1. Purpose and scope
This policy explains how CaptainDNS (the "Service", "we") processes users' personal data ("you", "User") during authentication, when using DNS resolution features, and when viewing/sharing technical logs.
2. Plain-language summary
- We use Auth0 for authentication.
- We maintain an internal profile (email, name, nickname, locale, avatar, etc.) and technical logs describing API calls (including IP address and payloads).
- The "resolve watch" feature stores DNS metadata (qname, qtype, resolver, response hashes/summaries, diffs, latency, timestamps).
- In the browser, we only use functional storage (language cookie, localStorage, sessionStorage) that is never used for marketing.
- Data stays hosted in the EU/EEA on secure, GDPR-compliant infrastructure.
- Some third parties may receive data depending on what you use: Auth0 (identity) and public DNS resolvers (Cloudflare, Google, Quad9, AdGuard, NextDNS).
- You keep all your GDPR rights (access, rectification, erasure, etc.) and can revoke a public log link via support.
3. Data processed, purposes and legal bases
A. Authentication and profile
Data processed
- Auth0 tokens and returned attributes
- Local profile
- Front→back synchronisation
Purposes
- Create and keep your account/profile up to date.
- Deliver the Service and your display preferences.
Legal basis (GDPR art. 6)
- Contract performance (art. 6‑1‑b): provide the expected access and features.
- Legitimate interest (art. 6‑1‑f): secure sign-in flows (tokens, technical verifications).
B. Backend technical logs
Data processed
- Middleware: method, route, status, duration, IP address (from X-Forwarded-For, X-Real-IP or supplied by the frontend), JSON payloads (request/response or truncated preview), error code/text, source (anonymous/authenticated), user identifier (if available), timestamps, optional public token for sharing.
- Frontend endpoints:
  - /api/requests/history-token/[requestId]: checks whether a public_token exists and returns a summary (timestamp, route, status, error code).
  - /api/request-history/[token]: proxy for the redacted view, served with no-cache headers.
  - /api/requests/recent: up to 50 recent calls for an authenticated user, after the expected fields have been cleaned.
Purposes
- Operations, diagnostics, security, abuse prevention, support, proof of service, Service improvement.
- Provide an optional log-sharing feature (token).
Legal basis
- Legitimate interest (art. 6‑1‑f): keep the Service secure and reliable.
- Contract performance (art. 6‑1‑b): let you review your history or share a redacted view when you enable it.
C. Resolve watches (monitoring)
Data processed
- Owner (profile), original DNS request (qname, qtype, resolver), subsequent observations (response hashes, min/max TTL, JSON diff, anomaly indicators, timestamps).
Purpose
- Provide DNS monitoring and change/anomaly detection.
Legal basis
- Contract performance (art. 6‑1‑b).
D. Browser-side storage (functional only)
Data and duration
- NEXT_LOCALE cookie: 180 days, SameSite=Lax, Secure option; stores the selected language. The home page can also read Accept-Language to guide visitors without a cookie.
- localStorage (HistoryService, up to 500 events per host/qtype pair): timestamp, host, type, resolver, status code, latency, textual responses. (Reminder: readable by any script running on the page.)
- sessionStorage: anti-repeat keys (request hash) and timestamp, cleared after use or ~15 seconds.
Purposes
- Strictly functional comfort (language persistence, repeat-request prevention).
- No advertising tracking.
Legal basis
- ePrivacy exemption for strictly necessary cookies/storage.
- Legitimate interest (art. 6‑1‑f): keep the experience stable and prevent abuse.
E. Outbound calls to public DNS resolvers
Data transmitted
- Domain names and parameters needed for the DNS queries you initiate (which may, depending on context, contain identifying elements).
- Vendors: Cloudflare, Google, Quad9, AdGuard, NextDNS, etc. (depending on the preset you choose).
Purpose
- Execute your DNS queries and return the results/analysis.
Legal basis
- Contract performance (art. 6‑1‑b).
4. Recipients and categories of recipients
- Authorised internal team (need-to-know): operations, support, security.
- Processors (contracts, DPA/SCC in place):
- Hosting & PostgreSQL database (EEA).
- Auth0 (Okta) for authentication and API.
- Independent recipients (acting as separate controllers for your DNS queries): Cloudflare, Google, Quad9, AdGuard, NextDNS.
- Email/support providers (when you contact support).
We never sell data and we never transfer it for advertising purposes.
5. Transfers outside the EEA
Our core infrastructure (application and PostgreSQL) is hosted in the EEA. We make best efforts to configure Auth0 and other processors in EU regions.
If, exceptionally, a transfer outside the EEA is required (e.g. resolver routing, Auth0 operations), it is covered by appropriate safeguards (GDPR art. 46) such as Standard Contractual Clauses (SCCs) with supplementary measures, or relies on a derogation (art. 49) when the request is made at your initiative and necessary to deliver the Service.
6. Retention periods
| Category | Duration | Notes |
|---|---|---|
| Profile | While the account is active, plus 30 days after deletion; active data is then removed, and backups are retained for up to 90 days maximum. | Required for account management and a minimal audit trail. |
| API logs | Up to 180 days (rolling). Extension possible up to 12 months for incidents/legal duties, then deletion or anonymisation. | Covers IP, payloads, status, errors, tokens. |
| Resolve watches | As long as the watch is active. After deactivation/deletion: purged within 30 days; aggregates/anonymised copies possible. | Detailed diffs/observations kept 6 months max. |
| Public sharing token | No automatic expiry yet: valid until revoked via support (see § 7). | Optional; configurable expiry may be added later. |
| NEXT_LOCALE cookie | 180 days | Strictly functional. |
| localStorage (DNS history) | Local storage only (not sent to the server); you can clear it anytime. | Up to 500 events per host/qtype pair. |
| sessionStorage (anti-repeat) | ~15 seconds, then cleaned after use. | Ephemeral, functional. |
Operational note: automatic purges delete or anonymise records that reach their retention limit. Backups follow a limited retention period with restricted access.
7. Sharing logs via public link
The Service lets you share a redacted log view through a URL that contains a public token:
- Generation/view: the API returns a filtered view that removes sensitive keys (email, password, cookie, etc.) and forces no-cache headers.
- Scope: anyone holding the URL can see the corresponding redacted log.
- Revocation: to invalidate a token, contact support at [support@…] with the log ID or public URL. We delete the log or revoke the token, making the link unusable.
- Limits: despite the no-cache header, third parties may have copied the content; revocation blocks new API fetches but cannot erase external copies.
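The redaction step described above, shown as an added illustrative example rather than CaptainDNS's own code: a recursive filter that blanks sensitive keys in a stored log entry (nested objects and arrays included) before the entry is served through a public link, and that drops the owner identifier and raw IP entirely instead of leaving a marker for them. The key list, the `[redacted]` marker, the `publicLogView` function and the sample entry are assumptions constructed for this page.

```javascript
// Added example, not CaptainDNS's implementation. Key list and markers are assumptions.
const SENSITIVE_KEYS = new Set([
  "email", "password", "cookie", "setcookie", "authorization",
  "token", "publictoken", "accesstoken", "ip", "xfrontenduserip",
  "xforwardedfor", "xrealip",
]);
const REDACTED = "[redacted]";

// Normalise a key so that "Set-Cookie", "set_cookie" and "setCookie" compare equal.
function normaliseKey(key) {
  return String(key).toLowerCase().replace(/[^a-z0-9]/g, "");
}

// Return a deep copy of `value` with the value of every sensitive key replaced.
// Objects and arrays are walked recursively; primitives are returned unchanged.
// `depth` bounds pathological nesting; `seen` breaks reference cycles.
function redact(value, depth = 0, seen = new WeakSet()) {
  if (depth > 32) return "[truncated]";
  if (Array.isArray(value)) return value.map((v) => redact(v, depth + 1, seen));
  if (value !== null && typeof value === "object") {
    if (seen.has(value)) return "[cycle]";
    seen.add(value);
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SENSITIVE_KEYS.has(normaliseKey(k)) ? REDACTED : redact(v, depth + 1, seen);
    }
    return out;
  }
  return value;
}

// Build the public view of a stored log entry: the owner identifier and the
// raw client IP are removed outright (their presence is itself information),
// then the remaining fields are redacted recursively.
function publicLogView(entry) {
  const { userId, ip, ...rest } = entry;
  return redact(rest);
}

// Constructed sample entry (not real data).
const sampleEntry = {
  timestamp: "2025-11-04T10:00:00Z",
  method: "POST",
  route: "/api/resolve",
  status: 200,
  userId: "auth0|abc123",
  ip: "203.0.113.7",
  request: {
    qname: "example.com", qtype: "A", resolver: "cloudflare",
    headers: { Cookie: "session=abc", "X-Forwarded-For": "203.0.113.7" },
  },
  response: {
    answers: [{ name: "example.com", data: "93.184.216.34" }],
    user: { email: "alice@example.com", nickname: "alice" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(publicLogView(sampleEntry), null, 2));
}
```

The filter is allow-nothing for the listed keys only; anything else (including free-text fields) passes through, which is why the Limits bullet matters: a value that merely contains an address or an e-mail inside a string is not caught by key-based redaction.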
8. Security
We apply industry-standard technical and organisational measures:
- Encryption in transit (TLS) and at rest (encrypted volumes).
- Access controls (least privilege), environment isolation, access logging.
- Endpoint hardening, rate limiting, anomaly detection.
- Server-side secret management, rotation, protected storage.
- Restricted access to logs containing IP/payloads; encrypted exports when needed.
- Code reviews and dependency monitoring.
If a data breach occurs, we notify the competent authority (e.g. CNIL) within 72 hours when required, and affected individuals if there is a high risk.
9. Your rights
Under Articles 15‑22 GDPR, you have:
- Right of access to your data.
- Right to rectification and erasure ("right to be forgotten").
- Right to restriction and objection (especially for processing based on legitimate interest).
- Right to portability (data you provided, in a structured format).
- Right to post-mortem directives (France).
To exercise your rights: write to contact@captaindns.com with proof of identity. We reply within one (1) month (extendable by two (2) months for complex requests, with notice).
You may submit a complaint to the CNIL (www.cnil.fr) or your local authority.
10. Managing cookies and local storage
- Disable/purge: delete the NEXT_LOCALE cookie, clear localStorage (DNS history) and sessionStorage via your browser settings.
- Consequences: disabling can degrade some features (language, anti-repeat).
- No advertising nor profiling through these mechanisms.
11. Frontend dependencies and network calls
Next.js API routes act as a proxy: they add X-Frontend-User-IP (derived from X-Forwarded-For, X-Real-IP or Forwarded) and, when available, the Auth0 access token in Authorization. The proxy authenticates with the backend using a dedicated service token.
These headers are processed solely for security and reliable routing (legal basis: legitimate interest).
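How a proxy can derive the client address it forwards in X-Frontend-User-IP from X-Forwarded-For, X-Real-IP or Forwarded, shown as an added example written for this page and not CaptainDNS's code. The caveat a practitioner would want is built in: these headers are set by whoever sent the request, so only the hop appended by a known proxy is trusted, and a header received directly from an unknown peer is ignored in favour of the socket address. The trusted-proxy list, the header precedence and the `clientIp` function are assumptions.

```javascript
// Added example, not CaptainDNS's implementation. The proxy addresses are assumed.
const TRUSTED_PROXIES = new Set(["10.0.0.1", "10.0.0.2"]);

// Parse the RFC 7239 Forwarded header and return the "for=" addresses in order,
// e.g. 'for="[2001:db8::1]:4711";proto=https, for=192.0.2.60'.
function parseForwarded(header) {
  const out = [];
  for (const element of header.split(",")) {
    for (const pair of element.split(";")) {
      const [k, v] = pair.split("=").map((s) => s.trim());
      if (k && k.toLowerCase() === "for" && v) {
        let addr = v.replace(/^"|"$/g, "");
        const m6 = addr.match(/^\[([^\]]+)\](?::\d+)?$/); // bracketed IPv6, optional port
        addr = m6 ? m6[1] : addr.replace(/:\d+$/, "");     // else strip an IPv4 port
        out.push(addr);
      }
    }
  }
  return out;
}

// `headers` uses lower-case names (as Node's req.headers does); `socketAddr` is
// the address of the peer that actually opened the TCP connection.
function clientIp(headers, socketAddr) {
  const get = (name) => headers[name.toLowerCase()];
  let chain = [];
  if (get("x-forwarded-for")) chain = get("x-forwarded-for").split(",").map((s) => s.trim());
  else if (get("forwarded")) chain = parseForwarded(get("forwarded"));
  else if (get("x-real-ip")) chain = [get("x-real-ip").trim()];

  // Walk from the connecting peer leftwards. Each trusted proxy vouches for the
  // hop to its left; the first address that is not one of our proxies is the
  // client as seen by the nearest trusted proxy. Anything further left was
  // supplied by the client and is never used. If the peer itself is not a
  // trusted proxy, the whole header is untrusted and the socket address wins.
  const hops = [...chain, socketAddr];
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!TRUSTED_PROXIES.has(hops[i])) return hops[i];
  }
  return socketAddr;
}
```

The same rule applies on the backend side of the policy's "supplied by the frontend" wording: the backend should accept X-Frontend-User-IP only on requests carrying the dedicated service token, otherwise any client can plant an arbitrary address in the logs.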
12. Children
The Service is not intended for users under 15 (France) without compliant parental consent (GDPR art. 8). If you believe a minor has provided data, contact us for deletion.
13. Automated decisions
No decisions producing legal effects are taken solely on the basis of automated processing of your data.
14. Updates to this policy
We may update this policy to reflect legal or technical changes. In case of a material change, we will inform you by email or in-app and, where required, seek your consent.
15. Contact details
- Controller: ESPIERRE SAS, 60 RUE FRANCOIS IER, 75008 PARIS, FRANCE
- DPO: Matthieu ESPAZE, matthieu@espierre.fr
- Support & public-link revocation: contact@captaindns.com
- GDPR requests: contact@captaindns.com
Annex A - List of processors and third parties
- Auth0 (Okta): identity provider (authentication).
- Hosting / PostgreSQL DB: Fly.io.
- DNS resolvers (independent controllers): Cloudflare, Google, Quad9, AdGuard, NextDNS, etc. (depending on your settings).
- Email/support: Google Workspace.
Annex B - Legal bases by purpose (cheat sheet)
- Contract performance (6‑1‑b): account creation/management, DNS features, resolve watches, providing history and its shared view (when you trigger it).
- Legitimate interest (6‑1‑f): security (technical logs, IP, anti-repeat), abuse prevention, Service improvement, functional comfort (language cookie).
- Consent: not required for strictly functional cookies/storage (ePrivacy exemption).
Practical notes
- API log purge: 180-day rolling retention, extended only for investigations/legal duty (max. 12 months) before deletion or anonymisation.
- Internal access to full logs (IP/payloads) is strictly limited; encrypted exports are used when needed.
- Public token sharing: keep it temporary and revoke it as soon as the need ends (support: contact@captaindns.com).
- Local storage: readable by any script running on the page; avoid storing sensitive data there.
- Third-party DNS: the domain names you enter are sent to the selected resolvers; check their policies for details.
Final notices
This policy is part of our Record of Processing Activities and our Security Program. It will be updated if the architecture evolves (e.g. automatic sharing-token expiry).
Last updated: 04 November 2025