Privacy Policy

1. Who we are

Expirity ("Expirity", "we", "us", "our") operates the domain monitoring platform available at expirity.io. This Privacy Policy explains how we collect, use, store and protect information about you when you use our website, application and services (collectively, the "Service").

For the purposes of applicable data protection law, Expirity is the data controller of your personal data.

2. Data we collect

2.1 Information you provide directly

• Account information: your name, email address and password when you register.
• Billing information: payment is processed by PayPal. We do not store credit card numbers or full payment details on our servers. We receive a transaction reference and subscription status from PayPal.
• Domain data: the domain names and associated settings you add to your account for monitoring purposes.
• Notification preferences: email addresses, Slack webhook URLs, Discord webhook URLs and other alert destinations you configure.
• Support communications: any messages you send to our support team.

2.2 Information collected automatically

• Log data: IP address, browser type, operating system, pages visited, time and date of access, and referring URL.
• Usage data: features used, domains monitored, alert frequency and other product interaction data used to improve the Service.
• Cookies and similar technologies: see Section 8 for details.

2.3 Information from third parties

• Registrar integrations: when you connect a registrar (Namecheap, Cloudflare, GoDaddy, Route 53), we access only the domain list and expiry data necessary to populate your dashboard. We do not store registrar credentials beyond the encrypted API tokens required for the integration.
• Public WHOIS and RDAP data: we query publicly available WHOIS and RDAP records as part of the monitoring service. This data is used solely to detect changes and send you alerts.

3. How we use your data

We use the data we collect to:

• Create and maintain your account and provide the Service.
• Monitor the domains you have added and send you the alerts you have configured.
• Process payments and manage your subscription via PayPal.
• Send transactional emails (account confirmation, password reset, billing receipts).
• Respond to support requests and improve the Service based on feedback.
• Detect, investigate and prevent fraudulent or unauthorised activity.
• Send product update emails (you can opt out at any time).
• Comply with our legal obligations.

We do not use your data for advertising, profiling or any purpose unrelated to providing the Service.

4. Legal basis for processing (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following legal bases:

• Contract performance: to provide the Service you have signed up for, including monitoring, alerting and account management.
• Legitimate interests: to improve the Service, prevent fraud and ensure security, where these interests are not overridden by your rights.
• Legal obligation: to comply with applicable laws and regulations.
• Consent: for optional marketing communications. You may withdraw consent at any time.

5. Sharing your data

We do not sell your personal data. We share it only in the following limited circumstances:

5.1 Service providers

We engage trusted third-party providers to help operate the Service. Each is bound by confidentiality obligations and permitted to use your data only to provide their specific service:

• Hosting and infrastructure: cloud infrastructure providers for servers, storage and databases.
• Payment processing: PayPal for subscription billing. PayPal's privacy policy governs data processed on their platform.
• Email delivery: a transactional email provider to send account and alert emails on our behalf.
• Error monitoring: a software error-tracking service to help us diagnose bugs.

5.2 Legal requirements

We may disclose your data if required to do so by law, court order or governmental authority, or to protect the rights, property or safety of Expirity, our users or the public.

5.3 Business transfers

If Expirity is acquired, merges with another entity, or sells all or part of its assets, your data may be transferred as part of that transaction. We will notify you via email and provide a prominent notice on the Service before your data is transferred and becomes subject to a different privacy policy.

6. Data retention

We retain your personal data for as long as your account is active or as needed to provide the Service. Specifically:

• Account data: retained for the duration of your account and deleted within 30 days of account deletion.
• Domain monitoring data: change history is retained according to your plan (30 days on Starter, 1 year on Pro and Agency) and deleted upon account deletion.
• Billing records: retained for 7 years as required by financial regulations, even after account deletion.
• Log data: retained for up to 90 days for security and debugging purposes.

You may request deletion of your account and all associated data at any time from your account settings or by emailing privacy@expirity.io.

7. Security

We implement industry-standard technical and organisational measures to protect your data, including:

• Encryption of data in transit using TLS 1.2 or higher.
• Encryption of sensitive data at rest (API tokens, passwords hashed using bcrypt).
• Access controls limiting who within our team can access user data.
• Regular security reviews and dependency audits.

No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security. In the event of a data breach affecting your rights and freedoms, we will notify you and relevant authorities as required by applicable law.

8. Cookies

We use cookies and similar tracking technologies to operate and improve the Service. Cookies we use include:

• Strictly necessary cookies: required for authentication, session management and security. These cannot be disabled.
• Preference cookies: remember your settings such as billing period preference and notification configuration.
• Analytics cookies: help us understand how the Service is used. We use privacy-respecting analytics and do not share this data with advertising networks.

You can control cookies through your browser settings. Disabling non-essential cookies will not affect the core functionality of the Service. For full details, see our Cookie Policy.

9. Your rights

Depending on your location, you may have the following rights regarding your personal data:

• Access: request a copy of the personal data we hold about you.
• Correction: request correction of inaccurate or incomplete data.
• Erasure: request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
• Restriction: request that we restrict processing of your data in certain circumstances.
• Portability: receive your data in a structured, machine-readable format.
• Objection: object to processing based on legitimate interests or for direct marketing.
• Withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior lawful processing.

To exercise any of these rights, email us at privacy@expirity.io. We will respond within 30 days. If you are in the EEA or UK and believe your rights have not been respected, you have the right to lodge a complaint with your local data protection authority.

10. Children's privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data without parental consent, please contact us at privacy@expirity.io and we will take steps to delete such information promptly.

11. International data transfers

Your data may be transferred to and processed in countries outside your own, including countries that may not provide the same level of data protection as your home country. Where we transfer data from the EEA or UK to third countries, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, or we rely on an adequacy decision.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address associated with your account) and by posting a prominent notice on our website at least 14 days before the change takes effect. The "Last updated" date at the top of this page will always reflect the most recent revision.

Your continued use of the Service after the effective date constitutes acceptance of the updated policy. If you do not agree with the changes, you may delete your account before the effective date.

13. Contact us