Data Protection

Table of Contents

Customer Rights
1.1 Right of access and confirmation
1.2 Right to rectification
1.3 Rights to erasure
1.4 Right to restriction of processing
1.5 Rights to object to processing
1.6 Right to data portability
1.7 Right to withdraw data protection consent
1.8 Right to lodge a complaint with the supervisory authority
1.9 Statutory or contractual requirements for the provision of personal data
 

Data We Collect and Process
2.1 Web server
2.2 Contract data
2.3 Data stored on our servers
2.4 Customer correspondence
2.5 Domain holder inquiries
2.6 Cookies, pixels, and other technologies
2.7 Google reCAPTCHA
2.8 Social media
2.9 Matomo Analytics
 

Legal Basis for Processing
 

Categories of Recipients
4.1 Registrars and registries
4.2 Data processors
4.3 Public authorities
 

Data Processing in Third Countries
5.1 Registries
5.2 Internet Security Research Group (Let’s Encrypt)
 

Storage Duration
6.1 General timeframe
6.2 Domain holder inquiries
6.3 Log and account data
6.4 Customer correspondence and payment processes
6.5 Subscriptions & contract data

1. Customer Rights

1.1 Right of Access and Confirmation
You have the right to obtain, free of charge and at any time, information about the personal data stored concerning you, confirmation as to whether such data is being processed, and a copy of this information.

1.2 Right to Rectification
You have the right to request the immediate correction of inaccurate personal data concerning you. Furthermore, taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data, including by means of a supplementary statement.

1.3 Right to Erasure
You have the right to request the immediate deletion of personal data concerning you if one of the following reasons applies and processing is not required:

• The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
• You withdraw your consent on which the processing was based, and there is no other legal basis for the processing.
• You object to the processing pursuant to Article 21(1) GDPR, and there are no overriding legitimate grounds for the processing, or you object pursuant to Article 21(2) GDPR.
• The personal data has been unlawfully processed.
• Erasure is necessary for compliance with a legal obligation under Union or Member State law to which we are subject.
• The personal data was collected in relation to information society services offered pursuant to Article 8(1) GDPR.

1.4 Right to Restriction of Processing
You have the right to request restriction of processing if one of the following conditions is met:

• You contest the accuracy of the personal data for a period enabling us to verify its accuracy.
• The processing is unlawful, and you oppose the deletion of the personal data and request restriction of its use instead.
• We no longer need the personal data for processing purposes, but you require it for the establishment, exercise, or defense of legal claims.
• You have objected to processing pursuant to Article 21(1) GDPR, and it has not yet been determined whether our legitimate grounds override yours.

1.5 Right to Object to Processing
You have the right to object at any time to the processing of personal data concerning you. In the event of an objection, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims. You also have the right to object at any time to the processing of your personal data for direct marketing purposes.

1.6 Right to Data Portability
You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format. You also have the right to transmit those data to another controller without hindrance from us, provided the processing is based on consent as described in our privacy policy and is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Furthermore, when exercising your right to data portability under Article 20(1) GDPR, you have the right to have the personal data transmitted directly from one controller to another, where technically feasible and provided this does not adversely affect the rights and freedoms of others.

1.7 Right to Withdraw Consent
You have the right to withdraw your consent to the processing of personal data at any time.

1.8 Right to Lodge a Complaint with a Supervisory Authority
You have the right to lodge a complaint with a supervisory authority in your Member State of residence, place of work, or the place of the alleged infringement if you believe that the processing of your personal data violates the GDPR.

1.9 Legal or Contractual Requirement to Provide Personal Data
The provision of personal data may be required by law (e.g., tax regulations) or by contractual provisions (e.g., information about a contracting party). In some cases, it may be necessary for the conclusion of a contract that you provide personal data that must subsequently be processed by us. For example, you are required to provide personal data when we enter into a contract with you. Failure to provide such data would mean that the contract cannot be concluded.

2. What Data We Collect and Process

2.1 Web Server
When you visit our website or use our services, the device you use automatically transmits connection data to our servers. This is particularly the case when you log in or upload/download data. The following connection data is collected:

• Client IP address
• Request line
• Timestamp
• Status code
• Size of the response body
• Referrer sent by the client
• User agent sent by the client
• Remote user

2.2 Contract Data
We collect, process, and store the data you provide when booking or ordering services from us. We also store and process information relating to order and payment history.

2.3 Data Stored on Our Servers
We collect, process, and store the data you save while using our services. This includes creating backups in our backup systems.

2.4 Customer Correspondence
We process data generated when you contact us, for example by email, fax, or post.

2.5 Domain Owner Inquiries
We process the data you provide in connection with domain ownership inquiries, including your name, address, email address, and any personal data submitted to verify your entitlement to receive information.

2.6 Cookies, Pixels, and Similar Technologies
We use cookies, pixels, and similar technologies on various parts of our website. The term “cookies” is used as a general term that also includes tags, pixels, and scripts as alternative technical implementations. Cookies are small identifiers stored by a server on the device used to access our website or services. They contain information that can be retrieved during access and help improve the efficiency and usability of our offerings.

We use both:

• Session cookies, which are deleted when you close your browser.
• Persistent cookies, which remain on your device until they are no longer required and are deleted.

2.7 Google reCAPTCHA
Data protection also means taking proactive measures against spam and attacks on our systems. Due to an increased number of attacks, we use Google reCAPTCHA on our website. Processing is based on Article 6(1)(f) GDPR. The website operator has a legitimate interest in protecting its web applications from abusive automated access and spam. The reCAPTCHA script is only embedded on pages where it is actually used. reCAPTCHA analyzes whether data entry on our websites is made by a human or an automated program. This analysis begins automatically when a visitor accesses the website.

For this purpose, reCAPTCHA evaluates various information, such as:

• IP address
• Length of stay on the website
• Mouse movements made by the user

The data collected during analysis is transmitted to Google. The analysis runs entirely in the background and users are not notified separately.

Further information can be found in Google's Privacy Policy.

Provider:
Google Inc.
1600 Amphitheatre Parkway
Mountain View, CA 94043, USA

2.8 Social Media
We use icons linking to Facebook, Instagram, and LinkedIn on our website. To enhance data protection, these are implemented as static links using locally stored font files. This prevents your data from being transmitted to social networks simply by visiting our website. A connection to the social network is only established when you actively click the respective icon. For detailed information about data processing, objection rights, and access requests, please refer to the privacy policies of the respective platform providers.

Facebook
Provider: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

Instagram
Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland

LinkedIn
Provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland

2.9 Matomo Analytics
We use Matomo, a web analytics service provided by InnoCraft Ltd., 150 Willis Street, Wellington 6011, New Zealand. Matomo helps us analyze the use of our website and its functions so that we can optimize our services. Matomo uses cookies that allow evaluation of your use of our website, including your IP address. We have enabled the “Anonymize Visitors IP Addresses” feature so that IP addresses are shortened before processing, preventing direct identification of individuals. Additionally, all data is stored within our own infrastructure on servers located in Germany. The legal basis for processing is Article 6(1)(a) GDPR.

Right of Withdrawal
You may withdraw your consent at any time with future effect. If you do not agree to the future transmission of your data to Matomo, you can disable Matomo entirely through your browser settings. However, this may limit the functionality of our website.

Further information regarding Matomo's terms of use and privacy policy can be found at:
https://matomo.org/privacy-policy/

3. Legal Basis for Processing

We process and use your data in order to perform the contract and provide our services, improve our services and websites, provide updates and upgrades, send you service-related notifications, issue invoices, and collect outstanding payments. Article 6(1)(a) GDPR serves as the legal basis for processing operations where we obtain consent for a specific processing purpose. Where the processing of personal data is necessary for the performance of a contract, the processing is based on Article 6(1)(b) GDPR. The same applies to processing operations that are necessary for the implementation of pre-contractual measures, for example in cases of inquiries regarding our products or services. Where we are subject to a legal obligation requiring the processing of personal data, such as compliance with tax obligations, the processing is based on the applicable legal provisions. Processing operations that are not covered by any of the aforementioned legal bases are carried out where processing is necessary for the purposes of our legitimate interests or those of a third party, provided that such interests are not overridden by the interests, fundamental rights, or freedoms of the data subject. Such processing activities are expressly permitted because they are specifically recognized by the European legislator. A legitimate interest is generally assumed where the data subject is a customer of the controller.

4. Categories of Recipients

4.1 Registrars and Registration Authorities
For domain registrations, we are required to transmit certain personal data to registrars and registration authorities.

4.2 Data Processors
As the data controller, we transfer various personal data to our data processors within the framework of data processing agreements. We have ensured the security of your data by entering into appropriate data processing agreements with our processors. Our data processors can be grouped into the following categories:

Provision of Services, including:

• Distribution of newsletters
• Printing and mailing of invoices
• Customer surveys
• Payment service providers
• Data destruction services

Operation, Maintenance, and Support of Hardware and Software Services

4.3 Public Authorities
We disclose data to public authorities and third parties only in accordance with legal requirements or pursuant to a court order. Information may be provided to public authorities where required by law for purposes such as threat prevention or criminal prosecution. Third parties will only receive information where permitted or required by law, for example in cases involving copyright infringements.

5. Data Processing in Third Countries

5.1 Registries
For the registration of Top-Level Domains (TLDs), personal data may be transferred to the relevant registry. Such processing is carried out pursuant to Article 49(1)(b) GDPR. Information on the registry responsible for a specific Top-Level Domain can be found via the relevant domain registration rules, policies, and registry information.

5.2 Internet Security Research Group (Let's Encrypt)
We act as an intermediary in the procurement and maintenance of SSL certificates. For this purpose, we transfer your data to the Internet Security Research Group (Let's Encrypt) in the United States so that it can provide its certificate services. This processing is carried out pursuant to Article 49(1)(b) GDPR. Further information about the Internet Security Research Group (Let's Encrypt) is available at:

https://www.abetterinternet.org/

6. Data Retention Periods

6.1 General Retention Period
We process and store personal data only for as long as necessary to achieve the purpose of storage or as required by law. As a rule, the purpose of processing is fulfilled upon termination of your contractual relationship.

6.2 Domain Owner Inquiries
Data collected in connection with domain owner inquiries is stored until the date of deletion of the domain or its transfer to another provider following the submission of the request.

6.3 Log and Account Data
Log and account data associated with user logins are retained for a maximum period of six (6) months. Following termination of the contract, account data is deleted within four (4) months.

6.4 Customer Correspondence and Payment Records
Customer correspondence, order history, and payment records are retained for the statutory retention period of six (6) years in accordance with Section 257 of the German Commercial Code (HGB) and Section 147 of the German Fiscal Code (AO).

6.5 Subscriptions and Contract Data
Following termination of the contract, the processing of contract-related data is restricted. Such data is deleted after the expiry of the statutory retention period of ten (10) years pursuant to Section 257 HGB and Section 147 AO. Data stored by you within our services can be modified or deleted by you at any time. Upon termination of the contract, data stored within our services will be deleted within one (1) to three (3) months. Backups stored in our backup systems are deleted automatically after a delayed retention period.