Skip to content
DoggyBagg LLC
Menu

Legal · Data Governance

Privacy Policy & Data Processing Statement

Effective immediately upon access. This policy describes how DoggyBagg Index collects, processes, retains, and protects information within our analytical dark-terminal marketplace.

1. Data Controller & Scope

DoggyBagg Index operates as the data controller for information processed through this website, checkout flows, purchaser session cookies, anti-automation defense systems, and transactional email delivery. This policy applies exclusively to interactions with the DoggyBagg Index terminal at our published base URL and does not govern third-party restoration contractor websites referenced as cloaked index entities.

2. Categories of Information Processed

  • Technical session data: IP address, user-agent string, request timestamps, and reverse-proxy forwarding headers used for rate limiting and abuse prevention
  • Purchaser checkout data: Email address, Stripe Checkout Session identifiers, payment amounts, and currency codes supplied by Stripe upon successful dossier purchase
  • Fulfillment records: HMAC-bound asset tokens, domain identifiers, fulfillment timestamps, and receipt dispatch markers stored in our SQLite index database
  • Public index metadata: Cloaked regional hub tables, decay scores, lifecycle states, and trust-node evidence labels — never raw target domains on public channels

We do not operate behavioral advertising networks, sell personal data to data brokers, or publish purchaser email addresses on any public surface.

3. Processing Purposes & Legal Bases

Information is processed strictly to deliver the DoggyBagg Index service: marketplace rendering, dossier unlock fulfillment, purchaser receipt delivery, fraud and scraping prevention, and compliance with our Terms of Use. Contract performance covers paid dossier transactions. Legitimate interests cover security logging, honeypot enforcement, and persistent IP block matrices required to protect our compilation database.

4. Retention Boundaries

  • Purchase fulfillments: Retained for the life of the commercial record and tax reconciliation requirements, including Stripe session identifiers and receipt dispatch timestamps
  • Purchaser session cookie (dbi_session): HttpOnly, maximum age thirty (30) days, bound to the purchased asset token
  • Block matrix entries (blocked_clients): Retained until manually reviewed or superseded by operational security policy
  • Server logs: Rotated per hosting provider defaults; structured security events may be retained longer for incident investigation

Cloaked public index records are not personal data about visitors; they describe restoration-domain decay signals compiled from public and licensed sources.

5. Sub-Processors & Infrastructure

We rely on the following categories of processors to operate the terminal:

  • Stripe, Inc. — payment authorization, Checkout Sessions, and webhook event delivery
  • Resend, Inc. — transactional HTTP API for purchaser dossier receipts
  • Hosting provider (Fly.io / Render or successor) — application runtime, persistent volume storage for doggybagg_index.db, and TLS termination

Each processor receives only the minimum data required for its function. Stripe processes cardholder data under its own privacy policy; DoggyBagg Index never stores full payment card numbers.

6. Analytical Storage Structures & Cookie Compliance

DoggyBagg Index uses a minimal, strictly-necessary storage matrix. No third-party advertising or cross-site tracking cookies are deployed on the terminal.

Cookie Purpose Duration
dbi_session Cryptographically signed purchaser unlock for dossier content 30 days
dbi_blocked Enforces termination after honeypot or scraping violation 365 days

We do not deploy third-party analytics cookies, advertising pixels, or cross-site tracking technologies on the terminal. No consent banner is required for strictly necessary functional cookies described above.

7. Security Measures

Technical safeguards include HMAC-SHA256 asset tokens, HttpOnly session cookies, Content-Security-Policy headers, honeypot anti-scraping traps, persistent IP block matrices, Stripe webhook signature verification, and TLS in transit for all production traffic. Access to production secrets is restricted to authorized operators via environment configuration — never committed to source control.

8. Your Rights & Requests

Depending on jurisdiction, you may request access, correction, deletion, or restriction of personal data we hold about you as a purchaser. Submit requests through our security disclosure channel. We will verify identity before fulfilling deletion requests that affect active dossier entitlements.

9. Children & International Transfers

The terminal is not directed to individuals under eighteen years of age. Infrastructure may process data in the United States and other regions where our hosting and payment processors operate. By using the service, you acknowledge such transfers subject to applicable safeguards.

10. Policy Updates

We may revise this policy to reflect operational, legal, or product changes. Material updates will be published on this page with a revised effective date. Continued use constitutes acceptance. Review our Terms of Use for contractual enforcement provisions governing automated access.