Privacy & Data Protection

How we collect, store, and protect your information — in plain English.

Last updated: April 2026

Who We Are

Domma CMS is operated by Domma Ltd (referred to as "we", "us", or "our"). We are the data controller for personal data collected through this website and our managed hosting services.

For all data-related enquiries, contact us at:

Email: support@dommajs.org

We are registered in England and Wales.

What Data We Collect

We collect personal data in the following circumstances:

When you register for a hosted account:

  • Name and email address
  • Billing information (processed via Stripe — we do not store card details)
  • Account credentials (password stored as a bcrypt hash — never in plain text)

When you contact us:

  • Name, email address, and the content of your message

When you visit our website:

  • Cookies used for session management and cookie consent preferences
  • If Analytics is enabled on your site: page views and basic browser metadata (no cross-site tracking)

Self-hosted installations:

  • If you run Domma CMS on your own infrastructure, we have no access to your data whatsoever. Your server, your data, your rules.

Legal Basis for Processing

We process personal data under the following lawful bases (UK GDPR Article 6):

Purpose | Legal Basis
Delivering hosting services | Contract performance
Billing and payment | Contract performance
Responding to enquiries | Legitimate interests
Security and fraud prevention | Legitimate interests
Marketing communications | Consent (opt-in only)
Cookie analytics | Consent

Cookies

We use the following categories of cookies:

Strictly necessary: Session cookies required for the site to function. These cannot be disabled.

Functional: Remember your preferences (e.g. theme, reduced-motion setting). Only set after consent.

Analytics: If you accept analytics cookies, we use a self-hosted, privacy-first analytics plugin to count page views. No data is shared with third parties such as Google Analytics.

Marketing: We do not currently use marketing or advertising cookies.

You can manage your cookie preferences at any time using the cookie settings panel at the bottom of this page.

Your Rights Under UK GDPR

You have the following rights regarding your personal data:

You may request a copy of the personal data we hold about you at any time. We will respond within one calendar month.

If any data we hold about you is inaccurate or incomplete, you have the right to ask us to correct it.

You may request that we delete your personal data. We will comply unless we have a lawful reason to retain it (e.g. outstanding billing obligations).

You may request a copy of your data in a structured, machine-readable format (JSON or CSV) for transfer to another service.

You may ask us to limit how we process your data while a dispute is resolved, without requesting full deletion.

You may object to processing based on legitimate interests, including direct marketing. We will stop processing unless we can demonstrate compelling grounds.

We do not make automated decisions or carry out profiling that produces significant effects on individuals.

To exercise any of these rights, email support@dommajs.org with your request. We will verify your identity before processing. There is no fee for reasonable requests.

Data Retention

Data Type | Retention Period
Account data | Until account deletion + 30 days
Billing records | 7 years (legal requirement)
Contact enquiries | 2 years
Analytics data | 12 months rolling
Server logs | 30 days

Third-Party Processors

We use the following third-party processors to deliver our service:

Processor | Purpose | Location
Stripe | Payment processing | UK/US
Hetzner / DigitalOcean | Server infrastructure | EU

We only share the minimum personal data necessary. All processors are bound by data processing agreements.

Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Passwords stored as bcrypt hashes (never in plain text)
  • HTTPS/TLS for all data in transit
  • Access controls limiting who can view account data
  • Regular security updates and dependency audits

Changes to This Policy

We may update this Privacy Policy from time to time. Where changes are significant, we will notify hosted account holders by email. The "Last updated" date at the top of this page reflects the most recent revision.

Complaints

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: ico.org.uk

Telephone: 0303 123 1113

We would always prefer to resolve any concerns directly — please contact us first at support@dommajs.org.