Privacy Policy
Last updated: May 9, 2026
Who We Are
DomainLens Pro ("the app") is operated by Aegyrix LLC ("we", "us", "our"), a Pennsylvania limited liability company. Aegyrix LLC is the data controller for the limited personal data described below. Contact: domainlenspro.com/support.
Summary
- The app works fully without an account. Without sign-in, no personal data leaves your device.
- We do not use analytics, advertising SDKs, or third-party trackers in the app.
- We do not sell, rent, or share personal data with anyone for marketing.
- Optional Google Sign-In stores only your email and display name on our backend, solely to sync your scan history.
- You can delete your data and your account at any time.
What the App Collects
Domain queries you scan are sent from your device directly (or via our scan backend) to public services so we can return results. The only data transmitted is the domain, IP, or URL you choose to scan. We do not record what you scan unless you are signed in and choose to save scan history.
Optional sign-in. If you choose to sign in, the app supports five methods: Sign in with Apple, Google, Microsoft, GitHub, and email one-time code (a 6-digit code sent to the address you enter — no password). You only ever use one. Whichever you choose, the only personal data we receive and store is the email address and display name returned by that provider, plus an opaque provider-issued user identifier so we can recognize you on next sign-in. We do not collect or store passwords. We do not request access to your contacts, calendar, files, social graph, or any other data from these providers.
Sign in with Apple — note on private email relay. If you use Apple's private-relay email option, we receive the relay address Apple generates for you, never your real email. Replies we send to that address are forwarded by Apple to your real inbox.
Scan history (signed-in users only). When signed in, scan results you choose to save are encrypted in transit (TLS 1.2+) and at rest (AES-256) on our backend, retained for up to 90 days, and deletable at any time from inside the app. The list of domains you have scanned, taken together, constitutes a per-account search history in the sense Apple uses that term in its App Store privacy questionnaire; it is linked to your account, used solely to power the in-app history and re-scan features, and never sold, rented, shared with advertisers, or used to build a profile about you.
Crash diagnostics (signed-in users only). If the app encounters an unhandled error, the app sends a single crash report to api.domainlenspro.app containing: the redacted exception message and stack trace, the device model name, the platform (iOS, macOS, Android, Windows), and the app version. The report is associated with your account so we can correlate the fix with the user who hit the bug. Before the report leaves your device it is run through our in-app log redactor, which removes OAuth codes, JWTs, Bearer tokens, provider-issued secrets, RFC 1918 / loopback / link-local IP addresses, and any infrastructure or brand identifiers. Public IP addresses are preserved so the bug report carries useful network context. Crash reports are used solely to fix bugs (“App Functionality” in Apple’s taxonomy); they are never used for analytics, marketing, ad targeting, or tracking. Signed-out users send no crash reports at all.
Locally on your device. Theme, language, and preference settings, and any reports you export (JSON, CSV, Markdown, HTML, Plain Text, AI Prompt, PDF) are stored on your device by your explicit action. We never receive a copy.
What This Website Collects
The marketing website at domainlenspro.com serves static pages and runs no analytics or advertising. The only personal data processing happens on the support page, where we collect:
- The name, email address, subject, and message you enter, so we can reply.
- Your IP address and browser user-agent at the moment of submission, used only to detect abuse and rate-limit submissions.
- A short-lived dlp_csrf cookie (HttpOnly, SameSite=Strict, 1 hour) used solely for cross-site request forgery protection — it contains no tracking identifiers.
- A Cloudflare Turnstile challenge to block bots; Turnstile may set its own short-lived technical cookies as described in Cloudflare's privacy policy. We receive only a pass/fail signal, not your Cloudflare profile.
Support submissions are emailed to our internal support inbox and retained while needed to handle your request, then deleted. We do not use any information you submit for marketing.
Third-Party Services Your Scans Reach
To answer a scan, the app or our scan backend contacts public Internet services. The query they receive is the domain, IP, or URL you submitted — never your name, email, account, or location:
- Public DNS resolvers — A, AAAA, MX, NS, TXT, SOA, CNAME, CAA, DNSSEC, HTTPS/SVCB
- RDAP / WHOIS registries — registration metadata
- crt.sh — Certificate Transparency log lookups
- NVD (NIST National Vulnerability Database) — CVE lookups for detected technology
- DNSBL services — IP/domain reputation
- The target server itself — TLS handshake, HTTP headers, exposure probes
These services have their own privacy policies. We do not control how they handle the queries you send.
Data Retention
We keep personal data only as long as it serves the purpose it was collected for, then delete it. Specific schedules:
- Anonymous scans (no sign-in) — Not stored. Results live in memory on your device only and are discarded when you close the app.
- Scan history (signed-in users) — Up to 90 days rolling. Records older than 90 days are automatically and permanently deleted from our backend each day. You can also delete individual scans, or wipe all history, at any time from inside the app.
- Account record (email + display name + provider user ID) — Retained while your account is active. You can delete your account at any time from inside the app (Profile → Danger Zone → Delete My Account). When you do, the account is signed out immediately and scheduled for permanent deletion 7 days later. During that 7-day grace window the account remains inaccessible to anyone (including you), and you can restore it just by signing back in. After 7 days, the account and all associated scan history, preferences, and linked sign-in providers are permanently and irreversibly deleted from our backend. Accounts with no sign-in for 6 consecutive months are auto-scheduled for the same 7-day deletion window after a 30-day notice email.
- Support form submissions — Retained in our internal support inbox while needed to handle your request, and deleted within 90 days of resolution.
- Marketing-site server logs (IP, user-agent, request timestamp) — Retained for up to 30 days for security and abuse-prevention purposes, then automatically rotated and deleted.
- CSRF cookie (dlp_csrf) — Expires 1 hour after issuance.
- Cloudflare Turnstile technical cookies — Managed by Cloudflare; typically expire within 30 minutes. See Cloudflare's privacy policy.
- Locally exported reports and preferences — Stored on your device for as long as you keep them. We never receive a copy and cannot delete them remotely.
- Encrypted backups — Follow the same retention windows above; deletion requests propagate to backups within 35 days.
If a legal obligation (for example, a tax record, a court order, or an active fraud investigation) requires us to keep specific data longer than the schedules above, we retain only what the obligation requires and delete the rest.
Legal Basis (GDPR / UK GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, our legal bases are:
- Consent — sign-in via Apple, Google, Microsoft, GitHub, or email one-time code; support form submission.
- Legitimate interests — abuse prevention, fraud detection, securing the service (IP and user-agent logging on the support form, rate limiting, Turnstile).
- Contract — providing scan-history sync to signed-in users.
Your Rights
Subject to applicable law, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Correction — ask us to correct inaccurate data.
- Deletion — delete individual scans or wipe all scan history at any time from inside the app, or use Profile → Danger Zone → Delete My Account to schedule your full account for permanent deletion (7-day grace window, restore by signing back in).
- Portability — request export of your scan history (the app already provides JSON/CSV export).
- Objection / restriction — ask us to stop or limit processing.
- Withdraw consent — at any time, by signing out or contacting us.
- Lodge a complaint — with your local data-protection authority.
To exercise any right, send us a request through domainlenspro.com/support. We respond within 30 days.
California Residents (CCPA / CPRA)
We do not sell or share your personal information as those terms are defined under the California Consumer Privacy Act, and we have not done so in the preceding 12 months. We do not use personal information for cross-context behavioral advertising. California residents have the same access, deletion, and correction rights described above and the right not to be discriminated against for exercising them.
Children's Privacy
DomainLens Pro is not directed to children under 13 (or under 16 in the EEA / UK). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us and we will delete it.
International Transfers
We are based in the United States. If you access the service from outside the United States, your data is transferred to and processed in the United States. We rely on appropriate safeguards including Standard Contractual Clauses where required.
Security
The app pins TLS to our scan backend. Data in transit uses TLS 1.2+ with modern AEAD ciphers and post-quantum hybrid key exchange where the server supports it. Stored personal data is encrypted at rest with AES-256. Access to backend systems is restricted by least-privilege controls and audited. No system is perfectly secure; if we ever discover a breach affecting your data, we will notify you and the relevant authorities as required by law.
App Distribution
DomainLens Pro is distributed via the Apple App Store for iPhone, iPad, and Mac, and (coming soon) the Microsoft Store for Windows. Apple and Microsoft may collect data related to app installation, crashes, and updates as described in Apple's Privacy Policy and the Microsoft Privacy Statement. We receive only aggregate, non-identifying download and crash metrics from these stores.
Changes to This Policy
We may update this policy from time to time. Material changes will be reflected on this page with an updated date. Continued use of the app or website after the effective date constitutes acceptance of the revised policy.
Contact
Questions, requests, or complaints? Reach us at domainlenspro.com/support. We typically reply within one business day.
Aegyrix LLC · Pennsylvania, USA · governing law: Commonwealth of Pennsylvania.