Privacy Policy
Effective Date: June 5, 2026
Version 2.1 — covers marketplace & registrar services
1. Introduction & Scope
Deepnom is operated by Vitviggs Electric Ltd, a company incorporated under the laws of Hong Kong SAR (referred to below as "we," "us," or "Deepnom"). This Privacy Policy describes how we collect, process, disclose, and retain personal data when you use any part of the Deepnom service, which now comprises two linked offerings:
- the Deepnom Marketplace — aftermarket listings, auctions, brokered messaging, and escrowed settlement; and
- the Deepnom Registrar — new domain registrations, renewals, and transfers processed as an authorised reseller of Tucows Domains Inc. (trading as OpenSRS), an ICANN-accredited registrar based in Canada.
For data-protection purposes we are the data controller. Our contact details are at the end of this document. This policy is written to satisfy EU/UK GDPR, the Hong Kong Personal Data (Privacy) Ordinance (PDPO), and CCPA where applicable.
2. Information We Collect
Depending on which part of the service you use, we collect some or all of the following categories of personal data:
- Identity & Contact Data. Email, username, optional display name, and identifiers provided during account creation, identity verification (KYC), or guest inquiries.
- WHOIS / Registrant Contact Data. For Registrar customers: first and last name, organisation (if any), postal address, country, phone, fax, and contact email supplied for each registered domain. This data is forwarded to Tucows/OpenSRS and, as required by ICANN and the relevant registry, is published in the public WHOIS / RDAP directory (unless WHOIS privacy is enabled and supported for the TLD).
- KYC / Identity Verification Data. Government-issued identity documents, proof of address, and any liveness / facial-recognition signals you submit during the KYC flow. Identity documents are stored under cryptographically randomised paths and are never exposed through public URLs.
- Transaction, Bidding & Messaging Data. Records of listings, offers, bids, chat content, purchase orders, invoices, refund events, renewal reminders, and registrar lifecycle events (registration, transfer in/out, DNS edits, WDRP reminders).
- Payment Metadata (not card data). Stripe customer identifier, payment-method identifier, card brand, last four digits, expiry month/year, and Stripe payment-intent / session references. We do not receive or store full card numbers, CVVs, or bank details — those are captured directly by Stripe, which is PCI-DSS compliant.
- DNS & Technical Configuration. For Registrar customers: the DNS records you configure (A, AAAA, CNAME, MX, TXT, SRV, etc.), nameserver delegations, per-domain OpenSRS management credentials, and DNS edit audit log entries.
- Technical & Security Data. IP address, user-agent hash, session identifiers, language/timezone, referring URL, approximate geolocation derived from IP, and fraud-model signals (including shared-IP and bid-pattern indicators).
3. Lawful Basis for Processing (GDPR Art. 6)
We rely on the following lawful bases, depending on the category of data and the purpose:
- Performance of a contract (Art. 6(1)(b)): creating your account, listing and selling Digital Assets, executing domain registrations / renewals / transfers, processing payments, sending transaction receipts and lifecycle notifications, handling auto-renewals you authorised, and responding to support requests.
- Compliance with a legal obligation (Art. 6(1)(c)): ICANN Registrar Accreditation Agreement obligations (including WHOIS publication, WDRP annual reminders, and RAA 3.7.7/3.7.8 registrant-data retention), AML/CTF Know-Your-Customer record-keeping, tax record-keeping, and responses to valid law-enforcement requests.
- Legitimate interest (Art. 6(1)(f)): securing the platform against fraud, shill-bidding, and abuse; product analytics in aggregate form; maintaining forensic bid audit trails; operating WebSocket real-time features; and limited direct marketing to existing users about service updates. We balance these interests against your rights and freedoms; you may object at any time (see Section 9).
- Consent (Art. 6(1)(a)): non-essential cookies, optional marketing emails, and any processing expressly described as consent-based at the point of collection. Consent may be withdrawn at any time without affecting the lawfulness of prior processing.
4. How We Use & Share Your Data
We do not sell your personal data. We use it only to:
- Operate the marketplace (listings, bids, offers, brokered messaging, moderation, notifications).
- Provision, renew, transfer, and manage domain registrations through the Upstream Registrar (Tucows/OpenSRS) and the registry operator for each TLD.
- Publish registrant data to the public WHOIS / RDAP directory, as required by ICANN and registry policy (see Section 6).
- Authenticate payments through Stripe, send registration / renewal receipts, and deliver ICANN-mandated lifecycle reminders.
- Prevent fraud, shill bidding, chargeback abuse, account takeover, and unlawful use of the platform.
- Comply with tax, accounting, law-enforcement, and regulatory obligations.
- Where you have actively engaged a broker, route relevant listing context and contact details to that broker so they can negotiate on your behalf.
5. Third-Party Service Providers & Sub-Processors
We use the following sub-processors. Each operates under its own privacy terms and only receives data necessary for the stated purpose.
| Provider | Purpose | Primary location |
|---|---|---|
| Tucows Domains Inc. (OpenSRS) | ICANN-accredited registrar; executes registrations, renewals, transfers; publishes WHOIS | Canada |
| Stripe, Inc. | Card payments, 3DS, subscriptions, off-session renewals, refunds | USA (EU/UK data processed under SCCs + UK IDTA) |
| Internet Escrow Services, Inc. (Escrow.com) | Buyer-seller escrow for marketplace transactions; AML/KYC for the escrow leg | USA |
| Cloudflare, Inc. | Edge CDN, TLS termination, DDoS protection, custom-hostname issuance for listings | Global edge (primary entity: USA) |
| Sendinblue SAS (Brevo) | Transactional email relay (receipts, reminders, dunning, WDRP notices) | France (EEA) |
| API Ninjas | Third-party WHOIS enrichment for marketplace listings (not for Registrar customers' own domains) | USA |
| Google LLC | OAuth sign-in (optional), reCAPTCHA anti-abuse | USA |
Deepnom does not store, process, or have access to your full card number, CVV, or bank account details. Payment credentials are captured directly by Stripe through a PCI-DSS-compliant interface.
6. Public WHOIS Publication (Registrar customers)
ICANN requires every domain registration to be accompanied by contact data that is made available to the public through the WHOIS / RDAP directory. Any Registrant of a domain registered through Deepnom Registrar acknowledges and is informed, in accordance with GDPR Articles 13 and 14, that:
- Registrant name, organisation (if any), postal address, email, phone, and fax are transmitted to Tucows/OpenSRS and, unless WHOIS privacy is enabled and supported for the TLD, are published to the public WHOIS / RDAP service for the life of the registration.
- Certain registries additionally publish the creation and expiry dates, nameservers, domain status codes, and registrar identity.
- WHOIS privacy, where offered, replaces the public contact with a Tucows-operated proxy address. The underlying contact data remains on file at the Upstream Registrar and may be disclosed in response to law-enforcement process, trademark complaints, or other disclosures permitted by the Upstream Registrar's WHOIS disclosure policy.
- In accordance with ICANN's WHOIS Data Reminder Policy (WDRP) we send you an annual email asking you to review and correct your WHOIS data. You are responsible for keeping it accurate; failure to do so can result in suspension of the registration under RAA 3.7.8.
7. International Data Transfers
Because our sub-processors include entities in Canada, the United States, and the European Economic Area, personal data may be transferred out of your country of residence. Where such transfers leave the EEA or the UK and the destination is not the subject of a European Commission or UK adequacy decision, we rely on Standard Contractual Clauses (and, for UK transfers, the UK International Data Transfer Addendum). Stripe, Cloudflare, and Tucows (OpenSRS) each maintain published GDPR transfer mechanisms which we rely on in tandem with our own contractual arrangements. You may request a copy of the relevant clauses by emailing [email protected].
8. Data Security & Retention
We apply industry-standard technical and organisational measures including TLS in transit, encrypted at-rest storage for identity documents, role-based access control, per-domain generated credentials, isolated production environments, and forensic audit logging. Access to personal data inside the company is limited to staff with a strict business need.
We retain personal data only for as long as necessary for the purposes listed in Section 4, after which it is deleted or irreversibly anonymised. Indicative retention windows:
- Account profile data: for the life of the account, then up to 24 months after closure for fraud prevention.
- Registrant (WHOIS) data: for the life of the registration, plus 2 years after the domain leaves our books, in line with ICANN RAA 3.4.1/3.7.7.
- KYC documents & audit log: 5 years after last use, in line with AML/CTF record-keeping requirements.
- Billing & tax records (BillingEvent ledger, invoices): 7 years from the end of the fiscal year, per Hong Kong record-keeping practice.
- Transactional email content: up to 18 months at the email relay; indefinitely in our own archive where linked to a billing or compliance event.
- IP address & forensic bid context: up to 5 years, to support dispute resolution and regulatory review.
- Chat messages: for the life of the parent conversation; quarantined or removed messages are retained 180 days for moderation review, then deleted.
9. Your Rights
Under the GDPR, UK GDPR, PDPO, and CCPA (as applicable), you have the right to:
- Access the personal data we hold about you and receive a copy.
- Correct inaccurate or incomplete data, including updating WHOIS contact details from the control panel.
- Erase personal data ("right to be forgotten"), subject to our legal retention obligations (ICANN registrant-data retention, AML, tax) and to active contractual commitments (open escrow, live auctions, currently registered domains).
- Restrict processing or object to processing we perform on a legitimate-interest basis.
- Port data you have provided to us, in a structured, machine-readable format, where processing is based on consent or contract.
- Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
- Opt out of "sale" or "sharing" under the CCPA — we do not sell or share personal data for cross-context behavioural advertising.
- Lodge a complaint with the supervisory authority in your jurisdiction, including the Hong Kong PCPD, your EU member-state DPA, the UK ICO, or the California Privacy Protection Agency.
We respond to verifiable requests within 30 days (GDPR) or 45 days (CCPA) and will let you know if we need more time.
10. Cookies & Tracking
We use a small number of essential cookies to keep you signed in (sessionid), protect against cross-site request forgery (csrftoken), and remember your cart or UI state. These cookies rely on the strictly-necessary exemption under the ePrivacy Directive and PECR and do not require prior consent. We do not currently deploy advertising or cross-site tracking cookies. If we introduce analytics or marketing cookies in the future, we will first ask for your consent through a cookie banner and you will be able to refuse or withdraw consent at any time without losing access to the service.
11. Children's Data
Deepnom is not directed at children. You must be at least 18 years old, or the legal age of majority in your jurisdiction if higher, to create an account or complete any transaction. If we learn that we have collected data from a child, we will delete it without delay.
12. Changes to This Policy
Material changes to this Policy are notified by email and by a prominent notice on the service at least 14 days before they take effect. The "Effective Date" and "Version" at the top of this page indicate the most recent revision.
Contact the Data Controller
If you wish to exercise any of your privacy rights, request a data export, or ask questions regarding this policy, please contact our administrative team at Vitviggs Electric Ltd:
Vitviggs Electric Ltd
Unit 503, 5/F, Tower 2, Lippo Centre
89 Queensway
Admiralty
Hong Kong