Privacy Policy
Last updated: April 28, 2026
This is a small free service. We collect the minimum we need to run it. This document tells you what we collect, why, and what we do with it.
What we collect
- Account data: email address, username, and a hashed password (we never store your plain password).
- Subdomain data: the subdomains you claim, the DNS records you create, and timestamps for both.
- Audit log: a record of significant actions on your account (login, claim, release, DNS edits) along with the IP address and user agent that performed them. Used for abuse handling and account recovery.
- Session cookies: a single first-party cookie that keeps you logged in. No third-party cookies.
- Server logs: standard web server access logs (IP, request line, response status, user agent). Rotated and deleted after 30 days.
What we don't collect
- No analytics, advertising, or tracking pixels.
- No data sold to or shared with marketers.
- No fingerprinting.
Third parties
We use Cloudflare to operate DNS for the parent domains. When you create or edit a DNS record, that record is sent to Cloudflare's API. Cloudflare's privacy policy applies to that data: cloudflare.com/privacypolicy.
If you proxy a record through Cloudflare, traffic to your subdomain passes through Cloudflare's network. They will see the IP addresses of your visitors.
We do not use other third-party services to operate the registration platform itself.
How long we keep data
- Account data: until you delete your account.
- Subdomain and DNS data: until you release the subdomain or your account is closed.
- Audit log: 12 months, then deleted.
- Web server logs: 30 days, then deleted.
Your rights
You can request a copy of your data, correction of inaccurate data, or deletion of your account by emailing [email protected]. If you are in the EU, UK, or California, you have additional rights under GDPR, UK GDPR, and CCPA respectively, including the right to lodge a complaint with a supervisory authority.
Security
Passwords are hashed with argon2id. Sessions are stored server-side. The service runs over HTTPS only. No system is perfectly secure, but we try.
Children
This service is not directed at children under 13 and we do not knowingly collect data from them. If you believe a child has registered, email [email protected] and we will delete the account.
Changes
If we change this policy materially, we'll update the date at the top and, where reasonably possible, notify users by email.