Privacy Policy

As of: June 2026

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

A data protection officer is not legally required and has not been appointed.

2. General notes on data processing

This statement informs about the processing of personal data when visiting this website, when using the offered DNS resolvers (DNS-over-TLS and DNS-over-HTTPS) and when using the authoritative DNS hosting for your own zones.

3. Processing when accessing the website

When accessing this website, technically necessary server logs are processed by the hosting provider. These may contain:

• IP address of the requesting device
• Date and time of the request
• Requested URL and HTTP status code
• Amount of data transferred
• User agent (browser, operating system)
• Referrer (previously visited page)

Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in the secure and stable operation of the website).

Storage period: These logs are stored for a maximum of 14 days and then automatically deleted, unless security incidents require longer retention.

4. Processing when using the DNS resolvers

When using the DNS resolvers offered, DNS queries via DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH) are accepted and forwarded to authoritative nameservers. The IP address of the requesting device is technically required to deliver the response.

No persistent storage (no logging) of DNS queries or associated IP addresses takes place. No analysis of individual users' query behaviour is performed.

Anonymised technical metrics (e.g. queries per second, response times, error rates) may be collected and evaluated to ensure operation. These metrics do not allow conclusions about individual users or queries.

To prevent abuse (e.g. DNS amplification attacks, bot traffic), suspicious IP addresses may be cached briefly and temporarily blocked. This data is used solely to ensure proper operation and is deleted once the cause has been resolved.

Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in the provision, security and stability of the service).

5. Recipients of the data

No personal data is transferred to third parties, with the exception of:

• authoritative nameservers, to which DNS queries must technically be forwarded in order to perform the resolution;
• competent authorities within the framework of a legal obligation (e.g. § 100a StPO, § 113 TKG, where applicable). Since no logs exist, corresponding requests can usually not be answered.

6. Transfer to third countries

The servers of the service are operated in Germany and the United Kingdom. No further transfer to third countries actively takes place. However, resolving DNS queries may technically require communication with authoritative nameservers worldwide.

7. Cookies and audience measurement

This website does not set any first-party cookies for tracking or analytics purposes and does not embed any advertising networks or third-party social-media plug-ins.

Audience measurement with Umami

For the statistical analysis of visitor numbers, the privacy-friendly web analytics service "Umami" (Umami Software, Inc., Wilmington, Delaware, USA) is used. Umami works without cookies and does not perform any cross-device recognition. Only aggregated, anonymised usage data is processed:

• page visited (path and title)
• referring URL (referrer)
• browser type, operating system and device category (derived from the user agent)
• approximate country of origin (derived from the IP address; the IP address itself is not stored)
• screen / viewport size and language

A single visitor is identified only for the current session by an anonymous, daily rotating hash of the IP address and user agent. No profiling takes place; conclusions about individual natural persons are not possible.

Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in privacy-friendly audience measurement to improve the offering). Since no information stored on the end device is read or stored within the meaning of § 25 (1) TTDSG, no consent is required.

Processor / third country: Umami Cloud processes the data mentioned within the European Union. The provider itself is based in the USA; a transfer to the USA cannot be ruled out in the course of contract performance and is based on the EU Standard Contractual Clauses pursuant to Art. 46 (2) lit. c GDPR.

Objection: You can prevent collection by Umami by enabling "Do Not Track" in your browser, using an ad or tracking blocker, or blocking the domain cloud.umami.is.

8. Your rights

Towards the controller, you have the following rights:

• Information (Art. 15 GDPR)
• Correction (Art. 16 GDPR)
• Deletion (Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Objection to processing (Art. 21 GDPR), in particular against processing on the basis of Art. 6 (1) lit. f GDPR

Due to the deliberately minimal data processing (no logging), individual rights may effectively run empty as no personal data about you is held.

9. Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority. The Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 18, 91522 Ansbach, is in particular responsible.

10. Processing when registering a user account

Anyone who creates an optional user account on this website provides the following personal data, which is stored in the service database:

• First and last name
• Email address (used for sign-in and confirmation emails)
• Password (stored exclusively as a salted bcrypt hash, never in clear text)
• Timestamp of consent to the privacy policy and to the terms of use
• Preference whether technical service emails should be received (incl. timestamp of last change)
• Technical session data (IP address, user agent, creation and expiry time) used to secure sign-in

Legal basis: Art. 6(1)(b) GDPR (performance of a contract / pre-contractual measures) for master data and authentication; Art. 6(1)(a) GDPR (consent) for receiving technical service emails. Consent can be withdrawn at any time in the profile.

Technical service emails: Cover only explicitly requested emails on technical topics (e.g. planned maintenance windows, outages, security-relevant notices). No advertising use takes place and no data is shared with third parties for marketing purposes.

Retention: Account data is stored as long as the account exists. After deletion of the account, all related data is removed without delay; subsequent restoration is no longer possible.

11. Processing when using DNS hosting

Anyone who uses the optional service for authoritative hosting of their own DNS zones provides data that is stored persistently in the service database and in the nameserver software used (PowerDNS). The following is processed in particular:

• the hosted domain names (zones) and all DNS records created within them, including their contents;
• organisations, their members and assigned roles or permissions (name and email address of the members);
• invitations to organisations (email address of the invited person, status and time);
• data used to prove domain ownership (e.g. verification token, check log, expected nameservers);
• change and activity logs (audit logs) for zones and organisations: which action was performed by which account and when, including IP address and user agent;
• the assignment of the plans used (subscriptions) to the account or organisation.

Legal basis: Art. 6(1)(b) GDPR (provision of the hosting service offered free of charge to the user) and Art. 6(1)(f) GDPR (legitimate interest in security, accountability and abuse prevention, in particular with regard to the audit logs).

Responsibility for content: The user is solely responsible for the DNS records created in the hosted zones and the content reachable through them. The operator does not carry out any content review.

Public nature of authoritative DNS data: Authoritative DNS records are by their nature publicly retrievable. Anyone creating a record deliberately makes the information contained therein (e.g. hostnames, IP addresses) publicly accessible.

Retention: Zones, records and related data are stored as long as the respective zone or account exists. After deletion of a zone or the account, the related data is removed without delay. Audit logs may be retained beyond this for a limited period for security and accountability purposes.

12. Changes to this privacy policy

This statement may be adapted in case of changes to the service or the legal situation. The respective current version is available on this page.

See also: Terms of Use · Acceptable Use Policy · Imprint