Updated November 20, 2020
At Charleston Road Registry d/b/a Google Registry (“Google Registry”) we understand the trust users place in us and our responsibility to protect the privacy of user information. We want you to be clear about how we’re using information and the ways in which you can protect your privacy.
- What information we collect and why we collect it.
- How we use that information.
- The choices we offer, including how to access and update information.
Information we collect
We collect information in three ways:
Information you give us
Information we get from your use of our services
We may collect information about the services that you use and how you use them, like when you visit our website. This information may be linked to your Google Account and may include:
- Device information: We may collect device-specific information (such as your hardware model, operating system version, unique device identifiers, and mobile network information including phone number).
- Log information: When you use our services or view content provided by Google Registry, we may automatically collect and store certain information in server logs (records of the page requests made when you visit our sites). This may include: details of how you used our service; Internet protocol address; device event information such as crashes, system activity, hardware settings, browser type, standard HTTP request headers, including but not limited to user agent, referral URL, language preference, date and time; and cookies that may uniquely identify your browser or your account.
- Cookies and Local Storage: We may use various technologies to collect and store information when you visit the website, and this may include sending one or more cookies or randomly generated identifiers to your device. A cookie is a small file containing a string of characters that is sent to your computer when you visit a website. Cookies may store user preferences and other information. The "help" portion of the toolbar on the majority of browsers will direct you on how to prevent your browser from accepting new cookies, how to command the browser to tell you when you receive a new cookie, or how to fully disable cookies. However, some of Google Registry’s website features or services may not function properly without cookies. We may also collect and store information using mechanisms such as browser web storage (including HTML5) and application data caches.
Information we get from your registrar
Your registrar collects information from you when you register a domain name, including your name, address, contact information, the name servers on which your domain name is hosted and their IP addresses, and the same information for administrative and technical contacts you identify. We receive this information from registrars for Google Registry’s top-level domains.
How we use the information we collect
We use the information we collect from Google Registry’s services for the following purposes:
Provide our services. We use your information to deliver our services, including fulfilling requirements under our agreement with ICANN, the accrediting body for top-level domain registries, and additional domain-related services we may offer in conjunction with your registration.
Maintain and improve our services. We also use your information to ensure our services are working as intended, such as tracking outages or troubleshooting issues. We maintain a centralized repository of registration information for registrants of our top-level domains to ensure the continuity, stability, and resiliency of the Domain Name System. We may also use your information to make improvements to our services or to offer new services — for example, launching verification services for some new top-level domains or expanding IDNs available for registration based on registrant location and demand.
Measure performance. We use data for analytics and measurement to understand how our services are used. For example, we analyze data about your visits to our sites to do things like optimize product design. We use a variety of tools to do this, including Google Analytics. When you visit sites that use Google Analytics, Google and a Google Analytics customer may link information about your activity from that site with activity from other sites that use our ad services.
Communicate with you. We may use information we collect, like your email address, to interact with you directly. For example, we may send you information about our services or administrative messages related to your domain registration. And if you contact Google Registry, we’ll keep a record of your request including any contact information provided in order to help resolve any issues you might be facing.
Protect Google Registry, our users, and the public. We use information to help improve the safety and reliability of our services. This includes detecting, preventing, and responding to fraud, abuse, security risks, and technical issues that could harm Google, our users, or the public. For example, we collect and analyze IP addresses and cookie data to protect against automated abuse. This abuse takes many forms, such as sending spam to Google Registry registrants. Where abuse is detected through our technical monitoring we may reach out to you, your registrar, or other third parties to assist in mitigation.
Retaining and deleting your personal information
We retain your personal information only as long as necessary to provide you services and to safely delete it following termination of services. When we receive an update indicating that you deleted your registration data via your registrar, we start the process of removing it from our systems. First, we aim to remove any publicly visible personal information by removing your information from any registration data directory services we operate. We then begin a process to safely and completely delete the data from our back-up storage systems.
Sometimes business or legal requirements may oblige us to retain certain information, for specific purposes, for an extended period of time. We might retain some data for longer periods of time if:
- An applicable law, regulation, legal process (e.g., a subpoena), or enforceable government request requires us to do so, or it is necessary to enforce applicable Terms of Service, including investigation of potential violations of those terms or our abuse policies.
- We are investigating or have taken action with respect to a domain for abusive behavior.
- You have directly communicated with us, through a customer support channel, feedback form, or a bug report, in which case, we may retain reasonable records of those communications.
Information we share
- With your consent. We may share personal information with companies, organizations or individuals outside of Google Registry when we have your consent to do so.
- For legal reasons. We may share personal information with companies, organizations or individuals outside of Google Registry if we believe that access, use, preservation or disclosure of the information is reasonably necessary to:
  - meet any applicable law, regulation, legal process or enforceable governmental request.
  - enforce applicable Terms of Service, including investigation of potential violations.
  - detect, prevent, or otherwise address fraud, security or technical issues.
  - protect against harm to the rights, property or safety of Google Registry, our users or the public as required or permitted by law.
- To meet our obligations to ICANN. To the extent permitted by law, we may share personal information with ICANN and other third parties as required to comply with ICANN requirements. These obligations include requiring us to:
  - Operate registration data directory services that provide free public access to certain registration information including the registrant’s self-identified Organization, State/Province and Country.
  - Deposit domain name registration information with a third-party escrow agent to provide redundancy in the case of failure.
  - Provide domain name registration information to an ICANN-authorized Uniform Rapid Suspension (URS) provider upon notification from that provider of the existence of a complaint. The URS system is a rights protection mechanism for rights holders experiencing infringement.
  - Provide reasonable access to domain name registration information to ICANN for the purpose of investigating compliance-related inquiries or for other legitimate purposes.
We may share aggregated, anonymized information with ICANN, publicly, and with our partners. For example, we may share information publicly to show statistical trends about the general use of our services.
In the event that Google Registry is involved in a merger, acquisition or asset sale, we may disclose your personal data to the prospective seller or buyer of such business or assets.
Google Registry uses strong security features that continuously protect your information. The insights we gain from maintaining our services help us detect and automatically block security threats from ever reaching you. And if we do detect something risky that we think you should know about, we’ll notify you or your registrar and help guide you through steps to stay better protected. We work hard to protect you and Google Registry from unauthorized access, alteration, disclosure, or destruction of information we hold, including:
- We use encryption to keep your data private while in transit.
- We review our information collection, storage, and processing practices, including physical security measures, to prevent unauthorized access to our systems.
- We restrict access to personal information to Google employees, contractors, and agents who need that information in order to process it. Anyone with this access is subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.
Where we have given you (or where you have chosen) a password which enables you to access certain parts of our website, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Compliance and cooperation with regulators
Our parent company, Google LLC, maintains servers around the world and your information may be processed on servers located outside of the country where you live. Data protection laws vary among countries, with some providing more protection than others. Regardless of where your information is processed, we apply the same protections described in this policy. We also comply with certain legal frameworks relating to the transfer of data, such as the European frameworks described below.
The European Commission has determined that certain countries outside of the European Economic Area (EEA) adequately protect personal data. You can review current European Commission adequacy decisions here. To transfer data from the EEA to other countries, such as the United States, we comply with legal frameworks that establish an equivalent level of protection with EU law.
When we receive formal written complaints, we respond by contacting the person who made the complaint. We may work with the appropriate regulatory authorities, including local data protection authorities, to resolve any complaints regarding the transfer of your data that we cannot resolve with you directly.
Model Contract Clauses
The European Commission has approved the use of model contract clauses as a means of ensuring adequate protection when transferring data outside of the EEA. By incorporating model contract clauses into a contract established between the parties transferring data, personal data is considered protected when transferred outside the EEA or the UK to countries which are not covered by an adequacy decision.
We rely on these model contract clauses for data transfers.
EU-U.S. and Swiss-U.S. Privacy Shield Frameworks
As described in our parent company Google LLC’s Privacy Shield certification, we comply with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks ("Privacy Shield") as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from EEA member countries and the UK as well as Switzerland, respectively. Google LLC, including Google Registry and Google LLC’s other wholly-owned subsidiaries (unless explicitly excluded), has certified that it adheres to the Privacy Shield Principles. Google Registry remains responsible for any of your personal information that is shared under the Onward Transfer Principle with third parties for external processing, as described in the “Sharing Your Information” section. To learn more about the Privacy Shield program, and to view our parent company Google LLC’s certification, please visit the Privacy Shield website.
If you have an inquiry regarding our privacy practices in relation to our Privacy Shield certification, we encourage you to contact us. Google Registry is subject to the investigatory and enforcement powers of the US Federal Trade Commission (FTC). You may also refer a complaint to your local data protection authority and we will work with them to resolve your concern. In certain circumstances, the Privacy Shield Framework provides the right to invoke binding arbitration to resolve complaints not resolved by other means, as described in Annex I to the Privacy Shield Principles.
As of July 16, 2020, we no longer rely on the EU-U.S. Privacy Shield to transfer data that originated in the EEA or the UK to the U.S.
If European Union or United Kingdom data protection law applies to the processing of your information, you have the right to request access to, update, remove, and restrict the processing of your information. You also have the right to object to the processing of your information. The personal information that we process about you is the information we receive from your registrar and any update that you make in your registrar’s system will be automatically reflected in our system. If you would like to access, update, or remove any of that personal information, please first contact your registrar.
We process your information for the purposes described in this policy, based on the following legal grounds:
When we’re pursuing legitimate interests
We process your information for our legitimate interests and those of third parties while applying appropriate safeguards that protect your privacy. This means that we process your information for the following purposes:
- Providing, maintaining, and improving our services to meet the needs of our users
- Detecting, preventing, mitigating, or otherwise addressing fraud, abuse, security, or technical issues with our services
- Centralizing registrant data for our top-level domains to ensure the ongoing continuity, stability, and resiliency of the Domain Name System
- Protecting against harm to the rights, property or safety of Google, our users, or the public as required or permitted by law
- Performing research that improves our services for our users and benefits the public
- Fulfilling obligations to ICANN and our registrar partners
- Enforcing legal claims, including investigation of potential violations of applicable Terms of Service and abuse policies
When we’re providing a service
We process your data to fulfill registration and operation of your domain that you request through your registrar.
When we’re complying with legal obligations
We’ll process your data when we have a legal obligation to do so, for example, if we’re responding to legal process or an enforceable governmental request. Google Registry may receive requests from governments and courts around the world to disclose registrant data. Respect for the privacy and security of your data underpins our approach to complying with these legal requests. Google’s legal team reviews each request and frequently pushes back when a request appears to be overly broad or doesn’t follow the correct process. Learn more in Google’s Transparency Report.
If you have questions, you can contact Google LLC and its data protection office. And you can contact your local data protection authority if you have concerns regarding your rights under local law.
For the purposes of EEA data protection law, Google Registry has appointed Google Ireland Ltd. as its local representative in the EEA. Google Ireland Ltd.’s address is Gordon House, Barrow Street, Dublin 4, Ireland. For the purposes of UK data protection law, Google Registry has appointed Google UK Ltd. as its local representative in the UK. Google UK Ltd.'s address is Belgrave House, 76 Buckingham Palace Road, London, SW1W 9TQ, UK.
If you have additional questions or requests related to your rights under the CCPA, you can contact Google LLC and its data protection office.
About this Policy
When this Policy Applies
Changes to this Policy