Legal

Privacy policy

Last updated: 2026-05-18

Plain-English summary

We collect what we need to run the monitoring service plus a small amount of product-analytics data to improve it. We do not sell your data, do not share it with advertisers, and you can export or delete it from your account at any time. Sections that only apply to specific regions (California, UK) are clearly labelled.

Who we are (the data controller)

Artificial Systems SRL is the data controller for the personal data we process through DomainCare.

  • Legal name: Artificial Systems SRL
  • Trade register number: J2024001677058
  • VAT number: RO42509655
  • Registered office: Oradea Citadel, Building I, Oradea, Romania
  • Privacy contact: privacy@domaincare.io
  • Supervisory authority: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP), the Romanian National Supervisory Authority for Personal Data Processing. Website: anspdcp.ro

What we collect

Account data

  • Your email address and display name.
  • The organisation name, if you provide one.
  • Authentication metadata: short-lived magic-link tokens (expire 10 minutes after we send them), or OAuth tokens (encrypted at rest) when you sign in with Google or GitHub.
  • We do not collect or store passwords.

Domain monitoring data

  • Domain names you ask us to monitor.
  • Notification routing preferences (channels, severity rules, mutes, overrides).
  • Maintenance windows and quiet hours.

Check results we collect on your behalf

  • HTTP response metadata: status codes, latency, redirect chains, content-type, response headers.
  • TLS certificate fields: issuer, subject, validity dates, fingerprints, cipher and protocol version.
  • DNS records (A, AAAA, CNAME, MX, NS, TXT, SOA, CAA, PTR) returned for the domain.
  • WHOIS / RDAP registration metadata.
  • robots.txt and sitemap.xml contents.
  • Performance data from Lighthouse runs (via Google PageSpeed Insights API).
  • Open ports detected by our published port-scan probe set.
  • Blacklist status returned by public DNSBLs.

We never ingest the body of pages you serve, your customer data, or content behind authentication. Every probe is a request a normal browser, mail server, or DNS resolver could make on its own.

Operational data

  • Server and firewall logs include IP addresses, request paths, user-agents, and timing data as part of standard network operation. These logs are retained for 30 days for security, debugging, and DDoS protection. IP addresses in these logs are not linked to your user account and are not used for marketing.
  • Your sign-in sessions record the IP address and user-agent at the time of authentication for security and fraud-detection purposes (for example, detecting unauthorised access from an unfamiliar location). This data is associated with your account and is retained for the lifetime of the session (up to 7 days). It is not used for marketing or behavioural profiling.
  • Product analytics events (what features you used, what you clicked) collected via PostHog. We use this data in aggregate to identify rough edges in the product, never to single out individuals.
  • Error stack traces captured by PostHog for diagnostic purposes when something breaks.

Billing data

Stripe processes all payments and holds your billing information. We never see, store, or log:

  • Full card numbers
  • CVC or security codes
  • Bank account details

Stripe returns to us only the last four digits, card brand, and country code, which we display in your billing page. Stripe holds your full billing details (including name and billing address) under its own privacy policy.

Legal bases for processing (GDPR)

If you are in the European Union, European Economic Area, or United Kingdom, we process your personal data on the following legal bases under Article 6 GDPR:

  • Performance of a contract (Art 6(1)(b)): for account creation, monitoring services, alerts, billing, and customer support.
  • Legitimate interests (Art 6(1)(f)): for service security, fraud prevention, abuse detection, server operation logs, and aggregated product analytics.
  • Consent (Art 6(1)(a)): for optional product analytics cookies and for any future direct marketing.
  • Legal obligation (Art 6(1)(c)): for invoice retention and tax records under Romanian law.

How we use your data

  • To run your checks, fire alerts, and render reports in your dashboard.
  • To deliver transactional email (alerts, billing receipts, security notices, account changes).
  • To detect abuse signals and protect the service.
  • For aggregate, anonymised product analytics so we know what to build next.
  • To respond to your support questions.

We do not sell or share personal data for advertising. We do not run cross-site tracking on your behalf.

Subprocessors

DomainCare relies on a small set of vetted third parties to operate. Each one receives only the data needed for its role. We have written data processing agreements in place with all subprocessors that receive personal data.

| Subprocessor | Purpose | Personal data received | Region |
|---|---|---|---|
| Vercel | Frontend hosting, edge runtime | IP address and request metadata, transient, in routing logs only | Global edge |
| CONECTIX INTERNET SRL | Application server, database, magic-link delivery infrastructure | Email, display name, all account-level data | Romania (EU) |
| Stripe | Payment processing, subscription billing, customer billing portal | Email, name, billing address, card data | United States (headquarters), EU presence |
| SMTP2GO | Transactional email delivery | Email address | United States |
| PostHog | Product analytics, error tracking | Email associated with anonymised user ID, behavioural events | EU |
| Google (OAuth) | Sign-in via Google account, only if you use it | Email and name returned via OAuth handshake | United States |
| GitHub (OAuth) | Sign-in via GitHub account, only if you use it | Email and name returned via OAuth handshake | United States |
| Google PageSpeed Insights API | Page-speed scoring | None (only the domain name being scored) | United States |
| Public DNS blacklist operators | Blacklist reputation lookups | None (only the domain name being queried) | Global |

Material additions to this list will be announced by email at least 14 days in advance.

International data transfers

Your account data is stored on a server in Romania (EU). Some subprocessors operate globally:

  • Stripe and SMTP2GO are US-headquartered with global operations.
  • PostHog is EU-hosted (your data tenant runs in the EU).
  • Vercel operates at the edge across global regions, processing only ephemeral request metadata.
  • Google (OAuth and PageSpeed) and GitHub (OAuth) are US-headquartered.

Where personal data is transferred outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (SCCs) under Implementing Decision (EU) 2021/914. For transfers from the United Kingdom, we rely on the UK International Data Transfer Addendum to the EU SCCs, as published by the Information Commissioner's Office.

Retention

  • Active domains: check history is retained for 12 months on a rolling window. Older results are aggregated and the raw rows are purged.
  • Deleted domains: 30-day grace period for undo, after which all history is permanently purged.
  • Notification delivery log: retained for 90 days for audit and debugging.
  • Server and application logs: 30 days.
  • Session authentication records (IP address, user-agent): retained for the lifetime of the session, up to 7 days. Deleted when the session expires or when you sign out.
  • Account deletion: personal data is removed immediately. Anonymised aggregates and tax-relevant billing records are retained for 7 years to comply with Romanian accounting and tax law.

Your rights under GDPR

If you are in the EU, EEA, or UK, you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete your data (the right to erasure).
  • Restrict how we process your data in certain cases.
  • Export your data in a structured, machine-readable format (data portability).
  • Object to processing based on legitimate interests.
  • Withdraw consent at any time, where processing is based on consent.

You can exercise access, export, and deletion rights directly from Settings → Account:

  • Export: a full JSON dump of your account and check history.
  • Delete: irreversible removal of your account and associated data.

For correction, restriction, objection, or any other request, email privacy@domaincare.io. We respond within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with your supervisory authority. In Romania, that is ANSPDCP (anspdcp.ro). In other countries, contact your national data protection authority.

California consumer rights (CCPA / CPRA)

This section applies only to California residents.

Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, you have the right to:

  • Know what personal information we collect about you and how we use it.
  • Delete your personal information.
  • Correct inaccurate personal information.
  • Opt out of the sale or sharing of your personal information.
  • Limit the use of sensitive personal information.
  • Non-discrimination for exercising your rights.

Categories of personal information collected in the last 12 months

| CCPA Category | Examples | Collected? |
|---|---|---|
| Identifiers | Email address, name, account ID, IP address | Yes |
| Customer records | Name, billing information | Yes (Stripe holds card data) |
| Commercial information | Subscription tier, billing history | Yes |
| Internet activity | Interactions with our dashboard, product analytics events | Yes, with your consent |
| Geolocation data | Approximate location from IP, used only for routing and security | No (not for marketing) |
| Sensory data | Audio, video | No |
| Professional information | Job title, employer | No |
| Inferences | Usage patterns | Yes (aggregated, anonymised) |
| Sensitive personal information | SSN, biometrics, health, sexual orientation, and similar | No |

Sources, purposes, and recipients

  • Sources of personal information: directly from you (signup, settings), automatically (your use of the service), and from third parties (OAuth providers, Stripe).
  • Business purposes: providing the service, billing, security, debugging, and product improvement.
  • Categories of third parties we share with: the subprocessors listed in our subprocessor table above.

Sale and sharing

We do not sell or share your personal information as those terms are defined under the CCPA. We have not done so in the 12 months prior to this policy. There is no opt-out required because we do not sell or share. You can confirm this at /legal/do-not-sell.

Exercising your rights

Email privacy@domaincare.io with the subject "California Privacy Request." You may use an authorised agent; you will be asked to provide evidence of authorisation.

We verify identity through account login plus email confirmation. We respond within 45 days, with a possible extension to 90 days for complex requests.

United Kingdom

If you are in the United Kingdom, your data is processed under UK GDPR. Cross-border data transfers from the UK to recipients outside the UK and EEA rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses.

You have rights equivalent to those listed in the GDPR section above. To exercise them, contact privacy@domaincare.io. You may lodge complaints with the UK Information Commissioner's Office (ico.org.uk).

Cookies and similar technologies

We use a small number of cookies. None of them are used for advertising, cross-site tracking, or fingerprinting.

Strictly necessary cookies

These cookies are set without consent because the service does not function without them.

| Cookie name | Purpose | Duration | First / third party |
|---|---|---|---|
| better-auth.session_token | Maintains your authenticated session after sign-in | 7 days | First party |
| CookieScriptConsent | Stores your cookie category preferences (managed by CookieScript) | 12 months | First party |

Analytics cookies (opt-in)

These cookies require your explicit consent through our cookie banner. They are not set unless you opt in. You can withdraw consent at any time through the cookie banner or by emailing privacy@domaincare.io.

| Cookie name | Purpose | Duration | First / third party |
|---|---|---|---|
| ph_* (PostHog) | Distinguishes users for product analytics. Only set after you accept the performance cookie category. Without consent, PostHog operates in cookieless mode using a daily-rotating server-side hash — no cookies or local storage are used. | 12 months | First party (proxied via /ingest) |

We do not use advertising cookies, social tracking pixels, or fingerprinting techniques. We do not use session replay.

Our cookie consent banner is provided by Cookie-Script. The banner appears on first visit and you can change your preferences at any time through the cookie settings link in the page footer.

No automated decision-making

We do not make decisions about you based solely on automated processing that produce legal effects or significantly affect you, within the meaning of Article 22 GDPR.

The only automated process that affects your service access is the suspension procedure for failed payments. The procedure is described in our Terms of Service (section 6.8). You retain the right to contact us at any time during that process to dispute the suspension or to request human review.

Decisions involving suspected abuse, fraud, or violation of our terms are reviewed by a human before any action is taken.

Children

DomainCare is not directed at, and we do not knowingly collect personal data from, individuals under the age of 16.

We require account holders to be at least 16 years old. By creating an account and accepting our Terms of Service, you confirm you meet this age requirement.

We do not implement an automated age verification system. A credit card payment processed by Stripe is required to subscribe to a paid plan, which provides a practical safeguard against underage subscriptions.

If you believe we have inadvertently collected personal data from someone under 16, contact privacy@domaincare.io and we will delete it without delay.

Security

We protect your data with:

  • TLS 1.2+ for all traffic in transit.
  • Encryption at rest for backups and authentication credentials.
  • Hardened application containers.
  • Principle of least privilege between services.
  • Rate limits on authentication and API endpoints.
  • Regular security review of subprocessors and dependencies.

We monitor our own infrastructure with DomainCare itself. The service status page is at /status.

Vulnerability disclosures should be sent to security@domaincare.io.

Personal data breach notification

If we discover a personal data breach affecting your data, we will notify the relevant supervisory authority within 72 hours where required under GDPR Article 33.

Where a breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay. The notification will describe what happened, the categories of data affected, the likely consequences, and the measures we are taking in response.

Changes to this policy

We may update this policy from time to time. Material changes (changes that affect how we collect, use, or protect your personal data) will be announced by email at least 14 days before they take effect.

Contact