Privacy Policy

1 Introduction and Scope

1.1 Who We Are

True Registrar is a brand of PeaceWeb B.V. (statutory name: PeaceWeb B.V.), a company registered in the Netherlands. We operate as a European domain registrar and hosting provider, offering domain name registration, DNS management, web hosting, Virtual Private Servers (VPS), SSL/TLS certificates, and related infrastructure services (collectively, the "Services").

For the purposes of the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Dutch Implementation Act for the GDPR (Uitvoeringswet AVG), PeaceWeb B.V. is the data controller responsible for the processing of your personal data as described in this Privacy Policy. Where we process personal data on your behalf (for example, data you store on our hosting infrastructure), we act as a data processor under the terms of our Data Processing Agreement.

1.2 Scope of This Policy

This Privacy Policy applies to all personal data collected through our website at trueregistrar.com, our client portal, our APIs, our support channels, and any other interaction you have with True Registrar. It covers personal data of website visitors, prospective customers, registered clients, domain registrants, and any other individuals whose data we process in the course of providing our Services.

By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. We encourage you to read this document in conjunction with our Terms of Service and Data Processing Agreement.

1.3 Data Controller Information

2 Categories of Personal Data Collected

We collect and process the following categories of personal data, depending on how you interact with our Services:

2.1 Contact Data

• • Full name (first name, last name)
• • Email address
• • Telephone number
• • Physical address (street, city, postal code, country)

2.2 Business Data

• • Company or organization name
• • VAT identification number (BTW-nummer)
• • Chamber of Commerce registration number (KvK-nummer)
• • Business type and industry

2.3 Account Data

• • Username and account identifier
• • Password hash (passwords are never stored in plain text)
• • Two-factor authentication (2FA) configuration data
• • Account preferences and notification settings

2.4 Payment Data

• • Payment method details (processed securely via Stripe and Mollie; we do not store full credit card numbers)
• • Billing address and invoicing details
• • Transaction history and invoice records

2.5 Verification and KYC Data

• • Government-issued identification documents (passport, national ID)
• • Proof of address documentation
• • Business registration documents

2.6 ICANN-Mandated WHOIS and Registration Data

• • Registrant name and organization
• • Registrant address (street, city, state/province, postal code, country)
• • Registrant email address and telephone number
• • Administrative, technical, and billing contact details
• • Domain name registration and expiration dates
• • Name server information

2.7 Technical Data

• • IP address
• • Browser type, version, and language
• • Operating system and device type
• • Screen resolution and viewport size
• • Referring URL and landing page

2.8 Usage Data

• • Pages viewed, features used, and click patterns
• • Session duration and navigation paths
• • Search queries within our platform
• • Error logs and performance data

2.9 Cookie Data

We use cookies and similar tracking technologies to collect data about your browsing activity. This includes session identifiers, authentication tokens, CSRF protection tokens, consent preferences, and analytics identifiers. For full details, see Section 8 (Cookies and Tracking Technologies) below.

3 Purposes and Legal Bases for Processing

We process your personal data only where we have a valid legal basis under Article 6(1) of the GDPR. The table below sets out each processing purpose and its corresponding legal basis:

4 Disclosure of Personal Data

We do not sell your personal data. We share personal data only with the following categories of recipients, and only to the extent necessary for the stated purposes:

4.1 Sub-Processors and Service Providers

4.2 Legal and Regulatory Disclosures

We may disclose personal data to law enforcement authorities, regulatory bodies, courts, or other governmental agencies when required by applicable law, regulation, legal process, or enforceable governmental request. This includes compliance with Dutch law, EU regulations, ICANN requirements, and valid court orders. We will notify you of such disclosures where legally permitted.

5 Data Retention and Security

5.1 Retention Periods

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. The following specific retention periods apply:

5.2 Security Measures

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3.
• • Encryption at rest: Sensitive data stored on our systems is encrypted using AES-256 encryption.
• • Access controls: Role-based access control (RBAC) ensures that only authorized personnel can access personal data, on a need-to-know basis.
• • Multi-factor authentication: MFA is enforced for all administrative access to our systems and is available for all client accounts.
• • Infrastructure: Our primary infrastructure is hosted in Tier III+ data centers located within the European Union, with physical security controls, redundant power, and environmental monitoring.
• • Security testing: Regular penetration testing, vulnerability assessments, and security audits are conducted to identify and remediate potential vulnerabilities.
• • Certified facilities: Our data center partners maintain ISO 27001 certification for information security management.

6 Your Data Protection Rights

Under the GDPR, you have the following rights with respect to your personal data. These rights are not absolute and may be subject to limitations and conditions as provided by applicable law:

7 Data Location and International Transfers

7.1 Primary Data Storage

Your personal data is primarily stored and processed on servers located in the Netherlands and other European Union member states. Our primary data center infrastructure is located within the EU to ensure compliance with GDPR data residency requirements.

7.2 International Transfers

In certain cases, your personal data may be transferred to countries outside the European Economic Area (EEA), for example when using sub-processors located in the United States (such as Stripe, Front, or ICANN) or when transmitting domain registration data to non-EU registries. When such transfers occur, we ensure that appropriate safeguards are in place in accordance with GDPR Chapter V, including:

• • EU Standard Contractual Clauses (SCCs): We enter into the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) with all sub-processors located outside the EEA that do not benefit from an adequacy decision.
• • Adequacy Decisions: Where the European Commission has determined that a third country provides an adequate level of data protection, we may rely on that adequacy decision for transfers to that country.
• • Schrems II Compliance: In line with the Court of Justice of the European Union's Schrems II ruling (Case C-311/18), we conduct transfer impact assessments and implement supplementary measures where necessary to ensure that the level of protection guaranteed by the GDPR is not undermined.

8 Cookies and Tracking Technologies

We use cookies and similar technologies in accordance with the ePrivacy Directive 2002/58/EC (as amended by Directive 2009/136/EC) and the Dutch Telecommunications Act (Telecommunicatiewet). Cookies that are not strictly necessary require your prior consent.

8.1 Essential Cookies

These cookies are strictly necessary for the operation of our website and Services. They cannot be disabled. They include:

• • Session cookies: Maintain your authenticated session and shopping cart state.
• • CSRF tokens: Protect against cross-site request forgery attacks.
• • Cloudflare Turnstile: Bot detection and security verification to protect our platform from automated abuse.
• • Cookie consent preferences: Store your cookie consent choices.

8.2 Analytics Cookies (Consent Required)

These cookies help us understand how visitors interact with our website. They are only placed after you provide explicit consent:

• • PostHog: Product analytics to understand feature usage and improve our platform. Data processed within the EU.
• • Google Analytics: Website traffic analysis and user behavior insights. Data may be transferred to the United States under SCCs.

8.3 Marketing Cookies (Consent Required)

These cookies are used to track advertising effectiveness and deliver relevant advertisements. They are only placed after you provide explicit consent:

• • Google Ads: Conversion tracking and remarketing for advertising campaigns.
• • Microsoft Advertising: Conversion tracking for Microsoft Ads campaigns.

8.4 Managing Your Cookie Preferences

You can manage your cookie preferences at any time through our cookie consent banner or by adjusting your browser settings. Please note that disabling essential cookies may impair the functionality of our website and Services. You may also opt out of specific analytics and advertising cookies through the respective providers' opt-out mechanisms.

9 Data Breach Notification

9.1 Notification to Supervisory Authority

In the event of a personal data breach, True Registrar will notify the competent supervisory authority (Autoriteit Persoonsgegevens) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR. The notification will include the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach.

9.2 Notification to Data Subjects

Where a personal data breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with Article 34 of the GDPR. The notification will describe the nature of the breach in clear and plain language, provide the contact details of our privacy team, describe the likely consequences, and outline the measures taken to address the breach and mitigate its effects.

9.3 Liability Limitations

Our liability in connection with personal data processing is subject to the limitations set forth in our Terms of Service. While we implement robust security measures to protect your data, no system is completely secure. We are not liable for breaches resulting from circumstances beyond our reasonable control, provided we have implemented appropriate technical and organizational measures as required by Article 32 of the GDPR.

10 Amendments to this Policy

True Registrar reserves the right to update or modify this Privacy Policy at any time to reflect changes in our data processing practices, legal requirements, or business operations. When we make material changes, we will:

• • Provide reasonable advance notice by email to your registered email address and/or by posting a prominent notice on our website.
• • Update the "Last updated" date at the top of this Privacy Policy.
• • Where required by law, seek your renewed consent for any new processing activities.

Your continued use of our Services after the effective date of a revised Privacy Policy constitutes your acceptance of the updated terms. If you do not agree with the changes, you should discontinue your use of our Services and contact us to close your account.

11 Supervisory Authority

The competent supervisory authority for data protection matters concerning True Registrar (PeaceWeb B.V.) is the Dutch Data Protection Authority:

If you are located in another EU/EEA Member State, you also have the right to lodge a complaint with the supervisory authority in your country of habitual residence, place of work, or place of the alleged infringement. A list of EU data protection authorities is available on the European Data Protection Board website.

12 Limitation of Liability and Disclaimers

12.1 Liability for Data Processing

Our liability arising from or in connection with the processing of personal data under this Privacy Policy is subject to the limitation of liability provisions set forth in our Terms of Service. Nothing in this Privacy Policy limits our liability for damages caused by willful misconduct (opzet) or gross negligence (grove schuld) on the part of our management, or any liability that cannot be excluded or limited under applicable Dutch or EU law, including the GDPR.

12.2 Third-Party Processor Actions

While we carefully select our sub-processors and require them to implement appropriate security measures through data processing agreements, we are not liable for the independent actions of third-party processors beyond our reasonable oversight and control. We conduct due diligence on all sub-processors, require contractual data protection commitments, and monitor compliance on an ongoing basis. However, each sub-processor is independently responsible for its own compliance with applicable data protection laws.

12.3 ICANN and Registry Obligations

As a domain registrar, we are subject to mandatory data sharing obligations imposed by ICANN and domain registry operators. We are not liable for the processing of registration data by ICANN, registry operators, or other parties in the domain name ecosystem to the extent that such processing is required by applicable policies, contracts, or regulations governing the domain name system.

13 Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us using the information below.