PIR Privacy Notice

Our globally diverse team is committed to providing a stable online platform where everyone has a voice. As part of our commitment to provide a secure, stable space to empower people’s voices, your privacy is important to us. Likewise, we strive to respect your human rights and fundamental freedoms.

This Privacy Notice outlines what information Public Interest Registry (PIR) collects through your interactions with our products and services, how we use that information, and how we work to protect your privacy and personal data.

 

Privacy Notice (all gTLDs under management)

PIR provides reliable, secure management of the .org, .ngo, .ong, .charity, .foundation, .gives, .giving, .机构, .संगठन, and .орг domains. As the registry operator for these generic top-level domains (gTLD), PIR is responsible for the operation of each gTLD, including maintaining a registry of the domain names within each gTLD.

PIR serves as the registry operator for these gTLDs under contracts with the Internet Corporation for Assigned Names and Numbers (ICANN), a not-for-profit private sector organization which is charged with coordinating and ensuring the stable and secure operation of the Internet’s unique identifier systems.

This Privacy Notice outlines policies that apply to information processed in conjunction with all PIR’s products and services.
Inquiries can be made electronically via e-mail at privacy@pir.org, or via mail to Public Interest Registry c/o Privacy Office, 11911 Freedom Drive, 10th Floor, Suite 1000, Reston, VA 20190, USA, or via PIR’s EU Representative at datenschutz@rickert.net or Rickert Rechtsanwaltsgesellschaft mbH, Kaiserplatz 7-9, 53113, Bonn, Germany.

 

I. Why Do We Collect Information?

As a registry operator, PIR has the responsibility to maintain the operation of each of its gTLDs, including effecting registrations in TLDs and maintaining a registry of the domain names within each gTLD.  PIR takes actions to process information and directs the actions of third parties to process data in connection with our responsibilities as a registry operator to ensure domain name registrations function in a predictable and reliable way as required by our contracts with ICANN.

As defined by our ICANN contracts, PIR works with ICANN accredited registrars to enable the sale of domain names and to ensure those domain names properly function for registrants (domain name owners).  In order to provide domain name services and maintain a secure zone, registrars are required to collect information from registrants upon registration of a domain name.  Registrars are then required to pass certain information to registries to maintain the functionality of the zone.  All of these requirements are outlined in both the registry and registrar contracts with ICANN and the subsequent required contracts between registries and registrars.

Registrars are responsible for collecting and transferring registration data, presenting each registrant with their privacy policies, that of their registry partners, and information on the mechanisms for access and correction of their data.  Because you may choose any ICANN accredited registrar to register a domain name, questions regarding a registrar’s privacy policy or practices should be directed to your Registrar.

ICANN, registries, and registrars are joint controllers for all information collected, stored, transferred, and processed in line with our Registry contracts with ICANN.

In addition to the joint controller relationship between ICANN, registries, and registrars, registries and registrars are required to securely escrow registry data with ICANN accredited data escrow providers to provide protection against the unlikely event of registry or registrar failure or loss.

PIR will also collect and process information from employees and applicants seeking employment with PIR.  Information collected for employment and hiring will only be used for those purposes and will only be retained for as long as is required by applicable law.

 

II. Information We Collect

PIR receives domain name registrations, and the associated personal data provided upon registration of a domain name by registrants, from ICANN accredited registrars.  In addition to domain name registration data, PIR collects information from users interacting with our websites and services. The data PIR collects depends on your interactions with our websites and services:

  • Much of what we collect is provided directly by you during the process of registering a domain name from an ICANN accredited registrar pursuant to a domain name registration contract.
  • We collect information about you when you interact with a PIR website, participate in a survey, request a newsletter or mailing list membership, and apply for a job.
  • PIR may also obtain data from sources such as cookies, third-party website analytics and ad platforms (Google), publicly available datasets, and third-party data analysis.

1. Registrants

PIR accepts domain name registrations only from ICANN-accredited domain name registrars. PIR does not accept domain name registrations directly from registrants. When you register a domain name through a registrar, the registrar collects information (in accordance with their ICANN accreditation and ICANN contract requirements) and discloses it to PIR (Registration Data or WHOIS Data). Registrant data is not collected at the registry level by PIR. Information may be collected from the registrant, a nominated administrative domain contact, technical contact, or billing contact. This Notice defines “registrant” or “you” as these persons. Registrars then pass the registrant data to PIR as required by our contracts with ICANN to fulfill our requirements and service as a registry operator to register and maintain the domain name. A list of registration data received and processed by PIR:

Domain Name:
Registrant ID:
Registrant Name:
Registrant Organization: (optional input)
Registrant Street:
Registrant Street:
Registrant City:
Registrant State/Province: (optional input)
Registrant Postal Code:
Registrant Country:
Registrant Phone:
Registrant Fax: (optional input)
Registrant Email:
Admin ID:
Admin Name:
Admin Organization: (optional input)
Admin Street:
Admin Street:
Admin City:
Admin State/Province: (optional input)
Admin Postal Code:
Admin Country:
Admin Phone:
Admin Fax: (optional input)
Admin Email:
Registry Tech ID:
Tech Name:
Tech Organization: (optional input)
Tech Street:
Tech Street:
Tech City:
Tech State/Province: (optional input)
Tech Postal Code:
Tech Country:
Tech Phone:
Tech Fax: (optional input)
Tech Email:

Please note that each registrar has its own policies and procedures and you should review a registrar’s privacy policy and procedures prior to your registration of a domain name.

 

2. Website Users

a. User Information

You may visit PIR websites without identifying yourself. If you are interested in our services (other than registering a domain name, which must be done through an accredited registrar) or wish to subscribe to our newsletter, you may be required to register with PIR. When you register, we may request certain personal data, including your name, address, e-mail address and other personal data. In addition to website registration, PIR may request personal data for purposes such as the provision of customer service, service offerings, network management, surveys, and other exchanges of information.

b. Cookies

A cookie is a small data file that certain websites write to your hard drive when you visit the site. A cookie file can contain information that allows PIR to track the pages you have visited. PIR uses cookies to tell when a user is a repeat visitor and to let us know how the user found the website. Cookies also allow us to automatically link users to their personalized accounts (should you choose to register with PIR), enabling you to enter various services as a member and to visit member-restricted areas of the site without having to log in each time. This applies to the use of cookies by PIR and does not apply to the use of cookies or other tracking technologies used by any third parties.

Visitors to our sites have the option to disable cookies via their browser preferences or through www.allaboutcookies.org. You can refuse cookies by turning them off in your browser (Google Chrome, Safari, Internet Explorer, Firefox). However, PIR maintains a legitimate interest in using cookies, as some portions of our website and services will not work if the ability to accept cookies is disabled. This applies to the use of cookies by PIR and does not apply to the use of cookies or other tracking technologies used by any third parties.

c. Analytics

PIR utilizes third-party data analytics for our website (Google) (i.e., cookies, log files, usage data, IP address, browser, and click stream data) to track general website performance. However, all website analytic data is aggregate and anonymous. Third-party data analytics platforms have access only to aggregate anonymous data. PIR also uses general performance data from third-party ads and may use that data to analyze and evaluate the effectiveness of our website design, services, marketing, and campaigns.

d. Third-party Links

This Privacy Notice only addresses the processing of personal data you provide to PIR via this website. The processing of any data you disclose to other parties via third-party links will be governed by their privacy policies. In some cases PIR will use a software/host to administer services (e.g., .ORG Impact Award entries). These services may require use of their own cookies and analytics to provide the service. Users should be aware of their personal privacy settings when using platforms and apps and update them to manage your privacy preferences. PIR is not responsible for the privacy policies of other websites. We encourage you to familiarize yourself with the privacy policies of other websites you visit.

e. User generated content

PIR is not responsible for maintaining as confidential any personal or other data posted by you on message boards hosted by our websites. Voluntarily disclosing such personal data makes your information publicly available.

f. Log files

PIR gathers information about all users collectively, such as what areas of its sites users visit most frequently and what services users access most often. This data is logged and aggregated so we may use it to understand user behavior and for system-performance monitoring. PIR does not maintain individual log file data and only maintains aggregate user statistics which are not capable of identifying an individual. PIR may disclose aggregated user statistics to describe the service to prospective partners, advertisers, and other third parties and for other lawful purposes.

g. Third-party advertisement

PIR may utilize third-party ads (Google, Facebook, Instagram). In general, PIR receives only general ad performance data and does not receive any personal data from the third-party ad platform; however, PIR does employ lead generation within ads where the user is given the option to provide informed consent to receive an email contact for a specific and limited purpose. The user may still engage with the ad and service without providing any personal information and the third party does not receive any of the personal data. Any data, other than lead generation in ads, received by PIR via third-party ad platforms will be aggregate and anonymous. PIR does not use personal data to target ads; however, third-party advertisers may use data you submit to them to provide advertisements. In order to control your advertisement preferences as part of third-party platforms, you must update your account settings in those platforms or in your browser. PIR takes care to structure any online advertisements to not target any individual natural person, not perpetuate any stereotype or social segregation, be fair and not create discrimination by denying natural persons access to employment opportunities, services, or target them with any risky financial ventures or services.

h. Children

Please note that we do not knowingly solicit information from children, and we do not knowingly market our products or services to children. If you have reason to believe anyone under the age of 18 has provided PIR with any personal data, please contact us at privacy@pir.org.

i. Sensitive Personal Information

Similarly, PIR does not ordinarily or knowingly require or collect sensitive personal information (information specifying medical or health conditions, racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, or information specifying sex life of an individual).

j. DNS Abuse Institute (Institute) & Compass

The DNS Abuse Institute (Institute) was created by, and is a part of, PIR, and is tasked with creating outcomes-based initiatives that will create recommended practices, foster collaboration, and develop industry shared solutions to combat abuses of the Domain Name System (DNS). DNSAI: Compass (Compass) is an initiative of the Institute to measure the use of the DNS for phishing and malware. In order to access the service, users of Compass may be asked to provide personal data. In order to provide access to the Compass dashboards, that personal data will also be securely processed through PIR’s instances of Snowflake and Tableau. If you have questions about the Institute’s NetBeacon initiative, it has a separate Privacy Policy located here.

 

3. Employment Data

During the interview, hiring, and onboarding process, PIR will process personal data applicants and employees provide to PIR in order to fulfill PIR’s employer obligations to employees and/or job applicants as outlined in its Human Resources Policies, including its Employee Data Notice.

The data collected for employment purposes will not be used by PIR for any other purpose. PIR will only retain employment information for as long as is required by applicable law.

If you have any questions or concerns about employment data, please feel free to contact Human Resources at hr@pir.org or the Privacy Office at privacy@pir.org.

 

III. Purpose for Using Personal Data

PIR will make all reasonable efforts to ensure that personal information is processed only for the purposes set out below (including to provide the services requested by you and to fulfill PIR’s contracts with ICANN). We will make all reasonable efforts to ensure that personal information is not further processed in a way incompatible with the purpose for which it was collected or received. PIR will only disclose this information, or elements of this information, in certain situations defined below in the Data Sharing and Disclosure section.

 

1. Domain Name Registration

PIR uses the information provided by registrars to effect domain name registrations and to maintain the security and stability of our TLDs to ensure continued and reliable function to domain name users; to conduct analysis in order to optimize our service to you; and to investigate and mitigate abuse in line with PIR’s Abuse Policy. In addition to ensuring the secure and stable registration and operation of your domain name, PIR may use registration data to improve our services, promotions, and systems and to develop and collect aggregate anonymous statistics related to PIR’s systems and services. In addition, because .ngo and .ong are restricted TLDs, meaning that only non-governmental organizations may register these domain names, PIR will use the registration information we receive from registrars, as well as additional credential information provided by the registrant organization, to complete an audit to assess compliance with the Eligibility Requirements of .ngo and .ong.

 

2. WHOIS

PIR is required by our ICANN contracts to maintain a public searchable WHOIS or RDDS lookup for domain names in our TLDs. To that end, PIR will display all non-personal registration information publicly via both web-based WHOIS or RDDS lookup and a Port 43 WHOIS service. PIR will retain and maintain the full set of registration information provided by registrants upon registration of a domain name.

 

3. Website & Third-party Ad Information

If you submit personal data to PIR through our website, we may use that information to assist with the functionality of the website. This may include sending you information you have requested to receive (i.e. newsletters, emails from lead generation ads) and providing you with policy and services updates. Be aware that any information you voluntarily provide via message boards or public discussion tools becomes publicly available information and may be used by PIR or others.

PIR collects aggregated anonymized data from visitors to our websites via third-party data analytics (Google) (i.e. cookies, log files, usage data, IP address, browser, click stream data, etc.) as well as general performance data from any third-party ads and may use that data to analyze and evaluate the effectiveness of our website design, services, marketing, and campaigns.

 

4. DNS Abuse Institute (Institute) & Compass

Personal data submitted to PIR by users of the Institute’s Compass dashboards will be processed solely to provide the requested service, access to Compass dashboards. Personal data will be processed through PIR instances of Snowflake, Tableau, Azure, AWS, and SharePoint software in order to provide access to the PIR developed dashboards.

 

5. Employment Data

PIR will process employee information in order to fulfill PIR’s employer obligations as outlined in its Human Resources Policies. During the job application process PIR may collect applicant information in order to evaluate and contact candidates.

 

IV. Lawful Bases for Processing Personal Data

PIR processes your personal data: (a) based on the performance of a contract to which you are a subject or (b) where we have a legitimate business interest in doing so.

When a person requests and registers a domain name through a registrar, they agree to a domain name registration contract. In order to provide the requested domain name registered in a person’s name (or in the name of the organization), PIR, as a registry, must use the information received from the registrar to effect a domain name registration and ensure domain name function throughout the registration period.

PIR may also have a legitimate interest in using personal data that is provided by you in order to optimize our service to you and your experience on our Website. PIR may also use third-party data providers to process data in the use of their services to provide online advertisement.

PIR will process data related to the Institute’s Compass dashboards based upon user consent, which will be recorded and is revocable at any time by the user.

 

V. Data Sharing and Disclosure

 

1. Partners and Service Providers

Our trusted processors (vendors, subcontractors, and other similar business partners) are responsible for processing some of the personal data that we receive. Therefore, PIR discloses some personal data as received from your registrar to our processors. These processors are not authorized to use such personal data for purposes beyond those specified by us and to the extent that they process any personal data they are required to provide security and privacy protections in line with PIR’s Privacy Policy and in compliance with applicable privacy and data protection laws.

a. WHOIS and Registration Data

PIR only requires the registrars to disclose to us the registration data dictated by ICANN as necessary for the registration and maintenance of a domain name. ICANN requires the maintenance of both web-based WHOIS access and Port 43 WHOIS access. The below shows the non-personal data that PIR will make publicly available via PIR’s web-based WHOIS portal and Port 43 access pursuant to the redaction requirements in ICANN’s Interim Registration Data Policy for gTLDs.

Domain Name: example.tld
Registry Domain ID: D13664-LRMS
Registrar WHOIS Server:
Registrar URL: www.example.tld
Updated Date: 2017-07-13T15:15:13Z
Creation Date: 2001-07-29T23:51:48Z
Registry Expiry Date: 2018-07-29T23:51:48Z
Registrar Registration Expiration Date:
Registrar: Example Registrar
Registrar IANA ID: XXX
Registrar Abuse Contact Email: abuse@pir.org
Registrar Abuse Contact Phone: +XX.XXXXXXX
Reseller:
Domain Status: ok https://icann.org/epp#ok
Registrant Organization:
Registrant State/Province:
Registrant Country:
Name Server:
DNSSEC:
URL of the ICANN Whois Inaccuracy Complaint Form
Last update of WHOIS Database:

In addition, we may share aggregated demographic information with our business partners and the press. This is not linked to any personal data that can identify any individual.

b. Data Escrow Provider

PIR is required by its contracts with ICANN to escrow all the registration data PIR receives from registrars by providing a copy to a trusted third party (Data Escrow Providers). The Data Escrow Providers are accredited by ICANN and are tasked with securely holding the data. They are not authorized to process the data for any other purpose. In the event of a registry technical failure, the securely held data will be used to ensure the continued functionality of registered domain names. This backup mechanism is a protective measure that ensures the continued stable and secure operation of the DNS.

c. Identity Digital

While PIR is the registry operator for the .org, .ngo, .ong, .charity, .foundation, .gives, .giving, .机构, .संगठन, and .орг domains, we contract Identity Digital Inc. to be our technical registry services provider. To make the chosen domain name a functional address on the Internet, PIR discloses data to TLD server administrators for the purpose of ensuring that the domain name bundle operates as a functional address on the Internet. As a processor, Identity Digital receives registrant information solely for the purpose of processing the information on behalf of PIR to perform the technical functions to effect domain name registrations.

d. Sharing the information we collect on our website & via third-party ad platform (Google, Facebook, Instagram)

The information that you supply to PIR through this site, OnGood, or through a promotional program conducted by PIR will never be given, sold, rented, loaned, or otherwise disclosed to any third parties outside of PIR, except where outlined above or under special circumstances. Third-party ad providers (Google, Facebook, Instagram) may have access to data that PIR does not control or share and is subject to the third-party’s privacy policies and is not governed by PIR. Our Exceptions and Special Circumstances Policy (below) permits PIR to share information when it is necessary to comply with legal process or protect the rights, property, or personal safety of PIR, its customers, or the public.

e. Links and third-party collection

This Privacy Notice only addresses the processing of personal data we collect from you. The processing of any data you disclose to other parties will be governed by their privacy policy. Users should be aware of their personal privacy settings when using platforms and apps and update them to manage your privacy preferences.

f. Traffic Data

PIR is authorized by our contracts with ICANN to make use of “traffic data” for a variety of purposes (the relevant registry contract provision can be viewed here; Sec. 3.1(f)). PIR makes use of traffic data for technical purposes to enhance security and stability in its operations. PIR may make use of such data for purposes connected with the sale of domain names provided that such use does not involve collection or dissemination of personally identifiable information.

g. Software Providers

PIR utilizes third-party software providers (Microsoft, SharePoint, Azure Services, Amazon Web Services, Snowflake, and Tableau) to allow us to do internal research in order to maintain and improve the services we provide. This data is only shared with providers which have appropriate data processing agreements in place and they are prohibited from processing PIR provided data for any other purposes. In some instances PIR will process personal data provided to us via our instances of Snowflake and Tableau in order to provide the service requested by the user.

2. Exceptions and Special Circumstances

There are occasionally special circumstances that require PIR to disclose information which could include personal data.

In certain circumstances, PIR must disclose information beyond the limits outlined above including when it is necessary to fulfill a transaction or provide information you have requested; necessary to protect the rights, property or personal safety of PIR, its customers or the public; in the vital interests of the data subject or another person; required by law or necessary to respond to legal process; necessary to meet the requirements of requests, lawfully made by public authorities, including requests to meet national security or law enforcement requirements.

PIR reserves the right to disclose personal data or non-personal data that PIR believes, in good faith, is appropriate or necessary to enforce our Registry Policies, and to protect the security or integrity of our Website.

 

VI. How to Access, Amend, and Control Your Personal Data

If you have any questions about a domain name registration, you should begin by contacting the registrar of record. Except for certain extraordinary circumstances, PIR only alters a record in the registry at the request of a relevant and authorized registrar.

If you are a domain name registrant and wish to update your domain account information, you should do so through your sponsoring registrar.

If you are another type of user, you may request to have your personal data changed or corrected (e.g., a change of address). If you object to the processing of your personal data by third party service providers for online advertising please change your personal privacy settings within those services (i.e. Facebook Companies, Google, Twitter) or in your browser.

You may also wish to contact us should you no longer desire our service. You may contact PIR via e-mail at privacy@pir.org or at Public Interest Registry, c/o Privacy Office, 11911 Freedom Drive, 10th Floor, Suite 1000, Reston, VA 20190, United States of America.

 

Special Note for EU Data Subjects

1. Data Subject Rights

The EU General Data Protection Regulation (2016/679) affords you certain rights. Where applicable you may request confirmation that PIR does or does not process personal data related to you. You may request a copy of your personal data or request that a copy is sent to a third party. You may request that your data, such as your address, is amended or corrected. In some circumstances you may request that your data processed by PIR be deleted. You may also request, in certain cases, that we restrict processing of your personal data by PIR. You also have the right to object to receiving direct marketing. To the extent your information is processed by PIR based upon consent, you may withdraw that consent at any time.

Should you wish to exercise any of these rights or other rights afforded you by the GDPR please contact us via e-mail at privacy@pir.org, or at Public Interest Registry, c/o Privacy Office, 11911 Freedom Drive, 10th Floor, Suite 1000, Reston, VA 20190, United States of America.

You may contact PIR’s EU Representative at datenschutz@rickert.net or Rickert Rechtsanwaltsgesellschaft mbH, Kaiserplatz 7-9, 53113, Bonn, Germany.

2. Data Transfer

In order to fulfill the requirements of our contracts with ICANN and registrars, and to provide the promised services to you, PIR may receive data from EEA countries or transfer your data to third countries. PIR, as a non-profit, US-based entity, is not able to avail itself of the Privacy Shield Frameworks and instead transfers EEA data to third countries as is necessary to perform the requirements of our contracts using model contractual clauses as our legal basis for transfer. Ordinarily, PIR will not operate on the basis of consent; however, for certain non-contractual operations, PIR may transfer your data on the basis of consent. In such cases, your consent will be explicitly requested and is revocable at any time.

 

VII. Security

PIR takes strong precautions to protect information and continually strives to ensure we are adhering to industry best practices and security standards. When you submit personal data via our websites or when registrars submit specifics about a domain name registration, as required by our ICANN contracts, your personal data are protected both online and offline.

We are required to take reasonable steps to protect personal data from loss, misuse, unauthorized disclosure, alteration, or destruction and not to use or authorize the use of personal data in a way that is incompatible with the purposes for which it was collected or with the notice provided to registrars. All joint controllers and vendor (third party processors) partners are to adhere to the requirements in this privacy policy and to meet security standards that are commensurate with the data they receive and process. These third parties also have their own privacy and security policies. Should you have questions about their privacy policies or security practices, you should contact them.

1. Data Breaches

PIR, upon discovering a data breach, will ensure we meet all data privacy requirements, including GDPR Articles 33 and 34 where applicable.

2. Data Retention

PIR does not retain personal data for any longer than is necessary for its original purpose.

 

VIII. Update

We reserve the right to amend this Privacy Notice at any time. This Privacy Notice was last updated in October 2023.