To set the context for this policy: as a United Kingdom based company we have always adopted strict data protection rules, and many of our practices and procedures fit well within the GDPR framework. This document seeks to explain, clearly and concisely, how we as a company take your personal data seriously, why we collect that data, what we do with it and how long we keep it.
All data we collect from clients is collected with the sole purpose of delivering an efficient domain name registration and web hosting service to our clients. We do not collect any data that is not relevant to this purpose. We do not ever pass data on to third parties.
As a company servicing clients from the EU and around the world we will strictly adhere to the 7 key principles as set out in the GDPR:
Lawfulness, fairness and transparency
We will be transparent in everything we do regarding GDPR and we will only collect data lawfully. All personal data that is collected will have been provided by the client at the time of purchasing their product, and we will not hold any data for non-clients on our systems after 90 days have elapsed.
Purpose limitation
We will only store and process your data for the purposes of providing a web hosting and domain name registration service to you. We will not use your data for any other purpose that is not relevant to a product we sell. All the data we collect is needed to provide the service to you.
Data minimisation
We will only store the minimum amount of data we require to offer you the service, both initially and at each renewal. The specific data we collect is listed further down this document.
Accuracy
All data is provided by our clients at sign-up to our billing system. Clients can log in at any time to check the accuracy of the data they have provided. Clients can make changes themselves or we can make them on their behalf. As per the GDPR regulations, clients can request a full copy of all data we store on them and we will respond within the timeframe stipulated in the GDPR. Given that all data we store on clients is in our WHMCS billing system, a client can log in at any time to get their own information without the need to formally request it.
Storage limitation
We only store data for as long as you have an active product with us. After you cease to hold an active hosting product we will delete your data after 3 months (this time frame was chosen to reflect past experience, where clients have come back asking for their data). Any client who wishes to have their data completely deleted before the 3 month period has elapsed can contact us and we will assist them within 72 hours in completely deleting their data.
Integrity and confidentiality (security)
Security of the server on which we store your data is our top priority. We take steps to ensure your data is as secure as we can make it. Among other things, we keep all software up to date, we run monthly vulnerability scans and act upon the results, we perform regular malware scans and we ensure the server is locked down to a very limited set of IP addresses for admin access. The data centre in which we store your data is within the EU and has ISO 27001 certification.
Accountability
Our MD (Stephen Kinkaid) is our GDPR Officer, and all staff have been extensively briefed on data protection, GDPR and their responsibilities. We review and improve our practices on a daily basis to ensure we remain fully compliant with the GDPR.
What Data do we Collect and Why do we Collect it?
To create your client area with us we need the following information. The fields below are the minimum data required to register a domain name with ICANN. The same information is used when you register a domain name, but we need to collect additional information to satisfy certain domain registrar policies:
- First Name
- Last Name
- Email Address
- Company Name
- Phone Number
- Domain Name
- Client area Password
For domain registration we may also require the following:
- Domain Name
- Registrant Name
- Registrant Type (Individual / Partnership / Sole Trader / Limited Company)
- Company Number (if applicable)
- Number of Years registration required
We use third party companies for payments. When you order or renew a service with us and choose to pay by card, we will collect your card number, expiry date, name and security code via a web form provided by stripe.com, and your data is passed securely to stripe.com for processing. If you choose to pay by Direct Debit you will register with GoCardless.com and provide your details there. We do not store your payment details (GoCardless and Stripe do). If you prefer not to provide your details to these two reputable companies you can pay by bank transfer directly into our bank account.
Registration of Domain Names
When you register a domain name we are required to send the information above to the relevant domain registry, and they will process the domain registration. If you do not agree to this then it is impossible for us to register a domain name on your behalf. The details we pass across will be entered into the public WHOIS database, accessible online via websites such as who.is or whois.domaintools.com, to name a couple. The registries themselves are implementing GDPR changes to mask your personal data if you are from the EU and register a domain name.
Retention of Data
Your client area will remain intact for 6 years, as we are required to keep invoice payment data in case of a tax inspection by the UK tax authority (HMRC). However, post GDPR we will anonymise the client areas of those who no longer have an active product: we will delete your name, address and email data and replace it with GDPR-MASK. This will preserve the accounting records as required by law. We will keep any payment references, such as PayPal payment reference numbers and Stripe reference numbers, for 6 years, but these do not personally identify you in and of themselves. Once your client area is closed (90 days after the expiration or cancellation of your last product) we will mask out your data. If you have no active products and require us to mask your data immediately, just let us know.
Right of Access
Under GDPR you have the right to access the data we hold on you. Just put that request in an email to our support desk at email@example.com and we will respond within 30 days. Please note that the only place we store client personal data is our client billing system, so you already have full access to all data we store on you and can download it yourself. Any access request will simply result in us providing you with a copy of this same data.
Clients have a responsibility to ensure they choose strong passwords. We also strongly recommend that all clients turn on 2-factor authentication in their client area, so that a second password (generated by the Google Authenticator app on their phone) is needed to access the client area. This ensures that no one can access the client area unless they also have access to the client's phone. Our staff can help set this up if a client needs assistance.
Marketing Email Lists
Since GDPR we have separated our ‘Marketing Email List’ from our ‘Active Client Mailing List’. The Marketing Email List requires opt-in from 25 May 2018. Only clients who specifically opt in to the marketing list will receive details of special offers. We use Mailchimp.com to service this mailing list, so all data provided to this mailing list is stored and processed on mailchimp.com servers, which could be outside of the EU region. By signing up to our marketing email list you understand that we do not store your data and that it is stored by Mailchimp. We collect the following information: your name, so we can address you personally in the email, and your email address, so we can send you the email. You can unsubscribe at any time by clicking the relevant link in any marketing email we send you, and Mailchimp will process that unsubscribe request for you; or, if you prefer, simply email firstname.lastname@example.org and ask us to remove your information from this mailing list.
Active Client Mailing List
If you have an active product with us we will occasionally send you emails that are relevant to the products you have with us. Such emails could be notifications of price variations, notifications of planned data centre maintenance, notifications of emergency data centre maintenance, etc. We will never send marketing emails to this list and, as these emails are relevant to the product you host with us, it is not possible to opt out of this list. We promise we will only send information relevant to a product you have with us that is currently active or suspended (suspended means more than 8 days past due but less than 60 days past due). We are required by the domain registries to send expiry reminder emails 60, 30 and 5 days prior to domain expiration. This list will be used to send these domain expiry notices as well as invoice notifications (invoice generated, pre-expiry date reminder, first overdue reminder, second overdue reminder, third overdue reminder and suspension notification).