indexo.dev

Privacy Policy

This policy explains how indexo.dev (the "Service") processes personal data, in compliance with Regulation (EU) 2016/679 (GDPR) and the Spanish Organic Law 3/2018 (LOPDGDD).

1. Data controller

The data controller is the service operator identified in the Legal Notice. Contact for privacy matters: legal@indexo.dev.

2. Data we process

2.1 Visitors (no account)

  • Standard server access logs: IP address, user-agent, timestamp, requested path, response status. Used for security, abuse prevention and capacity planning. Retained up to 90 days.
  • A first-party, signed session cookie is set only after you initiate authentication. It is strictly necessary for the login flow and is exempt from prior consent under Article 22.2 of the LSSI-CE.

2.2 Domain submissions

When you submit a domain through the public form, the Service stores a one-way SHA-256 hash of your IP address against a per-hour rate limit. The plain IP is not retained. The hash is kept up to 30 days.

2.3 Developer accounts (Google sign-in)

If you sign in to obtain an API key, Google shares with us your Google account ID, email address, name, and profile picture. We store these to identify your account and apply your plan limits. You can request deletion at any time by writing to legal@indexo.dev.

3. Legal bases

  • Performance of a contract (Art. 6.1.b GDPR) — for developer accounts and API key issuance.
  • Legitimate interest (Art. 6.1.f GDPR) — for security logging, rate limiting and abuse prevention.
  • Legal obligation (Art. 6.1.c GDPR) — where required to retain data to comply with applicable law.

4. Recipients and processors

  • Hetzner Online GmbH (Germany, EU) — hosting provider; acts as a data processor.
  • Google LLC / Google Ireland Ltd. — when you sign in with Google. Transfers to the United States rely on the EU-US Data Privacy Framework.
  • jsDelivr (Prospect One) and UNPKG (Cloudflare) — public CDNs that serve static front-end assets directly to your browser. They may process your IP address solely to deliver the requested resource.

The Service does not use analytics, advertising, fingerprinting or behavioural tracking.

5. International transfers

Personal data is stored within the European Economic Area. The only regular transfer outside the EEA is to Google (United States), under the EU-US Data Privacy Framework adequacy decision.

6. Your rights

You have the right to access, rectify or erase your personal data, to restrict or object to its processing, to data portability and, where applicable, to withdraw any consent given. To exercise these rights, contact legal@indexo.dev.

You also have the right to lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD — aepd.es) if you believe your rights have been infringed.

7. Information about third-party domains

The Service publishes technical metadata about third-party domains (DNS, certificates, HTML metadata, outbound link graph) collected from public sources. This information is not personal data with respect to visitors, but may incidentally include data about domain owners that they have made publicly available themselves (for example, contact details published on a website). Domain owners can request removal of specific information by writing to legal@indexo.dev; see the Terms of Use for the removal process.

8. Changes to this policy

We may update this policy. The current version is always available at this URL; substantive changes will be highlighted on this page.