Privacy Policy

Last updated: 6 March 2026

This Privacy Policy explains how WP Admin Assistant ("we", "us", "our") collects, uses, stores, and protects your personal data when you visit our website or use our WordPress plugin. We are committed to processing your data in compliance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR 2016/679), and the Data Protection Act 2018.

Please read this policy carefully. If you have any questions, contact us using the details in Section 12.

1. Who We Are (Data Controller)

The data controller for your personal data is:

WP Admin Assistant

Email: contact@wpadminassistant.com

Website: wpadminassistant.com

As data controller, we are responsible for deciding how and why we process your personal data. We do not have a formal Data Protection Officer (DPO), but you may direct all data protection queries to the email address above.

We are in the process of registering with the Information Commissioner's Office (ICO) as required under UK data protection law. Our registration number will be published here once confirmed.

2. What Personal Data We Collect and Why

2a. Landing page visitors

If you submit your email address via our mailing list form, we collect:

  • Email address — to send you launch updates and early access notifications about WP Admin Assistant.

We do not collect any other personal data from website visitors. We use Cloudflare Web Analytics, which is cookieless and does not collect personally identifiable information.

2b. Plugin users (WordPress.org)

When you install and activate the WP Admin Assistant WordPress plugin, we collect and process:

  • Site scan data — a structural snapshot of your WordPress installation, including: active theme name and settings, list of active plugins, page titles and slugs, menu structure, widget areas, and WooCommerce store configuration (if WooCommerce is installed). This data is sent with every question to enable site-specific AI answers.
  • Conversation history — the questions you ask and the AI-generated answers. Stored per installation to enable conversation continuity (Pro plan) and as a conversion feature (Free plan: stored but not displayed until upgrade).
  • Anonymous site token — a randomly generated unique identifier that serves as a pseudonymous identifier for your WordPress installation. Not linked to any individual person.
  • Hashed API key — a cryptographic hash of your installation's API key, used for authentication. The plaintext key is never stored on our servers.

2c. Pro plan billing (via Paddle)

If you upgrade to Pro, billing is handled by Paddle.com Market Limited ("Paddle"), which acts as Merchant of Record for all transactions. We do not store your payment card details. Paddle may collect your name, billing email, and payment method in accordance with Paddle's Privacy Policy. We receive from Paddle only: your Paddle customer ID, subscription status, and billing email (to associate the subscription with your WordPress installation).

3. Lawful Basis for Processing

We rely on the following lawful bases under GDPR Article 6:

Processing activity | Lawful basis
Mailing list (email address) | Consent — Art. 6(1)(a). You tick the checkbox to opt in. You may withdraw consent at any time by unsubscribing.
Site scan data and conversation history (plugin users) | Contract — Art. 6(1)(b). Processing is necessary to provide the AI assistant service you have requested by installing the plugin.
Billing and subscription management | Contract and legal obligation — Art. 6(1)(b) and 6(1)(c). Processing is necessary to fulfil the Pro subscription and meet financial record-keeping requirements. Billing is processed by Paddle as Merchant of Record.

4. Where Your Data Is Stored

We take data residency seriously. All primary data storage is within the EU/EEA:

  • Site scan data and conversation history — stored in our EU Region (Ireland) servers. All AI processing (question answering) is performed in the same EU Region using the Claude AI model.
  • Mailing list email addresses — stored in Resend, which offers EU data residency. No data leaves the EEA under this arrangement.
  • Billing data — processed and stored by Paddle. Paddle operates EU-compliant data infrastructure; see Paddle's Privacy Policy for details.
  • Site scan data (on your server) — a copy of the scan JSON is stored in your WordPress database (wp_options) on your own hosting environment. This remains under your control at all times.

5. How Long We Retain Your Data

  • Conversation history — retained for 2 years from the date of the last message, then deleted via automatic data expiry.
  • Site token and API key hash — retained for the lifetime of the plugin installation. Deleted from our systems when you contact support to request deletion, or when you exercise your right to erasure (see Section 7).
  • Mailing list email addresses — retained until you unsubscribe. Every email we send includes an unsubscribe link. You may also request deletion by emailing us directly.
  • Billing records — retained as required by applicable tax and financial law (typically 6–7 years in the UK/EU). This data is held by Paddle.

6. What We Do NOT Collect

We explicitly do not collect or access:

  • Post or page content (body text, images, media)
  • WordPress user passwords or password hashes
  • WordPress user names, email addresses, or roles
  • Database table contents or raw SQL data
  • Questions and answers in plain text within our server logs — our logs contain only operational metadata (status codes, response times, token counts)
  • IP addresses (not logged or stored by our application layer)
  • Browser cookies or tracking identifiers from website visitors

7. Your Rights Under GDPR

Under UK GDPR and EU GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15) — you may request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — you may request correction of inaccurate data.
  • Right to erasure / "right to be forgotten" (Art. 17) — you may request deletion of your data. For plugin users: the "Delete all my data" button in the plugin's Settings page → Conversation History section will immediately delete all conversation history and your site token from our servers. For mailing list subscribers: unsubscribe via the link in any email, or contact us directly.
  • Right to restriction of processing (Art. 18) — you may request that we limit how we use your data while a dispute is resolved.
  • Right to data portability (Art. 20) — you may request your data in a machine-readable format. Available in V2 of the product; in V1, contact us and we will provide a JSON export of your conversation history.
  • Right to object (Art. 21) — you may object to processing based on legitimate interests (not applicable here — we use consent and contract as our lawful bases).
  • Right to withdraw consent (Art. 7(3)) — if processing is based on your consent (mailing list), you may withdraw that consent at any time without affecting the lawfulness of prior processing. Withdrawal will result in removal from our mailing list.

To exercise any of these rights, contact us at contact@wpadminassistant.com. We will respond within 30 days.

8. International Data Transfers

Our primary data storage and processing is within the EU/EEA (EU Region, Ireland). However, some sub-processors (Resend, Paddle) may transfer data outside the EEA in the course of providing their services. Where such transfers occur, they are protected by:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions for the UK where applicable

You can review our sub-processors' transfer mechanisms in their respective privacy policies: Resend and Paddle.

9. Cookies and Analytics

This website does not use tracking cookies.

We use Cloudflare Web Analytics, a privacy-first, cookieless analytics service. It does not collect personally identifiable information, does not use cookies, and does not track individual users across sessions. No consent banner is required for its use. You can read more at cloudflare.com/web-analytics.

The WordPress plugin itself does not use cookies.

10. Third-Party Links

Our website and plugin may contain links to third-party websites (e.g. WordPress.org, Stripe). We are not responsible for the privacy practices of those sites and encourage you to review their privacy policies.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified by updating the "Last updated" date at the top of this page and, where appropriate, by email to mailing list subscribers. We encourage you to review this page periodically. Continued use of the service after a change constitutes acceptance of the updated policy.

12. Contact Us and Right to Complain

For any questions, concerns, or requests regarding your personal data:

WP Admin Assistant

Email: contact@wpadminassistant.com

If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the relevant supervisory authority:

  • UK residents — Information Commissioner's Office (ICO): ico.org.uk, 0303 123 1113
  • EU residents — the supervisory authority in your EU member state of residence.