Our commitment: DomainGuard is designed with data minimisation principles at its core. We collect only what is necessary to provide the service, store it securely, and give you full control over it.
Our role under GDPR
Under the UK GDPR and EU GDPR, DomainGuard acts in different capacities depending on the context:
Data Controller
We are the Data Controller for administrator account data — the email addresses, organisation names and billing information of IT administrators who use our service.
Data Processor
We act as a Data Processor for audit log data generated by the browser extension on your employees' devices. Your organisation is the Data Controller for that employee data, and we process it on your behalf according to your instructions (your domain policy configuration).
Legal basis for processing
- Contract performance — processing administrator account data to provide the service you have subscribed to
- Legitimate interests — processing audit log data to provide the security and compliance features of the service
- Legal obligation — retaining billing records as required by UK financial regulations
What data we process
We process the minimum data necessary to provide DomainGuard. See our Privacy Policy for full details. In summary:
- Administrator email addresses and organisation names
- Hashed machine identifiers (cannot identify individuals)
- Login page hostnames where rules were triggered
- Event timestamps and rule match records
We do not process passwords, email addresses typed by employees, browsing history, or any sensitive personal data.
Your rights under GDPR
Right of access
Request a copy of all personal data we hold about you; we respond within 30 days.
Right to rectification
Request correction of any inaccurate personal data we hold.
Right to erasure
Request deletion of your personal data ("right to be forgotten").
Right to portability
Receive your data in a structured, machine-readable format.
Right to object
Object to processing of your data based on legitimate interests.
Right to restrict
Request that we limit how we use your personal data.
To exercise any of these rights, email privacy@domainguard.co. We will respond within 30 days.
Data transfers
DomainGuard stores data on servers hosted by Railway in the United States. We rely on Standard Contractual Clauses (SCCs) as the legal mechanism for transferring personal data outside the UK and EEA.
Stripe (our payment processor) and Microsoft Azure (our SSO provider) are also US-based and operate under their own adequacy frameworks and SCCs.
Data retention
- Audit logs: 30 days (Starter), 90 days (Pro), 1 year (Enterprise)
- Administrator account data: retained while account is active, deleted within 30 days of closure
- Billing records: 7 years as required by UK law
Data breach notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the ICO within 72 hours of becoming aware of it, and affected organisations without undue delay.
Contact our Data Protection team
For all GDPR-related requests and queries:
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe we have not handled your data appropriately.