Privacy Policy

This Privacy Policy (hereinafter referred to as "this Policy") is formulated and published by ERANET INTERNATIONAL LIMITED (hereinafter referred to as "we") in accordance with the Personal Data (Privacy) Ordinance (Cap. 486, hereinafter referred to as the "Ordinance") of the Hong Kong Special Administrative Region.

This Policy sets out the principles, policies and practices for the collection, use, disclosure, storage, transfer and protection of personal data by us in the course of providing domain name registration, domain name hosting, DNS management and related online services (hereinafter referred to as "Services").

For the purposes of this Policy, "personal data" means as defined in section 2(1) of the Ordinance, namely:

(a) Any data relating directly or indirectly to a living individual;

(b) Data that can identify the individual directly or indirectly; and

We undertake to strictly collect, use, store, process and disclose personal data in accordance with the Ordinance, in particular the six Data Protection Principles set out in Schedule 1, as well as the best practice guidelines issued by the Office of the Privacy Commissioner for Personal Data, Hong Kong (hereinafter referred to as the "Privacy Commissioner's Office").

From the effective date of this Policy, your continued access to or use of the Services constitutes your reading, understanding and acceptance of the terms of this Policy, and your consent to the collection, use, storage, transfer and other processing of your personal data as described in this Policy. If you have any questions about this Policy or do not agree with any part of it, you should immediately stop using the Services and may make inquiries in accordance with the contact information set out in Clause 9 below.

I. Collection of Personal Data

1.1 We may collect personal data directly from you, or indirectly through authorized registrars and distributors, including but not limited to your name, contact information and identity information. We may also collect personal data you provide when requesting technical support or assistance, such as your name, email address and telephone number.

1.2 Personal data will only be collected for purposes directly related to our operations, including but not limited to:

(a) Maintaining the accuracy and integrity of the domain name registration database;

(b) Handling complaints, domain name disputes, inquiries and feedback;

(d) Responding to technical support or assistance requests; and

(e) Complying with legal, regulatory and policy requirements applicable to domain name registration.

1.3 We will not collect sensitive personal data such as race or ethnic origin, political opinions, religious beliefs, health status or sexual orientation.

1.4 If you fail to provide the required personal data, we may be unable to perform our contractual obligations or provide the corresponding services.

II. Accuracy of Personal Data

2.1 We will take all reasonably practicable measures to ensure that the personal data we hold is accurate, up-to-date and complete for the purposes for which it is used.

2.2 You have the right to request correction of any inaccurate, incomplete, misleading or outdated personal data.

2.3 You have the right under the Ordinance to:

(a) Access your personal data held by us;

(b) Request correction of inaccurate personal data;

If you wish to exercise the above rights, please make a request in writing by contacting us as described in Clause 9 of this Policy. We may charge a reasonable fee for access requests.

III. Retention of Personal Data

3.1 Pursuant to Data Protection Principle 2(2) (hereinafter referred to as "DPP2(2)") and section 26(1) of the Ordinance, personal data shall not be retained for longer than is necessary to fulfill the purpose for which it was collected (including any directly related purposes).

3.2 Notwithstanding Clause 3.1, in accordance with the Internet Corporation for Assigned Names and Numbers (ICANN) Registration Data Policy, we are required to retain the data elements necessary to fulfill the Transfer Dispute Resolution Policy for a period of not less than 15 months in the following circumstances:

(a) When the registrar ceases to sponsor the registration; or

(b) On the date of completion of a registrant change (cross-registrant transfer),

whichever is later.

3.3 When personal data held by us is no longer required for the purposes set out in this Policy, we will take all reasonably practicable measures to delete it, unless:

(a) Any law prohibits the deletion of such data; or

(b) The data needs to be retained for public interest (including historical preservation).

3.4 As an online service provider, we hold and process personal data only in electronic form. For the purposes of section 26(1), "reasonably practicable measures" shall depend on the nature, form and sensitivity of the data, including but not limited to:

3.4.1 Regular Review and Assessment

(a) Regularly review personal data stored in the system to determine whether retention is still necessary;

(b) Identify and mark personal data that has exceeded the applicable retention period.

3.4.2 Verification of Retention Necessity

(a) Determine whether there is a legal, regulatory, contractual or operational need to continue retention.

3.4.3 Secure Electronic Deletion

(a) Permanently delete personal data from active systems, backup systems and cloud platforms in accordance with internationally recognized standards (such as NIST SP 800-88, ISO/IEC 27040), ensuring that it cannot be recovered through reasonably available means.

3.4.4 Anonymization as an Alternative to Deletion

(a) If retention is required for research or statistical purposes, irreversibly anonymize personal data so that it cannot identify an individual directly or indirectly;

(b) Ensure that anonymized data cannot be re-identified and is not used in a manner that reveals any individual's identity.

3.4.5 Documentation and Compliance Assurance

(a) Maintain records of deletion and anonymization operations, including the type of data processed, methods used, date of execution and responsible person;

(b) Regularly review and update data retention and anonymization policies to ensure ongoing compliance with the Ordinance.

3.5 Once deletion or anonymization is completed, no residual personal data in any form shall remain accessible or processable.

IV. Use of Personal Data

4.1 Personal data may only be used for the purpose specified at the time of collection or for purposes directly related thereto. Any other use shall be subject to your express consent in accordance with the Ordinance.

4.2 With your consent, we may use personal data to send you electronic communications, promotional materials or event invitations. You may withdraw such consent at any time by written notice, and withdrawal of consent shall not affect the lawfulness of processing carried out before the withdrawal. 4.3 When you explicitly agree to receive our SMS messages by checking an independent consent checkbox, we will collect and store the phone number you provide. This number will only be used for the communication purposes you have agreed to (e.g., sending verification codes, account security notifications, etc.). You may at any time reply with the specific instructions indicated in the SMS to stop receiving such messages. After unsubscribing, we will stop sending non-transactional SMS to this number, but may retain your number to prevent future accidental sending or to record your unsubscribe status. SMS and data usage charges may be incurred by your mobile operator.

V. Security of Personal Data

5.1 We shall take all reasonably practicable measures to protect personal data from unauthorized or accidental access, processing, deletion, loss or use.

5.2 Access to personal data shall be limited to authorized personnel, agents or contractors who are bound by confidentiality obligations under contract or law.

VI. Transparency

6.1 This Policy sets out our practices in handling personal data. The latest version of this Policy shall be published on our official website. In the event of material changes, we will notify you through appropriate means including but not limited to email notification or website announcement.

VII. Disclosure of Personal Data

7.1 Personal data shall be treated as strictly confidential, but may be disclosed when necessary to achieve the purposes set out in this Policy, including:

(a) Publishing registrant information as required by applicable domain name policies;

(b) Disclosing to other formally designated registration authorities;

(d) Disclosing to contractors, agents, auditors or service providers bound by contractual confidentiality obligations.

7.2 If personal data needs to be transferred to a jurisdiction outside the Hong Kong Special Administrative Region, we shall take all reasonably practicable measures to ensure that the recipient is subject to obligations substantially equivalent to the privacy obligations under the Ordinance.

7.3 Without the prior express consent of the data subject, we will not disclose, sell, rent, transfer or otherwise share your mobile communication information (including but not limited to phone numbers and identification information related to mobile communications) to any third party or affiliated company for their marketing or promotional purposes.

VIII. Cross-border Transfer of Personal Data

8.1 General Principle

We are aware that section 33 of the Ordinance (relating to the transfer of personal data to places outside Hong Kong) is not yet in force. However, in order to align with the Personal Data Protection Guidelines: Cross-border Data Transfers (2014) (hereinafter referred to as the "2014 Guidelines") and the Guidelines on Recommended Model Contract Clauses for Cross-border Transfer of Personal Data (2022) (hereinafter referred to as the "2022 Guidelines") issued by the Office of the Privacy Commissioner for Personal Data, Hong Kong, we have adopted measures consistent with recognized best practices to ensure that personal data transferred to places outside Hong Kong enjoys protection substantially equivalent to that provided under the Ordinance.

8.2 Nature of Transfers

In the course of providing the Services, we may need to transfer personal data to jurisdictions outside Hong Kong for purposes including but not limited to:

(a) Domain name registration, renewal, transfer and dispute resolution;

(b) DNS hosting, security monitoring and technical infrastructure operation and maintenance;

(d) Complying with requirements specified by ICANN, domain name registries or applicable laws in relevant jurisdictions.

The jurisdictions to which personal data is transferred may vary depending on operational, contractual and technical factors.

8.3 Transfer Safeguards

Where applicable, we will enter into written contractual arrangements with overseas recipients to ensure that personal data transferred to places outside Hong Kong receives protection substantially equivalent to that provided under the Ordinance. Such contracts may adopt or adapt the Recommended Model Contract Clauses issued by the Office of the Privacy Commissioner for Personal Data, Hong Kong in 2022, and shall include the following clauses:

(a) Restrict its use to the purposes stated in the transfer;

(b) Prohibit retention of data beyond the period required for processing;

(d) Restrict further disclosure to other parties without the prior written consent of the service provider.

8.4 Confirmation and Non-objection Statement

Your continued use of the Services from the effective date of this Policy constitutes your confirmation, acceptance and non-objection to the transfer of your personal data to places outside Hong Kong in the manner described in this Clause. If you do not agree to such transfers, you should immediately stop using the Services and may send any inquiries or objections to the contact information set out in Clause 9 of this Policy.

8.5 Security Measures for Cross-border Transfers

All transfers of personal data to places outside Hong Kong shall be conducted through secure communication channels and encryption protocols, and shall be subject to strict internal access controls to minimize the risk of unauthorized access, interception or data loss.

8.6 Miscellaneous

Notwithstanding that section 33 of the Ordinance (cross-border data transfer restrictions) is not yet in force, we undertake to fully comply with its requirements once it comes into force, including transferring personal data only to jurisdictions recognized as having a level of protection equivalent to that under Hong Kong law, or with the consent of the data subject/signing a compliant contract.

IX. Complaints and Dispute Resolution

9.1 If you believe that we have not complied with the Ordinance or this Policy, you have the right to file a complaint with us.

9.2 We will investigate and respond to your complaint as soon as possible, and take appropriate remedial measures (if reasonable and practicable).

9.3 Without prejudice to your rights under the law, data subjects are encouraged to first communicate directly with us to resolve the matter before filing a complaint with the Office of the Privacy Commissioner for Personal Data, Hong Kong.

X. Policy Updates

10.1 We reserve the right to revise, update or modify this Policy at our sole discretion without prior notice to reflect changes in laws, regulatory requirements or operational needs. The revised policy will be published on our official website and will take effect from the date of publication unless otherwise stated.

XI. Cookies

11.1 We may use Cookies to enhance user experience and assist in providing the Services. Cookies do not allow us to access information stored on your device. You may disable Cookies in your browser settings, but this may affect some features of this website.