Updated September 1, 2023

Google Registry Privacy Policy

At Charleston Road Registry d/b/a Google Registry (“Google Registry”) we understand the trust users place in us and our responsibility to protect the privacy of user information. This Privacy Policy is meant to help you understand what information we collect, why we collect it, and how you can access, update, and delete your information.

Information we collect

We collect information in three ways:

Information you give us

When you use our services, you may choose to provide us with certain personal information. For example, you may provide your name and email address when you reach out with customer support requests, or register for our promotional offerings.

If you use a Google Account to access Google Registry products and services (“Services”), your use of that account for our Services is governed by this Privacy Policy. When you’re signed in, we also collect information that we store with your Google Account, which we treat as personal information.

Information we get from your use of our services

We may collect information about the services that you use and how you use them, like when you visit our website. This information may be linked to your Google Account and may include:

Device information: We may collect device-specific information (such as your hardware model, operating system version, unique device identifiers, and mobile network information including phone number).
Log information: When you use our services or view content provided by Google Registry, we may automatically collect and store certain information in server logs (records of the page requests made when you visit our sites). This may include: details of how you used our service; Internet protocol address; device event information such as crashes, system activity, hardware settings, browser type, standard HTTP request headers, including but not limited to user agent, referral URL, language preference, date and time; and cookies that may uniquely identify your browser or your account.
Cookies and Local Storage: We may use various technologies to collect and store information when you visit the website, and this may include sending one or more cookies or randomly generated identifiers to your device. A cookie is a small file containing a string of characters that is sent to your computer when you visit a website. Cookies may store user preferences and other information. The "help" portion of the toolbar on the majority of browsers will direct you on how to prevent your browser from accepting new cookies, how to command the browser to tell you when you receive a new cookie, or how to fully disable cookies. However, some of Google Registry’s website features or services may not function properly without cookies. We may also collect and store information using mechanisms such as browser web storage (including HTML5) and application data caches.

Information we get from your registrar

Your registrar collects information from you when you register a domain name, including your name, address, contact information, the name servers on which your domain name is hosted and their IP addresses, and the same information for administrative and technical contacts you identify. We receive this information from registrars for Google Registry’s top-level domains.

How we use the information we collect

We use the information we collect from our services for the following purposes:

Provide our services. We use your information to deliver our services including fulfilling requirements under our agreement with the Internet Committee for Assigned Names and Numbers (“ICANN”), the accrediting body for top-level domain registries and additional domain-related services we may offer in conjunction with your registration.
Maintain and improve our services. We also use your information to ensure our services are working as intended, such as tracking outages or troubleshooting issues. We maintain a centralized repository of registration information for registrants of our top-level domains to ensure the continuity, stability, and resiliency of the Domain Name System. We may also use your information to make improvements to our services or to offer new services — for example, launching verification services for some new top-level domains or expanding IDNs available for registration based on registrant location and demand.
Measure performance. We use data for analytics and measurement to understand how our services are used. For example, we analyze data about your visits to our sites to do things like optimize product design. We use a variety of tools to do this, including Google Analytics. When you visit sites that use Google Analytics, Google and a Google Analytics customer may link information about your activity from that site with activity from other sites that use Google’s ad services.
Communicate with you. We may use information we collect, like your email address, to interact with you directly. For example, we may send you information about our services or administrative messages related to your domain registration. And if you contact Google Registry, we’ll keep a record of your request including any contact information provided in order to help resolve any issues you might be facing.
Protect Google Registry, our users, and the public. We use information to help improve the safety and reliability of our services. This includes detecting, preventing, and responding to fraud, abuse, security risks, and technical issues that could harm Google Registry, our users, or the public. For example, we collect and analyze IP addresses and cookie data to protect against automated abuse. This abuse takes many forms, such as sending spam to our registrants. Where abuse is detected through our technical monitoring we may reach out to you, your registrar, or other third parties to assist in mitigation.

Information we share

We do not share your personal information with companies, organizations, or individuals outside of Google Registry except in the following cases:

With your consent

We may share personal information with companies, organizations or individuals outside of Google Registry when we have your consent.

For external processing

We provide personal information to our affiliates or other trusted businesses or persons to process it for us, based on our instructions and in compliance with this Privacy Policy and any other appropriate confidentiality and security measures.

For legal reasons

We will share personal outside of Google Registry if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:

meet any applicable law, regulation, legal process or enforceable governmental request.
enforce applicable Terms of Service, including investigation of potential violations.
detect, prevent, or otherwise address fraud, security or technical issues.
protect against harm to the rights, property or safety of Google Registry, our users, our registrar partners, or the public as required or permitted by law.

To meet our obligations to ICANN

To the extent permitted by law, we may share personal information with ICANN and other third parties as required to comply with ICANN requirements. These obligations include requiring us to:

Operate registration data directory services that provide free public access to certain registration information including the registrant’s self-identified Organization, State/Province and Country.
Deposit domain name registration information with a third party escrow agent to provide redundancy in the case of failure.
Provide domain name registration information to an ICANN-authorized Uniform Rapid Suspension (URS) provider upon notification from that provider of the existence of a complaint. The URS system is a rights protection mechanism for rights holders experiencing infringement.
Provide reasonable access to domain name registration information to ICANN for the purpose of investigating compliance-related inquiries or for other legitimate purposes.

We may share aggregated, anonymized information with ICANN, publicly, and with our partners. For example, we may share information publicly to show statistical trends about the general use of our services.

If Google Registry is involved in a merger, acquisition, or sale of assets, we’ll continue to ensure the confidentiality of your personal information and give affected users notice before personal information is transferred or becomes subject to a different privacy policy.

Retaining and deleting your personal information

We retain your personal information only as long as necessary to provide you services and to safely delete it following termination of services. When we receive an update indicating that you deleted your registration data via your registrar, we start the process of removing it from our systems. First, we aim to remove any publicly visible personal information by removing your information from any registration data directory services we operate. We then begin a process to safely and completely delete the data from our back-up storage systems.

Sometimes business or legal requirements may oblige us to retain certain information, for specific purposes, for an extended period of time. We might retain some data for longer periods of time if:

An applicable law, regulation, legal process (e.g., a subpoena) or enforceable government request, requires us to do so or it is necessary to enforce applicable Terms of Service, including investigation of potential violations of those terms or our abuse policies.
We are investigating or have taken action with respect to a domain for abusive behavior.
You have directly communicated with us, through a customer support channel, feedback form, or a bug report, in which case, we may retain reasonable records of those communications.

Information security

Google Registry uses strong security features that continuously protect your information. The insights we gain from maintaining our services help us detect and automatically block security threats from ever reaching you. And if we do detect something risky that we think you should know about, we’ll notify you or your registrar and help guide you through steps to stay better protected. We work hard to protect you and Google Registry from unauthorized access, alteration, disclosure, or destruction of information we hold, for example:

We use encryption to keep your data private while in transit
We regularly review our information collection, storage, and processing practices, including physical security measures, to prevent unauthorized access to our systems
We restrict access to personal information to Google employees, contractors, and agents who need access that information in order to process it. Anyone with this access is subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.

Where we have given you (or where you have chosen) a password which enables you to access certain parts of our website, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

Compliance and cooperation with regulators

We regularly review this Privacy Policy and make sure that we process your information in ways that comply with it.

Data Transfers

Our parent company, Google LLC, maintains servers around the world and your information may be processed on servers located outside of the country where you live. Data protection laws vary among countries, with some providing more protection than others. Regardless of where your information is processed, we apply the same protections described in this policy. We also comply with certain legal frameworks relating to the transfer of data, such as the Data Privacy Framework described below.

When we receive formal written complaints, we respond by contacting the person who made the complaint. We may work with the appropriate regulatory authorities, including local data protection authorities, to resolve any complaints regarding the transfer of your data that we cannot resolve with you directly.

Adequacy decisions

The European Commission has determined that certain countries outside of the European Economic Area (EEA) adequately protect personal data, which means that data can be transferred from the European Union (EU) and Norway, Liechtenstein, and Iceland to that third country without any further safeguard being necessary. The UK and Switzerland have approved similar adequacy decisions. We rely on the following adequacy decisions in some cases:

Model contract clauses

Model contract clauses are non-modifiable written commitments between parties that can be used as a ground for data transfers from the EU (including the EEA), UK and Switzerland to third countries by providing appropriate data protection safeguards. EU Standard Contractual Clauses (SCCs) have been approved by the European Commission (you can see the SCCs adopted by the European Commission here). Such clauses have also been approved for transfers of data to countries outside Switzerland. The UK has approved the International Data Transfer Addendum to the EU SCCs (UK Addendum), which is available here. We rely on SCCs and the UK Addendum model contract clauses for our data transfers where required.

EU-U.S. and Swiss-U.S. Data Privacy Frameworks

As described in our parent company Google LLC’s Data Privacy Framework certification, we comply with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (collectively, the "Data Privacy Framework" or “DPF”), as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information received in the U.S. from the EU, UK or Switzerland in reliance on the DPF. Google LLC, including Google Registry and Google LLC’s other wholly-owned subsidiaries (unless explicitly excluded), has certified that it adheres to the DPF Principles. Google Registry remains responsible for any of your personal information that is shared under the Accountability for Onward Transfer Principle with third parties for external processing performed on our behalf, as described in the “Sharing Your Information” section. To learn more about the DPF certification program, and to view our parent company Google LLC’s certification, please visit the Data Privacy Framework website.

If you have an inquiry regarding our privacy practices in relation to our DPF certification, we encourage you to contact us. Google Registry is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC). You may also refer a complaint to your local data protection authority, and we will work with them to resolve your concern. In certain circumstances, the Data Privacy Framework provides the right to invoke binding arbitration to resolve complaints not resolved by other means, as described in Annex I to the Data Privacy Framework Principles.

European Requirements

If European Union or United Kingdom data protection law applies to the processing of your information, you have the right to request access to, update, remove, and restrict the processing of your information. You also have the right to object to the processing of your information. The personal information that we process about you is the information we receive from your registrar and any update that you make in your registrar’s system will be automatically reflected in our system. If you would like to access, update, or remove any of that personal information, please first contact your registrar.

We process your information for the purposes described in this policy, based on the following legal grounds:

When we’re pursuing legitimate interests

We process your information for our legitimate interests and those of third parties while applying appropriate safeguards that protect your privacy. This means that we process your information for the following purposes:

Providing, maintaining, and improving our services to meet the needs of our users
Detecting, preventing, mitigating, or otherwise addressing fraud, abuse, security, or technical issues with our services
Centralizing registrant data for our top level domains to ensure the ongoing continuity, stability, and resiliency of the Domain Name System
Protecting against harm to the rights, property or safety of Google, our users, or the public as required or permitted by law
Performing research that improves our services for our users and benefits the public
Fulfilling obligations to ICANN and our registrar partners
Enforcing legal claims, including investigation of potential violations of applicable Terms of Service and abuse policies

When we’re providing a service

We process your data to fulfill registration and operation of your domain that you request through your registrar.

When we’re complying with legal obligations

We’ll process your data when we have a legal obligation to do so, for example, if we’re responding to legal process or an enforceable governmental request. Google Registry may receive requests from governments and courts around the world to disclose registrant data. Respect for the privacy and security of your data underpins our approach to complying with these legal requests. Google’s legal team reviews each request and frequently pushes back when a request appears to be overly broad or doesn’t follow the correct process. Learn more in Google’s Transparency Report.

If you have questions, you can contact Google LLC and its data protection office. And you can contact your local data protection authority if you have concerns regarding your rights under local law.

For the purposes of EEA data protection law, Google Registry has appointed Google Ireland Ltd. as its local representative in the EEA. Google Ireland Ltd.’s address is Gordon House, Barrow Street, Dublin 4, Ireland. For the purposes of UK data protection law, Google Registry has appointed Google UK Ltd. as its local representative in the UK. Google UK Ltd.'s address is Belgrave House, 76 Buckingham Palace Road, London, SW1W 9TQ, UK.

U.S. State Law Requirements

Some U.S. state privacy laws require specific disclosures.

These laws include:

California Consumer Privacy Act (CCPA);
Virginia Consumer Data Protection Act (VCDPA);
Colorado Privacy Act (CPA);
Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTDPA); and
Utah Consumer Privacy Act (UCPA)

This Privacy Policy is designed to help you understand how Google Registry handles your information:

We explain the categories of information Google Registry collects and the sources of that information in Information we collect.
We explain the purposes for which Google Registry collects and uses information in How we use the information we collect.
We explain when Google Registry may disclose information in Information we share. Google Registry does not sell your personal information. Google Registry also does not “share” your personal information as that term is defined in the California Consumer Privacy Act (CCPA).
We explain how Google Registry retains information in Retaining and deleting your personal information. You can also learn more about how Google anonymizes data. As described there, when Google anonymizes data to protect your privacy, we maintain policies and technical measures to avoid re-identifying that information.

U.S. state privacy laws also provide the right to request information about how Google Registry collects, uses, and discloses your information as well as how to request deletion of your personal information. Many of these laws provide the right to not be discriminated against for exercising these privacy rights. Many of these laws also provide the right to opt out of certain forms of profiling and targeted advertising. Finally, the CCPA treats certain kinds of information, like health data, as sensitive; when users provide this information, Google Registry only uses it for purposes permitted by the CCPA, like to provide services that are requested and expected by our users.

If you have questions or requests related to your rights under U.S. state privacy laws, you (or your authorized agent) can also contact Google LLC. And if you disagree with the decision on your request, you can ask Google LLC to reconsider it by responding to our email.

We also provide more information on Google Registry’s handling of CCPA requests.

Some U.S. state privacy laws also require a description of data practices using specific categories. This table uses these categories to organize the information in this Privacy Policy.

Categories of information we collect

Identifiers and similar information such as your name and password, phone number, and address, as well as unique identifiers tied to the browser, application, or device you’re using.

Demographic information, such as your age, gender and language.

Commercial information such as your payment information and a history of purchases you make on Google’s services.

Internet, network, and other activity information such as your search terms; views and interactions with content and ads; Chrome browsing history you’ve synced with your Google Account; information about the interaction of your apps, browsers, and devices with our services (like IP address, crash reports, and system activity); and activity on third-party sites and apps that use our services. You can review and control activity data stored in your Google Account in My Activity.

Geolocation data, such as may be determined by IP address, depending in part on your device and account settings. Learn more about Google’s use of location information.

Business purposes for which information may be used or disclosed

Protecting against security threats, abuse, and illegal activity: Google Registry uses and may disclose information to detect, prevent and respond to security incidents, and for protecting against other malicious, deceptive, fraudulent, or illegal activity. For example, to protect our services, Google may receive or disclose information about IP addresses that malicious actors have compromised.

Auditing and measurement: Google uses information for analytics and measurement to understand how our services are used, as well as to fulfill obligations to our partners like publishers, advertisers, developers, or rights holders. We may disclose non-personally identifiable information publicly and with these partners, including for auditing purposes.

Providing our services. Google Registry uses your information to deliver our services, including fulfilling requirements under our agreement with ICANN.

Maintaining and improving our services: Google Registry uses information to ensure our services are working as intended, such as tracking outages or troubleshooting bugs and other issues that you report to us. We may also use information to make improvements to our services or offer new services (like verification services for some top-level domains).

Research and development: Google uses information to improve our services and to develop new products, features and technologies that benefit our users and the public. For example, we use publicly available information to help train Google’s AIlanguage models and build products and features like Google Translate, Bard, and Cloud AI capabilities.

Use of service providers: Google shares information with service providers to perform services on our behalf, in compliance with our Privacy Policy and other appropriate confidentiality and security measures. For example, we may rely on service providers to help provide customer support.

Legal reasons: Google Registry also uses information to satisfy applicable laws or regulations, and discloses information in response to legal process or enforceable government requests, including to law enforcement. We provide information about the number and type of requests we receive from governments in our Transparency Report.

Parties with whom information may be disclosed

Third parties as required by our contracts with ICANN, including registrars, escrow agents, and ICANN.

Service providers, trusted businesses, or persons that process information on Google Registry’s behalf, based on our instructions and in compliance with our Privacy Policy and any other appropriate confidentiality and security measures.

Law enforcement or other third parties, for the legal reasons described in information we share.

Requirements under Japan Act on the Protection of Personal Information

Google may transfer your personal data to California based companies. Please click here for information on the personal data protection regulation in California, USA (with regard to US federal law, please see here). For other disclosure, please see here.

About this Policy

When this Policy Applies

This Privacy Policy applies to all of the services offered by Google Registry. This Privacy Policy doesn’t apply to the information practices of other companies and organizations or to other Google products and services. For example, our website may contain links to and from the websites of our partners and these websites have their own privacy policies. Please check these policies before you submit any personal data to these websites.

Changes to this Policy

We change this Privacy Policy from time to time. We will not reduce your rights under this Privacy Policy without your explicit consent. If changes are significant, we’ll provide a more prominent notice (including, for certain services, email notification of Privacy Policy changes)Any changes we may make to this Privacy Policy in the future will be posted on this page and, where appropriate, notified to you by e-mail.

Contact Us

If you have any questions about this Privacy Policy, please feel free to contact us here.