01Who we are
DNSfish ("we," "us," "DNSfish") is operated by Reefline Labs, Inc., a Delaware C-corp headquartered at 1 Market St., San Francisco, CA. We run the website at dnsfish.com and the API at api.dnsfish.com.
This policy explains exactly what data we collect when you use DNSfish, why we collect it, and what we do with it. We don't believe in 27-page privacy policies that exist only to satisfy lawyers — so this one tries to be honest, specific, and short.
02What we collect
For every lookup, we record the minimum needed to make the service work and improve it:
| Field | Why we keep it | Retention |
|---|---|---|
| domain | To run the lookup | 14 days raw · forever in aggregate |
| record_type | To filter results | 14 days raw · forever in aggregate |
| resolver_id | To compare resolvers | 14 days raw · forever in aggregate |
| ip_hash | Abuse + rate-limiting | 14 days, then deleted |
| country (from IP) | Choose nearest probe | 14 days, then deleted |
| ua_family | Debug rendering issues | 14 days, then deleted |
| latency_ms | Service quality SLOs | 14 days, then deleted |
If you create an API account, we additionally store your email, hashed API keys, billing details (handled by Stripe — we never see your card), and usage counters. That's all.
03What we don't collect
Specifically, DNSfish does not do any of the following:
- Set advertising or analytics cookies. We have no ads and no third-party trackers.
- Build a profile of your DNS query history across sessions.
- Sell or share lookup data with brokers, registrars, or marketing partners.
- Receive telemetry from your browser other than what you submit in the form.
- Use Google Analytics, Mixpanel, Segment, Heap, or similar.
The only first-party cookies we set are a session ID (if you sign in), a CSRF token, and your tweak preferences — none of which leave your browser except to talk to us.
04How we use the data
- Operate the service. We need the domain to look it up. Obvious.
- Aggregate analytics. Once data is anonymized and aggregated, it's used to publish the public DNS Index at
dnsfish.com/index. - Abuse prevention. Hashed IPs let us throttle scrapers without storing identities.
- Reliability. Latency and error rates feed our SLO dashboards.
- Support. If you email us, your message and email address are used only to reply.
05Who we share data with
We share data with the smallest possible number of subprocessors, listed exhaustively here:
| Provider | Purpose | Data shared |
|---|---|---|
| Cloudflare | CDN + DDoS protection | Request metadata (no body) |
| AWS (us-east-1, eu-west-1) | Application hosting | Everything in section 2 |
| Stripe | Payments (paid plans only) | Card data — direct from your browser |
| Postmark | Transactional email | Email address + message body |
We've signed standard contractual clauses with each subprocessor where required by GDPR. No data is sold under any circumstances.
06Your rights
Under GDPR, CCPA, and other modern privacy regimes, you have the right to:
- Access all data we hold tied to your account or hashed IP.
- Rectify anything inaccurate.
- Delete your account and all associated data within 7 days of request.
- Export your account data in a portable JSON file.
- Object to any specific processing activity.
privacy@dnsfish.com with any of the above. We'll respond within 48 hours and complete the request within 30 days.07Security
All traffic to dnsfish.com uses TLS 1.3 with HSTS preload. Customer data at rest is encrypted with AES-256 using AWS KMS. Production access is limited to engineers with hardware security keys; every admin action is audit-logged for 12 months.
We're SOC 2 Type II certified (Coalfire, 2024) and run a public security disclosure program at dnsfish.com/security. Report vulnerabilities to security@dnsfish.com — payouts up to $5,000 for critical issues.
08Children
DNSfish is not directed at children under 13. We don't knowingly collect data from anyone in that age group. If you believe a child has signed up, email us and we'll delete the account immediately.
09Changes to this policy
We post the diff for every material change at dnsfish.com/legal/history. Non-trivial changes are also emailed to API account holders at least 14 days before they take effect. Continued use of DNSfish after a change means you accept it; if you don't, you can close your account before the effective date with no charge.