1. Controller
The data controller is WAFRA IT Solutions, Doha, Qatar.
2. Scope
This Policy covers wafra.net, our APIs, mobile app, and related services.
3. Data we collect
- Identity/account: name, email, password hash, OTP
- Billing: Tap identifiers, tokenized card references, last4, brand, expiry, invoices, and payment history (no full PAN stored by WAFRA)
- Domain contacts (registrant/admin/tech/billing); for
.com.qa/.net.qa: CR documents, trade license file, trading license number - Hosting: plan, region/provider, IPs, hostnames, panel credentials for delivery, backup metadata, provisioning/agent status
- Technical: IP address, device/app info, logs, captcha/Turnstile outcomes
4. Purposes
We process data to provide services; register and renew domains; provision and bill servers; support auto-renewal; maintain security; provide support; comply with law; and improve the service.
5. Legal bases
Contract performance; legitimate interests (security); consent where required; and legal obligation (registry/CRA/PDPPL as applicable).
6. Sharing / subprocessors
| Recipient | Purpose |
|---|---|
| Tap Payments | Payment processing |
| Hetzner | Cloud/dedicated infrastructure |
| Google Cloud | Cloud infrastructure (customer-selected regions) |
| CentralNic / RRPproxy | Non-.qa domain operations |
| Qatar Domains Registry (via CRA registrar stack) | .qa domains |
| Database host (Supabase) | Application data storage |
| Backblaze B2 | Backup storage |
| Email delivery provider | Transactional email |
| Captcha provider (e.g. Turnstile) | Bot protection |
7. International transfers
Data may be processed outside Qatar (EU or other regions depending on Hetzner, GCP, B2, and other subprocessors). We disclose this transparently under PDPPL principles.
8. Retention
Account data while active; billing records as required by law/accounting; hosting order records removed on cancel or permanent delete as implemented; registry WHOIS data retained per registry rules even if a local account is deleted.
9. Security
We apply appropriate technical and organizational measures. No method of transmission or storage is absolutely secure.
10. Your rights
You may request access, correction, and other PDPPL rights via support@wafra.net. Some registry data cannot be deleted on request.
11. Children
Our services are not directed to under-18s.
12. Cookies
See our Cookie Policy.
13. Changes & contact
We may update this Policy. For complaints you may also escalate to the competent authority or CRA consumer path where applicable.