Your data, handled honestly.
What we collect, why we collect it, who we share it with, and exactly how to make us stop.
Last updated 6 May 2026
1. Who we are
WordPressistic is a brand operated by an independent solo founder. We provide AI-powered automation tools, a member portal, marketplace plugins, and consulting services to WordPress-powered businesses primarily in the United States and Europe. Our website is wordpressistic.com. For privacy questions write to [email protected].
2. What we collect
We only collect what we need to run the service. Specifically:
Account data
- Name, email, password (stored as a salted hash via WordPress).
- Optional: business name, website URL, time zone, profile photo.
- Membership tier and subscription status (managed by Paid Memberships Pro).
Billing data
- We do not see or store credit card numbers. Stripe processes all payments directly.
- We store: Stripe customer ID, subscription ID, last-4 of card (display only), invoice history.
Usage data
- Tools Hub usage (which tools you ran, when, with what input — for quota tracking and report saving).
- API key activity (key ID, last-used timestamp, calls per day).
- Login timestamps and IP address (Cloudflare-resolved) for security auditing.
Communications
- Strategy-call request form: name, email, website, industry, time zone, goal.
- Contact form messages.
- Newsletter subscriptions (email + signup source).
- Support tickets and email replies.
Technical data
- Browser type, OS, device class (mobile/tablet/desktop), referring URL.
- Pages visited and time on page (via Google Analytics 4 — see Cookies section).
3. Why we collect it
We use your data only for the following purposes:
- Service delivery — running tools, saving reports, gating features by membership tier.
- Billing — taking payment and issuing invoices via Stripe.
- Communication — sending transactional emails (account confirmations, receipts, password resets) and newsletter content (only if you subscribed).
- Security — detecting brute-force attempts, abusive API use, and suspicious account activity.
- Improvement — measuring which tools are useful, which pages convert, and prioritizing the roadmap.
- Legal compliance — keeping records required by tax law and responding to lawful authority requests.
We do not use your data to train AI models, profile you for advertising, or build a saleable dataset.
4. Who we share it with
We share strictly the minimum data needed with these processors. Each is bound by a Data Processing Agreement (DPA) compliant with GDPR Article 28:
- Stripe (USA) — payment processing. Receives card details and billing address. stripe.com/privacy
- Hostinger (Lithuania / EU) — hosting. Stores all account, usage, and content data.
- Cloudflare (USA) — CDN, DDoS protection, DNS. Receives IP addresses and request metadata in transit. cloudflare.com/privacypolicy
- FluentSMTP relay (your selected provider — typically Brevo or Postmark) — transactional and marketing email delivery.
- MailPoet (when active) — newsletter sending, list segmentation, open/click tracking. mailpoet.com/privacy-notice
- Google Analytics 4 (Google LLC, USA) — web analytics. IP anonymization is enabled. policies.google.com/privacy
We do not sell, rent, or barter your personal data with anyone, ever.
5. How long we keep it
- Active account data — kept while your account exists.
- Billing records — retained 7 years to satisfy tax law in the US and EU.
- Usage logs — 90 days, then aggregated and anonymized.
- Support tickets — 24 months after closure.
- Newsletter subscribers — until you unsubscribe.
- Marketing analytics — 14 months (GA4 default).
- Deleted account — wiped within 30 days of deletion request, except for billing records (legal hold).
6. Your rights (GDPR / CCPA / UK-DPA)
Whether you're in the EU, UK, California, or anywhere else, we honor these rights:
- Right of access — get a copy of every piece of data we have on you.
- Right to rectification — fix anything that's wrong.
- Right to erasure — "the right to be forgotten" — wipe your account and data.
- Right to portability — get your data in a machine-readable format (JSON or CSV).
- Right to restrict processing — pause our use of your data while a dispute is resolved.
- Right to object — opt out of any processing based on legitimate interests.
- Right to withdraw consent — for newsletters, analytics, and any opt-in.
- Right to lodge a complaint — with your local data protection authority.
Email [email protected] with the subject line Data Request. We respond within 30 days as required by law. No fee unless your request is unfounded or excessive.
7. Cookies + tracking
We use cookies — see the full Cookie Policy for the breakdown by name, vendor, purpose, and lifetime. The short version: essential cookies for login + Stripe + Cloudflare (no consent needed); analytics + marketing only with your consent.
8. How we protect your data
- HTTPS-only with TLS 1.3 enforced via Cloudflare.
- WordPress core, PHP 8+, and all plugins kept on auto-update.
- Cloudflare WAF blocks common OWASP Top 10 patterns by default.
- Passwords are bcrypt-hashed by WordPress (never stored in plaintext).
- API keys are HMAC-SHA256-hashed at rest — we store the hash, never the plaintext.
- Sessions use HttpOnly + Secure + SameSite=Lax cookies.
- Daily off-site backups with 30-day retention.
- If a breach affecting personal data occurs, we notify the relevant authority within 72 hours and affected users without undue delay (GDPR Article 33).
9. International data transfers
Some of our processors (Stripe, Cloudflare, Google) are based in the United States. When personal data is transferred from the EU/UK to the US, we rely on the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs) where applicable. You can request copies of these safeguards.
10. Children's privacy
WordPressistic is not directed at children under 16. We do not knowingly collect data from children. If you believe a minor has provided us data, email [email protected] and we will delete it.
11. Changes to this policy
If we make a meaningful change, we update the "Last updated" date at the top and email subscribers + active members at least 14 days before the change takes effect. Continued use of WordPressistic after that means you accept the updated policy.
12. Contact
For anything privacy-related: [email protected]
For general questions: [email protected]
Or visit /contact/.