Legal · Your data

Privacy Policy

Last updated: 26 June 2026·Thinking Fish Ltd · Company № 03637036·Registered in England & Wales

Who we are

This Privacy Policy explains how Thinking Fish Ltd ("Thinking Fish", "we", "us" or "our") collects, uses, shares and protects your personal data when you use this website (thinking.fish) and the services we provide through it.

Thinking Fish Ltd is a company registered in England and Wales under company number 03637036, with its registered office at 4.01 The Tea Building, 56 Shoreditch High Street, London, E1 6JJ. For the purposes of UK data protection law (the UK GDPR and the Data Protection Act 2018), Thinking Fish Ltd is the data controller for the personal data described in this policy.

If you have any questions about this policy or about how we handle your personal data, please contact our data protection contact at dpo@thinking.fish, or write to us at the address above.

What this policy covers

This policy covers personal data we collect when you browse the site, search for and register domain names, place an order and pay for services, create and use a customer account, submit a careers application, run a WHOIS lookup, or otherwise contact us.

Our services are also governed by our Terms and Conditions for the sale of goods and services, our Domain Name Terms and Conditions, our Website Terms of Use, and our Abuse and Complaints policies. This Privacy Policy should be read alongside those documents.

The personal data we collect

Depending on how you use the site, we may collect the following categories of personal data:

  • Identity and contact details - your name, email address, telephone number, postal or billing address, country, and (for business customers) company name and company/VAT number. We collect these when you register a domain, place an order, create an account, make an enquiry, or apply for a job.
  • Domain registrant details - the registrant contact information required to register and manage a domain name. Some of this information may be passed to the domain registry and published in public WHOIS / RDAP records, subject to the redaction described below.
  • Account information - the email address you log in with and the one-time login codes we send you. We do not store passwords for the website account; sign-in uses a code sent to your email.
  • Order and billing information - the products and services you buy, order references, invoices and payment status.
  • Payment information - card payments are processed by our payment provider (Judopay). We do not receive or store your full card number; we receive a confirmation of the transaction and limited details such as the card type and last four digits.
  • Careers information - if you apply for a role, the contact details, CV/resume and any other information you choose to include in your application.
  • Technical and usage data - your IP address, browser and device type, the pages you visit and how you interact with the site. Some of this is collected through our server logs and, where you consent, through analytics cookies.
  • Communications - the content of emails, support requests and other correspondence you send us.

How we collect your data

We collect personal data directly from you when you enter it on the site (for example in the domain checkout, the account area, the careers form, or a WHOIS search), and when you email or otherwise contact us.

We also collect certain technical data automatically when you use the site, through server logs and - only with your consent - analytics cookies. We receive limited information from our payment provider when you make a payment, and from domain registries when we manage a domain on your behalf.

How and why we use your data

We only use your personal data where the law allows us to. The legal bases we rely on are: performance of a contract with you; compliance with a legal obligation; our legitimate interests (where these are not overridden by your rights); and your consent. We use your data to:

  • Provide our services - register and manage domain names, set up and run the products you buy, and operate your account (legal basis: performance of a contract).
  • Take and process payments and keep accounting and tax records (legal bases: performance of a contract, and compliance with a legal obligation).
  • Register domains with the relevant registry and meet the registry's and ICANN's requirements (legal bases: performance of a contract, and compliance with a legal obligation).
  • Respond to your enquiries and provide customer support (legal bases: performance of a contract, and our legitimate interest in helping our customers).
  • Consider and process careers applications (legal basis: taking steps at your request prior to a possible contract, and our legitimate interest in recruiting).
  • Understand how the site is used and improve it, using analytics (legal basis: your consent).
  • Keep the site and our services secure, prevent fraud and abuse, and enforce our terms (legal basis: our legitimate interest in protecting our business and customers).
  • Comply with our legal and regulatory obligations and respond to lawful requests from authorities (legal basis: compliance with a legal obligation).

We do not send marketing emails without your consent, and you can withdraw any consent at any time.

Cookies and analytics

When you first visit the site you are shown a consent banner. Strictly necessary cookies - such as those that remember your cookie choices and keep you signed in to your account - are always set, because the site cannot function without them.

Analytics cookies are only set if you accept them. We use Google Analytics to understand, in aggregate, how visitors use the site so we can improve it. Google Analytics sets cookies and processes usage data (including a truncated/again-processed form of your IP address) as our processor. If you do not consent, these cookies are not set and Google Analytics does not run.

You can change or withdraw your cookie choices at any time using the cookie settings on the site, and you can also block or delete cookies through your browser settings.

Who we share your data with

We do not sell your personal data. We share it only with the parties below, and only as far as needed to provide our services or meet our legal obligations:

  • Domain registries and our domain registrar partners - including Tucows / OpenSRS and Nominet (for .uk domains) - to register and manage domain names. Registries operate their own WHOIS / RDAP systems; registrant details may be held by them and, in some cases, published, subject to privacy redaction.
  • Our payment provider, Judopay, to process card and Apple Pay payments securely.
  • Our accounting system, Xero, to raise and manage invoices and keep financial records.
  • Microsoft, where you purchase Microsoft 365 products, to provision and manage those subscriptions.
  • Amazon Web Services, which hosts infrastructure and sends our transactional email on our behalf.
  • Google, as the provider of Google Analytics, where you have consented to analytics cookies.
  • Our professional advisers (such as accountants and lawyers), and law enforcement, regulators or other authorities where we are legally required to disclose information.

Where we use third parties to process personal data on our behalf, they act under contract and may only use the data for the purposes we specify.

International transfers

Some of the providers we use (for example Google, Microsoft, Amazon Web Services and Tucows) may process personal data outside the United Kingdom. Where they do, we rely on appropriate safeguards recognised under UK data protection law - such as the UK's adequacy regulations, the International Data Transfer Agreement, or Standard Contractual Clauses with the UK addendum - so that your data continues to be protected.

How long we keep your data

We keep your personal data only for as long as we need it for the purposes set out in this policy, including to provide our services and to meet our legal, accounting and reporting obligations.

  • Account, order and customer-relationship data is kept for as long as you are a customer and for a period afterwards.
  • Accounting and tax records are kept for at least six years, as required by law.
  • Domain registrant data is kept for the lifecycle of the domain registration, and as required by the relevant registry.
  • Careers application data is kept only for as long as needed to consider your application and for a short period afterwards, unless you agree we may keep it longer for future opportunities.
  • Analytics data is retained in line with the retention settings we configure in Google Analytics.

When we no longer need your data we will delete it or anonymise it securely.

Your rights

Under UK data protection law you have the right to: ask for a copy of the personal data we hold about you; ask us to correct inaccurate data; ask us to delete your data; ask us to restrict or object to our processing; ask us to transfer certain data to another provider; and, where we rely on consent, to withdraw that consent at any time.

To exercise any of these rights, please contact us at dpo@thinking.fish. We will respond within the time limits set by law. There is normally no charge.

If you are unhappy with how we have handled your personal data, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk, although we would welcome the chance to resolve your concerns first.

How we protect your data

We take appropriate technical and organisational measures to protect personal data against loss, misuse and unauthorised access, including encryption in transit (HTTPS), access controls, and using reputable providers for payments, hosting and email. No method of transmission or storage is completely secure, but we work to protect your data and to deal promptly with any incident.

Children

Our website and services are intended for businesses and adults. They are not directed at children, and we do not knowingly collect personal data from children.

Changes to this policy

We may update this Privacy Policy from time to time. The latest version is always the one published on this page, with the "last updated" date shown above. Where changes are significant we will take reasonable steps to bring them to your attention.

Contact us

For any privacy question, or to exercise your rights, contact our data protection contact:

  • Email: dpo@thinking.fish
  • Post: Data Protection, Thinking Fish Ltd, 4.01 The Tea Building, 56 Shoreditch High Street, London, E1 6JJ