DomainCheckr — Privacy Policy

Last updated: 12 April 2026

DomainCheckr is operated by MWBM Partners Ltd. This policy explains what data we collect, how we use it, and your rights.

1. Data We Collect

1.1 Data You Provide

• Domain names and IP addresses you enter for WHOIS/RDAP lookups.
• API keys if you use the authenticated JSON API.

1.2 Data Collected Automatically

• IP address — used for rate limiting to prevent abuse. IP addresses are stored as one-way hashes, not in plain text.
• Session data — a session cookie is used for CSRF protection and rate limiting. It contains no personal information.
• Server logs — standard web server logs may record IP addresses, timestamps, and requested URLs for operational and security purposes.

1.3 Data Stored in Your Browser

The following data is stored in your browser's localStorage and never sent to our servers:

• Lookup history — your last 10 looked-up domains.
• WHOIS timeline — snapshots of parsed WHOIS data for change tracking.
• Watch list — domains you choose to monitor for expiry.
• Theme preference — your selected colour theme (light/dark/colourblind/auto).
• Language preference — your selected display language.

You can clear all browser-stored data at any time using your browser's settings or the "Clear history" button in the application.

2. How We Use Your Data

• Domain lookups — to query public WHOIS/RDAP registries, DNS servers, and SSL certificate authorities on your behalf.
• Rate limiting — to prevent abuse and ensure fair access for all users.
• Caching — lookup results are cached for up to 15 minutes to improve performance and reduce load on external registries.
• Usage statistics — aggregate, anonymised lookup counts (total lookups, cache hit rates, popular domains) may be tracked for operational monitoring. No personally identifiable information is included.

3. Third-Party Services

When you perform a lookup, the domain or IP you enter may be sent to the following external services:

• Public WHOIS servers — via the system whois command.
• RDAP — via rdap.org, a public RDAP aggregation service.
• IP geolocation — via ip-api.com for server location data.
• Google Safe Browsing — if configured, to check for known malicious domains.
• VirusTotal — if configured, for domain reputation data.
• Have I Been Pwned — if configured, for data breach information.
• Thum.io — if enabled, for website screenshot previews.
• QR Server — via api.qrserver.com for QR code generation.

Each third-party service is subject to its own privacy policy. We do not control what data these services retain.

4. Cookies

We use a single session cookie (PHP session ID) for:

• CSRF (Cross-Site Request Forgery) protection
• Session-based rate limiting

This cookie is HttpOnly, SameSite=Lax, and Secure (when served over HTTPS). It does not track you across websites and is deleted when you close your browser. We do not use advertising or analytics cookies.

5. Do Not Track (DNT)

We respect the Do Not Track signal sent by your browser. You can enable DNT in your browser's privacy settings at any time. When DNT is enabled (DNT: 1), the Service will:

• Skip all optional third-party requests (website screenshots, QR code generation via external APIs, IP geolocation lookups).
• Skip third-party security checks (Google Safe Browsing, VirusTotal, Have I Been Pwned) — these send the queried domain to external services.
• Disable anonymous usage statistics tracking (lookup counts, popular domains).
• Send a Tk: N (not tracking) response header to confirm compliance.

Please note: Enabling DNT will result in some features being unavailable or returning reduced data. Core lookup functionality remains unaffected, but supplementary features that rely on third-party services will be skipped. For a full list of what is and isn't available when DNT is enabled, please see Section 5 of our Terms of Service.

6. Data Retention

• Cached lookups — automatically expire after 15 minutes.
• Rate limit records — automatically cleaned up within minutes of expiry.
• Server logs — retained according to standard hosting provider policies.
• Browser data — persists until you clear it. We have no access to it.

7. Your Rights

You have the right to:

• Clear your browser-stored data at any time.
• Use the tool without providing any personal information (domain names are public registry data).
• Request information about any data we hold related to your IP address.

8. Security

We implement the following security measures:

• CSRF token protection on all form submissions
• Input validation and sanitisation to prevent injection attacks
• Rate limiting (per-session and per-IP) to prevent abuse
• Security headers (CSP, X-Frame-Options, X-Content-Type-Options)
• API keys stored as SHA-256 hashes, never in plain text
• Session hardening (HttpOnly, SameSite, secure cookies, periodic regeneration)

9. Changes to This Policy

We may update this policy from time to time. The "Last updated" date at the top will reflect the most recent revision.

10. Contact

For privacy-related enquiries, please contact MWBM Partners Ltd.