1. Who We Are
Domandata, LLC (“Domandata”, “we”, “us”, “our”) operates the Domandata platform at domandata.net — a survey-builder designed for academic and professional research. We are a small, founder-operated company committed to responsible handling of your data.
2. Information We Collect
Account information
When you sign up with an email address and password, or sign in with Google or ORCID, we collect your name, email address, and (where provided by the OAuth provider) a profile picture. We store this information to identify your account and to communicate with you about the Service.
Survey content and response data
Survey blocks, questions, logic flows, and response data you create or collect are stored on your behalf in our database. We do not access, analyse, or share this content except as necessary to operate the Service or as required by law.
Usage and analytics data
We use PostHog to collect pseudonymous product analytics — page views, feature interactions, and performance metrics — linked to a pseudonymous user identifier (your internal account ID, not your email address). We use this data solely to understand aggregate product usage and improve the Service. We do not sell this data and we do not send raw survey response content to PostHog.
Security and audit logs
We log security-relevant events — including successful and failed sign-in attempts, account permission changes, data exports, and administrative actions — along with associated IP addresses and browser user-agent strings. These logs are used to detect and investigate security incidents and are retained for at least one year. Logs are accessible only to Domandata personnel with a need to know and are not accessible to other users.
Error and diagnostic data
We use Sentry to capture application errors and performance data to help us identify and fix bugs. Sentry is configured to strip authentication headers, session cookies, and request body payloads before transmission, so that survey content and credentials are not included in error reports.
Cookies and local storage
We set session cookies to keep you signed in and use browser local storage for UI preferences (such as theme and editor settings). No third-party advertising cookies are used. You can clear cookies and local storage via your browser settings, though this will sign you out.
3. How We Use Your Information
- Authenticate your account and maintain your session.
- Deliver the survey-building and response-collection service.
- Send transactional emails (account confirmation, security notices, onboarding) via Resend.
- Understand aggregate usage patterns to improve the product.
- Detect, investigate, and prevent abuse, fraud, and security incidents.
- Comply with applicable legal obligations.
We do not use your survey response data for advertising, model training, or any purpose other than operating the Service.
4. Data Sharing
We do not sell, rent, or trade your personal information. We share data only with the sub-processors listed below, each engaged under data protection agreements consistent with applicable law.
User-directed integrations
You may optionally connect Domandata to third-party platforms such as the Open Science Framework (OSF). When you do, we store your access token for that platform encrypted in our database using AES-256-GCM. We use that token solely to perform the actions you explicitly request — for example, pushing a survey instrument or codebook to your OSF project. No respondent response data is included in any such transfer; only researcher-authored materials (questions, answer options, flow diagrams, and codebook metadata) are transmitted. Data you transmit to a third-party platform is subject to that platform's own privacy policy. You can disconnect an integration at any time from Settings → Account, which permanently deletes the stored token.
We may also disclose your information if required by law, court order, or governmental authority, or to protect the rights, property, or safety of Domandata, our users, or the public.
5. Data Retention and Deletion
Account and survey data is retained for the lifetime of your account. When you delete your account — which you can do directly from Settings → Account → Delete account — your account, all surveys, and all associated response data are permanently deleted from our production database. Deletion is confirmed before your request is marked complete.
Residual copies in encrypted database backups are retained only for the duration of our backup retention window (up to 24 hours of point-in-time recovery) and are not restored except for disaster recovery purposes. Once that window elapses, deleted data is no longer recoverable from any backup.
Pseudonymous analytics data and security audit logs may be retained for longer periods for security, compliance, and product improvement purposes, provided they do not contain raw survey response content or unredacted personal identifiers.
If you need assistance with account deletion or a data deletion request, contact us at privacy@domandata.net.
6. Security
We take the security of your data seriously and implement the following controls:
- Encryption in transit: All data transmitted between your browser and our servers uses HTTPS with TLS 1.2 or higher. Internal service-to-service communication also uses encrypted channels.
- Encryption at rest: All data stored in our database (Supabase) is encrypted at rest using industry-standard encryption.
- Authentication: Authentication is handled by Supabase. We do not store passwords in plaintext. TOTP-based multi-factor authentication (MFA) is available for all accounts and can be enforced at the workspace level.
- Access controls: Access to your data follows a role-based model. Internal staff access to production systems is restricted to authorised personnel, requires MFA, and is logged.
- Audit logging: Security-relevant events are logged to an append-only audit log accessible only via service-role credentials.
- Secrets management: Domandata system credentials (database passwords, service API keys) are stored in dedicated secrets managers (Doppler, Bitwarden) and are never committed to source control. User-provided credentials — such as LLM API keys or third-party integration tokens — are stored encrypted in the database using AES-256-GCM with per-user key derivation and are never returned to the client in plaintext.
No system is perfectly secure. If you discover a security vulnerability, please report it to security@domandata.net.
7. Your Rights
Depending on your jurisdiction you may have the right to access, correct, export, or delete your personal data, or to object to or restrict certain processing. Key actions you can take directly:
- Access and correction: View and update your account information in Settings → Account.
- Account deletion: Permanently delete your account and all associated data in Settings → Account → Delete account.
- Data export: Export your survey response data at any time from the survey responses view.
For any other privacy requests — including data portability, restriction of processing, or questions about our data handling — contact us at privacy@domandata.net. We will respond within a reasonable timeframe and in any event within the period required by applicable law.
8. Children
The Domandata platform is not directed at children under 13. We do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has provided us with personal information, please contact us at privacy@domandata.net and we will delete it promptly.
Survey creators are responsible for complying with applicable laws — including COPPA and UK GDPR — when designing surveys that may be completed by minors.
9. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes we will revise the effective date at the top of this page and, where practical, provide advance notice by email or in-app notification. Continued use of the Service after an updated Policy takes effect constitutes your acceptance of the updated Policy.
10. Chrome Browser Extension
The Domandata Offline Editor Chrome extension enables offline editing of your surveys. Here is how it handles data:
- What it stores:The extension caches your survey content (questions, blocks, logic flows) in your browser's local IndexedDB storage so it is available when you are offline. It also stores a small amount of session context in browser local storage to reconstruct the editor UI.
- Where it stays: All cached data lives entirely on your own device. It is never sent to any third party.
- How it syncs: Edits made offline are queued locally and sent only to the Domandata API (domandata.net) once you reconnect — the same destination as normal online edits.
- What it cannot access: The extension only activates on domandata.net survey editor pages. It does not read your browsing history, other websites, passwords, or any data outside the Domandata app.
- Removal: Uninstalling the extension removes all locally cached survey data from your device.
11. Contact
For privacy-related questions, requests, or concerns, contact us at privacy@domandata.net.
For security vulnerability reports, contact security@domandata.net.