As a company, our processes and website are designed to comply with the following national and international legislation with regard to the privacy of our users and data protection:
- UK Data Protection Act 1988 (DPA)
- EU Data Protection Directive 1995 (DPD)
- EU General Data Protection Regulation 2018 (GDPR)
Our compliance with the above legislation, all of which is stringent in nature, means that this site is likely also compliant with the data protection and user privacy legislation defined within most countries as well. If you are outside of the UK and EU and are unsure about whether this site is compliant with your own country of residence's specific data protection and user privacy legislation, then please contact us requesting to speak to our data protection officer.
2.0 Why we collect information
We collect the minimum amount of information required from users to solely meet the requirements for us to provide our services to you and this information is visible to you within our website client area. We collect personal information from users in a variety of ways for the following reasons:
2.1 Our Client Area
In order to provide our hosting and domain registration services, we require certain contractual information legally from customers in order to be able to provide services. For contractual, operational security and accounting purposes, we require name, address, telephone number and e-mail address along with the answer to your security question.
We also collect payment card details from you when you pay for our services. This information is only passed securely to our payment processor and is never shared with a 3rd party. Any stored card information is also encrypted within our databases.
2.2 Our Website Contact Form
Our website provides a contact form in order for anyone to submit an enquiry to us. The contact page of our website is encrypted using TLS and we do not transmit this data externally - it remains at all times within our secure network. As well as the information that you submit via the form, we also collect the IP address of the person submitting it.
2.3 Our Mailing List
We maintain a mailing list within our client area so that customers can receive information about any special offers or promotions that we may have available. We may also use this to run a survey or competition or other site feature. Our mailing list is specifically opt-in and you can control whether to opt in or out of these mailings via our client area.
Marketing mailings are occasional and generally limited to a maximum of 3 or 4 per year. This does not include system notifications where we need to inform you of any changes that may affect your service and these are sent to applicable customers as required.
You can also opt-out of mailings if you wish by clicking the opt-out link that is included at the bottom of our mailings.
2.4 Site Visitor Statistical Tracking
Our website implements the commonly used Google Analytics to track visitors to our site. This includes information such as browser, geographic location, your IP address, operating system and your device type and this is information that could potentially be used to personally identify you. We do not have access to this level of information with Google and we consider Google to be one of our 3rd party data processors.
One cookie gets set when a customer is referred to us via an affiliate link and it simply stores the ID of the affiliate that referred them, so that if an order is placed within the next 90 days following the referral, the affiliate gets credited for it. It is a persistent cookie.
We also make use of a cookie that is set for tracking links to our website from specific promotional URLs. It remembers the link the visitor followed to first get to our website, and is then used when an order is placed to be able to associate the conversion with a link to be able to provide stats on the effectiveness of your links. It is a persistent cookie.
3.0 Data Storage & Web Servers
Client information on our website and client area is stored within a database server. Some of this data is encrypted where necessary and not all is stored in a personally identifiable manner, making the majority of it pseudonymous, i.e. it would require additional processing to link data within tables together.
Our servers are located within the Next Generation Data datacentre at Newport. This is a high security facility with 4 metre high perimeter fencing, military grade security and is accredited with ISO9001, ISO14001, ISO27001, PCI DSS Compliance, SSAE16/ISAE3402 Type I and II Certified and IIP Committed. Access to our physical servers is therefore very tightly controlled and limited to specific persons.
4.0 3rd Party Data Processors
We use a number of 3rd party companies to process data on our behalf. Each of these companies has been assessed to comply with the above legislation.
- Google (For Google Analytics Statistics)
- SagePay (Our Payment Processor)
- cPanel (Our hosting control panel software provider)
- Maxmind (For fraud detection)
- Nominet (For domain registration)
- Enom (For domain registration)
- OpenSRS (For domain registration)
- Xero (For accounting)
We do not sell, trade, or rent users' personal identification information to others. We may share generic aggregated demographic information not linked to any personal identification information regarding visitors and users with our business partners, trusted affiliates and advertisers for the purposes outlined above.
5.0 Data Retention
HMRC legally requires us to retain accounting information for a minimum of 6 years for audit purposes. Our client area will automatically purge clients and all of their information at 11 years after their last transaction. This period of time is in place to ensure clients can still manage domain names purchased for an extended duration as a single transaction can be to register a domain name for up to 10 years. This also allows for control of and renewal whilst in an expired or redemption status.
In the interim period between 6 years and our automatic purging at 11 years, you have the legal right to be forgotten. You can request that we remove any or all of your personal information prior to the automatic removal.
Clients with financial information do not have the right to be forgotten prior to 6 years from the date of their last financial transaction as this would breach our legal HMRC requirements, however clients with information on our systems and no financial transactions have the right to be forgotten at any time.
6.0 Data Access
If you require a copy of the data that we hold regarding yourself, this will be subject to a formal access request and we will take reasonable measures to verify the identity of the person or organisation making the request. We will not charge for this information, unless the request is manifestly unfounded or excessive, particularly if it is repetitive; under these circumstances we will charge a reasonable fee to cover the administration required to fulfil the request. Further copies of the same information may also be subject to an administration charge.
Access requests will be fulfilled within a maximum of 28 days following our receipt of the request. Should the request be complex or numerous, we may extend this period by a further two months. If this is the case, we will inform you within one month of the receipt of the request and explain why the extension is necessary.
Where requests are manifestly unfounded or excessive, in particular because they are repetitive, we may refuse to respond. If this is the case then we will explain why, informing you of your right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month of the request being made.
7.0 Data Breaches
In the event of us detecting a data breach, this will be reported within 72 hours if we believe that personally identifiable data has been obtained without authorisation. This includes data from our website, or from any systems used by our 3rd party data processors.
8.0 Children and Compliance with the Children's Online Privacy Protection Act
Protecting the privacy of the very young is especially important. For that reason, we never collect or maintain information at our Site from those we actually know are under 13, and no part of our website is structured to attract anyone under 13.
As per our terms and conditions our services are only available for persons over the age of 18 and we will not knowingly enter into a contract with someone below that age.
9.0 The Data Controller
The data controller for our website is Penguin Internet Ltd, a UK Private Limited Company with a registration number of 5601885. Our registered office is:
Penguin Internet Ltd, 733b Newport Road, Rumney, Cardiff, CF3 4FD
10.1 Policy Changelog
- 04/04/2018 Policy rewritten to incorporate GDPR required changes
- 20/10/2014 Initial policy published