Privacy Policy

Last Updated: March 11, 2026

1. Introduction

DNS by Echo Reply ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our domain management platform.

We have designed our service with privacy and security in mind, including compliance with global privacy regulations such as the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable laws.

2. Information We Collect

2.1 Personal Information

We collect and process the minimum personal information necessary to provide our services:

  • Account Information: Email address used for authentication and communication
  • Security Information: IP addresses and login timestamps for security and audit purposes
  • Usage Data: Records of actions taken within the platform to maintain an audit trail

2.2 Business Data

  • Domain records and configurations
  • Organization information
  • DNS configurations and templates
  • Payment processing information (processed securely via Stripe's prebuilt forms)

2.3 Payment Information

We use Stripe's prebuilt payment forms for secure payment processing. When you make payments:

  • Payment details are processed directly by Stripe and never touch our servers
  • We store only the minimum necessary payment metadata (transaction IDs, amounts, timestamps)
  • All payment data is encrypted and handled according to Stripe's PCI DSS Level 1 compliance

3. How We Use Your Information

We use your personal information for the following purposes:

  • Providing and maintaining our services
  • Authenticating your access to the platform
  • Sending service notifications and updates
  • Ensuring compliance with security standards (including PCI DSS for payment processing)
  • Maintaining audit trails for legal and security purposes
  • Preventing fraud and abuse

4. Retention of Your Information

4.1 Account Information

We retain your account information for as long as your account remains active. When you delete your account, we will delete your personal information except as noted below.

4.2 Audit Logs

For security, compliance, and operational purposes, we maintain audit logs of user actions for 5 years. After account deletion:

  • Your email address and personal identifiers in these logs will be pseudonymized after 1 year
  • The underlying action records will be retained as required for security and compliance purposes

We maintain these logs based on our legitimate interest in:

  • Ensuring system security and integrity
  • Meeting regulatory obligations (NIS2, etc.)
  • Providing auditability for clients with compliance requirements
  • Resolving disputes regarding domain management actions

A detailed legitimate interest assessment is available for review in the Compliance section of your account.

5. Information Sharing and Disclosure

We do not sell your personal information to third parties. We may share information in the following limited circumstances:

  • With your explicit consent
  • With service providers that help us operate our platform, who are bound by confidentiality obligations
  • To comply with legal obligations, enforce our terms, or respond to legal process
  • In connection with a merger, acquisition, or sale of assets, with appropriate safeguards for your information

6. Your Rights and Choices

Depending on your location, you may have certain rights regarding your personal information:

6.1 For All Users

  • Access: Request information about the personal data we process about you
  • Correction: Request correction of inaccurate data
  • Account Deletion: Delete your account and associated personal information

6.2 For Users in the European Economic Area (GDPR)

  • Data Portability: Receive your data in a structured, machine-readable format
  • Restriction of Processing: Request restriction of processing in certain circumstances
  • Objection: Object to processing based on legitimate interests
  • Withdrawal of Consent: Withdraw consent where processing is based on consent

6.3 For California Residents (CCPA/CPRA)

  • Right to Know: Request information about personal information collected, used, disclosed, or sold
  • Right to Delete: Request deletion of personal information (subject to exceptions)
  • Right to Opt-Out: Opt-out of the sale of personal information (note that we do not sell personal information)
  • Non-Discrimination: Freedom from discrimination for exercising your rights

7. Data Security

We implement appropriate technical and organizational measures to protect your information, including:

  • Encryption of personal data at rest and in transit
  • Multi-layered security controls including Stripe's PCI DSS Level 1 compliant payment processing
  • Regular security assessments and penetration testing
  • Breach notification systems in compliance with NIS2 and other applicable regulations
  • Use of Stripe's prebuilt payment forms to ensure no sensitive payment data touches our infrastructure

8. Domain Administrator Considerations

If you are the last administrator of a domain, you cannot delete your account until you:

  1. Transfer ownership to another user, or
  2. Delete the domain entirely

This limitation is necessary to ensure domain continuity and prevent orphaned resources. We provide a streamlined workflow for ownership transfers in such cases.

9. International Data Transfers

DNS by Echo Reply operates globally. When we transfer personal data outside your region, we ensure appropriate safeguards are in place through:

  • Standard Contractual Clauses
  • Adequacy decisions where applicable
  • Other legally valid transfer mechanisms

10. Cookies and Similar Technologies

Our service uses essential cookies to maintain your session and authentication status. We also use analytics cookies to improve our service. You can manage cookie preferences through your account settings or browser configurations.

11. Children's Privacy

Our services are not directed to individuals under 16 years of age. We do not knowingly collect personal information from children.

12. Changes to This Privacy Policy

We may update this Privacy Policy periodically. We will notify you of any significant changes through the service or via email.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at:

For users in the European Economic Area, we have appointed a Data Protection Officer who can be reached at support@echo-reply.net.

14. Additional Information for Specific Jurisdictions

14.1 European Economic Area

Legal bases for processing include:

  • Contract performance: To provide our services
  • Legitimate interests: For audit logs, security, and service improvement
  • Legal obligation: For compliance with legal requirements
  • Consent: Where specifically requested

14.2 California

Under California law, we disclose the following:

  • We have not sold personal information in the preceding 12 months
  • We disclose the following categories of personal information for business purposes: identifiers (email address, IP address), internet activity information (platform usage)
  • California residents have rights as outlined in Section 6.3

14.3 Other Jurisdictions

Additional jurisdiction-specific information may be provided upon request.