This Privacy Policy explains how NexrStack Software, Inc. ("NexrStack", "we", "us") collects, uses, discloses, and protects personal data when you use NexrDomains ("the Services"). It applies to visitors to nexrdomains.com, customers using clients.nexrdomains.com, and registrants of domain names registered through us.
We are the data controller for personal data collected through the Services. Where we act as a data processor (for example, when handling contact information you provide for a domain registrant other than yourself), we process that data only on your instructions.
1. Data we collect
Information you give us
- Account details: name, email address, password (hashed), billing address, phone number.
- Registrant details for each domain: name, organisation, postal address, email, phone number, where required by registry policy.
- Payment information: card number, expiry date, billing postcode. Card data is processed and stored by Stripe; we never store full card numbers ourselves.
- Support correspondence: messages, attachments, and tickets you open.
Information collected automatically
- Log data: IP address, user agent, referring URL, pages viewed, timestamps.
- Cookies and similar technologies: session cookies for authentication, a small number of first-party analytics cookies, and security cookies.
- Device data: browser type and version, operating system.
2. How we use your data
- To provide, maintain, and bill the Services.
- To register and manage domains on your behalf, including communicating with registries and ICANN.
- To detect, prevent, and respond to fraud, abuse, and security incidents.
- To respond to your support requests and account inquiries.
- To send service-related emails (e.g. expiry warnings, transfer confirmations, security alerts).
- To send marketing emails where you have opted in; you can unsubscribe at any time.
- To comply with legal obligations and enforce our Terms.
3. Legal bases (UK / EU residents)
Where the UK GDPR or EU GDPR applies, we rely on the following legal bases:
- Contract — to provide the Services you have requested.
- Legitimate interests — to keep the Services secure, prevent fraud, and improve the product.
- Legal obligation — to meet ICANN, registry, tax, and other obligations.
- Consent — for non-essential marketing emails and analytics cookies.
4. Sharing your data
We share personal data only as needed to operate the Services or as required by law:
- Domain registries and accredited registrars, including 20i, who operate registrar infrastructure on our behalf.
- ICANN and registry-required WHOIS / RDAP services, as required by policy. Registrant details may be public unless WHOIS privacy is enabled.
- Payment providers, including Stripe, to process payments and prevent fraud.
- Service providers (email, analytics, customer-support tooling) under appropriate data-protection terms.
- Law enforcement, regulators, or other parties where we have a good-faith belief that disclosure is required by law.
5. International transfers
We are based in the United States. Some of our service providers are located in the United Kingdom, the European Union, or other jurisdictions. Where we transfer personal data internationally, we rely on Standard Contractual Clauses, the UK International Data Transfer Agreement, or other lawful transfer mechanisms.
6. Cookies
We use a small set of first-party cookies for authentication, security, and analytics. Non-essential cookies are only set after consent on our cookie banner. You can withdraw consent at any time from the cookie preferences page in your client portal.
7. Retention
We retain personal data for as long as your account is active. After closure, we keep limited records (invoices, abuse logs, registry-mandated registrant history) for up to seven years to meet tax and legal obligations. Backups are rotated on a 35-day cycle.
8. Your rights
Depending on your location, you may have the right to access, correct, delete, restrict, or object to our processing of your personal data, to request a portable copy, and to withdraw consent. Residents of California, the EU, the UK, and certain other jurisdictions have statutory rights that we will honour.
To exercise any right, email privacy@nexrdomains.com. We will respond within 30 days. You also have the right to lodge a complaint with a data protection authority (in the UK, the Information Commissioner's Office; in the EU, your local supervisory authority).
9. Security
We use TLS in transit, AES-256 at rest, hardware-backed key management, regular penetration testing, and least-privilege access controls. No system is perfectly secure, but we treat your data as if it were our own.
10. Children
The Services are not directed at children under 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us.
11. Changes
We may update this Privacy Policy from time to time. Material changes will be notified by email or in the client portal at least 30 days before they take effect.
12. Contact our DPO
Data Protection Officer, NexrStack Software, Inc. — privacy@nexrdomains.com. Postal correspondence can be sent care of NexrStack Software, Inc., Delaware, USA.