PRIVACY POLICY

1. DATA CONTROLLER

DOMAINator is operated from Israel. For questions regarding your personal data, contact us at support@domainator.co.il.

2. DATA WE COLLECT

Account Data

• Email address, display name, company name, industry, country
• Hashed passwords (bcrypt — we never store plaintext passwords)
• Two-factor authentication secrets (encrypted)

Scan Data

• VPN configuration files (encrypted at rest, deleted upon removal)
• Target IP addresses and domain names
• Scan results, findings, and generated reports
• Credentials discovered during authorized scans (encrypted)

Usage Data

• Login timestamps, IP addresses, session data
• Scan initiation and completion records
• Platform usage analytics

Payment Data

• Payments are processed by LemonSqueezy (Merchant of Record). We do NOT store credit card numbers. See LemonSqueezy's privacy policy for payment data handling.

3. PURPOSE OF PROCESSING

• Service delivery — executing scans, generating reports, managing accounts
• Security — authentication, fraud prevention, abuse detection
• Communication — transactional emails (scan completion, password resets)
• Legal compliance — audit logs, tax records

We do NOT sell personal data. We do NOT use your data for advertising. We do NOT send scan data to AI/LLM services.

4. DATA SECURITY

• All data encrypted in transit (TLS 1.3) and at rest
• VPN configs stored with AES-256 encryption
• Scan environments isolated using Linux network namespaces
• Access controls and audit logging on all systems
• Regular security reviews and vulnerability assessments

5. DATA RETENTION

• Account data — retained while your account is active + 90 days after deletion
• Scan results — retained per your plan's report access duration (24h to permanent)
• VPN configs — deleted when you remove them or when your account is deleted
• Audit logs — retained for 24 months
• Financial records — retained for 7 years (Israeli tax law)

6. YOUR RIGHTS

Under the Israeli Privacy Protection Law and GDPR (for EU residents), you have the right to:

• Access — request a copy of your personal data
• Rectification — correct inaccurate data
• Erasure — request deletion of your data (subject to legal retention requirements)
• Data portability — receive your data in a structured format
• Object — object to processing of your data
• Withdraw consent — for marketing communications at any time

To exercise these rights, email support@domainator.co.il. We will respond within 30 days.

7. COOKIES

We use essential cookies for authentication and session management. These are strictly necessary and do not require consent. We do not use third-party tracking or advertising cookies.

8. THIRD-PARTY SERVICES

• LemonSqueezy — payment processing
• Brevo (Sendinblue) — transactional email delivery
• UserWay — accessibility widget

Each service has its own privacy policy governing its handling of data.

9. DATA BREACH NOTIFICATION

In the event of a data breach that poses a risk to your rights, we will notify the Israeli Privacy Protection Authority and affected users without undue delay, in accordance with the Privacy Protection Regulations (Data Security).

10. INTERNATIONAL TRANSFERS

Your data is stored on servers located in Europe. Israel has an EU adequacy decision, permitting free data flow between EU and Israel. No additional transfer mechanisms are required.

11. CHILDREN

DOMAINator is not intended for use by anyone under 18 years of age. We do not knowingly collect data from minors.

12. CHANGES

We may update this policy. Material changes will be communicated via email or platform notification. Continued use after changes constitutes acceptance.

13. CONTACT

Privacy inquiries: support@domainator.co.il