Last updated: February 21, 2026
This page describes how dontpoke.me handles your information. We built this platform because we were tired of tools that spy on users, so we practice what we preach: minimal collection, zero tracking, no selling your data.
What We Collect (And Why)
1. Account Information
If you create an account
What we collect:
- Email address (for login and alerts)
- Password (hashed with bcrypt; we never see the plaintext)
- Account tier (Free, Pro, or Business)
- Subscription status (via Stripe)
Why we collect it: To let you log in and access paid features; to send breach alerts and monitoring notifications (Pro/Business only); to process payments and manage subscriptions.
What we DON'T collect: Real name (optional, not required), phone number, physical address, or any other personal details.
2. Tool Usage Data
What we collect:
- Inputs you submit (domains, URLs, emails, IP addresses)
- Analysis results (breach data, DNS records, SSL certificates, etc.)
- Timestamps of when you used each tool
- Which tools you used
Why we collect it: To perform the analysis you requested; to show your search history (Free: 7 days, Pro: 90 days, Business: 1 year); to power monitoring & alerts (Pro/Business features); to improve tool accuracy and performance.
What we DON'T do: Build advertising profiles; sell your search data to third parties; cross-reference your searches with other users; share your inputs with data brokers.
Logged-out usage: If you use tools without an account, we process your request but do not store the inputs or results after completing your analysis.
3. Monitoring Jobs
Pro/Business only
What we collect: Targets you choose to monitor (domains, emails); baseline snapshots; change history (what changed and when); alert preferences (email, webhook URLs).
Why we collect it: To continuously check your monitored targets for changes; to send you alerts when we detect changes; to show you historical changes over time.
Your control: You can delete any monitoring job at any time. Deleting a job removes all associated historical data. You control alert frequency and channels.
4. Payment Information
What we collect: Payment method details (stored by Stripe, not us); billing email (if different from account email); transaction history (subscription start/end dates, amounts).
Why we collect it: To process your Pro/Business subscription; to send receipts and invoices; to manage billing disputes and refunds.
What we DON'T collect: Credit card numbers (Stripe handles this); bank account details; full payment card information.
Important: We use Stripe for payment processing. Stripe is PCI-DSS compliant and handles all sensitive payment data. We never see or store your full card number. Read Stripe's privacy policy.
5. Server Logs
What we collect: IP addresses (hashed after 24 hours); user agent strings; requested URLs; timestamps; HTTP status codes.
Why we collect it: To detect and prevent abuse (rate limiting, DDoS protection); to debug technical issues; to understand usage patterns; to comply with legal requirements.
Retention: Raw logs kept for 30 days, then deleted. Aggregated analytics (no IP addresses) kept indefinitely.
6. Analytics
What we track: Page views; tool usage (which tools, how often); conversion events (signups, upgrades); error rates (to identify bugs).
How we track it: Self-hosted analytics (no Google Analytics, no third-party trackers). IP addresses are hashed immediately (we cannot identify individuals). No cross-site tracking, no fingerprinting, no advertising pixels.
What this means: We see "500 people used Breach Scanner today" but we can't see "John Doe from 192.168.1.1 searched for [email protected] at 3:47pm."
How We Use Your Data
Primary uses:
- Tool operation — Process your searches and return results
- Account management — Let you log in, access Pro/Business features
- Monitoring & alerts — Check your monitored targets, send notifications
- Billing — Process payments, send receipts
- Product improvement — Understand which features are useful, fix bugs
We never:
- Sell your data to advertisers, data brokers, or anyone else
- Use your searches for marketing or profiling
- Share your data with third parties for their purposes
- Track you across other websites
- Build shadow profiles
- Monetize your information beyond your subscription fee
Third-Party Services We Use
To provide our tools, we query external services. We do not control their privacy practices.
Tool infrastructure:
- RDAP servers (domain registration data) — Various registries
- Cloudflare DNS-over-HTTPS — Cloudflare Privacy
- SSL Labs API (SSL/TLS analysis) — Qualys
- Certificate Transparency logs — crt.sh, SSLMate
- Have I Been Pwned (breach data) — HIBP Privacy
- Threat intel feeds — URLhaus, PhishTank, AbuseIPDB, AlienVault OTX
Business services:
- Stripe (payment processing) — Stripe Privacy
- Email sending (alerts and receipts) — Server-based (no third-party email service)
When you use a tool, your query (domain, URL, email) is sent to these services to get results. We don't add tracking parameters or share unnecessary information with them.
Data Retention
| Data type | Retention | Why |
|---|---|---|
| Account info | Until you delete your account | To provide service |
| Search history (Free) | 7 days | Feature limitation |
| Search history (Pro) | 90 days | Pro tier benefit |
| Search history (Business) | 1 year | Business tier benefit |
| Monitoring data | Until you delete the job | Ongoing monitoring |
| Server logs (raw) | 30 days | Security, debugging |
| Analytics (aggregated) | Indefinitely | No personal data |
| Payment records | 7 years | Legal requirement (tax) |
You can delete: Individual searches (via dashboard); monitoring jobs (via dashboard); your entire account (via account settings).
Account deletion: When you delete your account, we permanently remove your email and password, all search history, all monitoring jobs, and all personal preferences.
What we keep (anonymized): Payment transaction records (legal requirement); aggregated analytics (no personal identifiers).
Cookies & Local Storage
Cookies we use:
- Session cookie (logged-in state) — Required for authentication
- CSRF token (security) — Prevents cross-site attacks
We do NOT use: Advertising cookies; tracking cookies; third-party analytics cookies; social media cookies.
Browser storage: Some tools may use localStorage or sessionStorage to remember preferences (e.g. dark mode, default tool settings). This data stays on your device, is never sent to our servers, and can be cleared via your browser settings.
Your Privacy Rights
Depending on where you live, you may have legal rights regarding your data:
- Access (GDPR Article 15, CCPA) — Request a copy of the data we hold about you.
- Correction (GDPR Article 16) — Update incorrect information in your account settings.
- Deletion (GDPR Article 17, CCPA) — Delete your account and associated data (see retention exceptions above).
- Portability (GDPR Article 20) — Export your search history and monitoring data in JSON/CSV format.
- Opt-out (CCPA) — Stop receiving marketing emails (we don't send marketing emails anyway, only service alerts).
- Do not sell (CCPA) — We don't sell your data. Period. You're already opted out by default.
How to exercise your rights:
- Log into your account → Settings → Privacy Controls
- Or email us: [email protected]
- We'll respond within 30 days (GDPR/CCPA requirement)
Security Practices
We take security seriously (it's literally our brand). Here's how we protect your data:
Encryption: HTTPS/TLS 1.3 for all connections; bcrypt password hashing (cannot be reversed); encrypted database backups.
Access control: Principle of least privilege; no production database access without audit logging; two-factor authentication for admin accounts.
Infrastructure: Regular security updates (patches within 7 days); automated backups (daily, 30-day retention); rate limiting (prevents abuse and DDoS).
Monitoring: Intrusion detection; failed login tracking (account lockout after 5 attempts); audit logs (all admin actions logged).
Breach notification: If we ever experience a data breach affecting your personal information, we'll notify you via email within 72 hours (GDPR requirement) and report to relevant authorities.
Children's Privacy
dontpoke.me is not directed at children under 13 (or 16 in the EU). We do not knowingly collect information from children. If you believe a child has provided us with personal information, contact us and we'll delete it immediately.
International Users
Our servers are located in: United States.
If you're accessing dontpoke.me from outside this jurisdiction, your data may be transferred internationally. By using our service, you consent to this transfer.
EU/EEA users: We comply with GDPR. Your data is processed lawfully under: Legitimate interest (Article 6(1)(f)) — Providing requested tools; Contract performance (Article 6(1)(b)) — Paid subscriptions; Consent (Article 6(1)(a)) — Optional monitoring features.
Changes to This Policy
We may update this privacy policy when we add new features, change data practices, or comply with new laws.
When we update: We'll change the "Last updated" date at the top; we'll notify Pro/Business users via email for material changes; continued use after changes means you accept the new policy.
Significant changes (e.g. new third-party services, data sharing) will include a 30-day notice period before taking effect.
Contact Us
Questions about privacy? Email: [email protected] — Response time: Within 48 hours (usually faster).
Data requests (access, deletion, etc.): Use "Privacy Controls" in your account settings, or email [email protected] with your account email.
Security issues: Email: [email protected] — We take vulnerability reports seriously and respond quickly.
The Bottom Line
TL;DR:
- We collect what we need to run the tools you use
- We don't sell your data or use it for ads
- You can delete your account and data anytime
- We're transparent about third-party services
- We use self-hosted analytics (no Google tracking)
- Your privacy is why we built this in the first place
We're not lawyers, but we're honest: This privacy policy is written in plain English because we respect your time. If you want the legal details, read the full text above. If you have questions, ask us directly.