name, phone number, physical address, or any other personal identifiers beyond your email.

1.2 Payment Information

When you add a payment method to purchase domains, payment processing is handled entirely by Stripe, Inc. We do not store, process, or have access to your full credit card number, CVV, or billing address. We only receive and store:

  • A Stripe Customer ID (an opaque identifier)
  • Whether you have an active payment method on file (boolean)
  • Transaction records (domain purchased, amount charged, date)

1.3 Domain Registration Data

When you purchase a domain through our Service, we store:

  • The domain name
  • Registration and expiration dates
  • DNS records you configure
  • WHOIS contact information as required by ICANN regulations

Domain registration is subject to the policies of the relevant domain registry and ICANN (the Internet Corporation for Assigned Names and Numbers).

1.4 API Usage Data

When you interact with our API, we collect:

  • API token identifiers and last-used timestamps
  • Request metadata (endpoint, timestamp, IP address, response status code)
  • Rate limiting counters (stored in memory, not persisted)

1.5 Automatically Collected Data

When you visit our website, we may collect:

  • IP address (used for rate limiting on authentication endpoints)
  • Browser user agent string (in server logs)
  • Referring URL

We do not use analytics trackers, advertising pixels, or third-party tracking scripts. We do not use Google Analytics or similar services.

1.6 Referral Data

If you participate in our referral program, we store:

  • Your unique referral code
  • Records of domains purchased using your code (domain name, date, commission amount)
  • Commission payment status

We do not reveal the identity of referred users to referrers. Referral records contain only domain names and commission amounts.

2. How We Use Your Information

We use your information exclusively for:

  • Service operation - authenticating requests, processing domain purchases, managing DNS records, sending transactional emails
  • Payment processing - charging your payment method for domain purchases via Stripe
  • Security - rate limiting, fraud detection, abuse prevention
  • Legal compliance - ICANN domain registration requirements, tax obligations, responding to lawful requests
  • Service communications - purchase confirmations, expiration notices, critical security alerts

We do not use your information for:

  • Marketing or promotional emails (unless you explicitly opt in)
  • Advertising or ad targeting
  • Behavioral profiling or analytics
  • Sale or rental to third parties

3. Third-Party Services

We share data with the following third-party services, solely as necessary to operate the Service:

| Service | Purpose | Data shared |
|---------|---------|-------------|
| Stripe | Payment processing | Email, Stripe Customer ID, payment amounts |
| Resend | Transactional email delivery | Email address, email content |
| Domain registrar | Domain registration and DNS | Domain name, DNS records, WHOIS data |
| Vercel | Application hosting | Server logs (IP, user agent, timestamps) |

Each third-party service is bound by its own privacy policy and data processing agreements. We do not share your data with any services beyond those listed above.

4. Data Storage and Security

4.1 Storage

Your data is stored in a PostgreSQL database hosted on secure, encrypted infrastructure. All data is encrypted at rest and in transit (TLS 1.2+).

4.2 API Keys

API keys are stored as cryptographic tokens. They are generated using a cryptographically secure random number generator and use the format domani_sk_ followed by 32 random characters.

4.3 Security Measures

We implement the following security measures:

  • All connections encrypted via HTTPS/TLS
  • API authentication via Bearer tokens
  • Per-user, per-endpoint rate limiting
  • No storage of raw payment credentials (delegated to Stripe)
  • Serverless architecture with no persistent server state

4.4 Breach Notification

In the event of a data breach affecting your personal information, we will notify affected users via email within 72 hours of discovery, as required by applicable law.

5. Data Retention

| Data type | Retention period |
|-----------|-----------------|
| Account information (email) | Until account deletion |
| API tokens | Until revoked by user or account deletion |
| Domain registration records | Duration of domain ownership + 1 year after expiration |
| Transaction records | 7 years (tax/legal compliance) |
| Server logs (IP, user agent) | 30 days |
| Rate limiting data | In-memory only, not persisted |

6. Your Rights

Depending on your jurisdiction, you may have the following rights:

6.1 All Users

  • Access - Request a copy of all data we hold about you
  • Correction - Request correction of inaccurate data
  • Deletion - Request deletion of your account and associated data (subject to legal retention requirements and active domain registrations)
  • API token management - Create, list, and revoke API tokens at any time via the API or dashboard
  • Export - Request an export of your data in a machine-readable format

6.2 EU/EEA Users (GDPR)

In addition to the above, EU/EEA users have the right to:

  • Data portability - Receive your data in a structured, commonly used format
  • Restrict processing - Request restriction of processing under certain conditions
  • Object to processing - Object to processing based on legitimate interests
  • Lodge a complaint - File a complaint with your local data protection authority

Our lawful basis for processing is:

  • Contract performance - Processing necessary to provide the Service (account management, domain registration, payment processing)
  • Legitimate interests - Security, fraud prevention, service improvement
  • Legal obligation - ICANN requirements, tax compliance

6.3 California Users (CCPA)

California residents have the right to:

  • Know what personal information is collected and how it is used
  • Request deletion of personal information
  • Opt out of the sale of personal information (we do not sell personal information)
  • Non-discrimination for exercising privacy rights

To exercise any of these rights, contact us at privacy@domani.sh.

7. Cookies

The domani.sh website uses only strictly necessary cookies for authentication session management. We do not use:

  • Tracking cookies
  • Third-party cookies
  • Advertising cookies
  • Analytics cookies

No cookie consent banner is required because we only use essential cookies that are necessary for the Service to function.

8. International Data Transfers

Your data may be processed in the United States and other countries where our service providers operate. When data is transferred outside your jurisdiction, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where required under GDPR.

9. Children's Privacy

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Notify registered users via email for significant changes
  • Post the updated policy at domani.sh/privacy

Your continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact

For privacy-related inquiries, data requests, or complaints:

Email: privacy@domani.sh

We aim to respond to all requests within 30 days, or sooner where required by applicable law.