Privacy and Data Protection Policy

Last updated: March 2026  ·  Effective date: March 2026

1. Who we are — data controller

The data controller responsible for the personal data collected through this website and through the provision of domain name registration services is:

We are an accredited domain name registrar operating under the authority of multiple domain name registries across the EU/EEA and internationally. We process personal data in accordance with Regulation (EU) 2016/679 (GDPR), the UK General Data Protection Regulation (UK GDPR), and other applicable data protection laws.

2. Personal data we collect

Depending on the service you use, we collect the following categories of personal data:

  • Identity: first name, last name, or company name and registration number
  • Contact: email address, phone number, postal address (street, city, postal code, country)
  • Account: username, encrypted password, account preferences
  • Transaction: domain names registered, renewal dates, transfer history, invoices
  • Technical: IP address, browser type, access logs
  • Communications: content of support requests and email exchanges

We do not collect special categories of personal data as defined in GDPR Article 9. We do not process payment card data directly — payment processing is handled by our PCI-DSS-compliant payment provider.

3. Legal basis for processing

  • Providing domain registration and management services — Art. 6(1)(b) GDPR (performance of a contract)
  • Transmission of registrant data to domain name registries — Art. 6(1)(c) GDPR (legal obligation arising from registrar accreditation requirements)
  • Annual verification of registrant identification data — Art. 6(1)(c) GDPR (legal obligation)
  • Responding to inaccuracy reports and registry requests — Art. 6(1)(c) GDPR (legal obligation)
  • Security of the platform and fraud prevention — Art. 6(1)(f) GDPR (legitimate interests)
  • Compliance with tax and accounting obligations — Art. 6(1)(c) GDPR (legal obligation)
  • Sending service communications (renewals, expiry notices) — Art. 6(1)(b) GDPR (performance of a contract)

4. How we use your data

Domain registration and lifecycle management. To register domain names on your behalf, manage renewals, transfers and deletions, and to fulfil all obligations arising from the registrar–registrant relationship.

Identity verification. To verify that the identification data you provide is accurate and complete, in compliance with the naming policies of the relevant registry. At least once per year, we will contact you to request confirmation or update of your identification data.

Communications. To send you transactional emails (registration confirmation, renewal reminders, expiry notices, security alerts). We do not send marketing emails without your separate, explicit consent.

Customer support. To respond to your questions and requests, and to resolve any disputes or issues relating to your domain names.

Legal and regulatory compliance. To respond to requests from domain registries and other competent authorities, and to fulfil our obligations as an accredited registrar.

5. Transmission of your data to domain registries

When you register a domain name, we are required by our accreditation agreements and by applicable law to transmit your identification data (name, address, email address, phone number) to the relevant registry operator. This transmission is a legal obligation and a necessary condition for domain name registration. Each registry acts as an independent data controller for the data it receives and processes it in accordance with its own privacy policy and applicable law.

Registries may make certain registrant data publicly available via WHOIS or RDAP services, subject to applicable data protection law and each registry's own publication policy.

5.1 French domain names (.fr, .re, .pm, .wf, .yt, .tf)

For domain names in French TLDs, your data is transmitted to Afnic (Association Française pour le Nommage Internet en Coopération), the registry operator headquartered in France. This obligation arises from Article R20-44-43 of the French Electronic Communications and Postal Code (CPCE) and from Afnic's naming charter. For full details of how Afnic processes registrant data as an independent data controller, please consult:

Afnic — Processing of holders’ data

5.2 European domain names (.eu)

Registration of a .eu domain name requires that the registrant is established in or a resident of the European Union, European Economic Area, or Switzerland. By completing a .eu registration, you self-certify your eligibility. Your data is transmitted to the official .eu registry operator, which processes it as an independent data controller in accordance with GDPR.

5.3 German domain names (.de)

Your data is transmitted to the official .de registry operator, which processes it as an independent data controller in accordance with GDPR and applicable German data protection law.

5.4 British domain names (.uk, .co.uk, .org.uk)

Your data is transmitted to the official .uk registry operator, headquartered in the United Kingdom. Processing by the .uk registry is governed by the UK GDPR and the Data Protection Act 2018. If you are a UK resident and wish to raise a concern about how your data is processed in connection with a .uk domain registration, you may contact the UK Information Commissioner's Office (ICO) at ico.org.uk.

5.5 Italian domain names (.it)

Your data is transmitted to the official .it registry operator, headquartered in Italy, which processes it as an independent data controller in accordance with GDPR and applicable Italian data protection law.

5.6 Spanish domain names (.es)

Your data is transmitted to the official .es registry operator, which processes it as an independent data controller in accordance with GDPR and applicable Spanish data protection law.

5.7 Other domain extensions

For any other domain extension offered on our platform, your data is transmitted to the relevant registry operator in order to complete and maintain the registration. Each registry acts as an independent data controller. We recommend consulting the privacy policy of the relevant registry for details of its data processing practices.

6. Third-party processors

We may share your personal data with the following categories of third-party processors, who act strictly on our instructions and are bound by GDPR-compliant Data Processing Agreements (DPAs):

  • Cloud hosting / infrastructure: platform hosting and database storage, located within the EU/EEA
  • Payment processor: secure payment handling, located in an EU/EEA or adequacy-decision country
  • Email delivery service: transactional email dispatch, located in an EU/EEA or adequacy-decision country
  • Domain registries: as described in Section 5 above

We do not sell, rent or trade your personal data to third parties for marketing purposes.

7. International transfers

All personal data is stored and processed within the EU/EEA by default. Where a third-party processor is located outside the EU/EEA (for example, in the United Kingdom, which benefits from an EU adequacy decision for data transfers), we ensure that appropriate safeguards are in place before any transfer takes place, specifically:

  • an adequacy decision by the European Commission (GDPR Article 45); or
  • Standard Contractual Clauses (SCCs) approved by the European Commission (GDPR Article 46).

No personal data is transferred to countries not offering an adequate level of protection unless covered by one of the above mechanisms.

8. Retention periods

  • Registrant identification data (active domain): duration of registration + 5 years after expiry — legal obligation under registrar accreditation requirements
  • Account data with no active domains: 3 years after last activity, then securely deleted or anonymised
  • Transaction and invoice records: 10 years — applicable commercial and tax law
  • Support communications: 3 years from closure of the request
  • Server access logs: 12 months

At the end of each retention period, personal data is securely and permanently deleted from all active systems and backups. Deletion is logged in our records of processing activities.

9. Security measures

We implement appropriate technical and organisational security measures to protect your personal data against accidental loss, unauthorised access, disclosure, alteration or destruction, in accordance with GDPR Article 32. These include:

  • Access control: role-based access control (RBAC) and multi-factor authentication (MFA) for all administrative accounts
  • Encryption: all data in transit is protected by TLS 1.2 or higher; data at rest is encrypted (AES-256)
  • Backups: daily automated encrypted backups stored at a separate location within the EU; integrity tested regularly
  • Patch management: critical security patches applied within 72 hours; non-critical patches within 30 days
  • Security audits: a technical security review of the entire information system is performed at least once per year and following any significant security incident
  • Breach register: we maintain a register of personal data breaches and notify the competent supervisory authority and affected individuals within GDPR-prescribed timeframes where required

10. Your rights

Under the GDPR (and, where applicable, the UK GDPR), you have the following rights with respect to your personal data:

  • Right of access (Art. 15): obtain a copy of the personal data we hold about you and information about how it is used
  • Right to rectification (Art. 16): request correction of inaccurate or incomplete data; you can also do this directly in your account portal
  • Right to erasure (Art. 17): request deletion of your data where we no longer have a legal ground to retain it
  • Right to restriction (Art. 18): request that we restrict processing of your data in certain circumstances
  • Right to portability (Art. 20): receive your data in a structured, machine-readable format and transfer it to another controller
  • Right to object (Art. 21): object to processing based on our legitimate interests

Please note that some rights may be limited where we process your data to comply with a legal obligation, such as our duty to retain registrant data under registrar accreditation requirements.

You have the right to lodge a complaint with the competent data protection supervisory authority in your country of residence. EU/EEA residents may also contact the AEPD (Agencia Española de Protección de Datos) at www.aepd.es. UK residents may contact the Information Commissioner's Office (ICO) at ico.org.uk.

11. How to exercise your rights

To exercise any of the rights described in Section 10, or to ask any question about how we process your personal data, please contact us electronically:

We will respond within one month of receiving your request (GDPR Article 12). For complex or numerous requests, this period may be extended by a further two months; if so, we will notify you within the first month and provide reasons for the extension. We may ask you to verify your identity before processing your request.

12. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. When we make material changes, we will notify you by email to the address associated with your account and update the “Last updated” date at the top of this page. Previous versions of this policy are available on request by contacting contact@301domains.com.