PRIVACY POLICY - DOMANENNAME

Privacy and Personal Data Protection Notice

Version: 1.0 Effective Date: 18th May 2026 Company: CRISALEO LIMITED Operating Domains: domanenname.com | domanenname.it | domanenname.eu | domanenname.us | domanenname.de

Governing Law: The laws of England and Wales (English Law), with GDPR compliance for applicable territories

---

1. INTRODUCTION

CRISALEO LIMITED ("the Company", "we", "our", "Domanenname") is a domain name registration intermediary. This Privacy Policy describes how we collect, use, share, and protect personal data of customers.

Compliance Framework:

Data Protection Act 2018 (UK)
UK General Data Protection Regulation (UK GDPR)
GDPR (EU/EEA customers)
CCPA (California residents)
Local data protection laws

---

2. DATA CONTROLLER

CRISALEO LIMITED Address: 7 Bell Yard, London, England, WC2A 2JR Contact: [email protected] Company Number: [UK Companies House]

Data Protection Officer: Email: [email protected]

---

3. PERSONAL DATA COLLECTED

3.1 Domain Registration Data (Registrant Data)

ICANN requires the following data for domain registration:

Full name and surname
Complete postal address (street, number, postcode, city, country)
Primary email address
International telephone number
Telephone fax (optional)
Organisation/Company name (if applicable)

Legal Basis: ICANN regulatory requirement Source: Provided by Customer during registration

3.2 Administrative and Technical Contacts

Administrative contact (name, email, telephone)
Technical contact (name, email, telephone)
Billing contact (name, email, address)

Legal Basis: ICANN regulatory requirement

3.3 Payment and Billing Data

Partial credit card number (last 4 digits only)
Card expiration date (month/year)
Billing address
Payment method used
Transaction history

Legal Basis: Performance of contract

Security Note:

Full card numbers are NOT stored by Domanenname
Data transmitted via SSL/TLS encryption
Processed through PCI-DSS Level 1 compliant gateways
We do NOT store payment details for future charges

3.4 Control Panel Access Data

Login username/email
Password (stored as hashed value, bcrypt/Argon2)
Login IP addresses
Login timestamps
Active sessions
Devices used

Legal Basis: Performance of contract (account security)

3.5 Service Usage Data

Domain registration history
Renewal and transfer history
DNS nameserver configurations
Support tickets and communications
Control panel activity logs

Legal Basis: Performance of contract

3.6 Communication Data

Emails sent and received
Support chat transcripts
Feedback and survey responses
Newsletter subscriptions (if opted in)

Legal Basis: Consent for marketing; contract for support

3.7 Technical Data

IP address
Browser type and version
Operating system information
Device information
Pages visited
Links clicked
Time on page

Legal Basis: Legitimate interest (service improvement) Tools: Google Analytics, Cloudflare, security monitoring

---

4. PURPOSES OF PROCESSING

4.1 Domain Registration and Management

Purpose:

Register domain at appropriate registry
Maintain WHOIS public record
Process renewals and transfers
Manage technical DNS configuration

Legal Basis: Performance of contract (Art. 6(1)(b) UK GDPR)

4.2 Billing and Payment

Purpose:

Issue invoices
Process payments
Handle refunds
Maintain financial records
Anti-corruption compliance
Tax reporting obligations

Legal Basis: Legal obligation (Art. 6(1)(c) UK GDPR)

4.3 Customer Support

Purpose:

Respond to support requests
Resolve technical problems
Follow up on support tickets
Service quality improvement

Legal Basis: Performance of contract + Legitimate interest

4.4 Service Communications

Purpose:

Domain expiration reminders
Registration and renewal confirmations
Account security notices
Policy updates

Legal Basis: Contractual obligation + Legitimate interest

4.5 Marketing (Optional)

Purpose:

Promotional offers
Newsletter distribution
Service announcements
Customer satisfaction surveys

Legal Basis: Consent (Art. 6(1)(a) UK GDPR)

Unsubscribe: Click unsubscribe link in any email or manage preferences in control panel.

4.6 Analytics and Service Improvement

Purpose:

Analyse platform usage
Identify technical issues
Improve user experience
Service development

Legal Basis: Legitimate interest (Art. 6(1)(f) UK GDPR)

4.7 Legal Compliance and Fraud Prevention

Purpose:

Verify customer identity (KYC)
Prevent fraud and abuse
Comply with ICANN policy
Respond to legal requests
Law enforcement cooperation

Legal Basis: Legal obligation + Legitimate interest

---

5. DATA SHARING

5.1 Public WHOIS Database

The following data is AUTOMATICALLY PUBLISHED in the public WHOIS database by default:

Registrant name
Postal address
Email address
Telephone number
Registration/expiration dates
Nameserver information

Public Access:

Available to anyone via WHOIS queries
Indexed by search engines
Accessible via public APIs

Privacy Protection: Optional WHOIS Privacy Protection (paid service) masks this data.

5.2 Registry Disclosure (Mandatory)

Registrant data is AUTOMATICALLY TRANSFERRED to ICANN registries:

Recipient: Registry managing the domain TLD Data: Complete registrant information Legal Basis: ICANN mandatory requirement Recipient's Privacy Policy: Applies separately

5.3 Registrar Partners

Data is transferred to our registrar partners for technical management:

Partners:

OpenProvider (Netherlands)
eNom (USA)
Ascio Technologies (Denmark)
Twcoms Domains (USA)

Data Shared: Complete registrant data, technical access data Legal Basis: Performance of contract (necessary for service)

Data Protection:

Standard Contractual Clauses (SCC) in place
Data Processing Agreements executed
Recipients subject to GDPR or equivalent protections

5.4 Law Enforcement and Legal Requests

Domanenname may disclose personal data to authorities if:

Required by court order or legal process
Required for legal compliance
Necessary to investigate illegal activity
Necessary to protect Domanenname's rights

Customer Notification: We will notify Customer unless legally prohibited.

5.5 Acquisition or Corporate Changes

In case of acquisition, merger, bankruptcy, or asset sale:

Personal data may be transferred
Transferee must accept this Privacy Policy
Customer will be notified
Customer may terminate without penalty

5.6 Restriction on Sharing

Domanenname does NOT share personal data with:

Marketing agencies (without consent)
Data brokers
Advertising networks
Social media platforms (without explicit action)
Other companies (without consent)

---

6. INTERNATIONAL DATA TRANSFERS

6.1 Transfers Outside UK/EU

Personal data may be transferred outside UK/EU to:

Registry partners (USA, Netherlands, Denmark)
Payment processors
Cloud infrastructure providers
Backup and disaster recovery services

6.2 Protection Mechanisms

For international transfers, we use:

Adequacy Decisions: To countries with recognised data protection
Standard Contractual Clauses (SCC): EU-approved contract terms
Consent: Explicit customer consent where applicable

6.3 Customer Rights for Transfers

Customers have right to:

Know where data is transferred
Understand protection mechanisms
Request transfer documentation
Object to transfers (where permitted)

---

7. DATA RETENTION

7.1 General Retention

Personal data is retained for:

Active domains: Duration of registration + 1 year post-cancellation
Payment data: Invoicing period + 7 years (tax requirements)
Log data: 12 months (security/audit)
Support records: 24 months (dispute resolution)

Reason for Extended Retention:

ICANN audit requirements (12 months post-cancellation)
UK tax retention requirements (6 years)
Legal claim time limits

7.2 Payment Information

Partial card details: 3 years after last use
Transaction history: 10 years (tax obligation)

7.3 Security Logs

Login logs: 12 months
Failed login attempts: 6 months
Active sessions: 24 hours after logout

7.4 Right to Erasure (Right to be Forgotten)

Customer may request data deletion via:

Email: [email protected] Web Form: https://domanenname.com/privacy-request

Exceptions to Erasure:

Active domain registration (ICANN requirement)
Tax record retention (legal obligation)
Ongoing legal proceedings
Debt collection proceedings

Response Time: 30 days

---

8. SECURITY MEASURES

8.1 Encryption

In Transit: SSL/TLS 256-bit (HTTPS)
At Rest: AES-256 encryption for databases
Passwords: bcrypt/Argon2 hashing with salt

8.2 Authentication

2FA (Two-Factor Authentication) available
TOTP support (Time-based One-Time Password)
Unique login credentials required

8.3 Access Controls

Principle of least privilege
Role-based access control
Segregation of duties
Staff training on data handling

8.4 Monitoring and Threat Detection

Firewall and IDS (Intrusion Detection System)
Web Application Firewall (Cloudflare)
DDoS protection enabled
24/7 anomaly monitoring

8.5 Backup and Disaster Recovery

Daily encrypted backups
Geographic replication (multi-datacenter)
RTO: 4 hours
RPO: 1 hour

8.6 Testing and Compliance

Annual penetration testing
Weekly vulnerability scanning
Bug bounty programme
PCI-DSS Level 1 compliance
ISO 27001 certified

---

9. YOUR RIGHTS

9.1 UK GDPR Rights (UK/EU Customers)

9.1.1 Right of Access (Art. 15)

Right: Obtain a copy of all personal data held

How to Request:

Control Panel: Settings > Privacy > Download Data
Email: [email protected]
Web Form: https://domanenname.com/access-request

Response Time: 30 days

9.1.2 Right to Rectification (Art. 16)

Right: Correct inaccurate or incomplete data

Correctable Data:

Email address
Telephone number
Address (if not domain registrant)
Name (if not domain registrant)

How to Request:

Control Panel: Settings > Profile > Edit
Email: [email protected]

9.1.3 Right to Erasure (Art. 17)

Right: Request data deletion ("Right to be Forgotten")

Exceptions:

Active domain registration (ICANN requirement)
Tax records (legal obligation)
Legal proceedings pending
Debt collection proceedings

Response Time: 30-60 days

9.1.4 Right to Restriction (Art. 18)

Right: Request processing be restricted (paused temporarily)

Grounds:

You contest accuracy of data
Processing is unlawful
Data is no longer needed
You have objected to processing

9.1.5 Right to Data Portability (Art. 20)

Right: Receive data in structured, machine-readable format

Available Data:

Registrant information
Transaction history
Control panel data

Format: CSV, JSON, XML

9.1.6 Right to Object (Art. 21)

Right: Object to processing for specific purposes

Objectionable Processing:

Marketing communications
Profiling for marketing
Processing based on legitimate interest

How: Click unsubscribe link in emails or manage preferences in control panel

9.1.7 Rights Regarding Automated Decisions (Art. 22)

Right: Not be subject to fully automated decision-making

Domanenname does NOT use fully automated decisions with legal effect. Domain suspension/cancellation involves human review.

9.2 CCPA Rights (California Residents)

9.2.1 Right to Know

Right to know what personal data is collected, used, and shared.

9.2.2 Right to Delete

Right to request deletion of personal data.

Exceptions: Data necessary for service delivery or legal compliance.

9.2.3 Right to Opt-Out

Right to opt-out of "sale" (sharing for value received).

Domanenname Position: We do NOT sell personal data in CCPA sense.

9.2.4 Right to Non-Discrimination

Domanenname cannot discriminate for exercising CCPA rights (e.g., deny service, charge more, provide inferior service).

9.3 How to Exercise Your Rights

Contact Methods:

Email: [email protected]
Web Form: https://domanenname.com/privacy-request
Phone: +44 [number] (identity verification only)

Identity Verification:

Government-issued ID copy
Email or SMS verification
Security question answers

Response Times:

Acknowledgement: 5 working days
Full response: 30 days (extendable to 60 days if complex)

---

10. COOKIES AND TRACKING

10.1 Cookie Types Used

| Type | Name | Purpose | Duration | |------|------|---------|----------| | Essential | PHPSESSID | Session management | Session | | Essential | csrf_token | CSRF protection | Session | | Functional | user_preferences | UI preferences (language, theme) | 1 year | | Analytics | _ga | Google Analytics | 2 years | | Analytics | _gid | Google Analytics session | 24 hours |

10.2 Consent to Non-Essential Cookies

We display a consent banner on first visit. Non-essential cookies are only used with consent.

Banner Options: Accept All / Reject All / Manage Preferences

10.3 Cookie Management

Manage cookies via:

Browser settings: Tools > Options > Privacy > Cookies
Domanenname settings: https://domanenname.com/cookie-settings
Do Not Track (DNT): We respect browser DNT preference

10.4 Third-Party Cookies

Third-party services use cookies:

Google Analytics (analytics)
Cloudflare (security)
Stripe (payments)

See their privacy policies for opt-out options.

---

11. CONTACT AND COMPLAINTS

11.1 Privacy Contacts

Data Protection Officer: Email: [email protected]

Privacy Team: Email: [email protected] Web: https://domanenname.com/privacy

Data Subject Request: https://domanenname.com/privacy-request

11.2 Complaints Process

If you believe your rights have been violated:

Contact Domanenname: [email protected]
Escalation: DPO for internal review
Supervisory Authority:
- UK: Information Commissioner's Office (ICO)
- EU: Your national data protection authority
- California: California Attorney General

---

12. POLICY CHANGES

Domanenname may update this Privacy Policy with 30 days' notice via:

Email to registered address
Notice on websites
Control panel announcement

Continued use of service after notice = acceptance of new policy.

---

Version: 1.0 Last Updated: 18th May 2026 Next Review: 31st December 2026

Approved by: CRISALEO LIMITED DPO & Compliance Team