Privacy Policy

This Privacy Policy explains how SIA ROOTAPI, operating as NetPoint, collects, uses, shares, and protects your personal data when you use our website at netpoint.io, the management panel at panel.netpoint.io, and related services. We are committed to protecting your privacy in compliance with the EU General Data Protection Regulation (GDPR) and applicable Latvian data protection legislation.

1. Data Controller

The data controller responsible for your personal data is:

• Company: SIA ROOTAPI
• Registration No.: 40203090070
• VAT No.: LV40203090070
• Address: Briezu iela 7 - 55, LV-1034, Riga, Latvia
• Email: [email protected]

For all data protection inquiries, please contact us at [email protected].

2. Types of Data Collected

2.1. Account Data

When you create an account, we collect:

• Full name
• Email address
• Password (stored in hashed form)
• Phone number (optional)
• Organization name (optional)
• Billing address
• Country of residence

2.2. Domain Registration Data

When you register a domain name, we collect information required by ICANN and the applicable registry, including:

• Registrant name and organization
• Postal address
• Email address
• Telephone number
• Administrative and technical contact details

2.3. Payment Data

Payment information (credit card numbers, bank account details) is collected and processed directly by our payment processor, Stripe. We do not store your full payment card details on our servers. We retain a record of transactions including amount, date, and the last four digits of the payment method for billing purposes.

2.4. Technical Data

When you visit our website or use our services, we automatically collect:

• IP address
• Browser type and version
• Operating system
• Referring URL
• Pages visited and time spent
• Device identifiers

2.5. Support Data

When you contact our support team, we collect the content of your communications, including email messages and any attachments.

3. Legal Basis for Processing

We process your personal data on the following legal bases under the GDPR:

• Performance of a Contract (Art. 6(1)(b)). Processing is necessary to provide our services to you, including account management, domain registration, hosting, and billing.
• Legal Obligation (Art. 6(1)(c)). Processing is necessary to comply with legal obligations, including ICANN requirements for domain registration data, tax and accounting regulations, and responding to lawful requests from authorities.
• Legitimate Interests (Art. 6(1)(f)). Processing is necessary for our legitimate interests, including preventing fraud and abuse, maintaining security of our services, improving our services, and communicating with you about service updates.
• Consent (Art. 6(1)(a)). Where we rely on your consent (e.g., for marketing communications or non-essential cookies), you may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

4. Data Sharing and Transfers

We share your personal data with the following categories of recipients:

4.1. Sponsoring Registrar

Domain registration data is shared with our sponsoring registrar, Internet.bs Corp. (IANA #2487), as required to process domain registrations, renewals, and transfers. Internet.bs Corp. may further share registration data with the applicable domain registry and, where required by ICANN policy, through the public WHOIS/RDAP system (subject to GDPR-related redactions for personal data).

4.2. Payment Processor

Payment data is shared with Stripe, Inc. for the purpose of processing transactions. Stripe processes data in accordance with its own privacy policy and is certified under the EU-US Data Privacy Framework. For more information, see Stripe's Privacy Policy.

4.3. Infrastructure Providers

We use third-party datacenter and infrastructure providers within the European Union to host our services and store data. These providers act as data processors under our instruction.

4.4. Legal and Regulatory

We may disclose your personal data when required by law, regulation, legal process, or governmental request, including to comply with ICANN policies, respond to UDRP proceedings, or cooperate with law enforcement authorities.

4.5. International Transfers

Where personal data is transferred outside the European Economic Area (EEA), we ensure that adequate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or other lawful transfer mechanisms under the GDPR.

5. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

• Account data: Retained for the duration of your account and for up to 12 months after account closure, unless longer retention is required by law.
• Domain registration data: Retained for the duration of the domain registration and for a period required by ICANN and the applicable registry after the domain is deleted or transferred (typically up to 2 years).
• Transaction and billing data: Retained for a minimum of 5 years as required by Latvian tax and accounting regulations.
• Technical and log data: Retained for up to 12 months for security and performance analysis purposes.
• Support correspondence: Retained for up to 3 years after the last communication to provide continuity of service.

6. Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data:

• Right of Access (Art. 15). You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access the data and information about how it is processed.
• Right to Rectification (Art. 16). You have the right to request correction of inaccurate personal data and to have incomplete data completed.
• Right to Erasure (Art. 17). You have the right to request deletion of your personal data, subject to legal and contractual retention obligations. Note that domain registration data may need to be retained as required by ICANN policy.
• Right to Restriction of Processing (Art. 18). You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of the data.
• Right to Data Portability (Art. 20). You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
• Right to Object (Art. 21). You have the right to object to processing based on legitimate interests or for direct marketing purposes.
• Right to Withdraw Consent. Where processing is based on consent, you may withdraw your consent at any time.
• Right to Lodge a Complaint. You have the right to lodge a complaint with the Latvian Data State Inspectorate (Datu valsts inspekcija) or the supervisory authority in your country of residence.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within one (1) month, as required by the GDPR. This period may be extended by two further months where necessary, taking into account the complexity of the request.

7. Cookies and Similar Technologies

7.1. Essential Cookies. We use essential cookies that are strictly necessary for the operation of our website and management panel, including session cookies for authentication and security. These cookies do not require your consent.

7.2. Analytical Cookies. We may use analytical cookies to understand how visitors interact with our website, helping us improve our services. These cookies are only set with your consent.

7.3. No Third-Party Advertising. We do not use third-party advertising cookies or tracking pixels on our website.

7.4. Managing Cookies. You can control and manage cookies through your browser settings. Please note that disabling essential cookies may affect the functionality of our services.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit (TLS/SSL) and at rest
• Secure password hashing (bcrypt)
• Access controls and authentication mechanisms
• Regular security assessments and updates
• Datacenter physical security (EU Tier III+ facilities)

While we take all reasonable precautions, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data.

9. Children's Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete such data promptly.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or services. Material changes will be communicated to you via email or through notice on our website at least thirty (30) days before they take effect. We encourage you to review this page periodically.

11. Contact Information

For any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us:

• Data Controller: SIA ROOTAPI
• Address: Briezu iela 7 - 55, LV-1034, Riga, Latvia
• Data Protection Inquiries: [email protected]
• General Support: [email protected]

You also have the right to contact the Latvian Data State Inspectorate:

• Authority: Datu valsts inspekcija
• Address: Elijas iela 17, Riga, LV-1050, Latvia
• Website: www.dvi.gov.lv