Privacy Policy
Last updated: April 5, 2026
Domainless ("we," "our," "the Platform") is operated by J&G Studios.
This Privacy Policy explains what data we collect, how we use it, and
your rights regarding that data.
1. Data We Collect
| Data Type |
What |
Why |
| Account info |
Email, username, hashed password |
Authentication and account recovery |
| Profile info |
Bio, avatar image, cosmetic preferences |
Displaying your profile to others |
| Public posts |
Text, images, links, visibility setting |
Displaying content in feeds |
| Encrypted content |
Ciphertext of DMs and friends-only posts |
Delivery to recipients (we cannot read this) |
| Social graph |
Friends, followers, blocks |
Content visibility, feed filtering, moderation |
| Transactions |
Coin purchases, amounts, timestamps |
Purchase history, fraud prevention |
| Usage data |
IP address, request timestamps, error logs |
Security, rate limiting, debugging |
| Reports |
Reporter ID, reason, reported content/user |
Content moderation |
2. End-to-End Encryption
Domainless uses end-to-end encryption (E2EE) for direct messages and
friends-only posts. This is a core privacy commitment:
-
We cannot read your encrypted messages or friends-only
posts.
We store only the ciphertext.
-
Encryption keys are generated in your browser using the Web Crypto API
(ECDH P-256 + AES-GCM).
-
Your private key is stored only in your browser's localStorage.
We never receive or store your private key.
-
Your public key is stored on our server to enable key exchange with
other users.
-
If you clear your browser data, your private key is permanently lost
and encrypted content becomes unrecoverable.
What is NOT encrypted: Public posts, follower-only
posts, comments, stories, usernames, profile info, and image files
uploaded to posts or DMs.
3. How We Use Your Data
-
To operate the Platform: Display your content,
deliver messages, manage your account
-
To process payments: Coin purchases via Stripe (we do
not store card details)
-
To enforce our Terms: Review reports, moderate
content, prevent abuse
-
To improve the Platform: Aggregate usage statistics
(e.g., daily active users, posts per day)
-
To protect security: Rate limiting, error logging,
blocking malicious activity
4. Data We Do NOT Collect
- We do not use third-party analytics or tracking scripts
- We do not serve advertisements
-
We do not sell, rent, or share your data with third parties for
marketing
-
We do not use cookies for tracking (only browser localStorage for
authentication)
-
We do not perform behavioral profiling or algorithmic content ranking
5. Payment Processing
Coin purchases are processed by Stripe. When you make a
purchase:
-
Your payment details (card number, billing address) are sent directly
to Stripe and never touch our servers
-
We receive a transaction confirmation with the amount and a Stripe
transaction ID
-
Stripe's
Privacy Policy
applies to payment data
6. Image Uploads
Images uploaded to posts, profiles, or DMs are stored on our server in
the /uploads/ directory. Image files are:
-
Not encrypted — even in DMs, image files are stored
as-is
-
Accessible via direct URL if someone knows the filename (random
filenames provide obscurity, not security)
-
Not automatically deleted when the associated post or message is
deleted (cleanup happens periodically)
7. Data Retention
-
Account data: Retained until you delete your account
-
Posts and comments: Retained until deleted by you or
removed by moderation
-
Encrypted messages: Retained indefinitely (we cannot
read them, so we cannot selectively delete based on content)
-
Stories: Automatically expire after 24 hours and are
no longer served, but may remain in the database
-
Server logs: Retained for 30 days, then deleted
-
Backups: Database backups are retained for 7 days
8. Your Rights
You have the right to:
-
Access your data: View your profile, posts, messages,
and account information through the Platform
-
Delete your content: Delete individual posts and
comments at any time
-
Delete your account: Contact us to request full
account deletion
-
Block users: Prevent specific users from seeing your
content or contacting you
-
Export your keys: Back up your E2EE encryption keys
from your browser
-
Control visibility: Choose who sees each post
(Public, Followers, Friends Only)
9. Data Security
We take the following measures to protect your data:
- All connections are encrypted in transit via HTTPS (TLS)
- Passwords are hashed with bcrypt (10 rounds)
- Private message content is end-to-end encrypted
- Authentication uses JWT tokens with strong secrets
- Rate limiting prevents brute-force attacks
- CORS is restricted to our domain
No system is perfectly secure. We cannot guarantee absolute security,
but we are committed to protecting your data with industry-standard
practices.
10. Children's Privacy
Domainless is not intended for children under 13. We do not knowingly
collect data from children under 13. If we learn that we have collected
data from a child under 13, we will delete the account and associated
data promptly.
11. Where Data Is Stored
All data is stored on a self-hosted server located in the United States.
Data is not transferred to or stored in other countries. Backups are
stored locally on the same server.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes
will be communicated via the Platform. The "Last updated" date at the
top reflects the most recent revision.
13. Contact
For privacy questions, data requests, or account deletion, contact us at
the email associated with J&G Studios or through the Platform's
reporting system.