Privacy Policy
Last updated: April 5, 2026
Domainless ("we," "our," "the Platform") is operated by J&G Studios.
This Privacy Policy explains what data we collect, how we use it, and
your rights regarding that data.
1. Data We Collect
| Data Type | What | Why |
| --- | --- | --- |
| Account info | Email, username, hashed password | Authentication and account recovery |
| Profile info | Bio, avatar image, cosmetic preferences | Displaying your profile to others |
| Public posts | Text, images, links, visibility setting | Displaying content in feeds |
| Encrypted content | Ciphertext of DMs and friends-only posts | Delivery to recipients (we cannot read this) |
| Social graph | Friends, followers, blocks | Content visibility, feed filtering, moderation |
| Transactions | Wallet transfers, amounts, timestamps | Purchase history, fraud prevention |
| Usage data | IP address, request timestamps, error logs | Security, rate limiting, debugging |
| Reports | Reporter ID, reason, reported content/user | Content moderation |
2. End-to-End Encryption
Domainless uses end-to-end encryption (E2EE) for direct messages and
friends-only posts. This is a core privacy commitment:
- We cannot read your encrypted messages or friends-only posts. We store
  only the ciphertext.
- Encryption keys are generated in your browser using the Web Crypto API
  (ECDH P-256 + AES-GCM).
- Your private key is stored only in your browser's localStorage. We
  never receive or store your private key.
- Your public key is stored on our server to enable key exchange with
  other users.
- If you clear your browser data, your private key is permanently lost
  and encrypted content becomes unrecoverable.
What is NOT encrypted: Public posts, follower-only
posts, comments, stories, usernames, profile info, and image files
uploaded to posts or DMs.
3. How We Use Your Data
- To operate the Platform: Display your content, deliver messages,
  manage your account
- To process payments: Wallet transfers via Stripe (we do not store card
  details)
- To enforce our Terms: Review reports, moderate content, prevent abuse
- To improve the Platform: Aggregate usage statistics (e.g., daily
  active users, posts per day)
- To protect security: Rate limiting, error logging, blocking malicious
  activity
4. Data We Do NOT Collect
- We do not use third-party analytics or tracking scripts
- We do not serve advertisements
- We do not sell, rent, or share your data with third parties for
  marketing
- We do not use cookies for tracking (only browser localStorage for
  authentication)
- We do not perform behavioral profiling or algorithmic content ranking
5. Payment Processing
Wallet transfers are processed by Stripe. When you make a
purchase:
- Your payment details (card number, billing address) are sent directly
  to Stripe and never touch our servers
- We receive a transaction confirmation with the amount and a Stripe
  transaction ID
- Stripe's Privacy Policy applies to payment data
6. Image Uploads
Images uploaded to posts, profiles, or DMs are stored on our server in
the /uploads/ directory. Image files are:
- Not encrypted — even in DMs, image files are stored as-is
- Accessible via direct URL if someone knows the filename (random
  filenames provide obscurity, not security)
- Not automatically deleted when the associated post or message is
  deleted (cleanup happens periodically)
7. Data Retention
- Account data: Retained until you delete your account
- Posts and comments: Retained until deleted by you or removed by
  moderation
- Encrypted messages: Retained indefinitely (we cannot read them, so we
  cannot selectively delete based on content)
- Stories: Automatically expire after 24 hours and are no longer served,
  but may remain in the database
- Server logs: Retained for 30 days, then deleted
- Backups: Database backups are retained for 7 days
8. Your Rights
You have the right to:
- Access your data: View your profile, posts, messages, and account
  information through the Platform
- Delete your content: Delete individual posts and comments at any time
- Delete your account: Contact us to request full account deletion
- Block users: Prevent specific users from seeing your content or
  contacting you
- Export your keys: Back up your E2EE encryption keys from your browser
- Control visibility: Choose who sees each post (Public, Followers,
  Friends Only)
9. Data Security
We take the following measures to protect your data:
- All connections are encrypted in transit via HTTPS (TLS)
- Passwords are hashed with bcrypt (10 rounds)
- Private message content is end-to-end encrypted
- Authentication uses JWT tokens with strong secrets
- Rate limiting prevents brute-force attacks
- CORS is restricted to our domain
No system is perfectly secure. We cannot guarantee absolute security,
but we are committed to protecting your data with industry-standard
practices.
10. Age Requirement
Domainless is intended for users aged 18 and older. We do not knowingly
collect data from anyone under 18. By creating an account, you confirm
that you are at least 18 years old. If we learn that a user is under 18,
we will delete the account and associated data promptly.
11. Where Data Is Stored
All data is stored on a self-hosted server located in the United States.
Data is not transferred to or stored in other countries. Backups are
stored locally on the same server.
12. California Consumer Privacy Act (CCPA / CPRA)
If you reside in California, the California Consumer Privacy Act as
amended by the California Privacy Rights Act ("CCPA") provides
additional rights regarding your personal information. J&G Studios
is the "business" under the CCPA for the purposes of operating
Domainless.
Categories of personal information we collect
See Section 1 above. In CCPA terminology this maps to: identifiers
(email, username, IP), commercial information (Wallet transfers), internet
activity (request logs), inferences drawn from that data (none — we do
not perform behavioral profiling).
Sale or sharing
We do not sell your personal information.
We do not "share" your personal information for cross-context behavioral
advertising. We have not done so in the preceding twelve months and have
no plans to.
Your CCPA rights
- Right to know. You can request a copy of the personal information we
  have about you, including the categories collected, the sources, the
  purpose of collection, and any third parties we have disclosed it to.
- Right to delete. You can request deletion of your personal
  information, subject to limited exceptions for legal obligations and
  account-recovery windows.
- Right to correct. You can request that we correct inaccurate personal
  information.
- Right to limit use of sensitive personal information. Beyond the
  inherent limitations of our zero-PII-tracking design, you can
  affirmatively restrict any sensitive PI usage by contacting us.
- Right to non-discrimination. Exercising any of these rights will not
  result in any change to the service we provide you.
To exercise any of these rights, contact us at
privacy@domainless.fun or use the on-platform
takedown tool (Section 14 below). We will verify
your identity by matching the request to an authenticated session or to
a confirmed email address on file. We respond within 45 days; if more
time is needed, we will notify you in writing within the initial 45-day
window.
13. General Data Protection Regulation (GDPR / UK GDPR)
If you reside in the European Economic Area, the United Kingdom, or
Switzerland, the GDPR (and its UK and Swiss analogues) provides the
rights below. J&G Studios acts as the
data controller for your personal data; we do not
currently engage non-essential processors beyond Stripe (payments) and
Let's Encrypt (TLS).
Lawful basis for processing
- Contract (Art. 6(1)(b)) — for operating your account, delivering
  messages, processing transactions you initiate.
- Legitimate interest (Art. 6(1)(f)) — for security, abuse detection,
  rate limiting, and aggregate analytics that contain no personally
  identifying data.
- Consent (Art. 6(1)(a)) — for any optional feature you explicitly opt
  into (e.g., push notifications, email alerts). You can withdraw
  consent at any time in account settings.
- Legal obligation (Art. 6(1)(c)) — for response to lawful subpoenas,
  DMCA notices, and tax reporting.
Your GDPR rights
- Access (Art. 15) — request a copy of your personal data.
- Rectification (Art. 16) — correct inaccurate data.
- Erasure (Art. 17, "right to be forgotten") — request deletion, subject
  to legal-retention exceptions.
- Restriction of processing (Art. 18) — pause processing during a
  dispute or while data is being verified.
- Portability (Art. 20) — receive your data in a structured,
  machine-readable format.
- Object (Art. 21) — object to legitimate-interest-based processing on
  grounds relating to your particular situation.
- Withdraw consent (Art. 7(3)) — at any time, without affecting the
  lawfulness of processing performed before withdrawal.
- Lodge a complaint (Art. 77) — with your local supervisory authority
  (e.g., the ICO in the UK, the CNIL in France). We would prefer you
  contact us first so we can make it right.
International transfers
Our servers are located in the United States. If you access the platform
from the EEA / UK / Switzerland, your data is transferred to the U.S. in
the course of operating your account. We rely on the EU-U.S. Data
Privacy Framework where applicable; if you require alternate safeguards
(Standard Contractual Clauses, etc.) please contact us.
14. The Domainless Takedown Tool
Beyond the rights we are obligated to honor under CCPA and GDPR, every
Domainless account ships with a free, on-platform takedown tool at
domainless.fun/antidoxx. It auto-generates CCPA / GDPR / state-law deletion letters targeted
at common third-party data brokers — companies unrelated to us that have
collected your information from public records, scraping, or commercial
data exchanges.
Free use is unmetered for self-service drafting and sending. A
subscription tier ("Erase Pro") automates re-checks and re-submissions
on a schedule. Either way, the tool is for operating
against third-party brokers — not against Domainless itself,
since we hold very little of your data to begin with.
15. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes
will be communicated via the Platform. The "Last updated" date at the
top reflects the most recent revision.
16. Contact
For privacy questions, data requests, or account deletion, email
privacy@domainless.fun or use the in-app reporting system.
CCPA-specific requests can be sent to the same address; please include
"CCPA Request" in the subject. GDPR-specific requests can be sent to the
same address with "GDPR Request" in the subject.