GoDaddy Operating Company, LLC has self-certified its compliance with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF (“UK Extension”), and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”), collectively (the “DPF”).

Several other GoDaddy Operating Company, LLC affiliates also have certified their compliance with the DPF Principles, including:

GoDaddy.com, LLC, GoDaddy Media Temple, Inc. d/b/a Sucuri, Lantirn, Inc. d/b/a re:Amaze, GoDaddy Corporate Domains LLC, GoDaddy Sellbrite, Inc., Starfield Technologies, LLC, Domains by Proxy, LLC, Poynt LLC, Pagely LLC, CallCatchers, Inc. d/b/a Freedom Voice, GoDaddy Payments, LLC, and Blue Razor Domains, LLC (collectively, together with GoDaddy Operating Company, LLC, “GoDaddy”).

This DPF Notice describes GoDaddy's compliance with the specific requirements of the DPF. For a complete statement of our privacy practices, please see our Global Privacy Notice.

Certifications

We comply with the EU-U.S. DPF, the UK Extension, and the Swiss-U.S. DPF as set forth by the U.S. Department of Commerce. We have certified to the U.S. Department of Commerce that we adhere to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension. We have certified to the U.S. Department of Commerce that we adhere to the Swiss-U.S. Data Privacy Framework Principles (“Swiss-U.S. DPF Principles”) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this notice and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the applicable Principles shall govern. To learn more about the DPF program please visit www.dataprivacyframework.gov.

To view our certification, please visit https://www.dataprivacyframework.gov/list.

Scope

This DPF Notice applies to our processing of personal data transferred to the United States from the European Union/European Economic Area (“EU/EEA”), Switzerland, and the United Kingdom ("UK") in reliance upon the DPF. If there is any conflict between this notice and the DPF Principles, the DPF Principles govern.

We process personal data as a controller (who determines the purpose and means of processing) or as a processor (who acts upon the written instructions of the controller)

Notice of Privacy Practices: Controller

Our privacy practices when we act as a data controller are set forth in our Global Privacy Notice, including:

• the types of personal data collected
• the purposes for which we collect personal data
• the type of third parties to whom we disclose personal data,
• our practices relating to the collection and use of personal data,
• the right of individuals to access their personal data
• the choices and means we offer for limiting use and disclosure of personal data.

Notice of Privacy Practices: Processor

When we act as a data processor, the controller determines the types of personal data collected, and the practices relating to the collection and use of personal data collected.

Our rights and obligations as a processor are defined by a written data processing addendum (“DPA”) executed between us and the controller. In general, we process personal data according to applicable law and the instructions provided by the data controller. The data controller is responsible for ensuring it:

• has a lawful basis for collecting the personal data provided to us
• has provided appropriate notices and disclosures to data subjects as required under applicable law
• has the right to allow transfer of personal data to the United States
• has otherwise complied with all applicable laws relating to the collection and processing of personal data
• provides responses to requests from individuals to access their personal data, and
• provides appropriate choices and means to individuals to limit the use and disclosure of their personal data.

When acting as a processor, we disclose personal data:

• to our affiliates and subprocessors for the purpose of operating our business and/or providing our services
• to third parties at the controller's request
• when required to make disclosures pursuant to law or in response to lawful requests from governmental authorities, including in response to national security, government interests, or law enforcement requests.

Onward Transfers of Personal Data

When transferring personal data to a processor (or subprocessor) (an “Onward Transfer”), we:

• require the processor or subprocessor to enter into a written DPA
• require the processor or subprocessor to process the personal data for only limited and specific purposes defined in the agreement
• take reasonable and appropriate steps to ensure that the personal data is processed in a manner consistent with the DPF Principles,
• require the processor or subprocessor to notify us if the processor determines that it can no longer meet its obligations under the DPF Principles,
• take reasonable and appropriate steps to stop and remediate unauthorized processing, and
• will provide a summary or representative copy of the relevant privacy protections in our agreements with our processors to the Department of Commerce upon request.

We remain liable under the DPF Principles if our processor or any other person or entity to whom our processor transfers personal data processes personal data in a manner not consistent with the DPF Principles, unless we demonstrate that we are not responsible for the unauthorized processing.

Other Disclosures

We also disclose personal data (a) for the purpose of operating our business and providing our Services as described in our Global Privacy Notice and related privacy policies, (b) to third parties at the controller's request, (c) if required to make disclosures pursuant to law, or (d) in response to lawful requests from governmental authorities, including in response to national security, government interest, or law enforcement requests.

Data Subject Right – Access

Individuals in the European Union, United Kingdom (and Gibraltar), and Switzerland generally have the right to access, correct, amend, or delete their personal data. Where GoDaddy acts as a Controller, to access, correct, amend, or delete any general information you have provided to us as a customer, you can log into your account for self-service; or send a request to privacy@godaddy.com. Where GoDaddy acts as a processor processing personal data on behalf of its customers in the course of providing our services, GoDaddy does not own or control such data and does not have a direct relationship with the users whose personal data may be processed in connection with providing the service. Since each customer is in control of what information, including any personal data, it collects from its users, how that information is used and disclosed, and how that information can be changed, users of our services should contact the applicable customer administrator with any inquiries about how to access, correct, amend, or delete personal data contained in customer data. To the extent a user makes an access, correction, amendment, or deletion request to GoDaddy, we will refer the request to the appropriate GoDaddy customer and will support such customer as needed in responding to any request.

Data Subject Choice - Secondary Purposes

If personal data covered by this Data Privacy Framework Notice is to be used for a new purpose that is materially different from that for which the personal data was originally collected or subsequently authorized, or is to be disclosed to a non-agent third party in a manner not specified in this Policy, GoDaddy will provide you with an opportunity to choose whether to have your personal data so used or disclosed. Requests to opt out of such uses or disclosures of personal data should be sent to privacy@godaddy.com.

Certain personal data, such as information about medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, is considered “sensitive information”. GoDaddy will not use sensitive information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual unless GoDaddy has received your affirmative and explicit consent (opt-in).

Human Resources Personal Data

We transfer human resources data pursuant to the DPF. A copy of our employee privacy policy governing the processing of employee personal data is available to employees on our internal network or by emailing us at privacy@godaddy.com. Employment candidates are invited to review our Applicant Privacy Policy.

Data Security

Our Global Privacy Notice contains a description of the measures we employ to protect the confidentiality, integrity, and availability of personal data we process.

Recourse, Enforcement, and Liablity

We have established internal mechanisms to verify our ongoing adherence to the DPF Principles and the other requirements described in this notice and our Global Privacy Notice. We also are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (“FTC”).

We have committed to resolve DPF Principles-related complaints about our collection and use of personal information. Individuals with inquiries or complaints regarding our handling of personal data received in reliance on the DPF should first contact us at privacy@godaddy.com or at the address below:

Office of the Data Privacy Officer
GoDaddy Operating Company, LLC
100 S. Mill Ave
Suite 1600
Tempe. AZ 85281 USA

We respond to inquiries and complaints within 45 days.

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, GoDaddy commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.

If we are unable to resolve a complaint through the independent dispute resolution panel appliable to you, you may be able to invoke binding arbitration for some residual claims not otherwise resolved by other recourse mechanisms. This binding arbitration mechanism is administered by the International Centre for Dispute Resolution -American Arbitration Association (ICDR-AAA). For more information about binding arbitration, please visit the Data Privacy Framework's Annex regarding Arbitration.

Changes to this Statement

We may revise this Data Privacy Framework Notice by posting a revised statement at the same location as this notice, on another location on our website, or by direct notice to you. If we change this notice, it will apply to personal data collected prior to adoption of the new statement only to the extent as the new statement does not reduce the rights of affected data subjects. As long as we continue to participate in the DPF program, we will not change our statement in a way that is inconsistent with our obligations under the DPF program or the DPF Principles.