1. What we collect
- Email address — to log you in and to contact you about your domains.
- Pseudonym — chosen at signup. Used as a display handle. Not your legal name.
- Password (hashed) — argon2id, salted. We never see the plaintext.
- Payment metadata — crypto transaction ID, amount, currency. Not your wallet address. Provided to us by OxaPay.
- IP address — first-seen on signup, subsequent on login. Stripped to /16 (IPv4) or /48 (IPv6) after 7 days.
- Browser metadata — user-agent string, country code (via Cloudflare CF-IPCountry), session timestamps. Used for security alerts.
- Login history — last 12 months of successful and failed login attempts, surfaced to you in your dashboard.
- Domain registration data — what you tell the registry. WHOIS privacy hides this from the public WHOIS where supported.
2. What we don't collect
- Legal name.
- Government-issued ID.
- Phone number.
- Billing or shipping address.
- Credit card or bank routing details (we don't accept those payment forms).
- Date of birth.
- Anything else not in section 1 above.
3. Why we collect what we do
To operate the service. Domain registration requires a contactable account. Payments require provider-side metadata. Security monitoring requires login history and rough geo. That's it — no advertising, no data brokers, no "analytics partners".
4. Who we share it with
Nobody, by default. Specifically:
- Registries — minimum data needed to register a domain. WHOIS privacy substitutes our generic contact for yours where supported.
- OxaPay — payment processor sees crypto txid + amount. They don't know who you are; we don't know your wallet.
- Backblaze B2 — encrypted backups. We hold the keys; B2 sees ciphertext.
- Competent courts — only when legally compelled. See our transparency report for what this looked like last semester.
We do not run Google Analytics, Meta Pixel, Hotjar, Mixpanel, Segment, or any third-party tracker. There is no GTM container on this site. Browser cookies are first-party only.
5. Where we host data
Application stack runs offshore (Moldova / Iceland depending on workload). Encrypted backups go to Backblaze B2. DNS resolution is anycast-distributed. Nothing customer-facing runs on AWS, GCP, or Azure.
6. Data retention
- Active accounts: kept while the account is active.
- IPs in users/login_history: stripped to /16 or /48 after 7 days.
- Login history: 12 months rolling.
- Closed accounts: marked deleted; PII fields cleared within 30 days.
- Backups: encrypted, 90-day rotation.
- Domain registration records: retained as long as the domain is registered with us.
7. Your rights
- Access — request a JSON export of everything we have on you, via privacy@bunkerdomains.com.
- Deletion — close your account from /dashboard/profile. PII is purged within 30 days. Domains stay registered until they expire.
- Correction — update editable fields directly in the dashboard.
- Portability — domain transfers out are unrestricted. EPP codes available on demand.
8. Cookies
Three first-party cookies, all functional:
- auth_session — keeps you logged in. HttpOnly, Secure, SameSite=Strict.
- bunker_cart — carries the anonymous shopping cart while you browse.
- bunker_currency — your preferred display currency.
- bunker_pre2fa — short-lived (10 minutes), used during 2FA login.
No third-party cookies, no tracking pixels, no fingerprinting.
9. Children
Our service is not directed at minors. We don't knowingly collect data about anyone under the age of majority in their jurisdiction.
10. Changes
Material changes to this policy get a 30-day notice via dashboard banner and email. Continued use after the effective date counts as acceptance.
11. Contact
Privacy questions: privacy@bunkerdomains.com. Legal compulsion: legal@bunkerdomains.com.