Privacy Policy

Plain-language summary of what FatDig collects from you, why we collect it, how long we keep it, and how to ask for it to be removed. No dark patterns, no 30-page legalese.

What we collect

Every time you run a dig (or load a shared report) FatDig records:

• Your IP address — the public network address your request came from. If you're behind Cloudflare, AWS CloudFront, or a similar proxy, we'll see the upstream IP via the relevant trust header.
• Your User-Agent — the string your browser sends identifying its make, model, version, and operating system.
• The domain you searched — this is necessarily required to perform the lookup.
• The Referer — the page that linked to FatDig (if any).
• The approximate timestamp of the request, accurate to the second.
• The full JSON report we produced for that domain at that time, stored as a permanent historical record.

We do not collect:

• Your name, email, or any contact information — unless you provide it deliberately (e.g. via a support email).
• Any cookies for advertising or cross-site tracking.
• Anything from your browser other than the User-Agent string.

Why we collect it

Three reasons, in order of importance:

1. Historical archive. A domain's DNS, SSL, and email-security setup change over time. Keeping every report we ever generated means anyone can look back and see how a domain was configured on a specific date — useful for security investigations, incident timelines, and confirming what was published when.
2. Abuse mitigation. The service is free, which makes it attractive to scrapers, bots, and reconnaissance scripts. Keeping IPs lets us rate-limit, block obvious abuse, and respond to complaints from domain owners who feel their domain is being probed maliciously.
3. Operational visibility. Aggregate request volumes, common errors, and the like — the stuff every operator needs to keep a site running well.

Who can see it

Two categories of access:

• Shared reports. When you run a dig, the report is assigned a permanent URL (e.g. fatdig.com/tools/dig/?share=abc12345). Anyone with that URL can view the report. The shared view shows the WHOIS, DNS, SSL, and other public information about the domain — it does not show the IP, User-Agent, or any other identifying information about the requester.
• Administrators. A small number of FatDig administrators can log in to a private dashboard that shows the IPs, User-Agents, and timestamps of requests. This is used purely for abuse-mitigation and operational purposes.

We don't sell this data, share it with advertisers, or hand it to data brokers.

How long we keep it

Indefinitely, unless you ask us to delete it. The historical archive is a feature of FatDig — the value of comparing today's report against a report from two years ago disappears if we delete the old reports.

One exception: PageSpeed Insights data. The performance scores, Core Web Vitals, and related metrics come from Google's PageSpeed Insights API, whose terms do not permit indefinite storage of their results. We therefore purge the PageSpeed portion of any report once it is more than 30 days old. Everything else about that report — WHOIS, DNS, IP, SSL, email authentication, detected technologies, and cookies — is retained as part of the historical archive. Viewing an older report simply re-measures PageSpeed live at that moment rather than showing the original (now-deleted) numbers.

If you'd like the records associated with your IP removed, email us — see the Contact section below.

Cookies

FatDig sets exactly two cookies, both first-party:

• fd_privacy_seen — remembers that you've seen the privacy notice banner so we don't keep showing it. No personal data; it just stores the value 1.
• fd_admin — only set when you log in to the admin area. Used to keep you signed in. Most users never receive this.

No third-party advertising or tracking cookies. No fingerprinting scripts. No web beacons.

Third-party services

FatDig calls a number of third-party APIs as part of producing a report:

• LilWho for WHOIS lookups.
• Google PageSpeed Insights for performance scores.
• SecurityTrails, AbuseIPDB, IPStack for the supplementary tools.
• Cloudflare, jsDelivr, Google Fonts for CDN-hosted static assets.

These services receive the request itself (and necessarily, the IP your request comes from when our server proxies the call). They are governed by their own privacy policies, which we encourage you to read if you have concerns.

Your rights

Regardless of where you live, you can ask us to:

• Show you what data we have associated with your IP.
• Delete all records associated with your IP.
• Stop processing requests from your IP.

We'll comply with reasonable requests within a reasonable window (typically a few business days). Email the contact below with the IP in question.

Security

Data is stored on the server's filesystem in an SQLite database that is not web-accessible. Connections to FatDig are served over HTTPS. We use parameterised queries everywhere, follow the principle of least privilege for server processes, and rotate any credentials promptly if a compromise is suspected.

That said: no system is perfectly secure. Don't include sensitive private information in any field of any request you make to a public service, including ours.

Changes to this policy

If we change what we collect or what we do with it, we'll update this page and bump the “Last updated” date at the top. Material changes will be flagged in a banner on the home page for at least 30 days.

Contact

Privacy questions, data-removal requests, or general feedback:

privacy@fatdig.com