1. Overview

NamelyHost ("we", "us", "our") is the data user and operator of this website and the domain, email, hosting and SSL services offered under the NamelyHost brand. This policy explains what personal data we collect from you, why we collect it, how we use and protect it, and the rights you have under the Personal Data Protection Act 2010 (PDPA) of Malaysia.

We have written this policy in plain English so that you can read it in one sitting. If something is unclear, please write to us at privacy@namelyhost.com.

2. What personal data we collect

We only collect what we need to operate our services and comply with the law. Specifically:

  • Account data - name, email address, phone number, billing address, company name (if applicable) and a password hash. Collected when you create an account.
  • Identification data - for certain TLDs and for Extended Validation SSL certificates, the relevant registry or certificate authority requires identity documents (NRIC, passport, business registration number). We pass these to the registry or authority and retain only what is needed for audit.
  • Payment data - card details are processed by our payment gateways (Stripe and iPay88) and are never stored on NamelyHost servers. We retain a token and the last four digits of the card for reconciliation.
  • WHOIS data - the registrant contact details for each domain you register. These are published in the WHOIS database as required by ICANN and the relevant registry, unless you subscribe to WHOIS privacy.
  • Service data - records of the services you use, logs of your access to our control panel and API, support tickets and correspondence.
  • Technical data - IP address, browser type, device identifiers, pages visited, referring URL. Collected automatically through server logs and cookies.

3. Why we use it

We use personal data to:

  • Set up, deliver and manage the services you have purchased.
  • Register, renew and transfer domain names with registries and registrars.
  • Validate SSL certificates with certificate authorities.
  • Process payments, send invoices and manage your account balance.
  • Respond to support requests and keep you informed about service issues.
  • Detect and prevent fraud, abuse and breaches of our Acceptable Use Policy.
  • Comply with legal obligations including tax, anti-money-laundering and law-enforcement requests.
  • Send you service-related notices. We do not send marketing emails without your opt-in.

4. Legal basis for processing

Under the PDPA, we rely on one or more of the following bases for each processing activity:

  • Performance of a contract - where we are delivering a service you have ordered.
  • Legal obligation - where we must keep records or share data under Malaysian law or ICANN policy.
  • Legitimate interest - where we process data to run the business (for example, preventing abuse) and that interest is not overridden by your rights.
  • Consent - where we ask for it, for example before sending marketing communications or setting non-essential cookies.

5. Who we share your data with

We share personal data only with parties who need it to deliver the services you have purchased or to operate our business. Categories of recipient:

  • Domain registries and registrars (Verisign, MYNIC, Identity Digital, PIR, Nominet and others) - for domain registration and renewal.
  • Certificate authorities (Sectigo, DigiCert, Let's Encrypt) - for SSL issuance and validation.
  • Payment processors (Stripe, iPay88) - for card and local-rail payments.
  • Infrastructure providers (our upstream data-centre operators) - who host the servers your services run on.
  • Professional advisers (auditors, lawyers, accountants) - under duties of confidence.
  • Authorities - where we are required to disclose by law, court order or regulator.

We do not sell personal data to anyone. We do not share personal data for third-party advertising.

6. International transfers

Some recipients above are based outside Malaysia. Where we transfer personal data abroad, we rely on the PDPA's permitted-transfer provisions (Section 129), including your consent, performance of a contract, or transfers to jurisdictions that provide substantially similar protection. Current transfer destinations include Singapore, the European Union, the United Kingdom and the United States.

7. How long we keep data

We keep personal data only as long as we need it for the purposes set out in this policy, plus any period required by law. Indicative retention periods:

  • Account data - for the life of your account plus 7 years, to meet accounting-record requirements.
  • Billing and tax records - 7 years.
  • Server access logs - 90 days.
  • Support tickets - 3 years after resolution.
  • Marketing preferences - until you withdraw consent.

8. How we protect your data

We take reasonable technical and organisational measures to protect personal data against loss, misuse and unauthorised access. These include encryption in transit (TLS 1.2+), encryption at rest for sensitive fields, role-based access controls, audit logging, regular backups, patch management, and periodic security reviews. No system is perfectly secure; we will notify you and, where required, the Commissioner, if a breach affects your personal data.

9. Your rights under the PDPA

You have the following rights in relation to personal data we hold about you:

  • Access - to request a copy of the personal data we hold.
  • Correction - to have inaccurate data corrected.
  • Withdrawal of consent - for any processing based on consent.
  • Prevent processing - for direct marketing or where processing causes damage or distress.
  • Complaint - to complain to the Personal Data Protection Commissioner at www.pdp.gov.my.

To exercise any of these rights, email privacy@namelyhost.com. We will respond within 21 days. We may charge a prescribed fee for access requests as allowed under the PDPA.

10. Cookies and analytics

We use a small number of cookies to keep you logged in, remember your preferences, and understand how the site is used in aggregate. Details are in our Cookie Policy.

11. Children

Our services are not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe we have, please contact us and we will delete it.

12. Changes to this policy

We may update this policy from time to time. We will post the new version here and update the "effective" date at the top. Significant changes will be notified by email to account holders.

13. Contact us

For questions, complaints or to exercise your rights:

NamelyHost - Privacy Officer
Email: privacy@namelyhost.com
Post: NamelyHost, Kuching, Sarawak, Malaysia