UDR Universal Domain Registry
EN FR
Registrar Login Register Domain

Version 2.0 - Effective 2 May 2026

Privacy Policy

How UDR collects, uses, publishes, protects, retains, discloses, and deletes registry, RDAP, contact, abuse, automation, and account data.

Effective 2 May 2026 Universal Domain Registry Privacy v2.0

Policy Alignment

  • Uses ICANN-style principles for registration agreements, abuse mitigation, RDAP publication, accuracy, lifecycle controls, and dispute handling where appropriate for a policy-driven domain registry.
  • Preserves upstream country-code registry authority for AFNIC-family labels in .pm, .wf, and .yt and Greece-family labels in .gr.
  • Requires qualified legal review before production publication in jurisdictions where UDR, registrars, or registrants operate.

01 Scope and Controller Roles

This Privacy Policy covers personal data processed by UDR when a person visits the website, searches availability, submits a contact or abuse report, creates or manages a registration, uses a registrar or admin portal, interacts with RDAP, receives notifications, or participates in a dispute or compliance process.

Depending on the workflow, UDR may act as an independent controller, joint controller, processor, service provider, registry operator, or private registry administrator. Sponsoring registrars, resellers, payment providers, Logto, notification providers, n8n, hosting providers, and upstream registries may have their own privacy roles and notices.

02 Data We Collect

UDR collects only data reasonably needed for registry operation, security, compliance, billing, support, abuse handling, legal response, and service improvement.

  • Registration data: registrant, organization, administrative, technical, billing, and abuse-contact data supplied by registrants, registrars, or resellers.
  • Domain data: label, extension, status, nameservers, DNSSEC data, lifecycle events, registrar, handles, transaction history, and registry notes.
  • Support and legal data: contact forms, correspondence, tickets, reporter identity, evidence files, declarations, dispute materials, and status updates.
  • Usage and security data: IP address, user agent, logs, cookies, session identifiers, rate-limit signals, authentication events, API calls, webhook events, and fraud-screening metadata.
  • Payment and commercial data: invoice references, order records, tax details, chargeback information, and premium quote history. UDR should avoid storing full card data unless a compliant payment provider requires it.

03 Purposes and Legal Bases

UDR processes personal data to operate a private registry, perform agreements, comply with law and upstream requirements, protect users and the DNS, respond to abuse and disputes, maintain accurate records, send service notices, secure the platform, and improve registry services.

  • Contract performance and pre-contract steps for applications, registrations, renewals, transfers, support, and registrar services.
  • Legitimate interests in registry security, abuse mitigation, fraud prevention, RDAP operation, account protection, policy enforcement, and service improvement.
  • Legal obligations, court orders, regulatory requests, law-enforcement requests, tax obligations, sanctions screening, and upstream registry compliance.
  • Consent where required for optional marketing, analytics cookies, non-essential communications, or certain data-sharing workflows.

04 RDAP, WHOIS, and Data Publication

UDR publishes or makes available registration data through RDAP and WHOIS-style lookup only to the extent required or appropriate for registry operation, security, accountability, and lawful transparency. RDAP output may include domain status, nameservers, events, handles, registrar information, DNSSEC status, and selected contact data.

Non-public personal data may be redacted, pseudonymized, restricted, or disclosed only through a controlled request process, depending on applicable law, upstream rules, registrar data, and the nature of the request.

  • UDR may disclose non-public registration data to the sponsoring registrar, upstream registry, trusted notifier, dispute provider, court, regulator, law-enforcement authority, or rights holder where lawful and proportionate.
  • Requesters seeking non-public data must identify themselves, describe the lawful basis and need, provide evidence, and accept limits on use and onward disclosure.
  • RDAP records may cache for performance and security. Corrected data may take a short period to propagate through public lookup tools and third-party indexes.

05 Abuse, Dispute, and Legal Evidence

Abuse reports, dispute submissions, legal notices, screenshots, URLs, headers, logs, and evidence files may contain personal data about reporters, registrants, victims, suspects, or third parties. UDR processes this data to investigate, mitigate, document, and resolve policy matters.

  • Reporter contact data is used for tracking IDs, status notices, evidence questions, and outcome notices.
  • UDR may share evidence with registrars, upstream registries, hosting providers, mail providers, security vendors, trusted notifiers, payment providers, dispute providers, regulators, or law enforcement when appropriate.
  • Sensitive evidence should be submitted only when necessary. Reporters should redact unrelated personal data where possible.

06 Providers, Transfers, and Security

UDR may use service providers for hosting, databases, backups, authentication, Logto admin login, email, SMS, AWS SES, AWS SNS, SMTP, Twilio, Africas Talking, n8n automation, AI drafting, analytics, fraud prevention, storage, and monitoring. Providers must be configured with appropriate security and access controls.

  • Data may be processed in countries other than the data subject location. UDR uses contractual, technical, and organizational safeguards where required.
  • UDR uses role-based access, audit logs, encryption in transit, reasonable encryption at rest, backups, rate limits, token rotation, and least-privilege access where practical.
  • No system is perfectly secure. UDR will assess suspected incidents and notify affected parties or authorities where required by law.

07 Retention

UDR keeps personal data only as long as reasonably needed for registry operation, legal compliance, security, billing, dispute defense, abuse-history tracking, and auditability. Retention periods may vary by data type and jurisdiction.

  • Active registration data is retained while the label is active and for a reasonable period after deletion, expiration, transfer, or termination.
  • Abuse, dispute, and legal evidence may be retained longer where needed for enforcement history, repeat-abuse detection, litigation, regulatory review, or upstream registry defense.
  • Security logs and automation events may be retained for shorter operational windows unless linked to abuse, fraud, or legal matters.

08 Individual Rights and Corrections

Depending on applicable law, individuals may request access, correction, deletion, objection, restriction, portability, or withdrawal of consent. UDR may need to verify identity, confirm registrar authority, preserve registry records, or deny requests that conflict with law, security, disputes, billing, RDAP obligations, or upstream requirements.

  • Registrants should correct registration data through their sponsoring registrar when a registrar manages the label.
  • UDR may route requests to the registrar, reseller, provider, or upstream registry when they control the relevant data.
  • Privacy requests can be sent to the legal contact configured in the registry settings.
Back to Legal Hub Contact Compliance