This Privacy Notice describes how information is collected, used, disclosed, processed, and otherwise handled when you visit or interact with this website (the "Site") or communicate using addresses associated with the @protected.is domain.
This Notice should be read together with the Communications & Data Liability Agreement and Policy available at protected.is/policy. In all matters relating to data breach liability, indemnification, and binding obligations arising from communications with @protected.is addresses, the Agreement and Policy governs and takes precedence over this Notice where the two documents address the same subject matter.
By accessing the Site or communicating through any associated channel, you acknowledge that information you provide may be used, disclosed, retained, or otherwise processed as described in this Notice.
This Site and related communications are operated by authorized users of the @protected.is domain ("we," "us," or the "Operator").
Privacy Contact: Protected.is Privacy Desk
Email: privacy@protected.is
This Notice applies to information submitted, transmitted, or collected through:
This Notice does not govern third-party websites or services that may be linked or referenced. For binding obligations specific to communications with @protected.is addresses — including data breach liability — see the Communications & Data Liability Agreement and Policy.
Information may be submitted voluntarily or incidentally, including but not limited to:
Limited technical or operational data may be collected automatically, including:
The Site is not intended to solicit sensitive personal information. Submission of sensitive data through any channel is done at the sender's discretion. The Operator will treat any sensitive information received with heightened care consistent with applicable law.
The Site may use cookies or similar technologies for functionality, diagnostics, analytics, or security purposes. Cookies may collect technical or usage-related information. You may control cookies through your browser settings. Disabling cookies may affect Site behavior or availability.
The Operator is under no obligation to respond to any communication, inquiry, or request within any particular timeframe, or at all. No inference of acceptance, agreement, waiver, or consent shall be drawn from the Operator's delay in responding or failure to respond. Silence on the part of the Operator does not constitute agreement to any terms or proposals made by the Communicating Party.
Where the Communicating Party operates under their own response time requirements or service level agreements, such requirements do not bind the Operator. This provision does not affect the Operator's 72-hour Security Incident notification obligation under the Communications & Data Liability Agreement and Policy.
Where the Operator creates an account, subscribes to a service, or registers using a @protected.is email address on any platform or service operated by the Communicating Party, the Communicating Party's acceptance of this Notice and the Communications & Data Liability Agreement and Policy shall be deemed to occur at the moment the @protected.is address is submitted and accepted as a valid registration credential — regardless of whether the Communicating Party has separately acknowledged these documents in writing.
By processing, storing, or using a @protected.is address in any way — including sending automated, transactional, or marketing emails to it — the Communicating Party accepts the terms of this Notice and the Agreement in full.
Where the Communicating Party sends communications from a no-reply or unmonitored address, the inability of the Operator to deliver a reply to that address does not exempt the Communicating Party from their obligations under this Notice or the Agreement, nor does it constitute a failure of notice on the part of the Operator. The Communicating Party is responsible for maintaining an alternative contact channel — such as a legal notices or abuse address — through which formal notices may be delivered.
This Notice and the Communications & Data Liability Agreement and Policy are publicly accessible at protected.is/privacy and protected.is/policy respectively. Any party who sends communications to, receives communications from, or stores a @protected.is address is deemed to have constructive notice of both documents, regardless of whether they have individually accessed or read them.
Formal legal notices to the Operator must be sent to privacy@protected.is. Communications sent to no-reply or automated addresses by the Communicating Party do not constitute valid legal notice to the Operator.
Information collected through this Site or communications with @protected.is addresses may be used for the following purposes:
Information will not be used for purposes incompatible with the above without notice, except where required by applicable law.
Where required by law, information is processed on one or more of the following bases:
Information submitted or transmitted through the Site or related communication channels may be processed, stored, and used as described in this Notice. The Operator does not voluntarily sell personal information to third parties.
Information may be disclosed to third parties in the following circumstances:
The Operator's obligations regarding the confidentiality of communications content are further defined in the Communications & Data Liability Agreement and Policy. In particular, Section 1 of that Agreement sets out the Operator's mutual commitment not to voluntarily disclose private communication content to unauthorized third parties.
Information may be processed, stored, or transferred to jurisdictions with different or lesser data protection standards than those in your location. The Operator's primary jurisdictions are the United States (Illinois) and Iceland (EEA/GDPR). Where transfers occur outside these jurisdictions, the Operator will apply appropriate safeguards to the extent required by applicable law.
By submitting information, you acknowledge that such processing or transfer may occur. Where mandatory legal requirements apply, appropriate mechanisms will be in place.
Information may be retained for as long as necessary for the purposes described in this Notice, or as required or permitted by applicable law. The Operator may retain certain information indefinitely for legal, security, or operational reasons, or delete it at the Operator's discretion, unless retention or deletion is restricted by applicable law.
The Operator maintains reasonable administrative, technical, and physical safeguards designed to protect information from unauthorized access, disclosure, use, or destruction, consistent with the Operator's obligations under the Communications & Data Liability Agreement and Policy.
However, no transmission or storage system is completely secure. While the Operator takes data security seriously, absolute security cannot be guaranteed. You transmit information at your own risk. In the event of a Security Incident affecting your information held by the Operator, the Operator will notify you in accordance with applicable law and the terms of the Agreement and Policy.
Parties who communicate with @protected.is addresses are bound by equivalent security obligations under the Communications & Data Liability Agreement and Policy. Those obligations — including data breach liability of $5,000 + all documented remediation costs — apply to any Security Incident caused or contributed to by the Communicating Party's systems or practices.
Where required by applicable law — including the GDPR as implemented under Icelandic law — individuals may have rights with respect to their personal information, including rights of access, correction, deletion, restriction, portability, and objection to processing.
To submit a request, contact privacy@protected.is. All requests will be evaluated in accordance with applicable legal requirements, and the Operator reserves the right to verify identity, apply legal exceptions, and assess operational constraints before responding.
To the maximum extent permitted by applicable law, individuals who voluntarily submit information through the Site or communications accept that the exercise of certain rights may be limited by the Operator's legitimate interests, legal obligations, or the terms of the Communications & Data Liability Agreement and Policy. Mandatory legal rights under applicable law cannot be waived and will be respected.
This Site is not designed to solicit or target individuals under the age of 18. The Operator does not knowingly collect personal information from children. If you believe a child has submitted personal information through this Site, please contact privacy@protected.is.
Any telephone or voice communication involving a party with a @protected.is email address is subject to both this Notice and the Communications & Data Liability Agreement and Policy. The full spoken disclaimer, acceptance mechanism, and binding terms for voice communications are set out in Section 5 of that Agreement.
This Notice may be modified at any time. Updates become effective upon posting. The current version is always available at protected.is/privacy. Continued interaction with the Site or communications with @protected.is addresses following an update constitutes acceptance of the revised Notice where permitted by law. Material changes will be reflected in an updated revision number.
This Privacy Notice is governed by the following dual jurisdictional framework, consistent with the Communications & Data Liability Agreement and Policy:
For parties located in the United States, this Notice is governed by the laws of the State of Illinois and applicable United States federal privacy law.
For parties located in the EEA, or for communications through Icelandic infrastructure associated with the .is domain, this Notice is governed by Icelandic law and the GDPR as implemented under Icelandic law.
Dispute resolution for matters arising under this Notice shall follow the process set out in Section 8 of the Communications & Data Liability Agreement and Policy.