Back to Domandata

Legal

Privacy Policy

Effective date: May 30, 2026

This Privacy Policy explains how Domandata, LLC collects, uses, shares, and protects information about you when you use the Domandata platform.

1. Who We Are

Domandata, LLC (“Domandata”, “we”, “us”, “our”) operates the Domandata platform at domandata.net — a survey-builder designed for academic and professional research. We are a small, founder-operated company committed to responsible handling of your data.

2. Information We Collect

Account information

When you sign up with an email address and password, or sign in with Google or ORCID, we collect your name, email address, and (where provided by the OAuth provider) a profile picture. We store this information to identify your account and to communicate with you about the Service.

Survey content and response data

Survey blocks, questions, logic flows, and response data you create or collect are stored on your behalf in our database. We do not access, analyse, or share this content except as necessary to operate the Service or as required by law.

Usage and analytics data

We use PostHog to collect pseudonymous product analytics — page views, feature interactions, and performance metrics — linked to a pseudonymous user identifier (your internal account ID, not your email address). We use this data solely to understand aggregate product usage and improve the Service. We do not sell this data and we do not send raw survey response content to PostHog.

Security and audit logs

We log security-relevant events — including successful and failed sign-in attempts, account permission changes, data exports, and administrative actions — along with associated IP addresses and browser user-agent strings. These logs are used to detect and investigate security incidents and are retained for at least one year. Logs are accessible only to Domandata personnel with a need to know and are not accessible to other users.

Error and diagnostic data

We use Sentry to capture application errors and performance data to help us identify and fix bugs. Sentry is configured to strip authentication headers, session cookies, and request body payloads before transmission, so that survey content and credentials are not included in error reports.

Cookies and local storage

We set session cookies to keep you signed in and use browser local storage for UI preferences (such as theme and editor settings). No third-party advertising cookies are used. You can clear cookies and local storage via your browser settings, though this will sign you out.

3. How We Use Your Information

  • Authenticate your account and maintain your session.
  • Deliver the survey-building and response-collection service.
  • Send transactional emails (account confirmation, security notices, onboarding) via Resend.
  • Understand aggregate usage patterns to improve the product.
  • Detect, investigate, and prevent abuse, fraud, and security incidents.
  • Comply with applicable legal obligations.

We do not use your survey response data for advertising, model training, or any purpose other than operating the Service.

4. Data Sharing

We do not sell, rent, or trade your personal information. We share data only with the sub-processors listed below, each engaged under data protection agreements consistent with applicable law.

Supabase
Purpose
Database and authentication infrastructure
Data Shared
All account and survey data
Vercel
Purpose
Application hosting and edge delivery
Data Shared
Request data, server logs
Resend
Purpose
Transactional email delivery
Data Shared
Email address, email content
PostHog
Purpose
Product analytics
Data Shared
Pseudonymous usage events (no survey content)
Sentry
Purpose
Error monitoring and diagnostics
Data Shared
Error events (credentials and body payloads stripped)
Google
Purpose
OAuth sign-in and reCAPTCHA abuse prevention
Data Shared
OAuth tokens, reCAPTCHA signals
ORCID
Purpose
OAuth sign-in for researchers
Data Shared
OAuth tokens, public ORCID profile data

User-directed integrations

You may optionally connect Domandata to third-party platforms such as the Open Science Framework (OSF). When you do, we store your access token for that platform encrypted in our database using AES-256-GCM. We use that token solely to perform the actions you explicitly request — for example, pushing a survey instrument or codebook to your OSF project. No respondent response data is included in any such transfer; only researcher-authored materials (questions, answer options, flow diagrams, and codebook metadata) are transmitted. Data you transmit to a third-party platform is subject to that platform's own privacy policy. You can disconnect an integration at any time from Settings → Account, which permanently deletes the stored token.

We may also disclose your information if required by law, court order, or governmental authority, or to protect the rights, property, or safety of Domandata, our users, or the public.

5. Data Retention and Deletion

Account and survey data is retained for the lifetime of your account. When you delete your account — which you can do directly from Settings → Account → Delete account — your account, all surveys, and all associated response data are permanently deleted from our production database. Deletion is confirmed before your request is marked complete.

Residual copies in encrypted database backups are retained only for the duration of our backup retention window (up to 24 hours of point-in-time recovery) and are not restored except for disaster recovery purposes. Once that window elapses, deleted data is no longer recoverable from any backup.

Pseudonymous analytics data and security audit logs may be retained for longer periods for security, compliance, and product improvement purposes, provided they do not contain raw survey response content or unredacted personal identifiers.

If you need assistance with account deletion or a data deletion request, contact us at privacy@domandata.net.

6. Security

We take the security of your data seriously and implement the following controls:

  • Encryption in transit: All data transmitted between your browser and our servers uses HTTPS with TLS 1.2 or higher. Internal service-to-service communication also uses encrypted channels.
  • Encryption at rest: All data stored in our database (Supabase) is encrypted at rest using industry-standard encryption.
  • Authentication: Authentication is handled by Supabase. We do not store passwords in plaintext. TOTP-based multi-factor authentication (MFA) is available for all accounts and can be enforced at the workspace level.
  • Access controls: Access to your data follows a role-based model. Internal staff access to production systems is restricted to authorised personnel, requires MFA, and is logged.
  • Audit logging: Security-relevant events are logged to an append-only audit log accessible only via service-role credentials.
  • Secrets management: Domandata system credentials (database passwords, service API keys) are stored in dedicated secrets managers (Doppler, Bitwarden) and are never committed to source control. User-provided credentials — such as LLM API keys or third-party integration tokens — are stored encrypted in the database using AES-256-GCM with per-user key derivation and are never returned to the client in plaintext.

No system is perfectly secure. If you discover a security vulnerability, please report it to security@domandata.net.

7. Your Rights

Depending on your jurisdiction you may have the right to access, correct, export, or delete your personal data, or to object to or restrict certain processing. Key actions you can take directly:

  • Access and correction: View and update your account information in Settings → Account.
  • Account deletion: Permanently delete your account and all associated data in Settings → Account → Delete account.
  • Data export: Export your survey response data at any time from the survey responses view.

For any other privacy requests — including data portability, restriction of processing, or questions about our data handling — contact us at privacy@domandata.net. We will respond within a reasonable timeframe and in any event within the period required by applicable law.

8. Children

The Domandata platform is not directed at children under 13. We do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has provided us with personal information, please contact us at privacy@domandata.net and we will delete it promptly.

Survey creators are responsible for complying with applicable laws — including COPPA and UK GDPR — when designing surveys that may be completed by minors.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes we will revise the effective date at the top of this page and, where practical, provide advance notice by email or in-app notification. Continued use of the Service after an updated Policy takes effect constitutes your acceptance of the updated Policy.

10. Chrome Browser Extension

The Domandata Offline Editor Chrome extension enables offline editing of your surveys. Here is how it handles data:

  • What it stores:The extension caches your survey content (questions, blocks, logic flows) in your browser's local IndexedDB storage so it is available when you are offline. It also stores a small amount of session context in browser local storage to reconstruct the editor UI.
  • Where it stays: All cached data lives entirely on your own device. It is never sent to any third party.
  • How it syncs: Edits made offline are queued locally and sent only to the Domandata API (domandata.net) once you reconnect — the same destination as normal online edits.
  • What it cannot access: The extension only activates on domandata.net survey editor pages. It does not read your browsing history, other websites, passwords, or any data outside the Domandata app.
  • Removal: Uninstalling the extension removes all locally cached survey data from your device.

11. Contact

For privacy-related questions, requests, or concerns, contact us at privacy@domandata.net.

For security vulnerability reports, contact security@domandata.net.