Privacy Policy

1. Data Controller

The data controller responsible for your personal data is:

• Company: DotWee Limited
• IANA Registrar ID: 3870
• Address: Room 701, Unit 108, 7th Floor, Tower B, New Mandarin Plaza, 14 Science Museum Road, Tsim Sha Tsui, Kowloon, Hong Kong
• Privacy Contact: privacy@dotwee.com

2. Data We Collect

We collect the following categories of personal data:

2.1 Account Registration Data

• First name and last name
• Email address
• Password (stored as a secure hash using Argon2id)
• Phone number with country code
• Postal address (street, city, state, postcode, country)
• Company name and VAT number (if applicable)

2.2 Domain Registration Data (WHOIS/RDAP Data)

Per ICANN requirements, we collect the following for each domain registration:

• Registrant name (individual or organization)
• Registrant postal address
• Registrant email address
• Registrant phone number
• Administrative contact details
• Technical contact details
• Billing contact details

2.3 Technical and Usage Data

• IP address
• Browser type and version
• Device information
• Pages visited and actions taken on our website
• Date and time of access
• Referring URL

2.4 Transaction Data

• Order history and domain transactions
• Payment references (transaction IDs from payment processors)
• Account balance history
• Invoice records

Note: We do not store credit card numbers or full payment card details. All payment processing is handled by third-party processors (Stripe for cards, Heleket for cryptocurrency).

2.5 Communication Data

• Support ticket contents
• Email correspondence
• Contact form submissions

2.6 Activity Logs

• Login and logout timestamps
• Account changes and updates
• Domain management actions
• Security events (failed login attempts, password changes)

3. Purpose of Data Collection

We collect and process your personal data for the following purposes:

3.1 Service Delivery

• Processing domain registrations, renewals, transfers, and restorations
• Managing your account and providing customer support
• Communicating service-related information (expiration notices, verification requests)
• Processing payments and maintaining billing records

3.2 Regulatory Compliance

• Fulfilling ICANN requirements for domain registration data
• Maintaining WHOIS/RDAP databases as required
• Responding to lawful data access requests
• Submitting data to ICANN-approved escrow providers

3.3 Security and Fraud Prevention

• Protecting against unauthorized access to accounts
• Detecting and preventing fraudulent activity
• Investigating abuse reports and DNS abuse
• Maintaining service security and integrity

3.4 Legal Obligations

• Responding to court orders and law enforcement requests
• Complying with applicable laws and regulations
• Defending legal claims

4. Legal Basis for Processing

We process your personal data under the following legal bases:

4.1 Contract Performance

Processing is necessary to perform our contract with you, including domain registration services and account management.

4.2 Legal Obligation

We are required by ICANN's Registrar Accreditation Agreement (RAA) and Consensus Policies to collect and maintain certain registration data. We are also subject to Hong Kong law and may be required to respond to lawful requests from authorities.

4.3 Legitimate Interests

We process certain data based on our legitimate interests, including:

• Preventing fraud and ensuring security
• Improving our services
• Communicating with you about your account

4.4 Consent

Where required by law, we will obtain your consent before processing personal data for specific purposes, such as marketing communications.

5. WHOIS and RDAP Data Publication

As an ICANN-accredited registrar, we maintain publicly accessible WHOIS and RDAP services that display domain registration data.

5.1 Published Data

In accordance with the ICANN Registration Data Policy, the following data may be publicly accessible:

• Domain name
• Registry domain ID
• Registrar WHOIS/RDAP server URLs
• Domain creation, update, and expiration dates
• Registrar name and IANA ID
• Domain status codes
• Nameserver information
• DNSSEC data (if applicable)

5.2 Redacted Data

To protect registrant privacy, the following personal data is redacted from public WHOIS/RDAP output:

• Registrant name (individual registrants)
• Postal address
• Phone number
• Email address (replaced with a web form or anonymized contact)

Organization names may be published where the registrant is an organization rather than an individual.

5.3 Legitimate Access Requests

Third parties with a legitimate interest (such as law enforcement, intellectual property rights holders, or security researchers) may request access to non-public registration data. Such requests are evaluated on a case-by-case basis in accordance with ICANN policy and applicable law.

5.4 RDAP Terms of Use

Access to our RDAP and WHOIS services is subject to our RDAP and WHOIS Terms of Use.

6. Data Sharing with Third Parties

We share your personal data with the following categories of recipients:

6.1 Registry Operators

To register domain names, we must share registration data with the applicable TLD registry operators. Each registry has its own privacy policies and data handling practices.

6.2 ICANN

We share registration data with ICANN as required by our Registrar Accreditation Agreement for compliance verification and policy enforcement.

6.3 Data Escrow Provider

Per ICANN requirements (RAA Section 3.6), we submit registration data to an ICANN-approved data escrow provider (DENIC) to ensure business continuity in case of registrar failure.

6.4 Payment Processors

• Stripe: Processes credit card payments. See Stripe's Privacy Policy.
• Heleket: Processes cryptocurrency payments. See Heleket's privacy policy.

6.5 Email Service Provider

We use Brevo (formerly Sendinblue) to send transactional emails. Your email address and name are shared for email delivery purposes.

6.6 Law Enforcement and Authorities

We may disclose personal data to law enforcement agencies, regulatory bodies, or courts when:

• Required by valid legal process (court order, subpoena, warrant);
• Necessary to protect our rights or property;
• Necessary to protect the safety of any person;
• Required to investigate or prevent illegal activity.

6.7 Professional Advisors

We may share data with legal, accounting, and other professional advisors as necessary for business operations.

7. Data Retention

We retain personal data for the following periods:

7.1 Active Account Data

Account and registration data is retained for as long as your account remains active and you have registered domains with us.

7.2 Post-Expiration Retention

Per ICANN requirements, we retain registration data for a minimum of two (2) years after a domain name expires or is transferred away.

7.3 Transaction Records

Financial and transaction records are retained for seven (7) years to comply with accounting and tax requirements under Hong Kong law.

7.4 Activity Logs

Security and activity logs are retained for one (1) year unless needed for ongoing investigations.

7.5 Communication Records

Support tickets and correspondence are retained for three (3) years after resolution.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

8.1 Technical Measures

• Encryption: All data in transit is protected by TLS encryption. Passwords are hashed using Argon2id algorithm.
• Access Controls: Strict access controls limit employee access to personal data on a need-to-know basis.
• Secure Infrastructure: Our systems are hosted in secure data centers with physical and network security controls.
• Regular Updates: We regularly update and patch our systems to address security vulnerabilities.

8.2 Organizational Measures

• Staff training on data protection and security
• Incident response procedures
• Regular security assessments
• Vendor security evaluations

8.3 Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and relevant authorities as required by applicable law.

9. International Data Transfers

As a domain registrar, international data transfers are inherent to our services:

9.1 Registry Transfers

Domain registration data is transferred to registry operators, which may be located in various countries. These transfers are necessary for domain registration and are governed by registry policies and ICANN contracts.

9.2 Data Escrow

Registration data is escrowed with our ICANN-approved escrow provider (DENIC, Germany).

9.3 Safeguards

Where personal data is transferred outside Hong Kong, we ensure appropriate safeguards are in place, including:

• Contractual obligations on data recipients;
• Compliance with ICANN requirements;
• Ensuring recipients provide adequate data protection.

10. Your Rights

Under the Hong Kong PDPO and ICANN policies, you have the following rights:

10.1 Right of Access

You may request a copy of the personal data we hold about you. You can access most of your data through your account dashboard.

10.2 Right to Correction

You have the right to request correction of inaccurate personal data. You can update most information directly in your account settings.

10.3 Right to Erasure

You may request deletion of your personal data. However, we may retain certain data where required by ICANN policy or applicable law.

10.4 Right to Object

You may object to processing of your personal data based on legitimate interests. We will cease processing unless we have compelling legitimate grounds.

10.5 Right to Data Portability

You may request a copy of your data in a structured, commonly used format.

10.6 Exercising Your Rights

To exercise these rights, contact us at privacy@dotwee.com. We will respond within thirty (30) days. We may request verification of your identity before processing requests.

10.7 Complaints

If you believe we have not handled your data appropriately, you may lodge a complaint with the Hong Kong Office of the Privacy Commissioner for Personal Data.

11. Cookies and Analytics

11.1 Essential Cookies

We use essential cookies for:

• Session management (keeping you logged in)
• Security (CSRF protection)
• Shopping cart functionality

These cookies are necessary for the website to function and cannot be disabled.

11.2 Security Services

We use Google reCAPTCHA to protect our forms from spam and abuse. This service may collect certain data. See Google's Privacy Policy.

11.3 Analytics

We may use analytics services to understand how visitors use our website. Analytics data is aggregated and does not identify individual users.

12. Children's Privacy

Our services are not intended for individuals under the age of eighteen (18). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately at privacy@dotwee.com and we will delete such data.

13. Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or ICANN policies. Material changes will be communicated to you via email or prominent notice on our website. The effective date at the top of this policy indicates when it was last updated.

We encourage you to review this Privacy Policy periodically. Your continued use of our services after any changes constitutes acceptance of the updated policy.

14. Contact Us

For questions or concerns about this Privacy Policy or our data practices, please contact us:

• Privacy Inquiries: privacy@dotwee.com
• General Support: support@dotwee.com
• Postal Address: Room 701, Unit 108, 7th Floor, Tower B, New Mandarin Plaza, 14 Science Museum Road, Tsim Sha Tsui, Kowloon, Hong Kong

For data access or erasure requests, please include "Privacy Request" in the subject line and provide sufficient information to verify your identity and locate your records.