GoDaddy Corporate Domains Privacy Notices
Last Revised: December 4, 2023
Global Privacy Notice
To view our archived Privacy Notice, click here .
This Global Privacy Notice describes GoDaddy Corporate Domains, LLC’s (“GCD”) core privacy practices and applies to all individuals regardless of where they live. The laws in some places where we do business also require customized local privacy notices, which you can access through the following links:
We encourage you to review your local customized notice if you live in one of these areas.
As described below, you can reach us at privacy@gcd.com or by mail at the addresses listed in Contact Us to exercise your privacy rights.
Data Covered by this Global Privacy Notice
This global privacy notice covers personally identifiable information (PII) when we act as the data controller.
- PII identifies or could be used to identify a specific person, and any data about that person. For example, your name, address, and payment details are PII.
· We act as a controllerwhen we process PII for our own use. For example, we act as a controller when you provide your PII to open an account.
This notice does not apply when you process PII for your own benefit. For example, when you send email for your business purposes that includes PII, you are acting as the “controller”. When you act as the controller, we act as the “processor” and process PII only in accordance with your instructions or as required by law.
This notice also does not apply to third-party applications offered through our services or linked through our website. Please review the privacy notice of any third-party service or website before using it.
Core Privacy Rights
We recognize several core privacy rights:
- the right to know what PII we hold about you
- the right to access, correct, or delete your PII
- the right to transfer your PII (data portability)
- the right to set your marketing and advertising preferences
We promptly review requests to exercise privacy rights. If we need more information to process your request, we will contact you by email or, if we do not have an email address on file for you, by the same method you made your request.
If we do not honor your request for legal or other reasons, we will explain why we did not honor your request, your right to appeal, and your right to file a complaint (if available where you live).
PII We Collect
1. PII You Provide We collect PII when you set up an account, use our services, or contact us. Examples of PII we may collect from you include your name, email address, phone number, physical address, and payment method. We also collect PII of your employees and customers that you provide to us.
2. PII We Collect Automatically We collect PII automatically when you visit our websites, use our services, contact us, open our emails, or view our advertising. Examples of PII we may collect include your device ID, your IP address, information about web pages and other websites you visit, and other similar details.
3. PII from Other Sources We may collect PII about you from other sources. Examples of PII obtained from other sources include publicly available data, social media information, and information lawfully gathered by third party data providers.
4. PII We Generate We process data in connection with our business and services to generate inferences and insights that may be linked to you or your account.
Use of PII
We use PII to operate our business and provide services. Examples of how we use PII include:
- Managing accounts
- Processing purchase requests
- Registering domains you purchase
- Provisioning products and services you have requested or may be interested in using
- Providing customer support
- Securing, updating, and improving our services
- Detecting fraud and other illegal activity
- Customized marketing and personalized advertising of our services
- Contacting you by telephone, text or messaging applications to offer you services
- Website traffic measurement
- Other uses consistent with the purposes for which the PII was collected or that have been authorized by you
No Sale of PII
We do not sell PII.
Disclosures to Others
We disclose PII:
- to processors to operate our business and deliver services, including but not limited to administering accounts, providing customer support; conducting contests and surveys; and performing other activities related to our business and services.
- to business partners and/or affiliated companies to offer some services.
- to marketers and advertisers who create personalized marketing and advertising messages.
- to comply with law enforcement and other legal requests, protect our legal rights, prevent harm to us or others, and enforce our policies and contracts.
- if we sell some or all of our assets or merge with a third-party we may transfer relevant PII to the buyer or new company.
Cookies, Web Beacons, and Other Tools
We use three main “identifiers” on our website and in our services: cookies, web beacons, and scripts.
- Cookies are text files placed on your device when you visit our webpages or view messages from us. Some cookies are “session cookies” that expire at the end of your browser session, while others are “persistent cookies” that allow us to remember your preferences and settings over multiple visits and across other websites.
- Web Beacons are image files placed in our web pages and emails.
- Scripts are small pieces of computer code that power customer service tools, deliver video, and provide interactive experiences. We also use scripts for measuring service use.
We manage some identifiers directly. Other identifiers are managed by third parties. For example, we use Google Analytics to monitor site performance and visitor engagement.
We use identifiers to provide customized services, measure website performance, provide customer support, and deliver personalized advertising. Examples of how we use identifiers include, but are not limited to:
- Setting your service preferences
- Managing your purchases
- Guarding against fraud
- Delivering relevant advertisements
- Measuring website use
- Conducting research to improve our services
Identifier Management
You can manage identifier settings by clicking on Manage Privacy Settings through the link in this notice. Customers can manage their identifier settings for our website and our services through their customer account. We use optional and mandatory cookies and other identifiers. Optional cookies and other identifiers are used for support, website performance, and advertising. Mandatory cookies and other identifiers are used for account verification, service continuity, security, and other functions necessary to provide our website and services.
In addition to our Manage Privacy Settings options, many web browsers allow users to block cookies (directly or through plugins and extensions). Some cookies, however, are essential for our website and services to function. If you set your browser to block all cookies, you may not be able to use our services.
“Do Not Track” and other Preference Signals
Some web browsers provide a “Do Not Track” feature. There are no generally accepted standards for this feature and we do not respond to “Do Not Track” signals.
We also do not recognize any universal opt-out mechanism, such as the Global Privacy Control, which is still under development.
Marketing and Advertising Preferences
You can reach us at privacy@gcd.com or by mail at the addresses listed in Contact Us to manage your marketing and advertising preferences.
Storage
We store PII on our own systems and with trusted service providers, including Amazon Web Services.
International Transfers
We transfer PII internationally to operate our business and provide services. We comply with applicable law when making international transfers.
For transfers of PII from the European Union/European Economic Area, Switzerland, and the United Kingdom, we have certified our compliance with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF) , the Swiss-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. DPF, collectively (the “DPF”). Please see our Data Privacy Framework Notice for more information on our participation in the DPF Program.
Please see our European Data Protection Disclosures for more information pursuant to the DPF and other transfer mechanisms we use to transfer PII from the EU/EEA, Switzerland, and the UK.
Length of Retention
We retain PII for our business needs and to comply with law. If we no longer need PII, we may delete it or de-identify it so that it no longer identifies a specific person. Factors we consider when deciding when to delete or de-identify your PII include: (1) if you still have an account, (2) if we are required to retain PII to comply with law, or (3) if the PII is needed for tax other business purposes.
Security
We use risk-based measures to protect PII, including appropriate security controls and employee training. We also require that our service providers, business partners, and advertisers use appropriate risk-based controls to protect PII.
No Collection of PII about Children
We do not knowingly collect PII about anyone under 18 without permission from their legal guardian. Please contact us at privacy@gcd.com if you believe we have collected information from a child without permission from their legal guardian.
Legal Basis for Processing
We process PII upon your request, with your consent, to fulfill our contract with you, based on our legitimate interest, or other lawful bases. The specific basis of processing depends on the services you are using, the data being processed, the place where the processing occurs, and the place where you live. If you have questions about our basis for processing your PII, please contact us at privacy@gcd.com.
Non-Discrimination
We will not discriminate against you for exercising your privacy rights.
No Financial Incentives
We do not provide any financial incentives for providing PII to us.
Policy Changes
We may revise this global privacy notice by posting a revised statement at the same location as this notice or on another location on our website. If we change this notice, it will apply to personal data collected prior to adoption of the new statement only to the extent as the new statement does not reduce the rights of affected data subjects.
Contact Us
If you have any questions, you can contact at privacy@gcd.com or by mail at:
- United States: Attn: Office of the Data Privacy Officer, 2155 E. GoDaddy Way, Tempe, AZ 85284 USA
- United Kingdom: Attn: Legal, Office of the Data Privacy Officer, 5th Floor, The Shipping Building, Old Vinyl Factory, 252-254 Blyth Road, Hayes, UB3 1HA.
- European Union (EEA) / Switzerland: Attn: Legal, Office of the Data Privacy Officer, c/o WeWork, Friesenplatz 4, 50672 Cologne, Germany
- Asia: Attn: Office of the Data Privacy Officer, 80 Robinson Road #02-00 Singapore 068898
We respond to all questions or concerns within 30 days.
United States Supplemental Privacy Notice
GoDaddy Corporate Domains, LLC (“GCD”) maintains a global privacy program as described in our Global Privacy Notice. This US Privacy Notice supplements our Global Privacy Notice by providing additional disclosures required by US state law. For disclosures specific to your state, please click the relevant link below:
If your state is not listed above, please see our Global Privacy Notice for a description of your rights.
Additional California Disclosures
Our Global Privacy Notice applies to all California residents. If you are applying for a job with us, the GoDaddy Applicant Privacy Notice also applies to you.
The following additional California-specific disclosures are required by California law and relate to both our online and offline practices for handling “Personal Information” (as defined below) of California residents.
The California Consumer Privacy Act (“CCPA”) regulates the processing of Personal Information, which is defined as “information that identifies, relates to, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly with a particular consumer or household.” For purposes of honoring rights of California residents, all references to PII in our Global Privacy Notice include personal information as defined in the CCPA.
Categories of Personal Information Collected
In the last 12 months, we have collected the following categories of personal information for the business purposes described below.
Category | Examples | Business Purpose | ||
---|---|---|---|---|
Identifiers | Name, postal address, telephone number, email address, IP address, driver’s license number, passport number, or other similar identifiers | Managing accounts, processing purchase requests, security, detecting fraud, marketing, advertising, and employment | ||
Personal Information Categories listed in California Consumer Records Statute | Name, postal address, telephone number, financial information (e.g., account number or card number) , employment information | Managing accounts, processing purchase requests, security, detecting fraud, marketing, advertising, and employment | ||
Protected classification characteristics under California or federal law | Age (40 years or older) , marital status, sex (including gender, gender identity, gender expression) , veteran or military status | Employment | ||
Commercial Information | Services purchased and other information about our customers’ enterprises | Managing accounts, processing purchase requests, security, detecting fraud, marketing, and advertising | ||
Internet or other similar network activity | Information about the use of our website and services, interaction with advertising, IP address, and similar information | Managing accounts, processing purchase requests, security, detecting fraud, marketing and advertising | ||
Professional or employment related information | Information about our employees, job applicants, and our customers’ employer(s) , position, and job responsibilities | Managing accounts, Employment | ||
Inferences drawn from other personal information | Inferences regarding our customers’ businesses and interests | Marketing, advertising, and customer support | ||
Audio, electronic, visual, thermal, olfactory, or similar information | Recordings of customer support calls, voice messages, SMS and text messages, and security video | Managing accounts, customer support, and security | ||
Biometric information | Access to company computer systems and facilities | Security | ||
Education information | Education information relating to job applicants and employees | Employment |
Categories of Sensitive Personal Information Collected
Users of some services are required by applicable laws, contracts, and other requirements (including requirements imposed by ICANN) to supply certain information that is defined as “Sensitive Personal Information” under California law.
In the past 12 months, we have collected the following categories of Sensitive Personal Information from some individuals:
- Identifiers: Social security numbers, driver’s license numbers, state identification card numbers, or passport numbers
- Personal Information Categories listed in California Consumer Records Statute: account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password or credentials allowing access to an account
Categories of Personal Information Disclosed
In the past 12 months, we have disclosed the following categories of Personal Information for the business purposes described above (see, Categories of Personal Information Collected) to the following categories of third parties:
Category | Examples |
---|---|
Identifiers | - Service providers - Business partners - Courts, government officials, attorneys, and law enforcement |
Personal Information Categories listed in California Consumer Records Statute | - Service providers - Business partners - Courts, government officials, attorneys, and law enforcement |
Protected classification characteristics under California or federal law | - Service providers - Business partners - Courts, government officials, attorneys, and law enforcement |
Commercial Information | - Service providers - Business partners - Courts, government officials, attorneys, and law enforcement |
Internet or other similar network activity | - Service providers - Business partners - Courts, government officials, attorneys, and law enforcement |
Professional or employment related information | - Service providers - Courts, government officials, attorneys, and law enforcement |
Inferences drawn from other personal information | - Service providers - Business Partners |
Audio, electronic, visual, thermal, olfactory, or similar information | - Service providers |
Biometric information | - Service providers |
Education information | - Service providers |
No Sale of Personal Information
We do not sell Personal Information.
Sharing of Personal Information
The CCPA defines “sharing” personal information to include providing personal information to third parties for certain online behavioral advertising purposes. Pursuant to this CCPA definition, we “shared” personal information with third parties for customized and personalized marketing and advertising in the past 12 months, including identifiers, internet or other similar network activity, and inferences drawn from other personal information. The recipients of this personal information are prohibited from using this shared personal information except to provide services to us or as otherwise required by law.
We recognize the right for California residents (and all other individuals regardless of where they live) to opt-out of the “sharing” of personal information by clicking on the Do Not Share My Personal Information link in this notice and on our website. You can also request that we not share your personal information by emailing us at privacy@gcd.com.
Use of Sensitive Personal Information
We do not use sensitive personal information, as defined in the CCPA, for any purpose other than:
- providing the services or goods requested by our customers
- preventing, detecting, and investigating security incidents
- detecting and responding to malicious, deceptive, fraudulent, or illegal actions
- to ensure the physical safety of natural persons
- for short term, transient use, including but not limited to, nonpersonalized advertising shown as part of a consumer’s interaction with us
- to service accounts
- to verify or maintain the quality or safety of products, services, and/or devices that are owned, manufactured, manufactured for, or controlled by us
- for employment purposes
As a result, the right to limit use of sensitive personal information under the CCPA does not apply to our activities.
How to Exercise Your Rights
You can make a request to exercise your rights to know, access, correct, delete, transfer (portability) , opt-out of marketing, or restrict sharing of your personal information by emailing us at privacy@gcd.com. You also can send your request by mail to:
GoDaddy Corporate Domains, LLC
Attn: Legal – Privacy 2155 E. GoDaddy Way Tempe, Arizona 85284 USA.
If we require additional information to process your request, we will contact you by email or mail.
Use of Authorized Agents
The CCPA allows authorized agents to make requests on behalf of California residents to exercise their personal information rights. To exercise rights on behalf of a California resident, authorized agents must provide us with evidence they are authorized to make the request.
To make an authorized request, please email us at privacy@gcd.com. Authorized agents can also send their requests to GoDaddy Corporate Domains, LLC Attn: Legal – Privacy, 2155 E. GoDaddy Way, Tempe, Arizona 85284 USA.
Please note that we will confirm the authorized agent’s authority and send any personal information directly to the California resident on whose behalf the agent is acting. No personal information will be provided to the authorized agent.
Time To Respond
We will acknowledge your request to exercise your rights within 10 business days after receiving the request. Under California law, we have 45 days to respond to your inquiry and may add an additional 45 days depending on the complexity of your request. Please note, however, that as a general rule we normally respond to requests within 30 days as set forth in our global privacy notice.
Supplemental Colorado, Connecticut, and Virginia Disclosures
Our Global Privacy Notice applies to all Colorado, Connecticut, and Virginia residents. The following supplemental disclosures are specifically required by state law.
Colorado, Connecticut, and Virginia regulate the processing of “Personal Data”, which generally has the same definition as PII in our global privacy notice. We recognize all requests to exercise state privacy rights as including both personal data under applicable state law and PII as defined in our global privacy notice.
Mandatory Disclosures
- We process the following categories of personal data: identifiers/contact information, demographic information (including gender and age) , payment card information, commercial information (such as information about your business) , internet activity, audio and electronic information, and inferences.
- The purposes for processing your personal data are described in our global privacy notice.
- We may disclose all of the categories of personal data described above to the third parties described in our global privacy notice.
- We process the following categories of personal data for targeted advertising purposes: identifiers, demographic information, commercial information, internet activity, and inferences.
The Right to Opt-Out of Marketing and Advertising
We recognize the right to opt-out of targeted marketing and advertising communications. You can exercise this right by sending us an email at privacy@gcd.com. If you are a customer, you can also opt-out of targeted marketing and advertising communications by setting your advertising and marketing preferences in your account. You also can send your request by mail to: GoDaddy Corporate Domains, LLC Attn: Legal – Privacy, 2155 E. GoDaddy Way, Tempe, Arizona 85284 USA
We also recognize the right to opt-out of the processing of personal data for targeted advertising through a third party authorized by you to act on your behalf. We reserve the right to use commercially reasonable methods to authenticate your identity and the authorized agent’s authority to act your behalf. Authorized agents may make such requests by sending us an email, or mailing the request to GoDaddy Corporate Domains, LLC Attn: Legal – Privacy, 2155 E. GoDaddy Way, Tempe, Arizona 85284.
How to Exercise Your Rights
You, or an authorized agent, may make a request to exercise your rights to know, access, correct, delete, transfer (portability) , or opt-out of marketing by emailing us at privacy@gcd.com. You, or an authorized agent, can also send your request by mail to:
GoDaddy Corporate Domains, LLC
Attn: Legal – Privacy 2155 E. GoDaddy Way Tempe, Arizona 85284 USA.
We reserve the right to use commercially reasonable methods to verify your identity and the authority of any authorized agent to act on your behalf.
Time To Respond
Under state law, we have 45 days to respond to your inquiry and may add an additional 45 days depending on the complexity of your request. Please note, however, that as a general rule we normally respond to requests within 30 days as set forth in our Global Privacy Notice.
Right of Appeal
If we reject your request, you have the right to appeal that denial by notifying us that you disagree with our decision by email at privacy@gcd.com or by mail at: GoDaddy Corporate Domains, LLC Attn: Legal – Privacy, 2155 E. GoDaddy Way, Tempe, Arizona 85284.
If you choose to appeal, please explain why you believe you are entitled to receive the information requested despite our denial. We will respond to any appeal within 45 days.
Right to Complain to Attorney General
If we deny any request you made under our Global Privacy Notice or this state supplemental notice, you may file a complaint with your state’s attorney general.
European Supplemental Privacy Notice
GoDaddy Corporate Domains (“GCD”) maintains a global privacy and data protection program as described in our Global Privacy Notice.
This European Data Protection Notice supplements our Global Privacy Notice by providing additional disclosures required by law in the European Union/European Economic Area (EU/EEA) , Switzerland, and the United Kingdom.
Controller
When you use services offered by GCD in the EU/EEA, Switzerland, or the United Kingdom, the data controller will be GCD.
Legal Basis for Individual Processing Activities
We use personal data (called PII in our Global Privacy Notice) primarily to provide you the services you request. We also use personal data to comply with our legal obligations and protect our legitimate interests, including providing you personalized services, communicating with you, improving our services, and detecting fraudulent and illegal activity. With your prior consent, we also may use your personal data to send you marketing materials and offers.
Cookies and Other Online Identifiers
We use cookies and other online identifiers as part of our services. Please see our Global Privacy Notice section on online identifiers for more information on our use of cookies and other identifiers. Please note that in cases where our cookies process personal data of data subjects in the EU/EEA, Switzerland, and the UK, we collect your consent before using those cookies.
International Data Transfers
We operate a global business and personal data you provide may be transferred from your country to the United States or to another country where we do business. We make these transfers when necessary to provide our services, to perform our contract with you, or when we have your consent to transfer your personal data to another country.
We transfer personal data outside the EU/EEA, Switzerland, and the UK to countries that have been determined by the European Commission to offer an adequate level of data protection.
For transfers from the EU/EEA and Switzerland to countries that have not been deemed to offer an adequate level of data protection, we transfer personal data pursuant to a data protection addendum with standard contractual clauses and appropriate supplementary measures including, appropriate technical and organizational measures.
For transfers from the UK to countries that have not been deemed to offer an adequate level of data protection, we transfer personal data pursuant to a data protection addendum consistent with the requirements of the UK International Data Transfer Agreement issued by the UK Information Commissioner, Version B1.0.
Transfers to the United States
For transfers to the United States, we transfer data pursuant to the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) , the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce.
We have certified to the U.S. Department of Commerce that we adhere to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. We have certified to the U.S. Department of Commerce that we adhere to the Swiss-U.S. Data Privacy Framework Principles (“Swiss-U.S. DPF Principles”) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in our privacy notice and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the applicable Principles shall govern. To learn more about the Data Privacy Framework (“DPF”) program, and to view our certification, please visit https://www.dataprivacyframework.gov/s/participant-search/.
For transfers to the United States in situations where transfers via the DPF are not available (for example, between Switzerland and the United States while approval of the DPF is pending) , we transfer personal data pursuant to a data protection addendum with standard contractual clauses and appropriate supplementary measures including, appropriate technical and organizational measures.
Please see our Data Privacy Framework Notice for more information on our compliance with the DPF’s requirements.
EU Article 27 Representative
Our EU Article 27 Representative is:
GoDaddy Deutschland GmbH c/o WeWork Friesenplatz 4 50672 Cologne, Germany
Complaints to Data Protection Authorities
In the EU/EEA, you have the right to lodge a complaint with your local data protection supervisory authority.
In Switzerland, you have the right to lodge a complaint with the Federal Data Protection Information Commissioner.
In the UK, you have the right to lodge a complaint with the Information Commissioner’s Office.
Data Privacy Framework Notice
GoDaddy Corporate Domains, LLC (“GCD”) has self-certified its compliance with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) , the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) , and the UK Extension to the EU-U.S. DPF (“UK Extension”) , collectively (the “DPF”).
This Data Privacy Framework Notice describes our compliance with the specific requirements of the DPF. For a complete statement of our privacy practices, please see our Global Privacy Notice. For the purposes of this Data Privacy Framework Notice, all references to PII and personal information in our Global Privacy Notice and its supplements are deemed to be references to personal data.
Certifications
We comply with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) , the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. We have certified to the U.S. Department of Commerce that we adhere to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. We have certified to the U.S. Department of Commerce that we adhere to the Swiss-U.S. Data Privacy Framework Principles (“Swiss-U.S. DPF Principles”) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this notice and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (“DPF”) program please visit www.dataprivacyframework.gov.
To view our certification, please visit https://www.dataprivacyframework.gov/s/participant-search/.
Scope
This DPF Notice applies to our processing of personal data transferred to the United States from the European Union/European Economic Area (“EU/EEA”) , Switzerland, and the United Kingdom in reliance upon the DPF. If there is any conflict between this notice and the DPF Principles, the DPF Principles govern.
We process personal data as a controller (who determines the purpose and means of processing) or processor (who acts upon the written instructions of the controller)
Notice of Privacy Practices: Controller
Our privacy practices when we act as a data controller are set forth in our Global Privacy Notice, including:
- the types of personal data collected
- the purposes for which we collect personal data
- the type of third parties to whom we disclose personal data,
- our practices relating to the collection and use of personal data,
- the right of individuals to access their personal data, and
- the choices and means we offer for limiting use and disclosure of personal data.
Notice of Privacy Practices: Processor
When we act as a data processor, our customers determine the types of personal data collected, and the practices relating to the collection and use of personal data collected.
Our rights and obligations as a processor are defined by a written data processing addendum (“DPA”) executed between us and our customer. In general, we process personal data according to applicable law and the instructions provided by our customer acting as the data controller. Our customers are responsible for ensuring they:
- have a lawful basis for collecting the personal data provided to us
- have provided appropriate notices and disclosures to data subjects as required under applicable law
- have the right to allow transfer of personal data to the United States
- have otherwise complied with all applicable laws relating to the collection and processing of personal data
- provide responses to requests from individuals to access their personal data, and
- provide appropriate choices and means to individuals to limit the use and disclosure of their personal data.
When acting as a processor, we disclose personal data:
- to our affiliates and subprocessors for the purpose of operating our business and/or providing our services
- to third parties at our Customer’s request
- when required to make disclosures pursuant to law or in response to lawful requests from governmental authorities, including in response to national security, government interests, or law enforcement requests.
Onward Transfers of Personal Data
When transferring personal data to a processor (or subprocessor) pursuant to the DPF (an “Onward Transfer”) , we:
- require the processor to enter into a written DPA
- require the processor to process the personal data for only limited and specific purposes defined in the agreement
- take reasonable and appropriate steps to ensure that the personal data is processed in a manner consistent with the DPF Principles,
- require the processor to notify us if the processor determines that it can no longer meet its obligations under the DPF Principles,
- take reasonable and appropriate steps to stop and remediate unauthorized processing, and
- will provide a summary or representative copy of the relevant privacy protections in our agreements with our processors to the Department of Commerce upon request.
We remain liable under the DPF Principles if our processor or any other party to whom our processor transfers personal data processes personal data in a manner not consistent with the DPF Principles, unless we demonstrate that we are not responsible for the unauthorized processing.
Other Disclosures
We also disclose personal data (a) for the purpose of operating our business and providing our Services as described in our Global Privacy Notice and related privacy policies, (b) to third parties at our Customer’s request, (c) if required to make disclosures pursuant to law, or (d) in response to lawful requests from governmental authorities, including in response to national security, government interest, or law enforcement requests.
Data Subject Choice
We do not disclose personal data to third parties (other than processors working on our behalf) or use personal data for a purpose different for the purposes for which it was originally collected or subsequently authorized.
Human Resources Personal Data
We transfer human resources data pursuant to the DPF. A copy of our employee privacy policy governing the processing of employee personal data is available to employees on our internal network or by emailing us at privacy@gcd.com. Employment candidates are invited to review our Applicant Privacy Policy.
Data Security
Our Global Privacy Notice contains a description of the measures we employ to protect the confidentiality, integrity, and availability of personal data we process.
Recourse, Enforcement, and Liability
We have established internal mechanisms to verify our ongoing adherence to the DPF Principles and the other requirements described in this notice and our Global Privacy Notice. We also are subject to the investigatory and enforcement powers of the U.S. federal government, including the U.S. Federal Trade Commission (“FTC”).
GCD commits to resolve DPF Principles-related complaints about our collection and use of personal information. Individuals with inquiries or complaints regarding our handling of personal data received in reliance on the DPF should first contact us at privacy@gcd.com or at the address below:
Office of the Data Privacy Officer GoDaddy Corporate Domains, LLC 2155 E GoDaddy Way Tempe, Arizona 85284
We respond to complaints within 45 days.
If we cannot resolve a compliant through our internal processes, we commit to cooperate and comply with the advice of the panel applicable to the complainant established by the EU Data Protection Authorities (“EU DPAs”) , the UK Information Commissioner’s Office (“ICO”) , and the Swiss Federal Data Protection and Information Commission (“FDPIC”) with respect to all personal data, including HR-related data.
If we are unable to resolve a complaint through the independent dispute resolution panel appliable to you, you may be able to invoke binding arbitration for some residual claims not otherwise resolved by other recourse mechanisms. This binding arbitration mechanism is administered by the International Centre for Dispute Resolution -American Arbitration Association (ICDR-AAA). For more information about binding arbitration, please visit the Data Privacy Framework’s Annex regarding Arbitration.
Changes to this Statement
We may revise this Data Privacy Framework Notice by posting a revised statement at the same location as this notice or on another location on our website. If we change this notice, it will apply to personal data collected prior to adoption of the new statement only to the extent as the new statement does not reduce the rights of affected data subjects. As long as we continue to participate in the DPF program, we will not change our statement in a way that is inconsistent with our obligations under the DPF program or the DPF Principles.