Legal

Privacy Policy

Effective · Last updated

DomainShark is operated by Dingoblue Services (ABN 40 705 499 787), an Australian business that collects, holds and uses personal information under the Australian Privacy Principles set out in the Privacy Act 1988 (Cth). This Privacy Policy explains what we collect, why, how we protect it, and the choices you have. References to “we”, “us” and “our” mean Dingoblue Services operating the DomainShark service at domainshark.com.au.

1. What this policy covers

This policy applies to all personal information collected through the DomainShark website, member accounts, search interactions, contact forms and removal requests. It does not cover third-party sites we link to (including our registrar partner members.dingoblue.com.au), which have their own privacy policies.

2. Information we collect

We collect only the information we need to run the service.

  • Account information, if you create a free account: email address, display name, password hash, optional avatar.
  • Authentication data, session cookies, CSRF tokens, and (if you choose third-party sign-in) the identifier returned by that provider.
  • Search activity, keywords you search, results returned, timestamps and the token cost of each search. Linked to your account if signed in, otherwise to your IP for quota enforcement.
  • API key metadata, if you create one or more keys for our developer API: a label you choose, a one-way hash of the key, creation/last-used timestamps, the plan tier, and per-key request counters used to enforce rate limits and quotas. Request payloads and responses are logged at an aggregate level for billing, rate-limiting and abuse prevention.
  • Contact submissions, name, email, subject and message body when you use our contact form, removal form or change-of-registrant form.
  • Technical metadata, IP address, user-agent, referrer, request paths and timestamps. Used for security, abuse prevention, rate limiting and aggregate analytics.
  • Device/browser preferences, theme (light/dark) and dismissible notice state, stored locally in your browser.
  • Billing information, if you subscribe to a paid plan (for example a paid API tier), our payment provider collects the payment details directly; we receive a customer reference, plan, status and the last four digits of your card. We do not store full card numbers.

We do not deliberately collect sensitive information (race, political opinion, health information, etc.). Please do not include sensitive information in free-text fields such as contact-form messages.

3. The SharkDEX dataset

DomainShark maintains a public search index (the “SharkDEX”) of Australian domain names that have expired and become re-registrable. Domain names themselves are not personal information, they are identifiers in the public DNS, and the dataset does not include WHOIS contact details. If you believe a specific listing is in error or causes you harm, you can request removal via domainshark.com.au/remove; we action removal requests promptly.

4. How we use information

We use personal information to:

  • operate the search index, member accounts, the marketplace and the developer API;
  • enforce per-account, per-IP and per-API-key search quotas, rate limits and tier limits, and prevent abuse;
  • respond to contact, removal and change-of-registrant requests;
  • send transactional email (verification, password reset, removal confirmation, billing receipts) via a third-party email-delivery provider;
  • process paid subscriptions, including communicating with our payment processor and reconciling invoices;
  • maintain security, including human-verification challenges on public forms, fraud prevention, and incident alerting to our internal team;
  • improve the service through aggregate, de-identified analytics.

5. Cookies and similar technologies

We use a small number of first-party cookies and local-storage entries:

  • Session cookie, keeps you signed in between page loads.
  • CSRF token, protects forms against cross-site request forgery.
  • Theme preference, remembers your light/dark choice (stored in localStorage, not transmitted).
  • Bot-challenge widget, a third-party human-verification widget on public forms, which may set its own cookies in line with its provider's privacy policy.

We do not run third-party advertising trackers. If we add web analytics we will update this policy and provide a cookie consent mechanism where required.

6. Disclosure and overseas storage

We host the service in Australia and only disclose personal information to third-party service providers who help us run it. Categories of provider we use include:

  • Infrastructure and network, hosting, content delivery, DDoS mitigation and DNS.
  • Security and abuse prevention, bot-challenge / human-verification, IP-reputation and rate-limiting tooling.
  • Transactional email delivery, for verification, password reset, removal confirmations, billing receipts and similar one-to-one messages.
  • Optional third-party sign-in, if you choose to sign in with a supported identity provider, that provider returns an identifier and basic profile information to us.
  • Payment processing, if you subscribe to a paid plan, a PCI-compliant payment processor handles your card details directly. We receive only a customer reference, plan status and limited last-four-digit metadata.
  • Internal incident alerting, we forward non-public technical alerts (e.g. signup spikes, error spikes) to a private team channel for monitoring.
  • Registrar partner, when you proceed to register or transfer a domain, you are handed off to members.dingoblue.com.au; information you submit at the registrar is governed by its own privacy terms.

The current list of named subprocessors is available on request via the contact form with “Privacy” in the subject line. Some providers may store or process information outside Australia. We take reasonable steps to ensure each handles personal information consistently with the Australian Privacy Principles.

7. How we protect information

We use HTTPS site-wide, hash passwords with modern algorithms, store credentials separately from application data, protect forms with bot-challenge and CSRF tokens, and apply least-privilege server access. No internet service is 100% secure, but we work hard to protect what you share with us.

8. How long we keep information

We retain account information for as long as your account is active and for a reasonable period afterwards to meet legal and operational needs. Search logs and IP-level metadata are kept for the period necessary for security and quota purposes (typically up to 12 months) and then aggregated or deleted. API request logs (request path, timestamp, key reference, response status, byte count) are retained for the period needed for billing, abuse investigation and rate-limit enforcement, typically up to 24 months, and then aggregated or deleted. Contact and removal submissions are retained as required to action and audit the request. Billing records are retained for the period required by Australian tax and corporations law.

9. Your rights

Under the Australian Privacy Principles you have the right to access the personal information we hold about you, ask us to correct it if it is inaccurate, ask us to delete your account, and complain if you believe we have mishandled your information. To make any of these requests, use the contact form and mention “Privacy” in the subject line. We aim to respond within 30 days.

If you are not satisfied with our response, you can contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

10. Children

DomainShark is intended for users aged 16 and over. We do not knowingly collect personal information from children under 16. If you believe a child has provided us personal information, please contact us so we can remove it.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will change the “Last updated” date at the top and, for material changes, notify signed-in members by email.

12. How to contact us

For any privacy question or request, use our contact form with “Privacy” in the subject line. Postal correspondence to Dingoblue Services, Australia.