Civetta ("we", "us") provides family-aware DNS security. This policy explains what we collect, why, and how you control it.
Information we collect
Account information
Email address, account identifier, and authentication state — collected when you sign up. Authentication is handled by Clerk; we never see your password.
Device information
Platform, model, and a device label you choose. We store an optional push token so we can deliver the notifications you've opted into.
DNS event data
When a Civetta-protected device blocks a malicious or suspicious domain, we record: the device, the blocked domain, the threat category and score, the threat-intel source that matched, and the time of the block. We store the actual domain (not just a hash) so you can see in the app exactly what was blocked and decide whether to allowlist it.
We do not store your full browsing history. Successful DNS lookups — everything that wasn't flagged — are processed in memory and discarded. Only blocks (and the small number of monitor-tier suspicious lookups that produced a soft warning) are persisted.
Cross-tenant aggregates that feed our own threat intelligence (see “Threat intelligence we derive” below) keep the domain name itself — that's the indicator — but the aggregate stores volume counts only, never which tenants queried it. Your per-block records stay in your tenant.
Emails you submit for analysis
If you submit a suspicious email to Civetta for analysis — an explicit, user-initiated action; we never collect email automatically — we analyze the message to give you a verdict and to improve our threat detection. The message and its analysis trace are retained for the life of your account so we can reproduce verdicts and debug misclassifications. Submitted messages are processed in your tenant; we do not show them to other users.
Billing
On iOS, purchases are processed by Apple via In-App Purchase — we never see your payment instrument or any card data. We receive only subscription metadata (plan, status, period dates) from Apple's App Store Server API.
Family-share data
When a protected user invites a family member to receive alerts, the family member sees only:
- A severity tier (Critical, High, Medium, Info)
- A general threat category
- A short, non-identifying recommendation
The family member never sees the raw domain, the threat score, or the device label. Both parties must consent before any data is shared, and either party can revoke at any time.
Family-sharing consent is renewable, not perpetual. It must be confirmed every 90 days. If a renewal is missed, sharing pauses automatically — no alerts flow, and the family member no longer sees the protected user's history — until both parties reconfirm. Neither account is deleted; only the share is paused.
Revocation runs in two phases. Immediately, in the same database transaction that records your revocation, the share is marked revoked, and any request already in flight that relies on the share is re-checked and denied before its response is sent. Asynchronously, within 24 hours, cached shared alerts on the family member's web dashboard, push-notification history, and downstream view stores are scrubbed; both parties receive a confirmation email when the cleanup completes; and an audit-log entry records the completion. Until that second phase finishes, a copy of the abstracted alert may briefly remain in a cache, which is why we send the confirmation email rather than treating the synchronous revoke as the end of the process.
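The flow described in this section, modelled end to end as an added example (this is not Civetta's code; the sqlite3 schema, the 90-day window check, the in-memory dashboard cache and the job queue are assumptions made to illustrate it): a family member only ever receives the projected alert, consent lapses after 90 days until reconfirmed, the synchronous revoke re-checks the share right before a response leaves, and the asynchronous worker scrubs the cache and writes the audit entry.

```python
"""Family-share consent window and two-phase revocation, modelled with sqlite3.

Added example, not Civetta's code: table layout, cache and queue are assumptions.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

RENEWAL_WINDOW = timedelta(days=90)                               # consent must be reconfirmed every 90 days
SHARED_FIELDS = ("severity_tier", "category", "recommendation")  # all a family member may see
EPOCH = datetime(2024, 6, 1, tzinfo=timezone.utc)                # constructed reference clock for the sample


def day(n: int) -> datetime:
    """Sample clock: n days after the constructed reference date."""
    return EPOCH + timedelta(days=n)


def abstract_alert(alert: dict) -> dict:
    """Project a raw block record down to the non-identifying family view (no domain, score, device label)."""
    return {k: alert[k] for k in SHARED_FIELDS}


def open_db() -> sqlite3.Connection:
    """Hypothetical schema for one tenant's shares, alerts, cleanup queue and audit log."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE shares (id INTEGER PRIMARY KEY, protected_user TEXT, family_member TEXT,
                             confirmed_at TEXT, revoked INTEGER DEFAULT 0);
        CREATE TABLE alerts (id INTEGER PRIMARY KEY, protected_user TEXT, device_label TEXT,
                             domain TEXT, score REAL, severity_tier TEXT, category TEXT,
                             recommendation TEXT);
        CREATE TABLE cleanup_jobs (share_id INTEGER, done INTEGER DEFAULT 0);
        CREATE TABLE audit_log (event TEXT, share_id INTEGER);
    """)
    return conn


def seed(conn: sqlite3.Connection, now: datetime) -> None:
    """Constructed sample data: one share confirmed now and one block on the protected device."""
    conn.execute("INSERT INTO shares VALUES (1, 'alice', 'bob', ?, 0)", (now.isoformat(),))
    conn.execute("INSERT INTO alerts VALUES (1, 'alice', 'Alice iPhone', 'login-verify.example',"
                 " 0.93, 'High', 'Phishing', 'Do not enter credentials on this site.')")
    conn.commit()


def share_is_active(conn: sqlite3.Connection, share_id: int, now: datetime) -> bool:
    """Active only if not revoked and the last confirmation lies inside the renewal window."""
    row = conn.execute("SELECT confirmed_at, revoked FROM shares WHERE id = ?", (share_id,)).fetchone()
    if row is None or row["revoked"]:
        return False
    return now - datetime.fromisoformat(row["confirmed_at"]) <= RENEWAL_WINDOW


def confirm_share(conn: sqlite3.Connection, share_id: int, now: datetime) -> bool:
    """Renew consent (both parties reconfirming is modelled as one call); a revoked share cannot be revived."""
    with conn:
        cur = conn.execute("UPDATE shares SET confirmed_at = ? WHERE id = ? AND revoked = 0",
                           (now.isoformat(), share_id))
    return cur.rowcount == 1


def get_shared_alerts(conn: sqlite3.Connection, cache: dict, share_id: int, now: datetime) -> list:
    """Serve the abstracted view; the share is re-checked right before the response leaves."""
    if not share_is_active(conn, share_id, now):
        raise PermissionError("share paused or revoked")
    owner = conn.execute("SELECT protected_user FROM shares WHERE id = ?", (share_id,)).fetchone()[0]
    rows = conn.execute("SELECT * FROM alerts WHERE protected_user = ?", (owner,)).fetchall()
    view = [abstract_alert(dict(r)) for r in rows]
    if not share_is_active(conn, share_id, now):   # revoked while the response was being built
        raise PermissionError("share revoked in flight")
    cache[share_id] = view                          # dashboard cache, scrubbed in phase 2
    return view


def revoke_share(conn: sqlite3.Connection, share_id: int) -> None:
    """Phase 1: one transaction marks the share revoked and queues the asynchronous scrub."""
    with conn:
        conn.execute("UPDATE shares SET revoked = 1 WHERE id = ?", (share_id,))
        conn.execute("INSERT INTO cleanup_jobs (share_id) VALUES (?)", (share_id,))


def run_cleanup(conn: sqlite3.Connection, cache: dict) -> list:
    """Phase 2 worker: scrub cached views, mark the job done, write the audit entry."""
    done = []
    for job in conn.execute("SELECT share_id FROM cleanup_jobs WHERE done = 0").fetchall():
        share_id = job["share_id"]
        cache.pop(share_id, None)                   # the abstracted copy lingers only until here
        with conn:
            conn.execute("UPDATE cleanup_jobs SET done = 1 WHERE share_id = ?", (share_id,))
            conn.execute("INSERT INTO audit_log VALUES ('share_revocation_complete', ?)", (share_id,))
        done.append(share_id)                       # confirmation emails to both parties go out here
    return done
```

Note the gap the policy text calls out: between revoke_share and run_cleanup the family member's cached view still exists, which is why the confirmation email is tied to the end of phase 2 rather than to the revoke itself.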
How we use the data
- To detect and block threats in real time on your devices
- To send you the alerts and digests you've subscribed to
- To bill you for the plan you chose
- To meet our security and audit obligations
We do not sell your data. We do not use your DNS event data to build advertising profiles.
Sharing
We share data with:
- Apple — for In-App Purchase processing on iOS
- Clerk — for authentication
- Amazon Web Services — for hosting and storage
- Apple Push Notification service / Amazon SES — for delivering notifications you opted into
We share only the minimum each provider needs. We never share your data with advertisers, data brokers, or analytics platforms that build cross-site profiles.
Your rights
- Access — request a copy of your data
- Correction — fix anything inaccurate
- Deletion — delete your account and all associated data, anytime, from the Account screen inside the app
- Portability — export your data in a machine-readable format
Email [email protected] for any of the above. We respond within 30 days.
Data retention
- DNS event data (blocks): retained for the life of your account. You can archive individual alerts in the app at any time, and account deletion removes all of them.
- Forwarded emails and their analysis traces: retained for the life of your account so we can reproduce verdicts and debug misclassifications. Account deletion removes them.
- Audit logs: 90 days hot, seven years cold for compliance.
- Account data: removed from our active systems immediately on deletion and from backups within 30 days.
Security
Tenant isolation is enforced by the database itself, not only by application code, so one customer's data cannot reach another's even through an application bug. Customer data is encrypted at rest and in transit.
Threat intelligence we derive
Civetta generates its own threat indicators from patterns observed across our user base. These indicators contain only domain names, URLs, certificate fingerprints, and threat-category labels — never user identifiers, email addresses, device labels, or IP addresses. When an indicator is derived from cross-tenant patterns, it is published only once enough independent users have observed it that it cannot be traced back to the user whose activity first surfaced it.
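A worked illustration of the aggregate and threshold described here and under "DNS event data" above, as an added example rather than Civetta's code (the record layout, the threshold of five distinct tenants and the "most common category" rule are assumptions; the page does not state its actual threshold): per-tenant block records are folded into per-domain counts, tenant identities are used only to compute the threshold and never stored, and a domain becomes an indicator only when enough independent tenants have blocked it.

```python
"""Cross-tenant indicator derivation behind an anonymity threshold.

Added example, not Civetta's code: record layout, threshold value and the
"distinct tenants" rule are assumptions chosen to illustrate the idea.
"""
from collections import Counter, defaultdict

MIN_DISTINCT_TENANTS = 5   # hypothetical threshold; below it the domain stays unpublished

# Keys that must never reach a stored aggregate or a published indicator.
FORBIDDEN_KEYS = {"tenant_id", "user_id", "email", "device_label", "client_ip"}


def aggregate_blocks(records):
    """Fold per-tenant block records into per-domain counts.

    Tenant ids are only used to count how many distinct tenants saw the domain;
    the returned aggregate carries counts, never which tenants they were.
    """
    sightings = Counter()
    tenants = defaultdict(set)
    categories = defaultdict(Counter)
    for rec in records:
        d = rec["domain"]
        sightings[d] += 1
        tenants[d].add(rec["tenant_id"])
        categories[d][rec["category"]] += 1
    return {
        d: {"sightings": sightings[d],
            "distinct_tenants": len(tenants[d]),
            "category": categories[d].most_common(1)[0][0]}
        for d in sightings
    }


def derive_indicators(records, min_tenants=MIN_DISTINCT_TENANTS):
    """Publish only domains blocked by at least min_tenants independent tenants."""
    out = []
    for domain, agg in sorted(aggregate_blocks(records).items()):
        if agg["distinct_tenants"] < min_tenants:
            continue                                   # too few observers: could re-identify one user
        out.append({"type": "domain", "indicator": domain,
                    "category": agg["category"], "sightings": agg["sightings"]})
    return out


def leaks_user_data(obj) -> bool:
    """Defensive check that an aggregate or indicator carries no user-level keys."""
    return bool(FORBIDDEN_KEYS & set(obj))


# Constructed sample: six tenants blocked one domain (one of them twice), a single
# tenant blocked another. The second domain must not be published.
SAMPLE_BLOCKS = [
    {"tenant_id": f"t{i}", "device_label": "phone", "domain": "cdn-update.example",
     "category": "Malware", "client_ip": "10.0.0.1"} for i in range(6)
] + [
    {"tenant_id": "t1", "device_label": "phone", "domain": "cdn-update.example",
     "category": "Phishing", "client_ip": "10.0.0.1"},
    {"tenant_id": "t7", "device_label": "laptop", "domain": "rare-tracker.example",
     "category": "Tracking", "client_ip": "10.0.0.2"},
]
```

The threshold is on distinct tenants rather than raw sightings on purpose: one user repeatedly hitting a domain would otherwise push it over the line on their own, which is exactly the re-identification the policy says the threshold prevents.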
Third-party threat-intelligence sources
Civetta's protection also draws on multiple public threat-intelligence feeds operated by independent security organizations. Attribution and license details: civetta.app/attribution.
Changes to this policy
If we change anything material we'll email you and update the date at the top of this page before the changes take effect.
Contact
Questions: [email protected].