Privacy Policy

The data controller for personal data processed through the Service is:

Huro Data Technologies Ltd.
Email: support@mydomainrisk.com

We collect the following personal data:

• Email address — provided when you create an account. Used to send magic link sign-in emails and scan report emails.
• Domain names you scan — the domains you add to your account and submit for security assessment.
• Scan results — the security findings, verdicts and risk ratings generated by the Service for your domains.
• IP address — recorded in server access logs as part of normal web server operation.
• Session cookie — an HttpOnly session cookie with a 7-day TTL is set upon sign-in to maintain your authenticated session.

We do not collect payment card details directly. Payment information is handled entirely by Stripe.

• Contract performance (Article 6(1)(b)) — processing your email address and domain data is necessary to provide you with the Service.
• Legitimate interests (Article 6(1)(f)) — we process IP address data and session information to protect the security and integrity of the Service and prevent fraud and abuse.

• Providing and operating the Service, including running domain security scans.
• Sending you magic link emails to authenticate your sign-in.
• Sending scan report emails where you have requested them.
• Processing payments and managing subscriptions via Stripe.
• Maintaining server security logs and investigating abuse.
• Improving the Service using anonymised, aggregated scan data.

We do not sell your personal data to third parties, and we do not use your data for advertising or behavioural profiling.

To provide the Service, we share data with the following third-party processors:

• Stripe — payment processing and subscription management. For UK customers our contracting entity is Stripe Payments Europe Limited (Ireland), which onward-transfers to Stripe LLC (United States) under its own intra-group safeguards. stripe.com/privacy
• Resend — transactional email delivery (magic link and scan report emails).
• Shodan — internet exposure data. Domain names and IP addresses may be queried to identify exposed services.
• Have I Been Pwned (HIBP) — breach data. Your domain is queried to identify associated email addresses in known data breaches.
• Google Safe Browsing — malware and phishing detection.
• URLScan.io — URL reputation and web content safety analysis.
• AbuseIPDB — IP reputation checking against reported malicious activity.
• Ransomwatch — ransomware leak site monitoring.
• CIRCL (Computer Incident Response Centre Luxembourg) — CVE vulnerability data.
• ip-api.com — IP geolocation and ASN data.
• Google DNS-over-HTTPS — DNS resolution for scanned domains.
• Render — application hosting and managed PostgreSQL database (Oregon, United States). Stores account email addresses, tracked domains, scan history and subscription metadata.
• Upstash — managed Redis cache (United States). Holds short-lived rate-limit counters, session-related state and scan-engine cached values.
• Vercel — frontend hosting (United States) for both the marketing site and the application UI.
• Anthropic— Claude API used for the in-app AI assistant, the “Explain this report” flow, authenticity analysis, and (on Pro authenticity scans) visual brand-impersonation analysis described in the next section. For UK customers our contracting entity is Anthropic Ireland Limited (Ireland), which onward-transfers to Anthropic PBC (United States) for model inference under its own intra-group safeguards.

On the authenticity app, Pro scans may perform additional visual analysis of public page assets already loaded by the scanned page. Relevant images and the scanned domain name may be sent to our AI provider to help identify brand-impersonation evidence. The result can be used as supporting evidence in the user-facing verdict.

The captured images are stored on our infrastructure (Render Persistent Disk in the United States) alongside the AI’s analysis. Storage is indefinite by default to support our threat-intelligence research and any subsequent published security findings. Aggregated and anonymised statistics drawn from this dataset (e.g. “the most-impersonated brands this quarter”) may be published as security research; before publication, individual records can be flagged for anonymisation so the impersonating domain is masked.

This processing is part of the Pro authenticity service the user subscribed to; the secondary research-and-publication purpose rests on our legitimate interest in preventing phishing harm to the wider public. The feature does not run on Free-tier scans or the public peek widget. A hard monthly cost cap and a per-user daily cap are enforced in code. You can request deletion of any specific scan’s evidence, or opt out of the visual analysis entirely while remaining a Pro subscriber, by emailing support@mydomainrisk.com.

To detect broken surfaces (CORS, CSP, network or server faults) without waiting for a user report, the marketing site reports browser-side errors (window.error, unhandled promise rejections, Content Security Policy violations) to the MyDomainRisk backend, which stores aggregated counts and a recent-events buffer in Redis (Render KV, US-hosted, transfer safeguarded under the EU-US Data Privacy Framework UK Extension plus Standard Contractual Clauses).

Each event stores: the HTTP status code (if any), the page path (query string stripped), a truncated error message (≤200 chars; no stack traces), a SHA-256 hash of the visitor’s IP keyed with our internal authentication secret (16-char prefix; non-reversible without that secret), and the user-agent string truncated to 160 chars. No raw IP, no cookies, no form contents, and no scanned domain names are stored in the error monitoring records. The marketing site has no user accounts, so no user identifier is associated.

Retention: 7 days on the per-day counter keys (Redis TTL); the recent-events list is capped at 500 entries (oldest evicted).

Lawful basis: legitimate interests (UK GDPR Art. 6(1)(f)) — service-integrity monitoring and rapid incident detection.

• Account data — retained while your account is active.
• Scan results — up to 5 per domain on Free. Pro and MSP retain up to 50 security scans and 10 authenticity investigations per domain; results beyond these limits are automatically removed.
• Server access logs — retained for a limited period for security and operational purposes.

Upon account closure, your account data and all associated scan results are permanently deleted. Contact support@mydomainrisk.com to request account deletion.

You have the following rights in relation to your personal data:

• Access — request a copy of the data we hold about you.
• Rectification — ask us to correct inaccurate data.
• Erasure — ask us to delete your personal data.
• Portability — request your data in a machine-readable format.
• Restriction — ask us to restrict processing in certain circumstances.
• Objection — object to processing based on legitimate interests.

To exercise these rights, contact support@mydomainrisk.com. You may also lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.

The Service uses a single essential HttpOnly session cookie (7-day TTL) that is required for authenticated sessions. We do not use tracking, advertising, or analytics cookies in the application.

The marketing site (mydomainrisk.com) may use cookies for Google Ads conversion tracking to measure advertising performance. You can accept or decline these cookies using the consent banner shown on your first visit.

Some of the sub-processors listed in Section 5 are located outside the United Kingdom. We describe them in two tiers below, reflecting the legal basis for each transfer.

Direct UK–to–US transfers

Personal data is transferred directly to processors based in the United States: Render (Oregon), Upstash, Vercel, and Resend (account email, scan history, request metadata, email delivery). Each is self-certified under the UK Extension to the EU–US Data Privacy Framework, which provides an adequacy-equivalent legal basis under UK GDPR Article 45, and each also incorporates the UK Standard Contractual Clauses (or the UK IDTA) in its Data Processing Agreement as a fallback under UK GDPR Article 46.

Personal data is also transferred to Have I Been Pwned (US/AU), Google Safe Browsing (US), URLScan.io (Germany), AbuseIPDB (US), and Shodan (US) for scan-engine purposes. These transfers involve domain names, IP addresses, and (for HIBP) email addresses queried against breach data; each transfer relies on the UK Standard Contractual Clauses where applicable.

Transfers to EEA contracting entities (with onward US processing)

For UK customers, our contracts with Stripe and Anthropicare with their EEA-incorporated entities — Stripe Payments Europe Limited (Ireland) and Anthropic Ireland Limited respectively. The first-tier transfer in each case is from the United Kingdom to Ireland, an adequate destination under the UK’s adequacy decision for the EEA, and therefore does not require an Article 46 transfer mechanism. Each EEA entity may then onward-transfer personal data to its US affiliate (Stripe LLC and Anthropic PBC respectively) for processing; that onward leg is governed by the EEA entity’s own intra-group safeguards (Standard Contractual Clauses and, where relevant, Data Privacy Framework certification) under EU GDPR.

We carry out a Transfer Impact Assessment for each non-UK transfer of personal data, in line with ICO guidance. A current copy of our sub-processor list with transfer-mechanism detail (including DPA references, SCC module versions, and DPF certification status) is available on request from support@mydomainrisk.com.

We implement appropriate technical and organisational measures to protect your personal data, including HTTPS encryption in transit, HttpOnly session cookies, and database access controls. In the event of a notifiable personal data breach, we will inform the ICO within 72 hours and notify affected users where required.

We may update this Privacy Policy from time to time. Material changes will be communicated to registered users by email or in-app notice. The effective date at the top of this page reflects when the policy was last updated.

This Privacy Policy is governed by the laws of England and Wales.

Questions or requests relating to this Privacy Policy or your personal data: support@mydomainrisk.com