Privacy Policy

Last updated: 2025-09-06

This Privacy Policy explains how Domainnest (operated by Frontier Algorithmics UG (haftungsbeschränkt)) (“we”, “us”, “our”) collects and processes personal data when you visit our website, join our waitlist/newsletter, or use our application and related services. We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable German law, including the Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TDDDG) for cookies and similar technologies.

1) Controller and Contact

Controller
Frontier Algorithmics UG (haftungsbeschränkt)
c/o COCENTER
Koppoldstr. 1
86551 Aichach, Germany

Email for privacy inquiries: privacy@domainnest.de

(If applicable) Data Protection Officer (DPO): [Name, email]

2) Scope

This Policy applies to:

Our public website and landing pages (incl. waitlist/newsletter forms),
Our web application and related backend services,
Customer support and communications (e.g., email),
Transactional and marketing communications we send.

This Policy does not apply to third-party websites, services, or integrations that we do not control. Their privacy practices are governed by their own policies.

3) Categories of Data We Process

Depending on your interactions with us, we may process:

Identification & contact data (e.g., name, email, company, role) — when you join the waitlist, subscribe to the newsletter, sign up for the app, or contact support.
Account & authentication data — sign-in/out, session identifiers, password hashes (managed by our auth provider), related security logs.
Technical & usage data — IP address, device and browser info, language, referral URLs, timestamps, and log files necessary to provide and secure the service.
Payment & billing data — name, email, billing address, payment method tokens, transaction metadata (processed by our payment providers; we do not store full card numbers).
Support content — messages and files you send to us.

We do not intentionally collect special categories of data (Art. 9 GDPR) or data about criminal convictions (Art. 10 GDPR).

4) Purposes and Legal Bases

We process personal data only where we have a lawful basis:

Provide and operate the site/app (create/manage accounts, deliver features, ensure availability and functionality): Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interests, e.g., operating and improving our services).
Security, fraud/abuse prevention, debugging, incident response (e.g., rate-limiting, bot protection, monitoring uptime/errors): Art. 6(1)(f).
Transactional communications (e.g., sign-up confirmations, invitations, critical service messages, billing notifications): Art. 6(1)(b) and Art. 6(1)(f).
Marketing/newsletter (only with your opt-in): Art. 6(1)(a) (consent). You may withdraw consent at any time (see Section 11).
Legal obligations (e.g., tax/accounting, responding to lawful requests): Art. 6(1)(c).

Where we rely on legitimate interests, we consider your reasonable expectations and conduct a balancing test; you may object (Section 10).

5) Cookies and Similar Technologies (TDDDG)

We use cookies and similar technologies as described in our Cookie Policy below.

Strictly necessary cookies/technologies required to deliver a service you explicitly requested (e.g., session/authentication via Supabase Auth, load balancing, security) operate without consent under § 25(2) TDDDG.
Non-essential tools (e.g., analytics or marketing) run only with your consent via our cookie banner/consent tool. You can change your choices anytime at /cookie-preferences.

Payments: If you use Stripe and/or Lemon Squeezy checkouts, their widgets or hosted pages may set strictly-necessary cookies during checkout for fraud prevention and completing the transaction; these are controlled by the respective provider.

6) Recipients and Processors (Vendors)

We use carefully selected service providers acting as processors (or, where applicable, independent controllers) to operate parts of our service:

Hosting & DNS: IONOS/STRATO (EU-based hosting; data centers in Germany/EU; TÜV/ISO-27001 certified).
Supabase Cloud (managed Postgres, Auth, Storage), hosted on AWS in eu-central-1 (Frankfurt) for this project.
Email delivery: Resend (transactional and, where applicable, newsletter emails).
Payments:
- Stripe — used where Domainnest is the merchant. Stripe generally acts as our processor under a DPA; for some activities (e.g., fraud prevention/financial compliance) Stripe may act as an independent controller.
- Lemon Squeezy — used in two modes:
  1. Merchant of Record (MoR) for some sales: Lemon Squeezy is the seller/merchant of record and an independent controller for payment, billing, tax/VAT determination and remittance, fraud/abuse prevention, chargebacks, and compliance. We receive purchaser data necessary to provision access/fulfilment.
  2. Processor model for other flows (e.g., embedded checkout/billing without MoR features): Lemon Squeezy acts as our processor under its DPA; in limited cases it may act as an independent controller for its own compliance obligations.

We sign appropriate data processing agreements (DPAs) with our processors. Roles may differ by product/feature; the applicable vendor privacy notice/DPA governs details.

7) International Data Transfers

Where providers are located outside the EU/EEA or process data from there, we rely on lawful transfer mechanisms such as: (i) EU adequacy decisions (e.g., the EU-U.S. Data Privacy Framework where the recipient is certified); and/or (ii) the EU Standard Contractual Clauses (SCCs 2021/914), with supplementary measures where appropriate.

Examples for our stack:

Supabase Cloud (AWS eu-central-1/Frankfurt): primary storage remains in the EU. Certain optional features (e.g., edge runtimes/functions outside the EU) may involve limited cross-border access depending on configuration.
Stripe: EU entities (e.g., Ireland) with necessary intra-group transfers (including to the U.S.) under adequacy/SCCs.
Lemon Squeezy: MoR/processor services may involve U.S. processing; transfers rely on DPF certification (where applicable) and/or SCCs.
IONOS/STRATO: hosting in Germany/EU by default.

You can obtain a copy of relevant transfer safeguards by contacting us.

8) Retention

We retain personal data only as long as necessary for the purposes above, unless a longer period is required by law. Examples:

Account data: retained while your account is active and for a reasonable period thereafter for support, security, and recordkeeping.
Marketing: until you withdraw consent or we consider your consent expired due to inactivity.
Support content: as long as needed to handle your request and for quality assurance.
Billing/transaction records: retained as required by commercial and tax laws. In Germany this generally means: 10 years for accounting books/annual financial statements; 8 years (from 1 January 2025) for booking documents (e.g., invoices/payment records); 6 years for commercial correspondence and similar records.

We define specific retention periods/criteria in our internal retention schedule.

9) Your Rights

Subject to the conditions and limitations in the GDPR, you have the right to:

Access your data (Art. 15),
Rectification (Art. 16),
Erasure (Art. 17),
Restriction (Art. 18),
Portability (Art. 20), and
Object to processing based on legitimate interests or to direct marketing (Art. 21).

Where processing is based on consent, you may withdraw it at any time (Section 11). You also have the right to lodge a complaint with a supervisory authority (Section 12).

10) How to Exercise Your Rights / Objection to Marketing

To exercise your rights, contact us at privacy@domainnest.de. For newsletter/marketing emails, you can also click the unsubscribe link in any message. If you object to processing based on legitimate interests, please describe the specific processing so we can assess your request.

Where we rely on consent (e.g., analytics or newsletters), you may withdraw it at any time via /cookie-preferences (for cookies) or via the unsubscribe mechanism (for emails). Your withdrawal does not affect the lawfulness of processing before withdrawal.

12) Supervisory Authority (Right to Complain)

You can contact your local supervisory authority. For our registered office in Bavaria, the competent authority is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
Web: https://www.lda.bayern.de

13) Children’s Privacy

Our services are not directed to children. If we offer information society services directly to children and rely on consent, we obtain parental authorization where required. In Germany, children under 16 cannot lawfully consent on their own for such services.

If you believe a child has provided us personal data without appropriate authorization, please contact us so we can take appropriate steps.

14) Security

We implement appropriate technical and organizational measures to protect personal data, including access controls/least-privilege, encryption in transit, secure development practices, logging and monitoring, and supplier risk management.

15) Automated Decision-Making

We do not use personal data for decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects.

16) Changes to This Policy

We may update this Policy from time to time. We will post the updated version here with a new “Last updated” date. Where required by law, we will inform you in advance and, where applicable, request your consent.

17) Additional Notices

We may provide additional privacy notices for specific features, events, or programs. Those notices supplement (and, where they conflict, supersede) this Policy.

18) Contact

For questions about this Policy or our data practices, contact:
Frontier Algorithmics UG (haftungsbeschränkt)
c/o COCENTER, Koppoldstr. 1, 86551 Aichach, Germany
Email: privacy@domainnest.de

Last updated: 6 September 2025

This Cookie Policy explains how Domainnest (Frontier Algorithmics UG (haftungsbeschränkt)) uses cookies and similar technologies on our website and app. It supplements our Privacy Policy.

1) Legal Basis and Scope

We apply Germany’s Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TDDDG), in particular § 25 (storage/access to information on end-user devices), and the GDPR. We obtain opt-in consent for any non-essential cookies/technologies. Strictly necessary cookies used to provide a service you explicitly requested do not require consent.

2) Your Choices

On first visit, our banner lets you accept, reject, or customize non-essential categories.
You can change your selection at any time at /cookie-preferences.
Browser settings and Global Privacy Control (GPC) signals are honored where technically feasible.

3) Categories We Use

Used to provide the site/app and requested features:

Authentication/session (Supabase Auth) — maintains your login session and protects endpoints.
Load balancing/availability (hosting: IONOS/STRATO) — distributes traffic across servers to keep the site responsive.
Security — CSRF protection, rate-limiting.

Remembers choices such as language or UI settings.

Measures usage (page views, events) to improve the product. Currently: none enabled by default. If enabled later (e.g., Plausible/PostHog/GA4), we will disclose provider details below.

Helps measure campaign effectiveness or show relevant content. Currently: none enabled by default. If enabled later (e.g., ad pixels), we will disclose provider details below.

4) Detailed Table (actual cookies in use)

Category	Name	Provider	Purpose	Lifetime
Strictly necessary	`sb-access-token`	Supabase (@supabase/ssr)	Authentication access token for logged-in users	Short-lived (~1 hour)
Strictly necessary	`sb-refresh-token`	Supabase (@supabase/ssr)	Refresh token to maintain session (rotated)	Long-lived; per auth policy
Strictly necessary	`csrfSecret`	Domainnest (edge-csrf)	CSRF protection for form and action requests	Session
Preferences	`lang`	Domainnest	Remember selected language	Up to 12 months
Preferences	`theme`	Domainnest	Remember theme (light/dark/system)	Up to 12 months

5) Managing Cookies

You can:

use /cookie-preferences to update consent;
configure your browser to block or delete cookies; and
(where supported) use GPC to signal your privacy choices.

Blocking strictly necessary cookies may impair core functionality (e.g., sign-in).

6) Changes

We may update this Cookie Policy to reflect changes to our use of cookies/SDKs. We will post the updated version with a new Last updated date.

7) Contact

For questions about this Cookie Policy:
Frontier Algorithmics UG (haftungsbeschränkt)
c/o COCENTER, Koppoldstr. 1, 86551 Aichach, Germany
Email: privacy@domainnest.de

Privacy Policy

Our privacy policy and how we use your data

Privacy Policy

1) Controller and Contact

2) Scope

3) Categories of Data We Process

4) Purposes and Legal Bases

5) Cookies and Similar Technologies (TDDDG)

6) Recipients and Processors (Vendors)

7) International Data Transfers

8) Retention

9) Your Rights

10) How to Exercise Your Rights / Objection to Marketing

11) Consent Management

12) Supervisory Authority (Right to Complain)

13) Children’s Privacy

14) Security

15) Automated Decision-Making

16) Changes to This Policy

17) Additional Notices

18) Contact

Cookie Policy (TDDDG-compliant)

1) Legal Basis and Scope

2) Your Choices

3) Categories We Use

3.1 Strictly necessary (no consent)

3.2 Preferences (consent)

3.3 Analytics (consent)

3.4 Marketing (consent)

4) Detailed Table (actual cookies in use)

5) Managing Cookies

6) Changes

7) Contact