When you register a domain, somewhere in the registry's database your name, your email, your phone number end up next to it. That information used to be fully public for anyone curious enough to type a command. The rules have changed several times since 2018, and they changed again in 2025. Knowing what is currently visible matters because it affects your privacy, your spam load, and what an attacker can learn about you for free.
This article explains the three things people confuse: the WHOIS protocol, the newer RDAP protocol, and the "WHOIS privacy" upsell that registrars sell.
WHOIS, the original
WHOIS is a 1980s protocol. You ask a server "who has this domain?" and it answers with a chunk of plain text: registrant name, address, phone, email, dates, nameservers. Run from a terminal:
whois example.com
There is one WHOIS server per registry. The .com registry, Verisign, runs whois.verisign-grs.com. The .it registry, Registro.it, runs whois.nic.it. Each TLD has its own. The whois command on your laptop knows which one to ask based on the TLD.
What you get back depends on the TLD. Some return registrant data fully, some return only the registrar's contact info, some return nothing identifying. Since 2018, after GDPR, most TLDs hide personal data of EU registrants by default.
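What the whois command does under the hood, as an added Python example (not code from the article): it opens TCP port 43 to the registry server named above, sends the domain name, and parses the plain-text reply into key/value lists. The reply below is constructed to look like a thin-registry .com answer, where the registry holds no contacts and only names the registrar's own WHOIS server; whois.registrar.example and the registry ID are placeholders.

```python
"""WHOIS over TCP/43 plus a parser for the plain-text reply (added example)."""
from __future__ import annotations

import socket

# Registry servers named in the article. Assumption: a real client carries a
# table for every TLD; two entries are enough to route the examples here.
REGISTRY_SERVERS = {
    "com": "whois.verisign-grs.com",
    "it": "whois.nic.it",
}

# Constructed sample of a thin-registry (.com style) reply: no registrant
# contacts, only a referral to the registrar's own WHOIS server.
SAMPLE_REPLY = """\
   Domain Name: EXAMPLE.COM
   Registry Domain ID: 0000000000_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.registrar.example
   Registrar: Example Registrar, Inc.
   Updated Date: 2025-08-14T07:01:31Z
   Creation Date: 1995-08-14T04:00:00Z
   Registry Expiry Date: 2026-08-13T04:00:00Z
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: serverHold https://icann.org/epp#serverHold
   Name Server: NS1.EXAMPLE.NET
   Name Server: NS2.EXAMPLE.NET
   DNSSEC: signedDelegation
>>> Last update of whois database: 2026-01-01T00:00:00Z <<<

% Terms of use text follows; comment lines start with % or #.
"""


def server_for(domain: str) -> str:
    """Route by TLD, as the whois command does."""
    tld = domain.rstrip(".").rsplit(".", 1)[-1].lower()
    if tld not in REGISTRY_SERVERS:
        raise ValueError(f"no WHOIS server known for .{tld}")
    return REGISTRY_SERVERS[tld]


def query_whois(server: str, domain: str, timeout: float = 10.0) -> str:
    """The whole protocol: connect to port 43, send the name plus CRLF, read to EOF."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(f"{domain}\r\n".encode("ascii"))
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text: str) -> dict[str, list[str]]:
    """Collect 'Key: value' lines into lists (keys such as Name Server repeat).
    Blank lines, % / # comments and the >>> footer are skipped; anything else
    without a colon is legal-notice prose and is ignored as well."""
    record: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "%#" or line.startswith(">>>"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            record.setdefault(key.strip(), []).append(value.strip())
    return record


def status_codes(record: dict[str, list[str]]) -> list[str]:
    """Each Domain Status line is '<code> <url>'; keep only the EPP code."""
    return [entry.split()[0] for entry in record.get("Domain Status", [])]


def referral_server(record: dict[str, list[str]]) -> str | None:
    """Thin registries point at the registrar's WHOIS server for contact data.
    Returning it lets a caller issue a second query, as whois(1) does."""
    servers = record.get("Registrar WHOIS Server")
    return servers[0] if servers else None


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_REPLY)
    print(rec["Registry Expiry Date"][0], status_codes(rec), referral_server(rec))
```

The referral step is why "some return only the registrar's contact info": for .com the registry answer stops at the registrar, and the contacts, redacted or not, live on the server referral_server() returns.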
RDAP, the modern replacement
ICANN required all generic TLDs to support RDAP from 2025. RDAP returns the same kind of data as WHOIS but as JSON over HTTPS, so it can be machine-parsed reliably:
curl https://rdap.verisign.com/com/v1/domain/example.com
RDAP also has standardised fields, language tags and status codes, and it supports access control: a registrar can return more data in response to a court order than to an anonymous request, a distinction WHOIS could not make.
In practice the average user still types whois example.com and gets the answer they need. RDAP matters mostly for tooling, security firms and abuse desks. From your perspective the privacy impact is the same: whatever is public over WHOIS is public over RDAP.
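The same lookup over RDAP, as an added Python example (not code from the article or from any registry). The sample object is constructed in the shape RDAP uses for a domain (RFC 9083): the dates become typed events, the status flags become lower-case words (RFC 8056 spells clientTransferProhibited as "client transfer prohibited"), and the registrar is an entity with a vCard. The code flattens exactly the fields the next section lists as public and normalises the statuses back to the EPP spelling WHOIS prints, so one tool can handle both.

```python
"""RDAP: JSON over HTTPS, plus normalisation of what it returns (added example)."""
from __future__ import annotations

import json
import urllib.request
from datetime import datetime, timezone

# Constructed sample in the shape RDAP uses for a domain object (RFC 9083):
# the same facts a WHOIS reply carries, but as typed fields instead of free text.
SAMPLE_RDAP = {
    "objectClassName": "domain",
    "ldhName": "example.com",
    "status": ["client transfer prohibited", "server hold"],
    "events": [
        {"eventAction": "registration", "eventDate": "1995-08-14T04:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2026-08-13T04:00:00Z"},
        {"eventAction": "last changed", "eventDate": "2025-08-14T07:01:31Z"},
    ],
    "nameservers": [
        {"objectClassName": "nameserver", "ldhName": "ns1.example.net"},
        {"objectClassName": "nameserver", "ldhName": "ns2.example.net"},
    ],
    "secureDNS": {"delegationSigned": True},
    "entities": [
        {
            "objectClassName": "entity",
            "roles": ["registrar"],
            "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                     ["fn", {}, "text", "Example Registrar, Inc."]]],
        }
    ],
}

# RFC 8056 spells EPP status codes as lower-case words in RDAP. Two names
# differ outright; the rest are a mechanical camelCase conversion.
_STATUS_EXCEPTIONS = {"active": "ok", "associated": "linked"}


def fetch_rdap(base_url: str, domain: str, timeout: float = 10.0) -> dict:
    """One HTTPS GET; the URL shape is <base>/domain/<name>, as in the article."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/domain/{domain}",
        headers={"Accept": "application/rdap+json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def to_epp_status(rdap_status: str) -> str:
    """'client transfer prohibited' -> 'clientTransferProhibited'."""
    if rdap_status in _STATUS_EXCEPTIONS:
        return _STATUS_EXCEPTIONS[rdap_status]
    first, *rest = rdap_status.split()
    return first + "".join(word.capitalize() for word in rest)


def _vcard_value(entity: dict, field: str) -> str | None:
    """vcardArray is ['vcard', [[name, params, type, value, ...], ...]]."""
    for entry in entity.get("vcardArray", ["vcard", []])[1]:
        if entry[0] == field:
            return entry[3]
    return None


def summarize(rdap: dict) -> dict:
    """Flatten the parts of a domain object the article lists as public."""
    events = {e["eventAction"]: e["eventDate"] for e in rdap.get("events", [])}
    registrar = next(
        (_vcard_value(e, "fn") for e in rdap.get("entities", [])
         if "registrar" in e.get("roles", [])),
        None,
    )
    return {
        "name": rdap.get("ldhName"),
        "registrar": registrar,
        "created": events.get("registration"),
        "expires": events.get("expiration"),
        "updated": events.get("last changed"),
        "status": [to_epp_status(s) for s in rdap.get("status", [])],
        "nameservers": [ns["ldhName"] for ns in rdap.get("nameservers", [])],
        "dnssec": bool(rdap.get("secureDNS", {}).get("delegationSigned", False)),
    }


def _parse_ts(iso: str) -> datetime:
    """RDAP dates are ISO 8601 with a Z suffix, which fromisoformat needs as +00:00."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def days_to_expiry(summary: dict, now_iso: str) -> int:
    """Whole days from now_iso until the expiration event; negative once it has passed."""
    return (_parse_ts(summary["expires"]) - _parse_ts(now_iso)).days


if __name__ == "__main__":
    s = summarize(SAMPLE_RDAP)
    now = datetime.now(timezone.utc).isoformat()
    print(s["status"], s["expires"], days_to_expiry(s, now))
```

fetch_rdap() is the only part that touches the network; everything else runs on the embedded sample, which is how you would unit-test an abuse-desk tool before pointing it at a live registry.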
What is actually public in 2026
For generic TLDs (.com, .net, .org, .dev, .io, .app, all the new gTLDs), the default fields you see are:
- Domain name and unique ID
- Registrar (Namecheap, Cloudflare, GoDaddy)
- Creation date, expiry date, last update
- Status flags (clientTransferProhibited, serverHold, etc.)
- Authoritative nameservers
- DNSSEC info if any
What is hidden by default for natural persons since 2018:
- Registrant name, organisation, address, phone, email
- Same for admin and tech contacts
Instead of the email you usually get a registrar-operated forwarding address or a contact form URL. Anyone who really needs to reach the registrant goes through that.
For country-code TLDs the rules vary. The Italian .it shows registrant name and email if the registrant is a company, hides them if a natural person. The German .de shows almost nothing without justification. The Brazilian .br shows everything to anyone, no GDPR. Always check the rules of the specific TLD before assuming.
"WHOIS privacy", the registrar upsell
Many registrars sell a WHOIS privacy add-on for 5 to 15 euro a year. They replace your real contact data with their own (proxy contacts) in the public WHOIS record. Mail to the proxy gets forwarded to you, calls go to a voicemail.
In 2018, before GDPR enforcement, this was useful. After GDPR, for most generic TLDs registered by an EU natural person, your data is already hidden by default at no cost. The privacy add-on still has value if:
- You registered as a company (organisation data may not be GDPR-redacted by default)
- The TLD is not under GDPR (.us, .io, .brand, others)
- You want a proxy email instead of yours, even when redaction would happen anyway
For a typical EU individual registering a .com or .it in 2026, the paid privacy is mostly redundant. Some registrars (Cloudflare, Porkbun) include it for free. Others charge for what is now a default. Read what your specific registrar shows publicly before paying for the upsell.
Why this matters
Two practical consequences. First, anyone can see when your domain was registered, when it expires, and which registrar holds it. That is enough for an attacker to send a fake renewal email two months before expiry, looking exactly like a real renewal notice from your registrar, and trick you into entering your credentials on a phishing page. The expiry date is the one piece of public data you cannot hide. Mark on your calendar to renew earlier than the email suggests, and never click renewal links in email.
Second, buying a domain in your own name vs your company name has different consequences. If you register as Marco Rossi the natural person, GDPR redaction usually applies. If you register as ACME Srl, the company name may stay public. For some businesses that is fine and even desirable (transparency). For others it is a leak you did not want. Decide consciously.
How to check what your domain leaks
Two minutes, no tools to install:
- Open the registrar's public WHOIS lookup, or use https://lookup.icann.org.
- Enter your domain.
- Read what the page shows about you.
If you see your real name, real email, real phone, that data is public worldwide. Spammers scrape WHOIS hourly. Decide if that is what you want, and if not, contact your registrar and either enable their privacy proxy or move the domain to one that redacts by default.
For domains you registered five or more years ago, before the GDPR redaction wave, this is worth checking even if you assume "it must be hidden by now". Old .org and .info records sometimes still leak.
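The same check in code, for people with more than one domain, as an added Python example (not from the article). It takes the contact fields a lookup page shows, tells redacted values, registrar proxies and contact forms apart from data that is really exposed, flags registrations that predate the 2018 redaction wave, and turns the expiry date into a renewal date you choose yourself, ahead of any "renewal" e-mail. The contacts, the proxy domain privacy-proxy.example and the 90-day lead are constructed for the example; your registrar's proxy domains have to be supplied.

```python
"""Audit what a WHOIS/RDAP record exposes about you (added example)."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Constructed sample: the contact fields a lookup page shows, flattened to
# 'Section Field': value. Mixed deliberately: redaction, a contact-form URL,
# a proxy mailbox, an empty field and three values that are really exposed.
SAMPLE_CONTACTS = {
    "Registrant Name": "REDACTED FOR PRIVACY",
    "Registrant Organization": "ACME Srl",
    "Registrant Street": "REDACTED FOR PRIVACY",
    "Registrant Phone": "",
    "Registrant Email": "https://registrar.example/contact?domain=example.com",
    "Admin Name": "Marco Rossi",
    "Admin Email": "marco.rossi@example.com",
    "Tech Email": "a1b2c3@privacy-proxy.example",
}

# Assumption: the registrar's proxy mail domains are known to the caller.
# Every registrar uses its own; this placeholder stands in for yours.
PROXY_DOMAINS = {"privacy-proxy.example"}

# Phrases registries and registrars substitute for withheld data.
REDACTION_MARKERS = ("redacted", "data protected", "not disclosed", "withheld")

# GDPR became enforceable on 25 May 2018; records created earlier were
# published in full and only later (if ever) redacted.
GDPR_ENFORCEMENT = datetime(2018, 5, 25, tzinfo=timezone.utc)


def classify(value: str, proxy_domains: set[str] = PROXY_DOMAINS) -> str:
    """One of: empty, proxy, redacted, exposed."""
    v = value.strip()
    if not v:
        return "empty"
    if v.lower().startswith(("http://", "https://")):
        return "proxy"  # contact form instead of an address
    if "@" in v and v.rsplit("@", 1)[1].lower() in proxy_domains:
        return "proxy"  # registrar-forwarded mailbox
    if any(marker in v.lower() for marker in REDACTION_MARKERS):
        return "redacted"
    return "exposed"


def audit(contacts: dict[str, str],
          proxy_domains: set[str] = PROXY_DOMAINS) -> dict[str, str]:
    """Verdict per field, in the order the lookup page showed them."""
    return {field: classify(value, proxy_domains) for field, value in contacts.items()}


def exposed_fields(contacts: dict[str, str],
                   proxy_domains: set[str] = PROXY_DOMAINS) -> list[str]:
    """The fields worth raising with the registrar."""
    return [f for f, c in audit(contacts, proxy_domains).items() if c == "exposed"]


def _parse_ts(iso: str) -> datetime:
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def predates_gdpr(creation_iso: str) -> bool:
    """Registered before the 2018 redaction wave: check the record by hand."""
    return _parse_ts(creation_iso) < GDPR_ENFORCEMENT


def renewal_reminder(expiry_iso: str, lead_days: int = 90) -> str:
    """A date to renew on your own terms, ahead of any 'renewal' e-mail.
    90 days is this example's choice; the article only says 'earlier'."""
    return (_parse_ts(expiry_iso) - timedelta(days=lead_days)).date().isoformat()


if __name__ == "__main__":
    for field, verdict in audit(SAMPLE_CONTACTS).items():
        print(f"{field:24} {verdict}")
    print("exposed:", exposed_fields(SAMPLE_CONTACTS))
    print("pre-GDPR registration:", predates_gdpr("1995-08-14T04:00:00Z"))
    print("renew by:", renewal_reminder("2026-08-13T04:00:00Z"))
```

On the sample the audit reports the organisation name and both admin fields as exposed, which is the company-versus-person outcome described under "Why this matters": the registrant was redacted as a natural person, but the admin contact was filled in with real data and the organisation field was not covered by the redaction.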