Last Updated: March 2026
1. We don't want your data. We purposely designed this software so that your domain portfolio, pricing strategies, and API keys live solely on your personal Cloudflare account.
2. We cannot see your passwords. Everything is encrypted locally in your browser using AES-256 before it ever hits the internet.
3. Anonymous Operational Telemetry. We track basic app versions and an anonymized ID to ensure your infrastructure is healthy. We never track your domain names, registrars, or pricing data. Your business remains strictly your own.
At mgr.domains, privacy is not a feature; it is the foundation of our software's architecture. This Privacy Policy details the strict limitations on data collection enforced by our Zero-Knowledge design.
Unlike traditional Software-as-a-Service (SaaS) products, mgr.domains operates as a decentralized, Bring Your Own Keys (BYOK) application. When you install mgr.domains, you deploy a Cloudflare Worker and a private D1 Database to your personal Cloudflare account.
Because of this architecture, we do not host, store, or have any administrative access to your database. Your domain portfolio, financial metrics, and registrar API connections are physically beyond our reach.
Through the use of local, client-side encryption (AES-256 + PBKDF2), the following data is mathematically impossible for us to access, collect, or monetize:
Your Master Password: It is never transmitted to any server in plaintext.
Your API Keys: GoDaddy, Namecheap, Dan.com, and OpenAI API keys are encrypted in your browser before transit.
Your Portfolio Assets: We do not know which domains you own, your buy/sell prices, or your renewal schedules.
We collect the absolute minimum data necessary to maintain software health, process optional licenses, and communicate updates:
3.1 Voluntary Communications: If you join our newsletter or contact our support team, we will store your email address and message history solely to reply to you.
3.2 Operational Telemetry (The "Heartbeat"): To ensure the software functions correctly and to measure overall active installations, your local app sends a secure, anonymous "ping" to our central proxy (auth.mgr.domains) when you boot it up. This payload contains absolutely zero portfolio data. It strictly includes:
Client ID: A one-way cryptographic hash of your Account ID (to count unique installations without knowing who you are).
System Health: Your current Frontend and Backend software versions (to detect failed auto-updates across our user base).
Environment: Your platform type (Web vs. Desktop application).
3.3 Licensing Data (Phase 2): If you purchase an optional "Founder License", our third-party payment processor (Lemon Squeezy) handles the transaction. Our authentication proxy utilizes the hashed Client ID mentioned above to verify your license status. This proxy cannot access your private D1 workspace.
While we don't hold your data, the software relies on infrastructure provided by third parties. You are subject to their respective privacy policies:
Cloudflare, Inc.: Hosts your private Worker and D1 Database.
Lemon Squeezy: Processes optional license payments securely.
AI Providers (OpenAI, Anthropic): If you utilize the AI Advisor tools, your requests are processed via a "Courier Pattern". Your API key is decrypted locally, attached to a temporary header (`X-Temporary-Key`), consumed by your Worker for a single request, and immediately discarded. It is never stored in plaintext in your database.
Our public marketing website uses minimal, strictly necessary cookies to function. The core application (your private dashboard) uses browser `localStorage` strictly for maintaining your cryptographic session state and persisting your chosen UI theme (e.g., Light/Dark mode). We do not use cross-site tracking pixels or invasive analytics within your private workspace.