v0.1 · Last updated April 2026

Privacy Policy

Draft policy. Operational while we complete counsel review before enterprise sales.

What we collect

  • Account data: email address (used for sign-in and billing).
  • Domain metadata: hostnames you register, verification state, monitoring tier.
  • Google Search Console: read-only OAuth refresh token (encrypted at rest), top-page URLs and aggregate click/impression counts for your verified domains. We do not access your Google account outside the Search Console scope.
  • DMCA notices: publicly-available notice data from the Lumen Database, joined to your domains.
  • Operational logs: request logs, error traces, notification delivery status. Retained 30 days.
  • Payment data: handled by Stripe. We store only the Stripe customer ID and subscription status. We never see your card details.

How we use it

To operate the Service: authenticate you, monitor your domains for DMCA activity, classify notices, match them to high-value URLs via GSC, send notifications, and bill you. We do not sell data. We do not profile you for advertising.

Where it lives

Infrastructure is Cloudflare (D1 SQLite, R2 object storage, KV, Workers). Default region is the EU. Operational emails go via Resend (EU region). AI drafting calls go to Anthropic (US). We send the content of the notice and your provided facts. No account identifiers are included in prompts.

Third parties that process data

  • Cloudflare: hosting, storage, compute
  • Stripe: payments and subscription billing
  • Resend: transactional email
  • Anthropic: AI-assisted drafting
  • Google: Search Console OAuth
  • Lumen Database: publicly-available DMCA notices
  • Cal.com: expert-consultation scheduling

Your rights (GDPR + equivalents)

You can access, export, correct, or delete your data at any time from the app. For requests we can't self-serve (e.g. deletion requests after account closure), email privacy@dmcaboss.com and we'll respond within 30 days.

Cookies

We use one HttpOnly cookie to keep you signed in. We do not use advertising or tracking cookies. Aggregate product analytics are collected via Cloudflare Web Analytics, which does not set cookies or store personal data.

Data retention

  • Account data: until you delete your account, then purged within 30 days.
  • DMCA notices: 90 days in hot storage, then archived to encrypted cold storage.
  • Operational logs: 30 days.
  • Billing records: 7 years (tax-law requirement).

Security

GSC refresh tokens are AES-GCM encrypted with a key held only in Cloudflare Workers Secrets. Session tokens are signed HMAC-SHA256 and revocable server-side. All transport is TLS 1.2+. Stripe webhooks are signature-verified.

Contact

Data controller: Ivana Flynn, 10 Granada Apartment, Qawra Coast Road, Qawra SPB 1904, Malta. VAT MT25977802. Email: privacy@dmcaboss.com.