WHOIS privacy — what registrars show vs hide
// published 2026-04-17
WHOIS used to expose your full name, email, phone, and home address in a public global database. A lot changed with GDPR (2018) and registrar privacy services. In 2026, what you see in a WHOIS lookup depends on who owns the domain, which registrar they use, and what jurisdiction they're in.
What's always public
Regardless of privacy settings, a WHOIS query will always tell you:
- Domain status codes — whether it's locked (
clientTransferProhibited), in pending delete, etc. - Registration, update, and expiry dates
- Sponsoring registrar (GoDaddy, Namecheap, Cloudflare, etc.)
- Name servers — where the domain's DNS is hosted
- DNSSEC status — is the domain signed
Run a WHOIS Lookup on any domain to see exactly this.
What privacy services hide
When the owner enables domain privacy (a registrar feature, usually free):
- Registrant name — replaced by the privacy service's name ("Privacy service provided by Withheld for Privacy ehf" is a common one).
- Email address — replaced by an obfuscated forwarding address. Messages get relayed to the real owner.
- Phone, street address — replaced by the privacy service's postbox.
Effectively: you can still contact a privacy-protected owner, but you don't know their identity.
What GDPR and similar laws changed
Before 2018, all the above was public by default. GDPR forced ICANN to redact all personal data for registrants in the EU (and, in practice, globally, since registrars didn't want to maintain two formats).
The result: for most domains registered after 2018, you see "REDACTED FOR PRIVACY" in owner fields even when the owner didn't explicitly opt for privacy. ICANN gave EEA-residents the "right to erasure" by default; registrars extended it to everyone to simplify operations.
When identity is still visible
Identity still appears in WHOIS in these cases:
- Corporate domains registered with a company name — companies aren't natural persons and GDPR doesn't apply to their business data. So
google.comshows "Google LLC" with a real address. - Country-code TLDs that opted out of redaction — some ccTLDs run their own policies (.us, .ca requires verified Canadian presence, etc.).
- Older domains where the registrant explicitly opted into public listing.
What you can learn from privacy-redacted WHOIS
Even with full redaction, WHOIS still reveals a lot:
- Name servers → who runs their DNS (Cloudflare vs. Route53 vs. GoDaddy vs. in-house)
- Registrar → operational maturity clue (enterprise uses MarkMonitor / CSC; indie devs use Namecheap / Porkbun)
- Created date → how old the domain is
- Expiry date → is it up for renewal soon (can signal an abandoned project)
- Status codes → is it locked (actively managed) or not
Run a WHOIS Lookup to see what's visible on any domain today. Save domains you care about and we'll alert you when the registrar or owner changes — a classic signal of takeover, theft, or acquisition.