Summary: DomainGuard collects minimal data necessary to provide the service. We do not sell your data, do not track personal browsing, and do not store passwords. Employee data is limited to hashed machine identifiers and login page hostnames for audit purposes only.
Contents
1. Who we are
DomainGuard ("we", "us", "our") provides an enterprise browser extension and cloud management platform that helps IT administrators enforce corporate email domain policies across managed devices.
We operate the website at domainguard.co, the admin console at app.domainguard.co, and the API at api.domainguard.co.
For questions about this policy, contact us at privacy@domainguard.co.
2. What data we collect
2.1 Administrator account data
When an IT administrator creates a DomainGuard account, we collect:
- Email address
- Organisation name
- Password (stored as a bcrypt hash — never in plaintext)
- Azure AD tenant ID (if using Microsoft SSO login)
- Billing information (processed and stored by Stripe — we never store card details)
2.2 Domain policy configuration
IT administrators define domain rules (e.g. "on slack.com, require @contoso.com"). This configuration data is stored and associated with your organisation account.
2.3 Audit log data (from the browser extension)
When the DomainGuard browser extension is deployed on an employee's device, the following events are logged:
- Event type — e.g. "rule_match", "policy_sync"
- Site hostname — e.g. "slack.com" (not the full URL, not page content)
- Hashed machine identifier — a randomly generated UUID specific to that browser installation, stored as a one-way hash. It cannot be used to identify a specific person.
- Timestamp
What we do NOT collect from employees: We never collect passwords, email addresses typed by employees, full URLs, page content, browsing history, keystrokes, or any personal data beyond what is listed above.
2.4 Website visitor data
When you visit domainguard.co we may collect standard web server logs including IP address, browser type, and pages visited. This data is used solely for security and performance monitoring and is not sold or shared.
3. How we use your data
We use the data we collect to:
- Provide and operate the DomainGuard service
- Authenticate administrators and manage access
- Deliver domain policy rules to browser extensions
- Provide audit logs to IT administrators within their organisation
- Process subscription payments via Stripe
- Send transactional emails (account setup, billing receipts)
- Respond to support requests
- Improve the service based on aggregate usage patterns
We do not use your data for advertising, profiling, or any purpose beyond providing the DomainGuard service.
4. Data storage and security
All DomainGuard data is stored on servers hosted by Railway (railway.app) in the United States. Data is encrypted in transit using TLS 1.2 or higher.
Security measures we employ include:
- Passwords stored using bcrypt hashing (never plaintext)
- API tokens stored as SHA-256 hashes (never plaintext)
- Short-lived JWT tokens for authentication (1-hour expiry)
- Organisation data is strictly isolated — no cross-tenant data access
- Rate limiting on all API endpoints
- HTTPS enforced on all connections
5. Data sharing
We do not sell, rent or trade your personal data. We share data only with the following trusted service providers who process it on our behalf:
- Railway — cloud hosting and database infrastructure
- Stripe — payment processing (governed by Stripe's own privacy policy)
- Microsoft Azure — SSO authentication for admin logins
We may disclose data if required by law, court order, or to protect the rights and safety of DomainGuard and its users.
6. Data retention
We retain data for the following periods:
- Audit log events — 30 days (Starter), 90 days (Pro), 1 year (Enterprise)
- Administrator account data — retained while the account is active, deleted within 30 days of account closure
- Billing records — retained for 7 years as required by UK financial regulations
- API tokens — hashed tokens are retained until revoked or the organisation is deleted
7. Your rights
Under UK GDPR and the Data Protection Act 2018, you have the following rights:
- Right of access — request a copy of the data we hold about you
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your personal data
- Right to portability — request your data in a machine-readable format
- Right to object — object to processing of your personal data
- Right to restrict processing — request that we limit how we use your data
To exercise any of these rights, contact us at privacy@domainguard.co. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
8. Cookies
The DomainGuard website (domainguard.co) does not use tracking or advertising cookies. The admin console (app.domainguard.co) uses browser localStorage to store your authentication session — this is essential for the service to function and does not track you across other websites.
9. Children's privacy
DomainGuard is an enterprise service intended for use by organisations and their IT administrators. We do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us with personal data, please contact us at privacy@domainguard.co.
10. Changes to this policy
We may update this privacy policy from time to time. We will notify administrators of material changes by email at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
Continued use of DomainGuard after changes take effect constitutes acceptance of the updated policy.
11. Contact us
For any privacy-related questions or requests:
- Email: privacy@domainguard.co
- Website: domainguard.co