Privacy notice
Nominet UK Privacy Policy
- Introduction
- Important information and who we are
- The data we collect about you
- How we use personal data
- Disclosures of personal data
- International transfers
- Data security
- Data retention
- Your legal rights
- Keeping your personal data accurate and current
- Third-party links
- Changes to this privacy notice
1. Introduction
We’re Nominet – operator of the official registries for .UK and other top-level domains such as .wales and .cymru. We also provide domain name system (DNS) and registry services to both public and private sector organisations. As a public benefit organisation, we focus on driving positive change through technology and fund projects to make this happen.
In this notice we explain how we use the personal data we collect via our websites and in connection with operating the registries, providing our services to customers and carrying out our public benefit activities.
This notice applies to:
- Members: individuals and representatives of corporate entities, who are members of Nominet
- Registrants: individuals, and representatives of corporate entities, who are recorded in the registries as being responsible for a domain
- Registrars: individuals, and representatives of corporate entities, who act as agents on behalf of Registrants in the registration, renewal and other administration of domains
- Resellers: individuals, and representatives of corporate entities, who are resellers of Nominet’s services
- Customers: representatives of our private and public sector corporate customers to whom we provide registry and DNS services
- Suppliers: individual contractors and representatives of companies that provide goods and services to us
- Public benefit partners: representatives of companies and organisations we work with to deliver our public benefit activities
- DRS Experts: individuals who act as independent adjudicators in domain name disputes submitted to our Dispute Resolution Service
- Website visitors: visitors to the websites we operate
- Subscribers: individuals who create an account to access training content we make available on our websites
- Members of the public: individuals who have contact with Nominet as a result of activities such as taking part in consultations we run, attending events we organise and participating in the public benefit activities we fund
These individuals are the data subjects of the personal data described in this privacy notice.
We have separate privacy notices for job applicants and staff, which we provide to applicants when they apply for jobs with us and to staff when they accept a job with us.
Our websites are not intended to be used by children and we do not knowingly collect data relating to children.
2. Important Information and who we are
Controller
We are Nominet UK, a limited company incorporated in England and Wales (company number 3203859). We are the controller of the data processing described in this notice.
Data Protection Officer
We have appointed a data protection officer (DPO) who is responsible for overseeing Nominet’s compliance with data protection laws. If you have any questions about our processing of personal data or this privacy notice, including any requests to exercise your legal rights, please contact the DPO using the details set out below.
Contact details
By post: Nominet UK, Minerva House, Edmund Halley Road, Oxford Science Park, Oxford OX4 4DQ.
By email: dpo@nominet.uk
3. The data we collect about you
Personal data means any information that can be used to identify an individual, whether by itself or in combination with other information.
We collect personal data in three ways: directly from individuals, from third party sources (such as Registrars in the case of Registrants), and using automated technologies.
The personal data we collect and use includes:
- Membership Data: Details about Members including name, postal address, admin and voting contact name and contact details, membership start date, membership status, voting rights, account ID number and credit account number. Name and contact details are provided to us by Members when they apply for membership and we assign account/ID numbers and create records of start dates, status and voting rights.
- Registration Data: Details about individuals associated with domain names that are recorded in the registries we operate, including:
- contact role: registrant, administrative, technical or billing
- contact details: full name (or role if applicable), organisation name (if applicable), postal address, email address, telephone number, fax number
- record of whether contact has given consent to the publishing of its name and address
- domain configuration data
- name and contact details of the Registrar that sponsors the domain
- any other information that Nominet is required to collect in connection with operating the registries pursuant to applicable law
- This information is provided by Registrants or their Registrars.
- Account Data: This includes details associated with accounts we make available, including registry accounts for Registrants and Registrars, support portal accounts for Customers, Member Hub and Community accounts for Members and online training accounts for Subscribers, such as username, login credentials/password, name and other details recorded in the account. This information is provided by individuals when they set up accounts, although names and email addresses may be provided by Registrars, Customers and Members to enable us to set up accounts for their representatives or invite them to create accounts.
- Identity Verification Data: Details about Registrants, Registrars and Members such as first name, maiden name, last name, username or similar identifier, marital status, title, date of birth, gender, nationality and citizenship obtained from a photo, photo identification document such as a passport or driving licence and proof of address document such as a bill or bank statement. This information is provided by Registrants, Registrars and Members themselves when we have asked them to verify their identity (see our ID Verification page for further detail about when verification is required and how it works). We may also consult publicly available data sets such as Companies House and the Electoral Register to verify this information.
- Contact Data: Details relating to DRS Experts and representatives of our Customers, Registrars, Resellers, Suppliers, Members and Public Benefit Partners, including name, job role, organisation, work address, email address and telephone number. This information is provided directly by the DRS Experts and representatives themselves or the Customer, Registrar, Reseller, Supplier, Member or Public Benefit Partner they work for when they interact with us.
- Correspondence Data: Information we receive when people communicate with us via email, phone, post, online chat and online contact forms, including name, contact details, information contained in the communication content, communication metadata such as the time and date of the call or submission of the email, online chat query/response or online form.
- Transaction Data: Details about payments to and from individual Registrants, Registrars, Members, Suppliers and DRS Experts. We create records of such payments in the course of performing our contracts and operating our Dispute Resolution Service.
- Technical Data: Information about the devices Website Visitors use to access our websites, including internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices. This information is collected automatically using technologies including cookies and server logs. See the cookie notice on the website you have visited for further information.
- Usage Data: Information about how Website Visitors use our websites and the products and services made available on our websites, such as which pages people visit and how long they spend on each page. This information is collected automatically using technologies including cookies and server logs. See the cookie notice on the website you have visited for further information.
- Marketing and Communications Data: Information about marketing communication preferences, such as subscriptions to our mailing lists or news alerts.
- Event Data: Information we collect in connection with running events such as name, contact details, related organisation and access and dietary requirements, provided by or on behalf of attendees when registering for our events.
- DEI Data: Information relating to diversity, equity and inclusion of people with different demographics, such as ethnicity and gender. This information is provided by the individuals who attend our events or interact with us in other ways if we ask for this information.
- Dispute Resolution Data: Information used and shared with the parties to a dispute managed through our Dispute Resolution Service, including Registration Data for the domain that is the subject of the dispute, names and contact details of the parties, name of the DRS Expert (if appointed) and other information disclosed in the claim and response.
- Member Forum Data: Information used by us to enable Members to participate in our Member Forum and Community including Contact Data, Account Data and information that Members choose to submit or share in the Forum or Community.
- Domain Usage Data: Information about domains including a screenshot of the website, a copy of the html code and information about any SSL certificates present. Some of this information may contain personal data to the extent that it is published on a publicly available website. We collect this information by running a web crawling application. See section on ‘Analysing domain name usage’ below for more detail about this activity and how website operators can prevent this data collection.
4. How we use personal data
We only use personal data when the law allows us to. Most commonly, we use personal data to the extent it is necessary:
- For the purposes of our legitimate interests (or those of a third party) where your interests and fundamental rights and freedoms do not override those interests.
- To comply with a legal or regulatory obligation.
Occasionally, we may rely on consent as a legal basis for processing personal data where the above legal bases are not applicable. We will make it clear when we are asking for consent to process your personal data for a particular purpose.
Purposes for which we use personal data
We have set out below the purposes for which we use personal data and the legal bases we rely on for those processing purposes. Where we rely on legitimate interests as our legal basis, we have also identified what those legitimate interests are.
It’s possible that more than one legal basis will apply to some of our processing purposes. Please contact us if you have any questions about the specific legal basis we rely on to process your personal data where more than one basis has been set out in the table below.
| Purpose | Type of data | Lawful basis for processing (including legitimate interest) |
|---|---|---|
| Undertaking corporate governance activities, including keeping membership records and arranging and keeping records of general meetings and elections | Membership Data | Necessary for our legitimate interests (operating our business in accordance with applicable law and good business practice). Compliance with legal obligations under applicable company law |
| Maintaining and operating top level domain registries | Registration Data | Necessary for our legitimate interests (maintaining an accurate and comprehensive record of the domains we manage) |
| Enabling Registrants and Registrars to manage domains and update Registration Data in the registries via accounts | Account Data | Necessary for our legitimate interests (maintaining an accurate and comprehensive record of the domains we manage) and the interests of Registrants and Registrars (being able to manage domains and update Registration Data easily and securely) |
| Ensuring the security, integrity and availability of the registries we operate and registry accounts | Account Data Identity Verification Data Technical Data Usage Data | Necessary for our legitimate interests (maintaining an accurate and comprehensive record of the domains we manage and preventing unauthorised or illegal access to the registries and Registration Data) |
| Making Registration Data available via a publicly accessible search tool | Registration Data | Inclusion of data about Registrars is necessary for the legitimate interests of third parties (having a point of contact for queries relating to a domain) Inclusion of data about Registrants and other contacts is based on consent (Registrants and other contacts choose whether to opt in to such publication) |
| Disclosing Registration Data to third parties in accordance with our Data Release Policy | Registration Data | Necessary for the legitimate interests of a third party (such as a trade mark holder wanting to identify the Registrant of a domain name so they can be included in a Dispute Resolution Service complaint, solicitors acting for a party that is trying to enforce their intellectual property rights, or a law enforcement agency requesting data on a domain so that it can investigate and take action on illegal use of the domain) If the request comes from a law enforcement agency, it may be necessary for us to disclose the information in order to comply with a legal obligation |
| Operating our Dispute Resolution Service, including notifying Registrants when a complaint has been raised against them | Dispute Resolution Data | Necessary for our legitimate interests (resolving complaints concerning domains we manage) and those of third parties (such as enforcing intellectual property rights or challenging abusive domain name registrations) Where a dispute relates to alleged cybersquatting, operating our Dispute Resolution Service is necessary to comply with our legal obligations under The Internet Domain Registry (Prescribed Practices and Prescribed Requirements) Regulations 2024 |
| Publishing Dispute Resolution Service decisions for cases that have gone to adjudication via our Decision Search Tool | Names of the parties (which may be company names), details of the case and decision, name of the independent adjudicator | Necessary for our legitimate interests and those of third parties (transparency and accountability regarding Dispute Resolution Services adjudicated decisions, as set out in our Dispute Resolution Policy) |
| Publishing Registrars’ contact details on our List of Registrars | Registrar details contained in Registration Data | Consent (Registrars can opt in and out of having their details published in the list) |
| Publishing Members’ contact details on our List of Members | Member name and contact details contained in Membership Data and other information Members ask us to publish | Consent (Members can opt in and out of having their details published in the list) |
| Taking action to prevent illegal use of domains, such as suspending or cancelling domains used or suspected of being used for illegal purposes, contacting the relevant Registrant or Registrar in relation to our actions regarding such domains and assisting law enforcement authorities with their investigations and enforcement action regarding such domains | Registration Data Correspondence Data (third party reports of illegal use of domains we manage) | Necessary for our legitimate interests and those of third parties (ensuring the domains we manage are not used for illegal purposes and preventing harm to individuals or the public at large) Where we are responding to requests or orders from law enforcement agencies, it may be necessary for us to disclose Registration Data in order to comply with a legal obligation We also have a legal obligation under The Internet Domain Registry (Prescribed Practices and Prescribed Requirements) Regulations 2024 to take steps to prevent or stop domains being used or intended to be used for activities prohibited under those regulations |
| Providing our services to Customers, including communicating with Customer representatives about the services, receiving payment for the services and providing support to Customer staff in relation to the services | Contact Data Correspondence Data Account Data | Necessary for our legitimate interests (providing services in accordance with our Customer contracts) |
| To register and manage attendance at in-person and virtual events | Contact Data Event Data Correspondence Data DEI Data (if collected in relation to the event) | Necessary for our legitimate interests (to organise events for the benefit of us and our stakeholders in a safe and orderly manner) If we collect DEI Data, we consider that this is necessary for the public interest purpose of monitoring equality of opportunity or treatment We rely on attendees’ consent to process any special category data revealed in access or dietary requirements |
| Performing and managing our contractual relationships with Members, Registrants, Registrars, Resellers, Customers, Suppliers, Public Benefit Partners and DRS Experts, including making and receiving payments and keeping financial transaction records | Contact Data Correspondence Data Transaction Data | Necessary for our legitimate interests (carrying out our business activities via contracts with Members, Registrants, Registrars, Resellers, Customers, Suppliers, Public Benefit Partners and DRS Experts and maintaining records in accordance with good business practice and applicable law) Maintaining financial transaction records is also necessary for compliance with our legal obligations under applicable finance and tax laws |
| Communicating with, and providing important information to, Members, Registrants, Registrars, Resellers, Customers, Suppliers, Public Benefit Partners, DRS Experts and members of the public, such as providing important news and service updates and responding to enquiries | Contact Data Correspondence Data | Necessary for our legitimate interests (communicating and maintaining good relationships with our stakeholders and conveying important information) |
| Enabling Members to participate in our Member Forum and Community | Member Forum Data | Necessary for our and our Members’ legitimate interests (enabling Nominet and Members to communicate with each other) |
| Running surveys as part of our engagement with Registrants, Registrars, Customers, Members, DRS Experts and members of the public | Contact Data Any personal data contained in survey responses | Necessary for our legitimate interests (understanding how Registrants, Registrars, Customers, Members and DRS Experts use our products and services to inform our business strategy, improve and develop our products and services and maintain positive relationships with our stakeholders) |
| Enabling Subscribers to access training content we make available on our websites, save progress on training courses and records of completed courses and receive communications relevant to the training completed | Account Data | Necessary for our legitimate interests (engaging with website visitors and the wider public) and Subscribers’ legitimate interests (accessing free training) |
| Running prize draws and competitions | Contact Data (collected via online forms) | Necessary for our legitimate interests (carrying out our public benefit activities) |
| Administering and protecting our websites (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | Account Data Technical Data Usage Data | Necessary for our legitimate interests (promoting our business by operating useful, safe, secure and resilient websites and systems and preventing fraud and other illegal activities via our websites) |
| Delivering relevant website content and advertisements and measuring and understanding the effectiveness of our online advertising | Usage Data Technical Data | As this activity involves use of non-necessary cookies and similar technologies, we rely on user consent provided via the cookie preference tools we make available on our websites |
| Using data analytics and customer interaction information to enhance and improve our websites, products, services, marketing and user relationships and experiences, such as adding new content and features | Technical Data Usage Data Account Data (server logs) | As this activity involves use of non-necessary cookies and similar technologies, we rely on user consent provided via the cookie preference tools we make available on our websites |
| Sending marketing communications by email and post (See Marketing section below for further detail.) | Contact Data Marketing and Communications Data | Necessary for our legitimate interests (developing our products and services and growing our business) |
| Analysing domain name usage (See Analysing domain name usage section below for further detail.) | Domain Usage Data | Necessary for our legitimate interests (understanding the market and how domains are used by Registrants, identifying security vulnerabilities and identifying changes over time to inform our business and marketing strategy) |
Marketing
We may use your Contact Data and Marketing and Communications Data to send you marketing communications if:
- you have specifically requested information about our products or services
- you have subscribed to one or more of our mailing lists or newsletters
- you are a representative of a Customer that has previously purchased products or services from us
- you provided us with your Contact Data when you entered a competition or prize draw or completed a survey
You can opt out of receiving marketing from us when we first collect your Contact Data and at any time after that and can unsubscribe from our mailing lists at any time using the unsubscribe links in our emails or by contacting us at dpo@nominet.uk.
Analysing domain name usage
We monitor usage of domains by collecting Domain Usage Data on a regular basis. We collect and analyse this information to help us better understand the market and how domains are used by Registrants, identify security vulnerabilities and identify changes over time. To keep bandwidth to a minimum, we restrict the number of times we visit an individual website.
Change of purpose
We only use personal data for the purposes for which we collect it, unless we reasonably consider that we need to use it for another purpose that is compatible with the original purpose. We may update this notice from time to time to reflect new processing purposes and explain the legal bases we rely on for those purposes.
Other purposes
In addition to the purposes described above, we may need to process personal data for other legitimate purposes such as:
- protecting, enforcing and defending our legal rights or the rights of others;
- complying with legal obligations such as court orders for disclosure, data sharing requests from law enforcement agencies and record-keeping requirements under financial, tax and other applicable laws; and
- protecting the vital interests of individuals.
When we use or disclose personal data for these purposes, we do so in accordance with data protection laws and only use or disclose personal data to the extent necessary to achieve those purposes.
5. Disclosures of personal data
This section sets out the circumstances in which we share personal data with third parties.
Pursuant to our Data Release Policy
We may disclose Registration Data to third parties with a legitimate interest in accordance with our Data Release Policy.
Through our publicly accessible register
We make Registration Data available in our publicly accessible domain search tool. Details of Registrants and other contacts are only made available if they have consented to that publication. Registrar details are made available by default so that third parties have a point of contact for queries relating to domains.
To our service providers
We engage third party service providers who provide services and products that we use to carry out the purposes described in Section 3. Such service providers may host, store, access or otherwise process some of the personal data described in this notice in the course of providing their services and products. We have contracts in place with all our service providers that ensure they process personal data in accordance with data protection law, including only using personal data to the extent necessary for agreed purposes, applying appropriate security measures to protect personal data, retaining and deleting personal data in accordance with applicable law and complying with requirements under data protection law for any international transfers of personal data.
In connection with preventing illegal use of domains
We may share Registration Data and other personal data contained in third party reports with organisations we work with in connection with preventing illegal use of domains we manage, including other registry operators, law enforcement agencies and other organisations engaged in abuse prevention and internet safety work.
Other circumstances
In addition, we may share personal data where it is necessary to:
- protect, enforce or defend our legal rights or the rights of others;
- comply with legal obligations such as court orders for disclosure and data sharing requests from law enforcement agencies; or
- protect the vital interests of individuals.
6. International transfers
This section sets out the circumstances in which the personal data described in this notice may be processed outside the United Kingdom (UK).
Our registry servers are situated in the UK. However, personal data may be processed outside the UK for the purposes described in Section 3 in the following circumstances:
- if a service provider we use is based outside the UK;
- pursuant to our Data Release Policy if the requestor is based outside the UK; and
- if the transfer is necessary to comply with a legal obligation such as a court order for disclosure or a data sharing request from a law enforcement agency.
We ensure that all transfers of personal data are carried out in compliance with applicable data protection laws. This is usually achieved by relying on adequacy regulations or incorporating approved standard contractual clauses or international data transfer agreements into our contracts or arrangements with service providers, Customers or other recipients of personal data.
If you want to know which safeguard we use to protect the personal data we transfer in a particular circumstance, please contact our Data Protection Officer at dpo@nominet.uk or the postal address set out above.
7. Data security
We implement appropriate security measures to protect the personal data we process -see our Security at Nominet page for more information. We also ensure that our service providers apply appropriate security measures to protect the personal data they receive or have access to as a result of providing their services and products to us.
We have put in place procedures to deal with any suspected personal data breach and will notify affected individuals and any applicable regulator of a breach where we are legally required to do so.
8. Data Retention
We only retain personal data for as long as necessary to fulfil the purposes for which we process it and in accordance with our data retention policy.
To determine the appropriate retention period for personal data, we consider:
- the amount, nature and sensitivity of the personal data;
- the potential risk of harm from unauthorised use or disclosure of the personal data;
- the purposes for which we process the personal data and whether we can achieve those purposes without retaining personal data; and
- applicable legal requirements relating to record keeping.
If you want to understand the retention periods that apply to personal data relating to you, please contact our Data Protection Officer at dpo@nominet.uk or the postal address set out above.
9. Your legal rights
You have the following rights in respect of our processing of personal data about you (“your personal data”):
- Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of your personal data along with information about how we process that data, including our purposes for processing it, recipients of the data and the retention periods we apply to it.
- Request correction of your personal data. This enables you to have any incomplete or inaccurate data corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it, where you have successfully exercised your right to object to processing (see below), where we may have processed your personal data unlawfully or where we are required to erase your personal data to comply with applicable law. Note, however, that we may not always be able to comply with your erasure request for specific legal reasons which will be notified to you, if applicable, at the time of your request. .
- Object to processing. You can object to our processing of your personal data where we are relying on a legitimate interest (or those of a third party) to process your personal data and there is something about your particular situation which makes you want to object to our processing on this basis. In response to your objection we will stop the relevant processing unless we can demonstrate that we have compelling legitimate grounds to continue the processing which override your interests, rights and freedoms. You also have the right to object to us processing your personal data for direct marketing purposes, in which case we will stop processing your personal data for that purpose.
- Request restriction of processing of your personal data. This enables you to ask us to suspend our processing of your personal data in the following scenarios: (a) if you contest the accuracy of the personal data; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where we no longer require the personal data for our purposes but you need it to establish, exercise or defend legal claims; or (d) you have objected to our processing of your personal data but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information for which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Withdraw consent. You can at any time withdraw any consent you previously gave us to process your personal data for a particular purpose. If you withdraw your consent, we will no longer process your personal data for that purpose, but this will not affect the lawfulness of any processing we carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
If you wish to exercise any of the rights set out above, please send your request to our Data Protection Officer at dpo@nominet.uk or the postal address set out above.
Complain to the ICO
You also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
No fee usually required
You will not have to pay a fee to access your personal data or to exercise any of your other rights. However, if your request is clearly unfounded, repetitive or excessive, we may charge a reasonable fee or refuse to comply with your request.
What we may need from you
We may need to request specific information from you to help us confirm your identity and verify your right to access personal data or exercise other rights. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to assist our response.
Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made more than one request. In this case, we will notify you and keep you updated.
10. Keeping your personal data accurate and current
We are required to take reasonable steps to ensure that the personal data we process is accurate and up to date. We implement internal processes to check and verify the personal data we hold. However, we also rely on individuals informing us of changes to their personal data. For this reason, please let us know if your personal data changes during your relationship with us.
11. Third-party links
Our websites may include links to third party websites. Clicking on those links may allow third parties to collect or share data about you. We do not control these third party websites and are not responsible for them. If you visit such websites, we encourage you to read the privacy notice and terms of use of those websites..
12. Changes to this privacy notice
We may make changes to this privacy notice at any time and for any reason, including to reflect changes in our processing activities or applicable law.
Last revised: August 2025. Last reviewed: August 2025.