Privacy Policy
Last updated: April 9, 2026
1. Information We Collect
We collect different types of information depending on how you interact with RakuWP:
Account information: When you register, we collect your name, email address, and optional company name. If you sign in with a passkey, we store the WebAuthn credential ID associated with your device (no biometric data is ever transmitted to or stored on our servers).
Billing information: When you subscribe to a paid plan, payment is processed by Stripe. We do not store your full credit card number. Stripe provides us with a tokenized reference, the last four digits of your card, and your billing address for invoicing purposes.
Site and technical information: When you activate a license or use the plugin, we collect your site URL, site name, WordPress version, PHP version, and the list of enabled service modules. This data is used for compatibility checks and support, and to display your sites in the management dashboard.
Support information: When you submit a support ticket, we collect the subject, message content, any file attachments you upload, and your browser language preference to route the ticket to the appropriate team.
Email interaction data: Transactional emails sent from our platform may include a small tracking pixel and rewritten links. This allows us to record whether an email was opened and which links were clicked, for deliverability monitoring purposes only. No personal browsing data is collected through these mechanisms.
Logs and security data: We automatically log IP addresses, user agent strings, and timestamps when you interact with our panel or API. These logs are used for security, abuse prevention, and debugging, and are retained for up to 90 days. Administrative actions are recorded in an audit log for accountability.
Monitoring data: If you use the Monitoring service module, we collect and process data related to your site's security, including: login attempt records (IP address, timestamp, username, success or failure status, and user agent), file integrity checksums and change records, malware scan results, and vulnerability assessments. IP addresses collected through login monitoring are used for geolocation lookups (country, region, city) to help identify the origin of access attempts. This data is stored on your behalf and is accessible only to the authenticated account holder.
2. How We Use Your Information
We use your information for the following purposes:
• Providing, operating, and maintaining the RakuWP platform and plugin
• Processing subscription payments and managing billing through Stripe
• Sending transactional emails such as account verification, password resets, and subscription receipts
• Responding to support tickets and providing customer assistance
• Verifying license activations and enforcing site limits per plan
• Improving our services through aggregated, anonymized usage analytics
We do not sell, rent, or share your personal data with third parties for marketing purposes.
3. Third-Party Services
We rely on the following third-party service to operate our platform:
Stripe: Processes all subscription payments. Stripe receives your payment details directly and is certified as a PCI Level 1 Service Provider. For details, see Stripe's Privacy Policy.
We also use the following services:
IP Geolocation API: Used to resolve the approximate geographic location (country, region, city) of IP addresses collected through Simple Analytics visitor tracking and Monitoring login attempts. IP addresses are sent to the API for resolution; RakuWP does not store raw IP addresses beyond the transient lookup.
WPVulnerability.net: Provides vulnerability data for WordPress plugins and themes used by the Monitoring service module. Only plugin and theme identifiers (slugs and versions) are sent to this service; no personal or site-identifying data is shared.
We do not use third-party advertising or marketing tracking services.
4. Data Security
We implement industry-standard security measures to protect your data, including:
• Passwords hashed with bcrypt (never stored in plain text)
• All connections encrypted via HTTPS/TLS
• CSRF token protection on all forms and state-changing requests
• Secure, HTTP-only session cookies
• Role-based access control restricting personal data to authorized personnel
• Audit logging of administrative actions
While no system is 100% secure, we continuously review and improve our security practices.
5. Simple Analytics (Website Visitor Analytics)
If you use the Simple Analytics service module on your WordPress site, it collects aggregated, anonymous visitor analytics. This system is designed to be privacy-friendly and does not collect any personal data.
What is collected:
• Page URLs, referrers, and page titles
• Screen resolution, viewport size, device type, browser name, operating system, and browser language
• Geolocation (country, region, city) — derived from the visitor's IP address via an external geolocation API
• UTM campaign parameters (source, medium, campaign, term, content)
• WordPress metadata (post author, categories, tags)
• Interaction data: link clicks (URL and anchor text), scroll depth, and time on page
How visitors are identified:
Simple Analytics uses a browser fingerprint hash to distinguish unique visitors and sessions. This hash is generated from non-identifying attributes (screen size, timezone, language, and platform) and cannot be reversed to identify an individual. No cookies are set, and no login or personal information is used.
IP address handling:
IP addresses are used transiently for a single purpose: to look up approximate geolocation (country, region, city) via an external API. The IP address itself is never stored in the analytics database. Geolocation results are cached by an IP hash for up to 24 hours to reduce external API calls, after which the cached entry is automatically deleted.
Bot detection:
The system identifies bot traffic using over 95 known bot patterns. Bot visits are tracked separately and are not mixed with human visitor data.
Data retention:
Analytics data is retained based on the site owner's subscription plan, ranging from 3 months to 5 years. When the retention period expires, data is automatically purged.
Data access:
Only the authenticated site owner can view analytics data for their own sites. Analytics data is not shared with any third party.
Data storage:
All analytics data is stored on servers located in the European Union, in compliance with GDPR requirements.
6. Cookies
We use only essential cookies that are strictly necessary for our platform to function. We do not use advertising, analytics, or social media cookies. Notably, the Simple Analytics service module operates entirely without cookies. For full details on each cookie we set, please see our Cookie Policy.
7. Data Retention
We retain your account data for as long as your account is active. Support tickets and associated attachments are kept for the duration of your account to provide ongoing reference. Email logs are retained for up to 12 months for deliverability monitoring.
Simple Analytics data is retained based on your subscription plan (from 3 months to 5 years) and is automatically purged after the retention period.
Monitoring data (login attempts, file integrity records, malware scan results, and vulnerability reports) is retained for as long as your account is active. Historical monitoring data may be pruned based on your plan tier to manage storage.
If you delete your account, we will remove your personal data within 30 days. Some data may be retained longer where required by law (for example, billing records for tax compliance).
8. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), we process your personal data on the following legal bases:
• Contract performance: Processing necessary to provide the Service you signed up for (account management, license activation, support)
• Legitimate interest: Security logging, fraud prevention, service improvement through aggregated analytics, and email deliverability monitoring
• Legal obligation: Retaining billing records as required by tax and commercial law
• Consent: Where required by law and not covered by another basis, we will request your explicit consent before processing
You may withdraw consent at any time without affecting the lawfulness of processing carried out before the withdrawal.
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
• Access: Request a copy of the personal data we hold about you
• Rectification: Correct inaccurate or incomplete data via your account settings
• Deletion: Request that we delete your personal data and close your account
• Data portability: Request your data in a structured, machine-readable format
• Objection: Object to certain types of processing where applicable
• Restriction: Request that we limit the processing of your data in certain circumstances
You can manage most of your data directly from your account dashboard. For deletion requests or to exercise any other right, please contact us. We will respond within 30 days as required by applicable law.
If you are in the EEA and believe that your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority.
10. Children's Privacy
RakuWP is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us and we will promptly delete that information.
11. International Transfers
Your data may be processed on servers located outside your country of residence. When transferring data outside the EEA, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission, or adequacy decisions, to ensure your data remains protected in accordance with applicable data protection laws.
12. Changes to This Policy
We may update this privacy policy from time to time. If we make material changes, we will notify you by email or through a prominent notice on our website at least 15 days before the changes take effect. Continued use of our services after the changes take effect constitutes acceptance of the revised policy.
13. Contact
If you have questions or concerns about this privacy policy or how we handle your data, please contact us.