GDPR Commitment

The data controller for all personal data processed through MyDomainRisk is:

Huro Data Technologies Ltd.
Email: support@mydomainrisk.com

We process personal data only where we have a clear lawful basis under UK GDPR Article 6:

• Contract performance (Art. 6(1)(b)) — your email address and domain data are processed to deliver the service you have signed up for.
• Legitimate interests (Art. 6(1)(f)) — IP address and session data are processed to protect the security and integrity of the service and prevent abuse.
• Consent (Art. 6(1)(a)) — non-essential cookies on this marketing site (e.g. Google Ads conversion tracking) are only set after you have given explicit consent via the cookie banner.

Data protection principles are embedded into our product and infrastructure decisions:

• We collect only the minimum personal data required to operate the service.
• Scan results are subject to automatic retention limits (5 per domain on Free; 1,000 total on Pro).
• All data is transmitted over HTTPS. Session cookies are HttpOnly and Secure.
• Access to production data is restricted to authorised personnel only.
• We do not sell personal data or use it for advertising or behavioural profiling.

In accordance with Article 32 of UK GDPR, we implement appropriate technical and organisational measures proportionate to the risk, including:

• Encryption of personal data in transit (HTTPS/TLS).
• HttpOnly, Secure, SameSite session cookies with a 7-day TTL.
• Encrypted database connections and access controls.
• Infrastructure hosted on SOC 2 Type II and ISO 27001 certified providers.
• Single concurrent session enforcement — new logins revoke prior sessions.
• Automated 15-minute inactivity logout.
• Rate limiting across all API endpoints to prevent abuse.
• Dependency vulnerability scanning (pip-audit) on every code commit via CI.

We use a limited number of third-party processors to operate the service. Each is subject to a data processing agreement and provides equivalent data protection guarantees. Our current sub-processors include Stripe (payments), Render (infrastructure), Vercel (frontend hosting), Upstash (Redis cache), and Resend (transactional email). A full list is available in our Privacy Policy.

Under UK GDPR, you have the right to:

• Access (Art. 15) — request a copy of the personal data we hold about you. You can download your data at any time from your account settings.
• Rectification (Art. 16) — ask us to correct inaccurate personal data.
• Erasure (Art. 17) — ask us to delete your account and all associated data.
• Portability (Art. 20) — receive your data in a structured, commonly used format.
• Restriction (Art. 18) — ask us to restrict processing in certain circumstances.
• Objection (Art. 21) — object to processing based on legitimate interests.
• Withdraw consent — where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact support@mydomainrisk.com. We will respond within one calendar month.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach, and will inform affected users without undue delay where required under UK GDPR Article 34.

You have the right to lodge a complaint with the UK supervisory authority if you believe we have not handled your personal data in accordance with UK GDPR:

Information Commissioner’s Office (ICO)
ico.org.uk/make-a-complaint
Telephone: 0303 123 1113

For any questions or requests relating to our GDPR obligations or your personal data: support@mydomainrisk.com