mycentral.domains is committed to full compliance with the General Data Protection Regulation (EU 2016/679). This page outlines how we process personal data of individuals in the European Economic Area (EEA), the United Kingdom, and Switzerland.
1. Data Controller
mycentral.domains acts as the data controller for personal data collected through our Platform. For inquiries regarding data processing, contact our Data Protection Officer:
2. Lawful Basis for Processing
We process personal data under the following lawful bases defined in GDPR Article 6:
| Lawful Basis | Processing Activity |
|---|---|
| Contract (Art. 6(1)(b)) | Providing account services, domain management, payment processing, and customer support |
| Consent (Art. 6(1)(a)) | Analytics cookies, marketing communications, and AI-powered recommendations |
| Legitimate Interest (Art. 6(1)(f)) | Platform security, fraud prevention, service improvement, and aggregated anonymised analytics |
| Legal Obligation (Art. 6(1)(c)) | Tax records, abuse prevention, and regulatory compliance |
3. Your Data Subject Rights
Under the GDPR, you have the following rights. To exercise any of these, email legal@mycentral.domains — we will respond within 30 days.
Right of Access (Art. 15)
Request a copy of all personal data we hold about you, including the purposes of processing, categories of data, and recipients.
Right to Rectification (Art. 16)
Request correction of inaccurate or incomplete personal data. You can also update most information directly in your account settings.
Right to Erasure (Art. 17)
Request deletion of your personal data ("right to be forgotten"). We will delete your data within 30 days unless retention is required by law.
Right to Restriction (Art. 18)
Request restriction of processing when you contest data accuracy, object to processing, or the processing is unlawful.
Right to Data Portability (Art. 20)
Receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and transfer it to another controller.
Right to Object (Art. 21)
Object to processing based on legitimate interests or direct marketing. We will cease processing unless we demonstrate compelling legitimate grounds.
Right to Withdraw Consent (Art. 7(3))
Withdraw consent at any time for processing based on consent (e.g., marketing emails, analytics cookies). Withdrawal does not affect the lawfulness of prior processing.
4. Data We Collect
| Category | Examples | Retention |
|---|---|---|
| Account data | Name, email, hashed password | Until account deletion + 30 days |
| Domain data | Domain names, DNS records, registrar info | Until account deletion + 30 days |
| Payment data | Billing address, plan type (card data held by Stripe) | 7 years (tax compliance) |
| Web3 data | Public wallet address, ENS names | Until wallet disconnected + 30 days |
| Usage data | Page views, feature usage, timestamps | 12 months (anonymised after) |
| Device data | IP address, browser type, OS | 90 days |
For complete details, see our Privacy Policy.
5. Data Processing & Sub-Processors
We use the following sub-processors, each bound by Data Processing Agreements (DPAs):
| Sub-Processor | Purpose | Location |
|---|---|---|
| Vercel | Hosting & edge compute | USA / Global CDN |
| Supabase | Database & authentication | EU (Frankfurt) |
| Stripe | Payment processing | USA / EU |
| Vercel Analytics | Privacy-focused analytics | USA / Global |
6. International Data Transfers
Where personal data is transferred outside the EEA, we use the following safeguards as required by GDPR Chapter V:
- Standard Contractual Clauses (SCCs) — adopted by the European Commission (Decision 2021/914).
- EU-U.S. Data Privacy Framework — where applicable and certified by sub-processors.
- Supplementary measures — including encryption and access controls per EDPB recommendations.
7. Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities, including:
- AI-powered domain analytics and valuation models.
- Integration with blockchain networks and wallet data.
- Cross-border data transfers to non-EEA countries.
8. Data Breach Notification
In the event of a personal data breach:
- We will notify the relevant Supervisory Authority within 72 hours of becoming aware of the breach (GDPR Article 33).
- We will notify affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34).
- All breaches are documented with their effects and remedial actions taken.
9. Cookie Policy
In accordance with the ePrivacy Directive and GDPR, we only place non-essential cookies after obtaining your explicit consent. See Section 5 of our Privacy Policy for details on cookie types and management.
10. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local Data Protection Authority. A list of EU DPAs is available at edpb.europa.eu.
11. Contact
| Purpose | Contact |
|---|---|
| Data Protection Officer / GDPR inquiries | legal@mycentral.domains |
| Data subject requests | support@mycentral.domains |
| Security concerns | security@mycentral.domains |