Privacy Policy

The data controller for personal data processed through the Service is:

Huro Data Technologies Ltd.
Email: support@mydomainrisk.com

We collect the following personal data:

• Email address — provided when you create an account. Used to send magic link sign-in emails and scan report emails.
• Domain names you scan — the domains you add to your account and submit for security assessment.
• Scan results — the security findings and scores generated by the Service for your domains.
• IP address — recorded in server access logs as part of normal web server operation.
• Session cookie — an HttpOnly session cookie with a 7-day TTL is set upon sign-in to maintain your authenticated session.

We do not collect payment card details directly. Payment information is handled entirely by Stripe.

• Contract performance (Article 6(1)(b)) — processing your email address and domain data is necessary to provide you with the Service.
• Legitimate interests (Article 6(1)(f)) — we process IP address data and session information to protect the security and integrity of the Service and prevent fraud and abuse.

• Providing and operating the Service, including running domain security scans.
• Sending you magic link emails to authenticate your sign-in.
• Sending scan report emails where you have requested them.
• Processing payments and managing subscriptions via Stripe.
• Maintaining server security logs and investigating abuse.
• Improving the Service using anonymised, aggregated scan data.

We do not sell your personal data to third parties, and we do not use your data for advertising or behavioural profiling.

To provide the Service, we share data with the following third-party processors:

• Stripe — payment processing and subscription management. stripe.com/privacy
• Resend — transactional email delivery (magic link and scan report emails).
• Shodan — internet exposure data. Domain names and IP addresses may be queried to identify exposed services.
• Have I Been Pwned (HIBP) — breach data. Your domain is queried to identify associated email addresses in known data breaches.
• Google Safe Browsing — malware and phishing detection.
• URLScan.io — URL reputation and web content safety analysis.
• AbuseIPDB — IP reputation checking against reported malicious activity.
• Ransomwatch — ransomware leak site monitoring.
• CIRCL (Computer Incident Response Centre Luxembourg) — CVE vulnerability data.
• ip-api.com — IP geolocation and ASN data.
• Google DNS-over-HTTPS — DNS resolution for scanned domains.

• Account data — retained while your account is active.
• Scan results — up to 10 per domain (Free) or 5,000 total (Pro); results beyond these limits are automatically removed.
• Server access logs — retained for a limited period for security and operational purposes.

Upon account closure, your account data and all associated scan results are permanently deleted. Contact support@mydomainrisk.com to request account deletion.

You have the following rights in relation to your personal data:

• Access — request a copy of the data we hold about you.
• Rectification — ask us to correct inaccurate data.
• Erasure — ask us to delete your personal data.
• Portability — request your data in a machine-readable format.
• Restriction — ask us to restrict processing in certain circumstances.
• Objection — object to processing based on legitimate interests.

To exercise these rights, contact support@mydomainrisk.com. You may also lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.

The Service uses a single essential HttpOnly session cookie (7-day TTL) that is required for authenticated sessions. We do not use tracking, advertising, or analytics cookies in the application.

The marketing site (mydomainrisk.com) may use cookies for Google Ads conversion tracking to measure advertising performance. You can accept or decline these cookies using the consent banner shown on your first visit.

Some third-party processors listed in Section 5 are located outside the UK and EEA. Where personal data is transferred to such countries, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved under UK GDPR, or equivalent transfer mechanisms.

We implement appropriate technical and organisational measures to protect your personal data, including HTTPS encryption in transit, HttpOnly session cookies, and database access controls. In the event of a notifiable personal data breach, we will inform the ICO within 72 hours and notify affected users where required.

We may update this Privacy Policy from time to time. Material changes will be communicated to registered users by email or in-app notice. The effective date at the top of this page reflects when the policy was last updated.

This Privacy Policy is governed by the laws of England and Wales.

Questions or requests relating to this Privacy Policy or your personal data: support@mydomainrisk.com