Last Revised: DATE 2021
.CO Internet SAS, the registry operator ("Registry Operator") for the .CO top level domain (".CO") cares about your privacy. For this reason, we collect and use information that is linked or linkable to natural persons ("Personal Data") only as needed to offer, operate, maintain, support, and enhance .CO and operate our business and to communicate with you about the same, or as you have requested (collectively, our "Services"). Your Personal Data includes information such as:
Billing and payment information (for .CO registrars)
Candidate information (for job applicants)
Other data associated with these or other persistent identifiers that could directly or indirectly identify you
Background and Legal Framework for the .CO Top Level Domain
Resolution 161 of 2020 (the ".CO Contract"), issued by the Ministry of Information and Communication Technologies of Colombia ("MINTIC"), establishes the policy framework for the (a) promotion, administration and operation of the Colombian Internet Top-Level Domain (ccTLD ".CO") and (b) the delegation of domain names under the ".CO" domain.
.CO INTERNET S.A.S. is the operator responsible for the operation of the .CO domain, with delegation from and supervision of MINTIC. Under the .CO Contract, the Registry Operator is responsible for providing the .CO registry and a shared registration system; promoting and marketing .CO; selling, through registrars, .CO registrations; maintaining the security, stability, and resiliency of .CO; enforcing .CO policies; and reporting on these activities.
.CO INTERNET S.A.S. is a private company identified with TIN 900.308.815-4, whose domicile is "Calle 100 # 8A-49, Torre B, Oficina 507" in the city of Bogotá D.C., Colombia, zip code 110221069.
In compliance with Law 1581 / 2012, regulated by Decree 1377 / 2013 and all other laws and regulations on the subject, .CO INTERNET S.A.S. is the Controller of the Personal Data of its clients, registrants, users, suppliers, vendors, employees and customers, among others.
What information we collect, how we collect it, and why.
Much of what you likely consider personal information is collected directly from you when you:
i. create an account (ex: billing information, including name, address, credit card number, government identification);
ii. register a domain in .CO (ex: name, contact, and nameserver information)
iii. request assistance from our award-winning customer support team (ex: phone number);
iv. complete contact forms or request newsletters or other information from us (ex: email); or
v. participate in contests and surveys, apply for a job, or otherwise participate in activities we promote that might require information about you.
However, we also collect additional information when delivering our Services to you to ensure necessary and optimal performance. These methods of collection may not be as obvious to you, so we thought we’d highlight and explain a bit more about what these might be (as they vary from time to time):
Registrant data. When you register a domain name, your registrar collects certain information, including the personal information identified above, the name of your Registrar, the IP Address of the servers on which your domain name is hosted, contact information for others involved in operation of the domain, and other information about the domain name registration. We use this information to deliver registry services and for other purposes described below.
Data on domain names, contact and hosting for each registry under the ccTLD.co is included in a database named the Registry Database for the ccTLD.co.
Registry Operator and/or the Registrars, as the case may be, carry out the collection, storage, use, circulation, elimination, transmission, transfer and/or reception of the abovementioned data for the following purpose: to administer and/or manage the Registry Database and provide the registry services in order to comply with the terms of the Resolution 161 of 2020, the .CO Contract and the guides, policies and supervision of the MINTIC, related to registry operations of such domain names.
Registry Operator shall not permit access to the Registry Database by individuals other than required for fulfillment of the purpose of the .CO Contract, taking into account in any case the privileges that each shall have regarding access to said Registry Database. Where required in accordance with applicable laws, Registry Operator shall permit access to the Registry Database whenever a Colombian judicial authority so orders.
Registry Operator may not sell the personal data contained in the database, neither in a disaggregated manner, nor jointly, nor by anonymizing the data. Registry Operator does not have nor will it develop any intellectual property right regarding the data in the Registry Database and this Database is at the service of the Colombian Nation, the Registered Users and the Internet community in general.
Registry Operator shall be responsible for processing the personal data of the Registry Database, under the terms stipulated in Law 1581 of 2012 and its regulatory provisions, as well as those that modify, complement or replace them.
Registry Operator has a Mirror Database/Escrow File available to the MINTIC and the Emergency Operator (EBERO) for the purposes of Supervision and Emergency Transition, if required, which replicates the contents of the Registry Database.
DNS services. We provide a variety of Domain Name System (DNS) services to facilitate the global flow of Internet traffic. In providing these services, we collect and process DNS queries, which include both source and destination IP Address information, time and date stamps, and other technical information. We use this information to provide connectivity and routing services to our customers, to investigate, identify and mitigate malicious and fraudulent activity, and to enhance our products and services.
DDoS services. In providing DDoS services, we collect and process network traffic information containing both source and destination IP Addresses, Referrer URL, and other Internet Log Data to help our customers identify and respond to cyber-attacks and other malicious online traffic, including distributed denial of service (DDoS) attacks. We analyze the attack vector information containing the source and destination IP Addresses, attack duration, and traffic volume to enhance our ability to detect and mitigate malicious activity on the Internet more broadly. Based on this analysis, we may share information about malicious activities, blocked hostnames or IP Addresses, source and target geolocation data, and target industry or vertical information with third parties such as internet security research groups and service providers to prevent, detect, and mitigate against malicious online behavior.
Supplemented Data may be received about you from other sources, including publicly available databases or third parties from whom we have purchased data, in which case we may combine this data with information we already have about you so that we can update, expand and analyze the accuracy of our records, assess the qualifications of a candidate for employment, identify new customers, and provide products and services that may be of interest to you. If you provide us personal information about others, or if others give us your information, we will only use that information for the specific reason for which it was provided to us.
How we utilize information.
We strongly believe in both minimizing the data we collect and limiting its use and purpose to only that (1) for which we have been given permission, (2) as necessary to deliver the Services you purchase or interact with, or (3) as we might be required or permitted for legal compliance or other lawful purposes. To the extent permitted by applicable law and the .CO Contract, we use Personal Data about .CO registrants to:
Deliver, improve, update and enhance our Services. We collect various information relating to your purchase, use and/or interactions with our Services. We utilize this information to:
Provide, support, enhance, improve and optimize our Services and the operation and performance of our Services; diagnose problems with and identify any security risks, errors, or needed enhancements to the Services;
Detect, prevent and respond to cybersecurity threats as well as fraud and abuse of our Services and systems;
Collect aggregate statistics about use of the Services;
Understand and analyze how you use our Services and what products and services are most relevant to you;
Comply with contractual requirements, ICANN policy requirements, laws and regulations;
Investigate and respond to complaints and inquiries, including complaints about abusive and/or illegal conduct, and orders and inquiries from authorities; Comply with .CO Contract obligations, including but not limited to producing information reports to MINTIC, producing reports to MINTIC in connection with support claims and support services requests from users, clients and registrants;
Provide support services and commercial information, process invoice operations and registry operations (registration, renewal, elimination, consulting and modification), respond to petitions, complaints and claims and respond to orders and requests from authorities.
Enforce registry policies related to, without limitation, reviewing the accuracy of submitted information, limitations on registration, and prohibitions against the use of domain names to distribute malware, operate botnets, or engage in phishing, piracy, intellectual property infringement, fraudulent or deceptive practices, counterfeiting or other activity that is contrary to applicable law. Much of the data collected is aggregated or statistical data about how individuals use our Services, and is not linked to any personal information.
Sharing with third parties. We limit access to Personal Data about .CO registrants to those with a need to know for purposes of providing our Services and fulfilling our obligations under the .CO Contract. We may share your personal information with affiliated companies within our corporate family, with third parties with which we have partnered to allow you to integrate their services into our own Services, and with our affiliates or trusted third party service providers as necessary for them to perform services on our behalf, such as:
Processing credit card payments
Serving advertisements for the .CO domain
Conducting contests or surveys
Performing analysis of our Services and customer demographics
Communicating with you, such as by way of email or survey delivery
Customer relationship management
Recruiting support and related services
To Colombian Judicial authorities in response to a lawful order.
These third parties (and any subcontractors they may be permitted to use) have agreed to comply with applicable law, including the Republic of Colombia’s data protection Law 1581 of 2012, not to share, use or retain your personal information for any purpose other than as necessary for the provision of Services.
We will also disclose your information to third parties:
in the event that we sell or buy any business or assets (whether as a result of liquidation, bankruptcy or otherwise), in which case we will disclose your data to the prospective seller or buyer of such business or assets; or
if we sell, buy, merge, are acquired by, or partner with other companies or businesses, or sell some or all of our assets. In such transactions, your information may be among the transferred assets.
We do not sell Personal Data about .CO registrants.
Registrant Data and "WHOIS"
As the Registry Operator for the .CO TLD, we collect this registrant data from registrars. In addition to the uses and disclosures described above, we use this data to provide registry services, to enforce our policies and our customers’ policies, to prevent, detect, and respond to malicious behaviour and/or misuse of our services, and to provide the "WHOIS" services described below. We also make this information available online, in accordance with applicable law and/or policy or contractual requirements imposed by ICANN and/or our registry customers. For example, Personal Data about .CO registrants may be made available upon request to third parties with a legitimate and proportionate interest in using the data for non-marketing purposes such as consumer protection, crime detection, intellectual property protection, etc. We may from time to time collect and aggregate demographic data or statistical analysis and other research, but we do not disclose personal information in that process and we do not commercialize that data.
We prohibit use of registrant data:
For purposes other than the legitimate and proportionate purpose for which it was acquired (e.g., consumer protection);
For third party marketing and advertising;
To allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via direct mail, electronic mail, or by telephone;
In contravention of any applicable data and privacy protection laws; or
To enable high volume, automated, electronic processes that interact with domain name registry systems.
Communicating with you. We may contact you directly or through a third party service provider regarding products or services you have signed up for or purchased from us, such as necessary to deliver transactional or service related communications. We may also contact you with offers for additional services we think you’ll find valuable if you give us consent, or where allowed based upon legitimate interests. You don’t need to provide consent as a condition to purchase our goods or services. These contacts may include:
Text (SMS) messages
Messenger applications (e.g. WhatsApp, etc.)
Automated phone calls or text messages.
If you make use of a service that allows you to import contacts (ex. using email marketing services to send emails on your behalf), we will only use the contacts and any other personal information for the requested service. If you believe that anyone has provided us with your personal information and you would like to request that it be removed from our database, please contact us at email@example.com.
Transfer of personal information abroad. The Registry Operator and .CO registrars may transmit or transfer Personal Data about .CO registrants across international borders and to countries other than the country in which you reside. When you register a .CO domain name you provide your express, written, and informed authorization for such transfers. We obligate all recipients of this data to process it only in accordance with applicable law and to be accountable for such processing.
If you utilize our Services from a country other than the country where our servers are located, your personal information may be transferred across international borders, which will only be done when necessary for the performance of our contract with you, or when we have your consent to do so, or when the appropriate standard contractual clauses are in place. Also, when you call us or initiate a chat, we may provide you with support from one of our global locations outside your country of origin.
Compliance with legal, regulatory and law enforcement requests. We cooperate with government and law enforcement officials and private parties to enforce and comply with the law. We will disclose any data about you to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate to respond to claims and legal process (such as lawful requests) in connection with US or foreign civil, criminal, or investigative matters, to protect our property and rights or the property and rights of a third party, to protect the safety of the public or any person, or to prevent or stop activity we consider to be illegal or unethical.
We will also share your data to the extent necessary to comply with any ICANN rules applicable to country-code top level domains. For reasons critical to maintaining the security, stability and resiliency of the Internet, this may include the transfer and publication of domain name registration to other third parties that demonstrate a legitimate legal interest to such information.
How we secure, store and retain your data.
We follow generally accepted standards to store and protect the personal information we collect, both during transmission and once received and stored, including utilization of encryption where appropriate.
We retain personal information only for as long as necessary to provide the Services you have requested and thereafter for a variety of legitimate legal or business purposes. These might include retention periods:
mandated by law, contract or similar obligations applicable to our business operations;
for preserving, resolving, defending or enforcing our legal/contractual rights; or
needed to maintain adequate and accurate business and financial records.
If you have any questions about the security or retention of your personal information, you can contact us at firstname.lastname@example.org.
How you can access, update or delete your data.
To easily access, view, update, delete or port your personal information that we collect from you, you may contact us by email at email@example.com or by one of the other methods described in the "Contact Us" section below.
If you make a request to delete your personal information and that data is necessary for the products or services you have purchased, the request will be honored only to the extent it is no longer necessary for any Services purchased or required for our legitimate business purposes or legal or contractual record keeping requirements.
To submit a request to know or delete Registrant Data collected by your Registrar, you will need to contact your Registrar to fulfill the request.
Your rights under Colombian law.
Under Colombian data protection law, including without limitation, Article 15 of the Political Constitution of Colombia, Statutory Law 1581 / 2012, Decree 1377 / 2013, and Resolution 16 / 2020, you may have certain rights to control your Personal Data. This includes the rights to:
Freely access your Personal Data at any time;
Access, update, and rectify your Personal Data where it is inaccurate, incomplete, or misleading;
Request proof that you have authorized such processing in your Registration Agreement, or otherwise;
Upon request be informed about our use of Personal Data;
Ask us to delete your Personal Data and/or revoke your authorization to process it (however, if you do so we may no longer be able to provide the Services);
File a complaint with the Superintendence of Industry and Trade (SIC) for any violation of Colombian data protection law.
In order to exercise any of these rights, please send an email to firstname.lastname@example.org. You may also address written communications to us at:
Privacy - Customer Service
.CO Internet SAS
Calle 100 #8A-49, Torre B, Oficina 507
World Trade Center
Registry Operator’s Personal Data Protection Policy
For further information about our privacy obligations and practices, please review our Personal Data Protection Policy.
‘Do Not Track’ notifications.
Some browsers allow you to automatically notify websites you visit not to track you using a “Do Not Track” signal. There is no consensus among industry participants as to what “Do Not Track” means in this context. Like many websites and online services, we currently do not alter our practices when we receive a “Do Not Track” signal from a visitor’s browser. To find out more about “Do Not Track,” you may wish to visit www.allaboutdnt.com.
Our Services are available for purchase only for those over the age of 18. Our Services are not targeted to, intended to be consumed by or designed to entice individuals under the age of 18. If you know of or have reason to believe anyone under the age of 18 has provided us with any personal information, please contact us.
We will not discriminate against you for exercising any of your privacy rights. Unless permitted under applicable laws, we will not:
Deny you goods or services.
Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
Provide you a different level or quality of goods or services.
Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
Changes to this policy.
In the alternative, you may contact us by mail:
Attn: Office of the Data Protection Officer, 14455 North Hayden Road, Suite 219, Scottsdale, AZ 85260 USA, or for customers established in the EEA, Attn: Legal, Office of the DPO, 5th Floor, The Shipping Building, Old Vinyl Factory, 252-254 Blyth Road, Hayes, UB3 1HA.
We will respond to all requests, inquiries or concerns within thirty (30) days of receipt.