Privacy Policy
Last updated: March 31, 2026
1. Introduction
Reg AI LLC ("Reg AI," "we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our domain name registration and related services ("Services").
Contact Information:
Email: privacy@reg.ai
2. Information We Collect
Information You Provide to Us
- Account Information: Username, email address, and password
- Registrant Information: Full name, postal address, telephone number
- Contact Information: Technical, administrative, and billing contact details
- Payment Information: Collected and processed directly by our payment processor (Stripe). This includes credit/debit card details, bank transfer instructions, and lease installment schedules. Payment credentials are not stored on our servers.
- Guest Checkout Information: Email address provided during guest checkout for order confirmation and domain delivery
- Domain Monitoring Preferences: Domains you choose to monitor and notification preferences
- Inquiry Information: Name, email address, and optionally phone number when you submit a domain inquiry or contact form
Information Collected Automatically
- IP Address: Collected for internal analytics purposes only
- Log Data: Browser type, access times, pages viewed, and referring URL
3. How We Use Your Information
We use the information we collect for the following purposes:
- To register, renew, transfer, and manage domain names (Legal basis: performance of contract)
- To communicate with you about your account and Services (Legal basis: performance of contract)
- To process payments for Services, including credit/debit card payments, bank transfer invoicing, and recurring lease-to-own installments (all processed by Stripe) (Legal basis: performance of contract)
- To process guest checkout orders, including collecting your email address for order confirmation and domain delivery. Guest checkout email addresses are retained for 90 days after order fulfillment, then automatically anonymized. (Legal basis: performance of contract — Art. 6(1)(b) GDPR)
- To comply with Registry requirements and policies (Legal basis: legal obligation)
- To respond to disputes, legal requests, or enforcement actions (Legal basis: legal obligation)
- To conduct internal, first-party analytics and improve our Services. We use self-hosted error tracking (GlitchTip) for application reliability. We do not use Google Analytics, ad networks, or retargeting services. (Legal basis: legitimate interest)
- To send transactional emails (order confirmations, domain delivery) and, with your consent, informational email sequences about your domains or account. You may unsubscribe from non-transactional emails at any time. (Legal basis: consent for marketing; performance of contract for transactional)
- To prevent fraud and maintain security (Legal basis: legitimate interest)
We do not use your information for marketing or advertising purposes (unless you opt in), profiling or automated decision-making, or sale to third parties.
4. Disclosure of Your Information
We do not sell, rent, or share your personal information with third parties for their marketing purposes.
We may disclose your information in the following limited circumstances:
- Registry Operators: Required to complete domain registration
- Legal Requirements: When required by law, court order, or government request
- Dispute Resolution: In connection with domain name disputes (UDRP)
- Service Providers: AWS (hosting), Stripe (payments), Supabase (authentication and database), Escrow.com (escrow services), Cloudflare (CDN, DNS, and DDoS protection — all web traffic is routed through Cloudflare's network)
- Domain Sales Databases: We may share transaction information (domain name, sale price, and transaction date) with third-party domain sales databases such as NameBio for market transparency purposes. No buyer-identifying information is disclosed. You may opt out by contacting legal@reg.ai prior to completing your purchase.
We maintain Data Processing Agreements (DPAs) with all service providers that process personal data on our behalf, in accordance with GDPR Article 28. For a complete list of sub-processors including data categories and processing locations, see our Sub-Processor List.
International Data Transfers
Your personal data may be transferred to and processed in the United States by our service providers. For transfers of personal data from the EEA, UK, or Switzerland, we rely on each processor's Data Processing Agreement (DPA) and, where applicable, Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA):
- AWS: DPA with Standard Contractual Clauses
- Stripe: DPA with Standard Contractual Clauses
- Supabase: DPA with Standard Contractual Clauses
- Cloudflare: DPA with Standard Contractual Clauses
- Escrow.com: Standard Contractual Clauses
5. Registration Data (WHOIS/RDAP)
Domain name registration requires the collection and publication of certain registrant information via Registration Data Directory Services (WHOIS or RDAP). This is a requirement of the Registry Operator.
The following information may be made publicly available: domain name, registrant name and organization, contact information, name server information, and registration dates.
We send an annual email to domain registrants reminding them to review and verify the accuracy of their registration data. These are compliance emails required by the registry operator and are not marketing communications.
WHOIS Privacy Protection
We offer a WHOIS privacy protection service that replaces your personal contact information in the public WHOIS/RDAP record with proxy contact details. When enabled, the following substitutions are made:
- Name and organization: Replaced with Reg AI LLC privacy proxy details.
- Email address: Replaced with a domain-specific forwarding address in the format whois+yourdomain@reg.ai.
- Phone, fax, and mailing address: Replaced with Reg AI LLC contact information.
Communications sent to the proxy email address are forwarded to the registrant's actual email address on file. We do not read, modify, or store the contents of forwarded messages beyond what is necessary for delivery.
WHOIS privacy is enabled by default for all domains and can be disabled at any time from your account dashboard. Disabling privacy will restore your real contact information in the public WHOIS/RDAP record.
6. Data Retention
We retain your personal data only for as long as necessary. Specific retention periods by data category:
- Account data: Retained while your account is active. Deleted immediately upon verified account deletion request, except where longer retention is required by law (e.g., financial records retained for 6 years per Oregon contract statute of limitations, domain registration data retained for 2 years post-expiration per ICANN requirements).
- Domain registration data: Retained for the duration of the domain registration as required by the registry operator.
- Security audit logs (login, logout, failed access attempts, password changes, passkey operations): Personal identifiers (IP address, user agent) anonymized after 90 days. Full records deleted after 6 years (Oregon contract statute of limitations).
- Non-security audit logs (general activity): Personal identifiers (IP address, user agent) anonymized after 30 days. Full records deleted after 6 years (Oregon contract statute of limitations).
- Payment processing records: Stripe webhook event logs retained for 30 days. Order and payment transaction records (amount, date, domain name, payment method type) retained for 5 years as required by applicable financial regulation and tax reporting obligations (BSA, IRS).
- API usage logs: Deleted after 30 days.
- Checkout session data: Expired automatically based on session lifetime (typically within hours of completion).
- Notification history: Read notifications deleted after 30 days.
- Cookie consent records: Consent preferences, version, and timestamp are retained as proof of consent (GDPR Article 7). Personal identifiers (IP address, user agent) are anonymized after 90 days.
We may also retain data as necessary to comply with legal obligations, resolve disputes, and enforce our agreements.
7. Your Rights Under GDPR
If you are located in the EEA, UK, or Switzerland, you have the following rights:
- Right of access to your personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object to processing
- Right to withdraw consent
- Right to complain: You have the right to lodge a complaint with your national data protection authority (supervisory authority). A list of EU/EEA data protection authorities is available at edpb.europa.eu.
To exercise these rights, contact us at privacy@reg.ai.
Guest Checkout Users: If you completed a purchase without creating an account, you may still exercise your data rights. Email privacy@reg.ai with the email address you used at checkout. We will verify your identity by sending a confirmation to that address before processing your request. Guest checkout emails are automatically anonymized 90 days after order fulfillment.
8. Your Rights Under California Law (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with the following rights:
- Right to Know: You may request that we disclose what personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it.
- Right to Delete: You may request the deletion of your personal information, subject to certain exceptions (e.g., legal obligations, ongoing transactions).
- Right to Correct: You may request that we correct inaccurate personal information.
- Right to Opt Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising as defined under the CCPA/CPRA.
- Right to Limit Use of Sensitive PI: You may request that we limit our use of sensitive personal information to purposes necessary to provide our Services.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.
Do Not Sell or Share My Personal Information
Reg AI does not sell your personal information and does not share your personal information for cross-context behavioral advertising. Because we do not engage in these practices, we do not offer an opt-out mechanism for sale or sharing. If our practices change, we will update this policy and provide a conspicuous opt-out link.
Categories of Personal Information
The following table describes the categories of personal information we collect, the business purposes for collection, the categories of third parties with whom we share it, and our retention practices:
| Category | Business Purpose | Third Parties | Retention |
|---|---|---|---|
| Identifiers (name, email, phone) | Account creation, order fulfillment, customer support | Stripe (payment), Supabase (auth) | Duration of account + 30 days |
| Commercial information (purchases, domain registrations) | Order processing, domain management, billing | Stripe, Identity Digital (registry) | 7 years (tax/regulatory) |
| Internet activity (IP address, browser, log data) | Security, fraud prevention, analytics | Cloudflare (CDN/security), Umami (analytics) | 90 days |
| Payment information (card details) | Payment processing | Stripe (PCI-compliant processor) | Per Stripe retention policy |
To exercise these rights, email privacy@reg.ai with the subject "CCPA Rights Request." We will verify your identity and respond within 45 days.
9. Additional US State Privacy Rights
Oregon (OCPA)
If you are an Oregon resident, the Oregon Consumer Privacy Act (ORS 646A.570–646A.589), effective July 1, 2025, provides you with the following rights:
- Right to know what personal data we process about you
- Right to correction of inaccurate personal data
- Right to deletion of personal data you have provided to us
- Right to obtain a copy of your personal data in a portable format
- Right to opt out of processing for targeted advertising, sale of personal data, or profiling
Virginia, Colorado, Connecticut, Texas, and Montana
If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), or Montana (MCDPA), you may have additional privacy rights under your state's consumer privacy law, including:
- Right to access the personal data we process about you
- Right to correct inaccuracies in your personal data
- Right to delete your personal data
- Right to data portability (obtain a copy in a usable format)
- Right to opt out of the processing of your personal data for targeted advertising, sale, or profiling in furtherance of decisions that produce legal or similarly significant effects
Reg AI does not sell your personal data or use it for targeted advertising or profiling. If you wish to exercise any of these rights or appeal a decision regarding a rights request, contact us at the address below.
To exercise any US state privacy right, email privacy@reg.ai with the subject "State Privacy Rights Request." We will verify your identity and respond within the timeframe required by your state's law (typically 45 days). If we deny your request, you may appeal by contacting us.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption of data in transit (TLS/SSL)
- Secure storage of personal data
- Access controls limiting who can access personal data
- Regular security assessments
11. Data Breach Notification
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms:
- We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by applicable data protection laws.
- We will notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms, as required by applicable data protection laws.
- Notifications will include: the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address the breach.
For data protection inquiries or to report a security concern, contact us at privacy@reg.ai.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new Privacy Policy on our website and providing at least 30 days' notice before the changes take effect.
13. Contact Us
If you have questions about this Privacy Policy, please contact us:
Reg AI LLC
9450 SW Gemini Dr #59639
Beaverton, OR 97008
United States
Privacy Inquiries: privacy@reg.ai
Legal Inquiries: legal@reg.ai
See also: Terms of Service | Acceptable Use Policy