Privacy Policy - OrionDNS

📌 Key Points: OrionDNS collects minimal data necessary to provide DNS services. DNS records are publicly accessible by design. We do not sell your data. This policy explains our data practices in detail.

1. Introduction & Scope

OrionDNS ("we," "us," "our," or "Company") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, store, and protect information when you use our DNS hosting and Dynamic DNS (DDNS) services, website, API, and related services (collectively, the "Service").

By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with this Privacy Policy, you must discontinue use of the Service immediately.

This Privacy Policy applies to information collected through the Service and does not apply to information collected offline or through third-party services not controlled by OrionDNS.

2. Information We Collect

We collect only the minimum information necessary to provide, maintain, secure, and improve our Service.

2.1 Information You Provide Directly

Account Registration: When you create an account, we collect:

Username: Your chosen username (required);
Email Address: Optional but recommended for account recovery and important notifications;
Password: Stored as a cryptographic hash using Argon2id algorithm. We never store passwords in plain text and cannot retrieve your original password.

DNS Configuration Data: When you use the Service, we store:

Domain names and hostnames: The DNS names you register or configure;
DNS Records: IP addresses (IPv4/IPv6), TXT records, and other DNS record data you configure;
Record Metadata: Timestamps of record creation and last modification;
Update Tokens: API keys and authentication tokens you generate (stored as hashed values).

⚠️ IMPORTANT NOTICE: DNS data is, by definition, public information that is broadcast to the global internet DNS infrastructure. Anyone with access to DNS query tools can view your DNS records. Do not include sensitive, confidential, or personally identifiable information in DNS records.

Abuse Reports: If you submit an abuse report through our reporting system, we collect:

Your name (optional);
Email address;
IP address (automatically collected);
Report details and any attachments or evidence you provide.

2.2 Information Collected Automatically

Connection & Access Logs: To maintain security and prevent abuse, we automatically collect:

IP Addresses: Your IP address when you access the website, log in, register, or update DNS records;
Timestamps: Date and time of access and actions;
User Agent: Browser type, version, and operating system information;
Authentication Events: Login attempts (successful and failed), password changes, and session activity;
DNS Update Requests: IP addresses making DDNS update requests, timestamps, and update status;
Rate Limiting Data: Request counts and patterns to enforce rate limits and prevent abuse.

Retention: Access logs are retained for security and abuse prevention purposes for up to 90 days, after which they may be aggregated, anonymized, or deleted.

Cookies & Session Data:

Session Cookie (PHPSESSID): We use a single, strictly necessary session cookie to maintain your login session. This cookie is essential for authentication and cannot be disabled without losing functionality. The cookie is deleted when you close your browser or log out;
No Tracking Cookies: We do not use advertising cookies, analytics cookies, or third-party tracking cookies;
Do Not Track: We do not track users across third-party websites and do not respond to Do Not Track (DNT) signals as we do not engage in such tracking.

Third-Party Security Services:

Cloudflare Turnstile: We use Cloudflare Turnstile to protect forms from spam and automated abuse. Turnstile may collect browser characteristics and interaction patterns. This data is processed by Cloudflare in accordance with the Cloudflare Privacy Policy.

2.3 Information We Do NOT Collect

We do NOT collect:

Precise geolocation data beyond what can be inferred from IP addresses;
Payment information (if we offer paid services in the future, payments would be processed by third-party processors);
Social media profile data or information from third-party accounts;
Biometric data;
Contents of websites, emails, or services accessed through your DNS records;
Browsing history or search queries beyond our Service;
Sensitive personal information such as health data, financial data, or government identifiers (unless you voluntarily include such information in abuse reports).

3. How We Use Your Information

We use collected information solely for the following legitimate business purposes:

3.1 Service Provision & Operation

Providing DNS resolution and DDNS update services;
Maintaining and managing your account and DNS records;
Processing DNS queries and responding with your configured records;
Authenticating users and maintaining session security;
Enabling API access and DDNS update functionality;
Providing customer support and responding to inquiries.

3.2 Security & Abuse Prevention

Detecting, preventing, and investigating security incidents, abuse, fraud, and illegal activity;
Enforcing rate limits to prevent service abuse and DDoS attacks;
Blocking malicious actors, bots, and automated abuse;
Investigating abuse reports and Terms of Service violations;
Protecting the security and integrity of our infrastructure and users;
Complying with legal obligations and responding to law enforcement requests.

3.3 Service Improvement & Analytics

Monitoring Service performance, uptime, and reliability;
Analyzing aggregated, anonymized usage patterns to improve the Service;
Troubleshooting technical issues and bugs;
Developing new features and services;
Conducting internal research and development.

3.4 Communications

Sending essential Service-related notifications (account security, policy changes, maintenance);
Responding to your inquiries and support requests;
Communicating about abuse reports you submit or that affect your account.

Note: We do not send marketing emails. All communications are transactional or related to Service operation.

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we process personal data based on the following legal bases:

Contractual Necessity: Processing necessary to provide the Service you requested (Article 6(1)(b) GDPR);
Legitimate Interests: Processing necessary for our legitimate interests in operating, securing, and improving the Service, preventing abuse, and protecting against security threats (Article 6(1)(f) GDPR);
Legal Obligations: Processing necessary to comply with legal obligations, including responding to lawful requests from authorities (Article 6(1)(c) GDPR);
Consent: Where required by law, we process data based on your explicit consent, which you may withdraw at any time.

5. Information Sharing & Disclosure

We do not sell, rent, or trade your personal information to third parties. We may share information only in the following limited circumstances:

5.1 Public DNS Infrastructure (By Design)

DNS Records: Your DNS records (hostnames, IP addresses, TXT records) are published to the global public DNS system and are accessible to anyone on the internet who performs DNS queries. This is the fundamental nature of DNS and is necessary for the Service to function.

5.2 Service Providers & Partners

We may share limited data with trusted third-party service providers who assist in operating the Service:

Cloudflare: For security services (Turnstile) and potentially infrastructure services. See Cloudflare Privacy Policy;
Hosting Providers: For server infrastructure and database hosting;
Security Services: For DDoS protection, threat intelligence, and abuse detection.

Service providers are contractually obligated to protect your data and use it only for the purposes we specify. They are prohibited from using your data for their own purposes.

5.3 Legal Requirements & Law Enforcement

We may disclose information if required to do so by law or in good faith belief that such action is necessary to:

Comply with legal obligations, court orders, subpoenas, warrants, or legal process;
Respond to lawful requests from public authorities, including law enforcement or national security agencies;
Enforce our Terms of Service and investigate potential violations;
Protect the rights, property, or safety of OrionDNS, our users, or the public;
Detect, prevent, or address fraud, security, or technical issues;
Prevent imminent harm to persons or illegal activity.

Where permitted by law, we will make reasonable efforts to notify affected users before disclosing their information, unless prohibited by law or court order, or in emergency circumstances.

5.4 Business Transfers

If OrionDNS is involved in a merger, acquisition, asset sale, bankruptcy, or similar business transaction, your information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a different privacy policy.

5.5 Aggregated & Anonymized Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you. This data may be used for research, analytics, marketing, or shared with third parties for various purposes.

5.6 With Your Consent

We may share your information with third parties when you explicitly consent to such sharing.

6. Data Retention

We retain your information only as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements.

Retention Periods:

Account Data: Retained for the duration of your active account. Upon account deletion or termination, account data may be deleted immediately or retained for up to 90 days for security and abuse prevention purposes;
DNS Records: Retained while your account is active. Upon account deletion, DNS records are deleted and removed from our DNS servers, subject to DNS caching by third-party resolvers (beyond our control);
Access Logs: Retained for up to 90 days for security purposes, then deleted or aggregated/anonymized;
Abuse Reports: Retained for up to 3 years to track patterns and protect against recurring abuse;
Legal Holds: Information subject to legal holds, investigations, or litigation may be retained until the matter is resolved;
Backup Data: Data in backups is retained according to our backup retention schedule (typically 30-90 days) and is deleted according to our data lifecycle policies.

7. Data Security

We implement reasonable and appropriate technical, administrative, and physical security measures designed to protect your information from unauthorized access, disclosure, alteration, and destruction. Security measures include:

7.1 Technical Safeguards

Encryption: HTTPS/TLS encryption for data in transit between your browser and our servers;
Password Security: Passwords are hashed using Argon2id, a memory-hard, state-of-the-art password hashing algorithm recommended by security experts;
Access Controls: Strict access controls limiting who can access backend systems and databases;
Database Security: Secure database configurations with authentication and encryption;
Rate Limiting: Rate limiting and throttling to prevent brute-force attacks and abuse;
CSRF Protection: Cross-Site Request Forgery (CSRF) tokens to prevent unauthorized actions;
Security Monitoring: Logging and monitoring of security events and anomalous activity.

7.2 Organizational Safeguards

Employee access to personal data is restricted on a need-to-know basis;
Regular security assessments and updates to address vulnerabilities;
Incident response procedures for security breaches.

7.3 Limitations & Your Responsibility

No Absolute Security: While we strive to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security and are not liable for security breaches, unauthorized access, or data loss beyond our reasonable control.

Your Responsibility: You are responsible for:

Maintaining the confidentiality of your account credentials;
Using strong, unique passwords;
Logging out after using shared or public computers;
Reporting suspected security issues or unauthorized access immediately.

8. International Data Transfers

Service Location: The Service is operated from Israel. If you access the Service from outside Israel, your information will be transferred to, stored, and processed in Israel and potentially other countries where we or our service providers operate.

Cross-Border Transfers: Data protection laws in Israel and other countries may differ from those in your jurisdiction. By using the Service, you consent to the transfer of your information to countries outside your country of residence, including Israel, which may have different data protection rules.

EEA/UK/Swiss Users: For users in the European Economic Area, United Kingdom, or Switzerland, we rely on the following mechanisms for lawful data transfers:

Standard Contractual Clauses (SCCs) approved by the European Commission;
Adequacy decisions by the European Commission (where applicable);
Other lawful transfer mechanisms as determined by applicable data protection laws;
Your explicit consent to the transfer.

9. Your Privacy Rights

Depending on your location, you may have certain rights regarding your personal information:

9.1 General Rights (All Users)

Access: You can access your account information and DNS records through your account dashboard;
Correction: You can update or correct your account information and DNS records at any time through the dashboard;
Deletion: You can delete your DNS records and request account deletion. Note that DNS records in third-party caches may persist temporarily;
Object to Processing: You can object to certain processing of your data by discontinuing use of the Service.

9.2 Additional Rights for EEA/UK/Swiss Users (GDPR)

If you are located in the EEA, UK, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR):

Right of Access: Request confirmation of whether we process your data and obtain a copy;
Right to Rectification: Request correction of inaccurate or incomplete data;
Right to Erasure ("Right to be Forgotten"): Request deletion of your data in certain circumstances;
Right to Restriction: Request restriction of processing in certain circumstances;
Right to Data Portability: Request a copy of your data in a structured, machine-readable format;
Right to Object: Object to processing based on legitimate interests;
Right to Withdraw Consent: Where processing is based on consent, withdraw consent at any time;
Right to Lodge a Complaint: Lodge a complaint with your local data protection authority (supervisory authority).

9.3 California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to Know: Request disclosure of personal information we collect, use, disclose, and sell (we do not sell personal information);
Right to Delete: Request deletion of personal information we hold about you;
Right to Opt-Out: Opt out of the sale or sharing of personal information (we do not sell or share for cross-context behavioral advertising);
Right to Correct: Request correction of inaccurate personal information;
Right to Limit Use of Sensitive Information: Limit use of sensitive personal information (we do not collect or use sensitive information for purposes requiring limitation rights);
Right to Non-Discrimination: Exercise privacy rights without discriminatory treatment.

California Consumer Requests:

Categories of Personal Information Collected: See Section 2 of this Privacy Policy;
Purpose of Collection: See Section 3 of this Privacy Policy;
Categories of Third Parties: See Section 5 of this Privacy Policy;
Sale of Personal Information: We do NOT sell personal information and have not sold personal information in the preceding 12 months;
Sharing for Targeted Advertising: We do NOT share personal information for cross-context behavioral advertising.

9.4 Other U.S. State Privacy Rights

Residents of Virginia, Colorado, Connecticut, Utah, and other U.S. states with comprehensive privacy laws may have similar rights. Contact us to exercise your rights.

9.5 Exercising Your Rights

To exercise any of these rights, please contact us through our Abuse Report system and clearly describe your request. We will respond within the timeframes required by applicable law (typically 30-45 days).

Verification: To protect your privacy, we will verify your identity before fulfilling requests. Verification may require you to log into your account or provide identifying information.

Authorized Agents: You may designate an authorized agent to submit requests on your behalf. We will require proof of authorization.

10. Children's Privacy

Age Restriction: The Service is not intended for children under the age of 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children.

If we become aware that we have collected personal information from a child without proper parental consent, we will take steps to delete such information promptly. If you believe a child has provided us with personal information, please contact us immediately.

11. Third-Party Websites & Services

The Service may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to third-party websites or services. We are not responsible for the privacy practices or content of third parties.

Third-Party Privacy Policies: We encourage you to review the privacy policies of any third-party services you use:

Cloudflare Privacy Policy

12. Do Not Track (DNT) Signals

We do not track users across third-party websites and do not respond to Do Not Track (DNT) browser signals. We do not engage in cross-site tracking or behavioral advertising.

13. Data Breach Notification

In the event of a data breach that compromises your personal information, we will notify affected users and applicable regulatory authorities in accordance with applicable law. Notifications will be provided without undue delay and will include information about the breach, potential consequences, and measures taken.

Limitations: We are not liable for data breaches resulting from factors beyond our reasonable control, including sophisticated cyberattacks, zero-day vulnerabilities, or third-party failures.

14. Changes to This Privacy Policy

We reserve the right to modify this Privacy Policy at any time. Changes will be effective immediately upon posting the updated Privacy Policy on this page with a new "Last Updated" date.

Notification of Material Changes: If we make material changes that significantly affect your rights or how we process your data, we will provide additional notice (such as via email to registered users or a prominent notice on the website) prior to the changes taking effect.

Your Responsibility: You are responsible for periodically reviewing this Privacy Policy. Continued use of the Service after changes are posted constitutes acceptance of the modified Privacy Policy.

15. Contact Information & Data Protection Officer

General Inquiries: For questions about this Privacy Policy, data practices, or to exercise your privacy rights, please contact us through our Abuse Report system (select "Privacy Inquiry" as the report type) or email us at Contact Email

Data Protection Officer (DPO): For GDPR-related inquiries, you may contact our Data Protection Officer through the same system.

EEA/UK/Swiss Representative: For users in the European Economic Area, United Kingdom, or Switzerland, our representative contact information will be provided upon request.

Supervisory Authority: EEA/UK/Swiss users have the right to lodge a complaint with their local data protection authority (supervisory authority) if they believe their rights have been violated.

16. Specific Jurisdictional Disclosures

16.1 Nevada Residents

Nevada residents may opt out of the sale of personal information under applicable Nevada privacy laws. We do not sell personal information as defined under such laws. If you have questions, contact us.

16.2 Canadian Residents

Canadian residents have rights under PIPEDA (Personal Information Protection and Electronic Documents Act) similar to those described above. Contact us to exercise your rights.

16.3 Australian Residents

Australian residents have rights under the Privacy Act 1988 (Cth). You may contact the Office of the Australian Information Commissioner (OAIC) with complaints.

17. Legal Disclaimers

No Liability for Third Parties: We are not responsible for the privacy practices, security measures, or data handling of:

Third-party DNS resolvers, ISPs, or network infrastructure;
Websites, servers, or services accessed through DNS records you configure;
User-generated content or activities conducted using our Service;
Security breaches or unauthorized access beyond our reasonable control.

DNS Caching: DNS records are cached by third-party resolvers and ISPs according to Time-To-Live (TTL) values. Even after you delete records from OrionDNS, cached copies may persist for the duration of the TTL. We have no control over third-party caching behavior.

Limitation of Liability: To the maximum extent permitted by law, we are not liable for any damages arising from privacy incidents, data breaches, unauthorized access, or misuse of data beyond our reasonable control. See our Terms of Service for complete limitation of liability provisions.

18. Consent

By using the Service, you consent to the collection, use, disclosure, and processing of your information as described in this Privacy Policy. If you do not consent, you must discontinue use of the Service immediately.

For processing activities that require explicit consent, we will obtain such consent separately and you may withdraw consent at any time (subject to legal and contractual restrictions).

By using OrionDNS, you acknowledge that you have read, understood, and agree to this Privacy Policy.

🔒 Privacy Policy