Privacy policy

This privacy policy informs you about the nature, scope, and purpose of the processing of personal data when using DNS Beacon. It applies to the website, the web app, and the DynDNS update endpoint. Terms such as "personal data" are to be understood within the meaning of the GDPR. The German version of this policy is the legally binding one.

Data controller

The controller within the meaning of Art. 4(7) GDPR is the operator named in the legal notice. You can reach us via the email address and phone number listed there. We have not appointed an external data protection officer; there is no legal obligation to do so.

→ Provider details in the legal notice

Overview

We process personal data only to the extent necessary to provide our service or on another applicable legal basis. The central processing activities are: account creation and login, storage of your hostnames and the associated IP addresses, sending verification and notification emails, and short-lived server logs for security. We pass data only to processors that are necessary to provide the service (hosting, email delivery, bot protection, certificate authority); these are named individually below.

Server logs

When you access our website and API, our server processes standard connection data: IP address, timestamp, requested URL, HTTP status, submitted user agent. These logs are technically unavoidable and are processed for the purposes of defending against attacks, detecting abuse, and error analysis. The legal basis is Art. 6(1)(f) GDPR (legitimate interest in secure operation). Logs are automatically deleted after 14 days unless a specific incident requires longer retention.

Account, login, and security

For registration we process your email address and — if you choose classic sign-up — a hashed password (bcrypt, cost 12). Optionally, you can store a display name. To verify your email address, we send you a one-time confirmation link. For sign-in we issue short-lived access tokens (JWT, valid for 1 hour) and refresh tokens (valid for 7 days, stored only as a hash on our side). These tokens are placed in your browser's local storage; we do not set classic cookies for this purpose. On logout, password change, or account disablement, all active refresh tokens are revoked. Optionally you can enable two-factor authentication (TOTP); we then store the TOTP secret and SHA-256 hashes of your backup codes. Additionally or alternatively, you can register passkeys (WebAuthn/FIDO2); per passkey we store the public key, the signature counter, and a label. Alternatively, you can sign in via Google, GitHub, or Microsoft. The data we receive from each provider is listed below under Processors. The legal basis for all processing in this section is Art. 6(1)(b) GDPR (performance of a contract); for security features, additionally Art. 6(1)(f) GDPR (legitimate interest in protecting your account).

DynDNS updates and IP history

The core of our service is updating DNS records with your current IP address. Each update is stored together with the following data: the affected hostname, the submitted IPv4 and IPv6 address, the IP address of the update client, the user agent, a timestamp, and the result (success / no change / error). This processing is strictly necessary to provide the service (Art. 6(1)(b) GDPR). Ongoing storage of the IP history additionally serves error and abuse analysis (Art. 6(1)(f) GDPR). The retention period depends on your plan: Free 7 days, Pro 90 days, Business 365 days. Older entries are deleted automatically. When you delete your account, all your update logs are deleted. For abuse prevention and to respond to law-enforcement requests, administrators may perform IP-based searches within the current retention window. Such accesses are logged.

Hostnames, DNS records, and custom domains

For each hostname, you can manage TXT, MX, and CNAME records yourself in addition to A/AAAA records. This data is stored in our database and forwarded to the respective DNS provider so it can be resolved publicly. If you connect your own domain (BYOD), we store the provider API credentials required for management encrypted (AES-256-GCM) in our database. When you delete the domain or your account, those credentials are deleted; we also attempt to remove records we set at the provider. Legal basis: Art. 6(1)(b) GDPR.

TLS certificates and Certificate Transparency logs

When you request an SSL certificate for a hostname, we issue it via the ACME interface of Let's Encrypt. The hostname and our ACME contact email are transmitted to Let's Encrypt for this purpose. We store the issued private key encrypted (AES-256-GCM) in our database, unless you upload your own CSR. Certificate authorities are legally required to enter every issued certificate into public Certificate Transparency logs. Among other things, the hostname (including all SANs) becomes publicly visible. We have no influence over this; it is an industry standard and a prerequisite for trusted browser certificates. Legal basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(c) GDPR (CT publication as a legal obligation of the certificate authority).

Team workspaces and invitations

When you create an organization, its name, a URL slug, and the owner are stored. Per member we store the role (Owner/Admin/Member/Viewer) and the join date. Invitations are sent by email with a time-limited token; the token itself is stored only as a hash on our side. Invited email addresses are kept until the invitation is revoked or expires. Legal basis: Art. 6(1)(b) GDPR; for sending the invitation email to third parties, additionally our legitimate interest and that of the inviting user (Art. 6(1)(f) GDPR).

Notifications (email, webhook, web push)

You can create notification channels to be informed about events (IP change, host offline, certificate renewal failed, certificate expiring soon). Depending on the channel, we store: for email the recipient address; for webhook the destination URL and an HMAC secret; for web push the push endpoint URL and the encryption keys provided by your browser. For web push, the push service of your browser vendor (typically Google for Chrome/Android, Mozilla for Firefox, Apple for Safari) receives the notification payload in encrypted form; routing is anonymous via the endpoint. Delivery and error logs are stored for traceability. When you deactivate a channel or delete your account, the channel data is deleted. Legal basis: Art. 6(1)(b) GDPR (you configure the notification yourself).

GitHub Sponsors

If you support us via GitHub Sponsors and link your account with your GitHub account, we receive — via a webhook from GitHub — your GitHub user ID, your login name, the sponsorship amount, and status changes. We store this data in order to automatically activate your tier or downgrade you back to Free when sponsorship ends. We store the original webhook payload for traceability and to prevent duplicate processing. Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

Bot protection (Cloudflare Turnstile)

On the registration, login, and password-reset pages, we use Cloudflare Turnstile to defend against automated requests. A verification token is exchanged between your browser and Cloudflare; we verify the token server-side via a request to Cloudflare. For this purpose, Cloudflare may perform a risk assessment based on connection characteristics. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in abuse prevention). Further information at https://www.cloudflare.com/privacypolicy/.

Usage analytics (Umami Analytics)

To improve our service in line with actual needs and to operate it securely, we collect pseudonymous usage statistics with Umami, a privacy-friendly analytics software that we self-host on our own infrastructure. No cookies are set and no cross-device identifiers are formed. We record page views and anonymous feature-usage events (e.g. "hostname created", "certificate issued", "plan limit reached"). Any additional data stored with an event is strictly categorical (e.g. plan tier, provider type) and contains no hostnames, domains, IP addresses, or e-mail addresses. Your IP address is processed only transiently server-side to derive a daily-rotating, non-reversible identifier and an approximate country of origin; the IP address itself is not stored. Because we self-host Umami, this data is not transmitted to any third party. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in providing our service securely and in line with actual needs). No automated decision-making or profiling takes place.

Cookies and local storage

We do not set tracking cookies; our usage analytics is cookieless (see the preceding section). In your browser we only place technically necessary data in local storage: your access and refresh token for the logged-in session, your language preference, and possibly a push subscription if you enable web push notifications. This data leaves your browser only as part of authenticated API calls.

Retention and deletion

We store personal data only as long as necessary for the respective purpose: • Account, hostnames, domains, certificates, API keys: until you delete your account. • Update logs (IP history): plan-dependent — 7 / 90 / 365 days. • Server logs: 14 days. • Refresh tokens: 7 days from issuance, then automatically invalid. • Audit logs (security and administrative events): until account deletion, except entries we need to retain longer for traceability (e.g. after security incidents). • Certificate history: as long as a certificate is active; expired private keys are removed during cert rotation. • GitHub Sponsors data: as long as you are a sponsor and for an appropriate grace period after termination. You can delete your account at any time; we then remove your data cascadingly and attempt to remove DNS records we set at your provider and to revoke active certificates.

Obligation to provide data

Providing your email address is mandatory for creating and using an account. Without this data we cannot provide the service. All other entries (display name, 2FA, passkeys, notifications, custom domains) are voluntary.

Automated decision-making

No automated decision-making within the meaning of Art. 22 GDPR, including profiling, takes place. Plan limits (e.g. the maximum number of hostnames) are rule-based and do not involve any evaluation of your person.

Processors and recipients

To provide the service we use the following processors. With each we have concluded a data processing agreement (DPA) in accordance with Art. 28 GDPR. Third-country transfers are made on the basis of Standard Contractual Clauses (SCCs) or — where available — an adequacy decision (EU-US Data Privacy Framework).

Your rights as a data subject

You have the following rights vis-à-vis us at any time:

• •Access (Art. 15 GDPR): You can request information about the data we process about you.
• •Rectification (Art. 16 GDPR): You can request the correction of inaccurate or incomplete data.
• •Erasure (Art. 17 GDPR): You can request the deletion of your data, subject to any statutory retention obligations. Self-deletion of your account is available in the dashboard.
• •Restriction (Art. 18 GDPR): You can request restriction of processing if the accuracy of the data is disputed or processing appears unlawful.
• •Data portability (Art. 20 GDPR): You can receive the data concerning you in a structured, commonly used, machine-readable format.
• •Objection (Art. 21 GDPR): You can object to processing based on legitimate interests.
• •Withdrawal of consent (Art. 7(3) GDPR): Where processing is based on your consent, you can withdraw it at any time with effect for the future.

To exercise these rights, an informal message to the email address listed in the legal notice is sufficient.

Right to lodge a complaint with the supervisory authority

You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data violates the GDPR. The authority competent for us is: The State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg Lautenschlagerstraße 20, 70173 Stuttgart, Germany https://www.baden-wuerttemberg.datenschutz.de