Privacy policy
We keep data collection narrow and purposeful. This policy explains exactly what we store, why we store it, who processes it on our behalf, and the controls you have over it.
Who is responsible
The controller for personal data processed through the service is ChatDomain, operator of chatdomain.ai. Questions, access requests, and deletion requests can be sent to privacy@chatdomain.ai.
What we collect
Account data
- Email address and optional display name (required to sign in and receive account notifications).
- Hashed credentials or OAuth identifiers from your sign-in provider.
- Organization membership and role, if you belong to one.
- Optional two-factor authentication secrets, stored encrypted.
Usage data
- Domain queries, chat messages, and watchlist entries you create in the app.
- API and MCP request metadata: timestamp, endpoint, response status, request size, and IP address.
- Basic device and browser metadata from request headers (user agent, language).
- Error logs and performance traces generated while serving your requests.
Optional integrations
- If you connect an X (Twitter) account for mention monitoring, we store the OAuth tokens and the public mentions we reply to on your behalf. You can disconnect at any time.
Why we use it
- To operate the service — authenticate you, run domain lookups, execute chats, and render results.
- To keep the service reliable — diagnose errors, prevent abuse, and enforce rate limits.
- To communicate with you — transactional email (magic links, verification, security alerts).
- To improve the product — aggregated, non-identifying analytics on which features are used.
- To comply with legal obligations and to defend against fraud or misuse.
We do not sell your personal data, we do not share it with advertisers, and we do not use your prompts or chats to train third-party AI models.
Legal bases (EU/UK)
- Contract — processing necessary to provide the service you signed up for (accounts, searches, chats, watchlists, API access).
- Legitimate interests — keeping the service secure, preventing abuse, and improving it in ways that do not override your rights.
- Consent — optional integrations such as X mention monitoring, or non-essential analytics where required by local law. You can withdraw consent at any time.
- Legal obligation — retaining records we are required to keep by law.
Who processes data on our behalf
We use a small set of trusted sub-processors. Each is bound by contractual data protection terms.
- Vercel — hosting, edge routing, and deployment logs.
- Managed Postgres provider — primary application database (accounts, watchlists, chats).
- Inngest — background workflows such as domain-availability refresh and mention streams.
- Better Auth — session and authentication plumbing, running inside our own application.
- AI providers (for example Anthropic, via the Vercel AI Gateway) — to generate suggestions and chat responses. Prompts and completions are transmitted for the duration of the request; providers are contractually prohibited from training on our traffic.
- Email delivery provider — to send magic links, verification emails, and security notifications.
- Upstream registrars and registries — we pass the specific domain you search to availability and pricing APIs (for example GoDaddy, Netim, Sedo, Vercel, public WHOIS/RDAP). Only the domain string is shared, not your identity.
International transfers
Our infrastructure is primarily hosted in the United States and the European Union. Where data is transferred out of the EU/UK, we rely on Standard Contractual Clauses or equivalent safeguards published by the European Commission and the UK ICO.
Retention
- Account data is retained for as long as your account is active.
- Chat history and watchlists are retained until you delete them or delete your account.
- API request logs are retained for up to 90 days for security and debugging.
- Email logs are retained for up to 30 days.
- Backups are rotated on a rolling 30-day cycle.
When you delete your account we remove personal data from the primary database within 30 days, except where we are required to retain specific records by law.
Cookies and similar technologies
We use a small number of strictly necessary cookies for authentication (session cookies, CSRF tokens) and for remembering UI preferences such as theme. We do not set third-party advertising or tracking cookies. Any optional analytics cookies, where used, require your consent.
Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data or complete incomplete data.
- Delete your data ("right to be forgotten").
- Restrict or object to certain processing.
- Receive your data in a portable, machine-readable format.
- Withdraw any consent you previously gave.
- Lodge a complaint with your local data protection authority.
You can exercise most of these rights directly from the user settings. For anything that is not available in the app, email privacy@chatdomain.ai and we will respond within 30 days.
Security
We encrypt data in transit with TLS and at rest through our database and backup providers. Credentials are hashed with modern algorithms. Access to production systems is restricted to a small number of operators, audit-logged, and protected by multi-factor authentication.
No system is perfectly secure. If we become aware of a breach that affects your personal data, we will notify you and, where required, the relevant authority within the timeframes mandated by law.
Children
The service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
Changes to this policy
We will update this policy when our processing changes or when the law requires. The "Last updated" date at the top reflects the most recent revision. For material changes we will notify account holders by email or an in-app banner before the change takes effect.
Contact
Privacy questions: privacy@chatdomain.ai. General questions: hello@chatdomain.ai. See also the Terms of Service.