Privacy
Privacy Policy
How we collect, use, and protect your personal data — and the rights you have over it.
Last updated: 5 May 2026. Effective: 5 May 2026.
GuardYourName is operated by Avida LLC ("we", "us"), a US company. We sell domain registrations, brand-protection bundles, and related hosting services. We treat your personal data carefully because losing customer trust is the fastest way to lose a brand-protection business.
This policy describes what we actually do with your data — not aspirations. Where we have a choice, we minimize. Where the law (ICANN, payment networks, accounting) requires us to keep something, we tell you that explicitly.
Who this applies to
This policy covers everyone who visits guardyourname.com, creates an account, or completes a purchase. It applies globally — we apply the same protections to every customer, including those in the EU/EEA/UK (GDPR), California (CCPA/CPRA), and other US states with comprehensive privacy laws (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Delaware, Iowa, Tennessee, Maryland, Minnesota, Indiana, New Jersey).
What we collect
Account data
- Name and email — needed to log you in and contact you about your services.
- Phone number — required by ICANN as part of registrant contact information.
- Password — stored as a one-way bcrypt hash. We never see, store, or log the plaintext.
- Two-factor authentication secrets and recovery codes — encrypted at rest. Recovery codes are also hashed before encryption so even a database leak doesn't expose them in usable form.
- Customer number — an internal identifier we assign for support and accounting (e.g.
10008260).
Registrant contact information (WHOIS)
When you register a domain, ICANN requires us to collect a full set of contact information for the registrant: legal name, organization (if any), street address, city, state/province, postal code, country, phone number, and email. We:
- Encrypt it at rest in our database (Laravel
encrypted:arraycast on theorders.contacts_encryptedcolumn). - Send it to the registrar (OpenSRS or Namecheap) so the domain can be registered in your name.
- Enable WHOIS privacy on every registration by default — the registrar masks your contact details in the public WHOIS record so they aren't exposed to the world.
- Keep a copy on your account so future checkouts pre-fill (one-click reorder), unless you ask us to delete it.
Payment data
Card numbers, expiration dates, and CVCs are never stored on our servers. They're tokenized client-side by Stripe.js or Square Web Payments SDK and we only ever see opaque payment IDs that the card network can use to charge or refund. We store:
- A reference to the payment (Stripe Payment Intent ID or Square payment ID).
- Stripe Customer ID for recurring services.
- Amount, currency, and timestamps.
Usage data
- Session data — encrypted server-side. Your IP and user-agent are stored in the
sessionstable while the session is active. - Login token request IPs — when you request a magic-link sign-in, we record the requesting IP for anti-replay during the 15-minute link validity window. Pruned 7 days after expiry.
- Trusted-device fingerprints — if you tick "remember this device" during a 2FA prompt, we store a hashed token, a UA-derived label ("MacBook · Safari · 2026-05-05"), the IP at registration, and a 30-day expiration. Pruned at expiration.
What we don't collect
- No analytics or tracking — we don't run Google Analytics, Mixpanel, Plausible, Hotjar, PostHog, Fathom, Segment, GTM, or any other third-party tracking tool. There is no advertising tag on our site.
- No marketing pixels — no Facebook Pixel, no LinkedIn Insight Tag, no TikTok pixel, no retargeting cookies.
- No marketing email lists today. Our outbound mail is exclusively transactional (sign-in links, registration confirmations, transfer notices, renewal reminders). If we ever launch a newsletter, we will gate it behind explicit double-opt-in consent and an unsubscribe link, and we will not auto-enrol existing customers.
- We do not sell, share, or rent your personal information for any purpose, ever.
Why we collect it (lawful basis under GDPR)
| Purpose | Lawful basis |
|---|---|
| Performing the contract you signed up for (registering a domain, hosting your site, etc.) | Contract (Art. 6(1)(b)) |
| Sending you transactional emails (sign-in links, registration confirmations, renewal reminders) | Contract (Art. 6(1)(b)) |
| Complying with ICANN registrant data obligations | Legal obligation (Art. 6(1)(c)) |
| Tax + accounting record-keeping | Legal obligation (Art. 6(1)(c)) |
| Fraud prevention (rate limiting, IP reputation, bot detection) | Legitimate interest (Art. 6(1)(f)) |
| Account security (2FA, password reset flows) | Contract + Legitimate interest |
How long we keep it
| Data | Retention |
|---|---|
| Active account record | Until you delete the account. |
| Order header rows (totals, payment IDs, registrar IDs — for accounting / refunds) | 7 years per US tax / accounting practice. Personal data inside the order is anonymized earlier (see below). |
| Registrant contact data inside an order | While you have any active registration with us. Once you have no active domain destinations on file and your account has been idle for ≥1 year, the contact fields are anonymized on the next quarterly retention sweep. The order shell stays for accounting; the personal data is gone. |
| Magic-login tokens (with requesting IP) | Token TTL 15 minutes; row pruned 7 days after expiry. |
| Trusted-device records | 30-day TTL; row pruned at expiration. |
| Session records | Idle timeout 120 minutes; sweeper deletes expired rows. |
| Empty anonymous shopping carts (bot crawler cruft) | Deleted after 7 days idle. |
| Application logs (which may contain user IDs / emails) | 30 days on the host; rotated and overwritten. |
| Stripe / Square / Resend / registrar records (we don't control these) | Per the sub-processor's policy. See sub-processors. |
Who sees your data
Your data lives on our DigitalOcean droplet (US region) and is shared only with the sub-processors necessary to run the service. We have a separate, always-current page listing every sub-processor we use, what data they receive, and what country they operate in: see Sub-processors.
Internally, only the founder + any explicitly-designated support staff have access to the production database. We log administrative actions and gate sensitive ones (account deletion, customer edits, refunds, transfer-outs) behind a step-up two-factor challenge.
How we protect it
- Encrypted at rest: WHOIS contacts, default-contact prefill cache, two-factor secrets, two-factor recovery codes, and EPP transfer auth codes are encrypted using Laravel's app-key-based AES-256-CBC.
- Bcrypt passwords: never stored in plaintext, never recoverable.
- HTTPS only: served via Caddy with automatic Let's Encrypt certificates.
- Two-factor authentication available to every customer (TOTP + recovery codes; passkeys/WebAuthn supported).
- Step-up authentication (fresh-auth) on sensitive routes — even if your session is hijacked, destructive actions still require a fresh TOTP / passkey / magic-link confirmation.
- Rate limiting on login, magic-link, and password-reset flows to slow down credential-stuffing attempts.
- Cloudflare Turnstile on the magic-link login form to deter bot automation.
- Webhook signature verification on every Stripe / Square / registrar callback — we don't accept unsigned mutation requests.
Your rights
Under GDPR, CCPA/CPRA, and the parallel US state privacy laws, you have the following rights regardless of where you live (we apply them globally):
- Right to know — see exactly what data we hold about you. Authenticated customers can self-serve via Download my data, which produces a JSON file containing every personal data point we have on you.
- Right to portability — the same JSON export is structured so you can move it to another service.
- Right to erasure ("right to be forgotten") — self-serve at your profile → "Delete account". Both endpoints scrub PII out of related order rows on your way out, leaving only anonymous accounting shells.
- Right to correct — edit your own profile any time. For data on past orders, email us.
- Right to object / restrict processing — email us with a description of what you want restricted.
- Right to opt out of "sale or sharing" (CCPA/CPRA) — we do not sell or share your personal information for cross-context behavioral advertising or for monetary or other valuable consideration. There is nothing to opt out of, but if you want a written confirmation, email us.
- Right to non-discrimination — we don't penalize anyone for exercising these rights.
- Right to lodge a complaint with your supervisory authority if you're in the EU/EEA/UK.
To exercise any of the above by email, write to privacy@guardyourname.com. We respond within 30 days (and try to be much faster). We may need to verify your identity before honoring a request — usually by asking you to act from the email address on file.
International transfers
Our servers are in the United States. If you're in the EU/EEA/UK, your data crosses the Atlantic when you sign up. We rely on the Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework where our sub-processors participate in it. The full list of sub-processors and their certifications is on the Sub-processors page.
Children's privacy
Our service is not directed at children under 16, and we do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, email privacy@guardyourname.com and we will delete it.
Data breach notification
If we discover a personal-data breach affecting you, we will notify you and (where required) the relevant supervisory authority without undue delay and within 72 hours of discovery, per GDPR Art. 33–34 and the parallel state breach laws. The notification will describe what happened, what data was affected, and what we're doing about it.
Cookies
We use only strictly-necessary cookies (session, CSRF, cart binding, optional 2FA "remember this device"). No analytics cookies, no advertising cookies, no third-party trackers. Full breakdown on the Cookies page.
Changes to this policy
We will update this page when material changes happen. The "Last updated" date at the top reflects the date of the most recent material change. We won't quietly weaken your protections — if a change reduces your rights, we'll email customers in advance.
Contact
Avida LLC
privacy@guardyourname.com
For data protection / GDPR matters, you can also reach us at the same address. We have not designated a Data Protection Officer at this time because we fall well below the GDPR thresholds that would require one — but the privacy email is monitored daily and the founder personally reads it.