#Cloudflare Registrar just doxxed me via WHOIS on .ai TLD

I recently registered a domain with the .ai TLD through Cloudflare. Despite their claim that "WHOIS information is redacted by default for your privacy," my personal contact information was publicly exposed via WHOIS shortly after registration.

Even Cloudflare's own RDAP lookup tool (https://rdap.cloudflareregistrar.com/ui/index.html) reports that the data is redacted. However, multiple third-party WHOIS servers returned my unredacted information, and it has since been scraped and stored by historical WHOIS trackers.

I’ve saved evidence of the exposure, but there appears to be no way to retroactively remove this data from those sources. I'm currently on Cloudflare's free plan—do I really need to upgrade to a paid plan just to get this escalated or acknowledged by their support team?

Any advice or similar experiences would be appreciated.

Thanks for the report, and my apologies this impacted you - that really sucks.

I reproduced and raised this months ago when it was first discovered, and was assured it had been fixed and pushed for anyone impacted to be contacted about this leak of unredacted personal information. Tagging some folks for escalation, cc @severe kayak @eager hare

For those folks with access, you can see the escalation conversation here: #nda-lounge message

Just received this from cloudflare support ( They let me file a ticket through their dashboard randomly, but i think its all AI agent driven):

Note:

The TLD .ai is not redacted at the registry. 

We can only redact the WHOIS details thru Cloudflare’s RDAP service can be found at https://rdap.cloudflare.com/ ↗. but not at the registry.

it is true that some TLDs just don't allow this, I don't know about .ai specifically

while true, some TLDs like .us where that is a thing, clearly state that multiple times during the checkout process, .ai does not, and I raised this months ago.