Contents
1. Who we are and how to contact us
2. What personal data we collect
3. Legal basis for processing (GDPR Article 6)
4. How we use your personal data
5. Data sharing and third-party processors
6. International data transfers
7. Data retention
8. Your rights under GDPR
9. Cookies and tracking technologies
10. Security measures
11. Children's privacy
12. Data Processing Agreement (DPA)
13. Changes to this Privacy Policy
14. Contact and complaints
1. Who we are and how to contact us
D3 – Domain Due Diligence is operated by Veniatis, a company registered in the Netherlands.
Veniatis
Siriusstraat 4
7622 VZ Borne
The Netherlands
Email: [email protected]
Veniatis acts as the data controller for personal data processed in connection with your account and the provision of the Service. For any privacy-related questions or requests, please contact us at the address above.
2. What personal data we collect
We collect the following categories of personal data:
2.1 Account data
• Full name
• Email address
• Hashed password (bcrypt — we never store plaintext passwords)
• Account creation timestamp
• Email verification status
2.2 Billing and transaction data
• Payment method details (processed and stored by Mollie B.V. — we receive only a payment token and transaction status, not full card numbers)
• Invoice data (name, address, VAT number if applicable)
• Transaction history and credit balance
2.3 Usage data
• Scan history (domains scanned, scan products used, timestamps)
• Credit consumption records
• Dashboard and feature usage events
• IP address and User-Agent at login and scan submission
2.4 Communications
• Messages submitted via the contact form
• Support correspondence
2.5 Scan input data
• Domain names you submit for scanning. Note: domain names are not personal data unless they directly identify a natural person (e.g. firstname-lastname.com). We do not require you to submit personal data as scan input.
2.6 Technical data
• Session tokens (stored as secure HTTP-only cookies)
• Error logs and performance monitoring data (anonymised where possible)
3. Legal basis for processing (GDPR Article 6)
We process your personal data on the following legal bases:
• Contract (Article 6(1)(b)): Processing your account data, billing data and scan history is necessary to provide the Service you have contracted for — creating an account, running scans and generating reports.
• Legitimate interests (Article 6(1)(f)): We process usage data, IP addresses and technical logs to maintain the security and integrity of the Service, prevent abuse, detect fraud and improve performance. Our legitimate interests are balanced against your rights — we minimise the data collected and retention periods.
• Legal obligation (Article 6(1)(c)): We retain certain financial records (invoices, payment records) for the period required by Dutch tax law (7 years).
• Consent (Article 6(1)(a)): Where we process data for purposes beyond the above (e.g. marketing communications), we will obtain your explicit consent. You may withdraw consent at any time without affecting the lawfulness of prior processing.
4. How we use your personal data
We use your personal data exclusively for the following purposes:
• Providing and operating the Service (account management, scan execution, report generation)
• Processing payments and issuing invoices
• Communicating with you about your account, billing and support requests
• Detecting and preventing abuse, fraud and security incidents
• Complying with legal obligations (tax records, regulatory requirements)
• Improving the Service through anonymised usage analytics
We do not use your personal data for automated decision-making or profiling that produces legal or significant effects. We do not sell, rent or trade your personal data to any third party.
5. Data sharing and third-party processors
We share personal data with the following categories of third-party processors, strictly for the purpose of providing the Service:
5.1 Payment processing
Mollie B.V. (Netherlands) processes payment transactions. Mollie is a licensed Payment Institution under Dutch financial services law and complies with PCI DSS. Mollie's privacy policy is available at mollie.com/privacy.
5.2 Infrastructure and hosting
The Service is hosted on dedicated infrastructure located in the European Union. Our hosting provider processes data only as a data processor under a DPA.
5.3 Email delivery
Transactional emails (email verification, payment receipts, alerts) are sent via a third-party email delivery service operating within the EU or with appropriate GDPR safeguards.
5.4 Error monitoring
We use anonymised error monitoring to detect and diagnose technical issues. Personal identifiers are stripped or pseudonymised before transmission to monitoring services.
We do not share personal data with advertising networks, analytics platforms that track you across third-party sites, or data brokers. We do not use Google Analytics or similar tracking tools.
6. International data transfers
Veniatis and its primary processors operate within the European Economic Area (EEA). We do not routinely transfer personal data outside the EEA.
Where a third-party processor is located outside the EEA (e.g. certain cloud infrastructure components), we ensure that appropriate safeguards are in place, including:
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions under GDPR Article 45
• Binding Corporate Rules where applicable
You may request a copy of the safeguards applicable to any specific transfer by contacting us.
7. Data retention
We retain personal data for the following periods:
• Account data: For the duration of your account, plus 12 months after account deletion (to allow recovery and resolve disputes). After 12 months, personal data is pseudonymised — your email and name are replaced with opaque identifiers, while transaction and audit records are retained for legal compliance.
• Billing and financial records: 7 years from the transaction date, as required by Dutch tax law (Algemene wet inzake rijksbelastingen).
• Scan history and reports: For the duration of your account. You may delete individual reports at any time. Upon account deletion, reports are retained in pseudonymised form for 12 months then permanently deleted.
• IP address and session logs: 90 days, then automatically deleted.
• Contact form submissions: 24 months from submission, unless required for ongoing support or legal matters.
• Audit logs: 24 months (required for security and compliance purposes).
8. Your rights under GDPR
As a data subject under GDPR, you have the following rights:
8.1 Right of access (Article 15)
You may request a copy of the personal data we hold about you, information on how it is processed and to whom it has been disclosed.
8.2 Right to rectification (Article 16)
You may request correction of inaccurate or incomplete personal data. Most account data can be updated directly in your account settings.
8.3 Right to erasure (Article 17)
You may request deletion of your personal data where: it is no longer necessary for the purpose it was collected; you withdraw consent (where consent was the legal basis); or you object to processing and we have no overriding legitimate grounds. This right is subject to legal retention obligations (e.g. financial records).
8.4 Right to restriction (Article 18)
You may request that we restrict processing of your data while a dispute about accuracy or the legal basis for processing is resolved.
8.5 Right to data portability (Article 20)
You may request your personal data in a structured, commonly used, machine-readable format (JSON) for transfer to another service. This applies to data you provided to us and that we process by automated means.
8.6 Right to object (Article 21)
You may object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
8.7 Right not to be subject to automated decisions (Article 22)
We do not make automated decisions that produce legal or similarly significant effects based on your personal data.
8.8 Right to withdraw consent (Article 7)
Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days. In complex cases, we may extend this to 90 days with notice. We do not charge a fee for exercising these rights unless requests are manifestly unfounded or excessive.
You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl, or with the supervisory authority in your EU member state of residence.
9. Cookies and tracking technologies
D3 uses a minimal number of cookies and similar technologies:
9.1 Strictly necessary cookies
• Session cookie: An HTTP-only, Secure session token required to maintain your authenticated session. This cookie is deleted when your session ends or after 30 days of inactivity and does not track you across other websites.
• CloudFlare cookies: CloudFlare (under a Data Processing Agreement) sets security cookies required for DDoS protection and bot detection. These are strictly functional and do not track users across websites.
9.2 What we do not use
We do not use:
• Google Analytics or similar cross-site tracking
• Facebook Pixel or other social media tracking
• Advertising cookies or remarketing pixels
• Fingerprinting or other non-cookie tracking technologies
• Third-party consent management platforms
9.3 Cookie notice
Because we use only strictly necessary cookies, no consent banner is legally required under Dutch and EU ePrivacy rules. We inform you of cookies used via this policy.
10. Security measures
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction or alteration:
• All data in transit is encrypted using TLS 1.2 or 1.3
• Passwords are hashed using bcrypt with an appropriate cost factor — plaintext passwords are never stored
• Session tokens are HTTP-only, Secure and SameSite=Strict cookies
• Database access is restricted to application-level service accounts with minimal permissions
• Scan reports carry SHA-256 evidence hashes to detect tampering
• Administrative access requires multi-factor authentication
• We perform regular dependency audits and security reviews
• The Service is hosted on infrastructure located within the EU
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Dutch Data Protection Authority within 72 hours and, where required, notify affected individuals without undue delay.
11. Children's privacy
The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us without appropriate consent, please contact us and we will delete it promptly.
12. Data Processing Agreement (DPA)
If you use D3 to process personal data on behalf of your clients or organisation (for example, scanning domains that contain personal data, or using the Service within an enterprise context), you may act as a data controller and Veniatis acts as your data processor.
A Data Processing Agreement (DPA) compliant with GDPR Article 28 and the European Commission's Standard Contractual Clauses is available on request for business customers. Please contact us to request a DPA.
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in the Service, applicable law or our processing practices. Material changes will be communicated by email or via an in-app notification at least 14 days before they take effect.
The date of the most recent revision is shown at the top of this page. Your continued use of the Service after the effective date of any changes constitutes acceptance of the revised policy.
14. Contact and complaints
For any privacy-related question, request or complaint, please contact us:
Veniatis
Siriusstraat 4
7622 VZ Borne
The Netherlands
Email: [email protected]
We aim to respond to all requests within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with the Dutch Data Protection Authority:
Autoriteit Persoonsgegevens
PO Box 93374
2509 AJ The Hague
The Netherlands
www.autoriteitpersoonsgegevens.nl
EU residents may also use the European Commission's Online Dispute Resolution platform: https://ec.europa.eu/consumers/odr