Legal

Privacy Policy

Last updated July 7, 2026

TemplateThis is a good-faith template drafted for an open-source project. It is not legal advice and must be reviewed and adapted by qualified counsel before you rely on it in production.

This policy explains how Custom Domain handles personal data when you use our hosted service, embed our widget, connect a domain, or visit our sites. Custom Domain is embed-first infrastructure, so we play two roles: a controller for our own customer accounts and site visitors, and a processor for the end-user and domain data our customers send us. Both are covered below.

1. Who we are and our two roles

Custom Domain ("Custom Domain," "we," "us," or "our") provides open-source custom-domain onboarding for SaaS platforms: automatic DNS configuration, automatic TLS/SSL, a reverse-proxy edge, an optional domain registrar, and monitoring. The software is open source and self-hostable; we also operate a hosted version (the "Service") at app.customdomain.ai.

The operating legal entity, its registered address, and its data protection registrations are to be confirmed by counsel before launch. Under data-protection law we act in two capacities:

  • As a controller, for personal data about our direct customers (the SaaS platforms and developers who hold Custom Domain accounts), prospects, and visitors to our websites — for example, account and billing data and site analytics.
  • As a processor (or sub-processor), for the personal data our customers submit to the Service about theirend-users and domains — for example, the custom domains being connected, DNS records, and end-user identifiers passed through the widget. We process that data only on our customers' documented instructions under the Data Processing Addendum (DPA).

2. Scope

This policy applies to the hosted Service and our public web surfaces. It does not apply to third-party services you reach through the Service (such as your own DNS provider), to our customers' own products, or to deployments you self-host — in a self-hosted install you are the operator and this policy does not govern the data you process (see section 13).

3. Personal data we collect

3.1 Customer account data (we are the controller)

  • Identity and login: name, email address, and either a hashed password or a Google sign-in identifier, managed by our authentication layer.
  • Organization and configuration: workspace/tenant name, applications, API keys (stored only as salted or hashed values), webhook endpoints, team members, and roles.
  • Billing data: plan, subscription status, and usage counts. Card payments are handled by our payment processor (Stripe); we do not receive or store full card numbers.
  • Support and communications: messages you send us and related metadata.

3.2 End-user and domain data (we are the processor)

  • Domain and DNS data: the custom domains being connected, the DNS records we compute and apply, verification status, certificate status, and origin/health information.
  • End-user identifiers: identifiers our customers pass through the embedded widget or API to associate a connection with one of their end-users, plus short-lived, application-scoped tokens.
  • Bring-your-own DNS credentials: when an end-user authorizes automatic DNS changes, the provider access token is used once to apply the requested records and is then discarded — it is not stored.
  • Registrant details (registrar feature only): if a customer uses the domain-purchase feature, the registrant contact information required by the registry (name, postal address, email, phone) is processed to register the domain.

3.3 Technical data (both roles)

  • Session and security: first-party session and CSRF cookies (see the Cookie Policy).
  • Server logs: request method, path, status, and timing. Our request logs are designed to exclude tokens, request bodies, and query strings.
  • Audit events: security- and account-relevant events for integrity and troubleshooting.

We do not use advertising cookies, cross-site trackers, or third-party analytics that profile individuals across sites.

4. How and why we use it (purposes and legal bases)

Where the EU/UK GDPR applies and we act as a controller, we rely on the legal bases below. Where we act as a processor, the legal basis is our customer's, and we process only on their instructions.

PurposeExample dataLegal basis (controller)
Provide and operate the Service (accounts, connecting domains, issuing certificates)Account data, domain/DNS dataPerformance of a contract
Billing and fraud preventionBilling data, usage countsContract; legal obligation
Security, abuse prevention, and service integrityLogs, audit events, IP metadataLegitimate interests (securing the Service)
Product improvement and troubleshootingAggregated usage, error dataLegitimate interests
Service and transactional communicationsEmail, account statusContract; legitimate interests
Marketing emails (where sent)Email, preferencesConsent or legitimate interests, with opt-out
Legal compliance and defense of claimsAs neededLegal obligation; legitimate interests

Where we rely on legitimate interests, we have weighed those interests against your rights. You may object to processing based on legitimate interests (see section 10).

5. When we act as a processor

For end-user and domain data (section 3.2), our customer is the controller and decides the purposes of processing. We:

  • process that data only on the customer's documented instructions;
  • impose confidentiality on personnel with access;
  • apply the technical and organizational measures described in our Security page;
  • engage sub-processors only under written terms and with notice of changes (see the Sub-processors list);
  • assist the customer with data-subject requests and with breach notification; and
  • delete or return the data at the end of the engagement, subject to legal retention.

These commitments are contractual under our Data Processing Addendum. If you are an end-user of one of our customers and want to exercise your rights, please contact that customer (the controller); we will support them in responding.

6. How we share data

We share personal data only as needed to run the Service:

  • Sub-processors: vetted vendors that host, secure, or support the Service — see the current Sub-processorslist (AWS, Stripe, Cloudflare, Let's Encrypt, and the domain registrar, among others).
  • At your direction: the DNS providers and registries you or your end-users choose to connect. Those providers are independent controllers of the data you send them.
  • Legal and safety: where required by law or to protect rights, safety, and the integrity of the Service.
  • Business transfers: in a merger, acquisition, or asset sale, subject to this policy.

We do not sell personal data, and we do not "share" it for cross-context behavioral advertising as those terms are defined under U.S. state privacy laws.

7. International data transfers

We are based in, and primarily host the Service in, the United States (our infrastructure runs in a U.S. region). If you are in the EEA, the UK, or Switzerland, your personal data may be transferred to the United States and other countries.

For such transfers we rely, as applicable, on the EU-U.S. Data Privacy Framework and its UK Extension and Swiss-U.S. framework where a recipient is certified, and otherwise on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum), supported by a transfer risk assessment. You can request a copy of the relevant transfer safeguards using the contact details in section 15.

8. Data retention

We keep personal data only as long as needed for the purposes above:

  • Account data: for the life of your account, then deleted or anonymized within a reasonable period after closure, except where we must retain records (for example, tax and accounting).
  • End-user/domain data:per our customer's instructions and the DPA; returned or deleted at the end of the engagement.
  • Bring-your-own DNS tokens: not retained — used once and discarded.
  • Logs and audit events: retained for a limited period for security and troubleshooting, then rotated out.

9. Security

We apply technical and organizational measures appropriate to the risk, including encryption in transit, encryption of sensitive secrets at rest, tenant isolation, least-privilege access, and network hardening. Details, and how to report a vulnerability, are on our Security page. No method of transmission or storage is perfectly secure, but we work continuously to protect your data.

10. Your privacy rights

10.1 EEA / UK (GDPR)

Subject to conditions and exemptions, you may have the right to access, rectify, erase, restrict, or object to processing, to data portability, and to withdraw consent. You also have the right to lodge a complaint with a supervisory authority (in the UK, the ICO).

10.2 United States (California and other states)

Depending on your state, you may have the right to know, access, delete, and correct personal information, to opt out of sale/sharing and of certain targeted advertising and profiling, and to limit the use of sensitive personal information — with a right to non-discrimination for exercising them. We do not sell or share personal information for cross-context behavioral advertising. We honor recognized opt-out preference signals, including Global Privacy Control (GPC), where applicable.

10.3 How to exercise your rights

Contact us at [email protected]. We will verify your request and respond within the timeframes required by law. You may use an authorized agent where permitted. If your data was submitted to us by one of our customers (we are the processor), we will refer or assist that customer, who is the controller.

11. Cookies

The console uses only strictly-necessary, first-party cookies (session and security). We do not use advertising or cross-site tracking cookies. See the Cookie Policy for details.

12. Children

The Service is a business tool and is not directed to children. We do not knowingly collect personal data from children under 16 (or the applicable age of digital consent). If you believe a child has provided us personal data, contact us and we will delete it.

13. Self-hosting

If you deploy the open-source software yourself, you operate the software and control the data it processes. In that case we are neither controller nor processor for your deployment, and this policy does not apply to it. You are responsible for your own privacy compliance.

14. Changes to this policy

We may update this policy from time to time. We will change the "last updated" date above and, for material changes, provide a more prominent notice. Continued use of the Service after an update means you accept the revised policy.

15. Contact, Data Protection Officer, and EU/UK representatives

Privacy questions and requests: [email protected]. Our data protection contact can be reached at [email protected].

To be appointed before EU/UK launch: if we target the EEA or UK without an establishment there, we will appoint an Article 27 EU representative and a UK representative and publish their contact details here. Until appointed, these are placeholders for counsel to complete.