Privacy Policy

Last updated: April 6, 2026

TL;DR: We collect the minimum data needed to monitor your WordPress sites. Your monitoring data is stored in the EU. Payments are handled by Lemon Squeezy (US) under GDPR safeguards. We don't track your visitors. You can export or delete your data anytime.

1. Data Controller

The data controller responsible for your personal data is:

Fizteq Solutions SRL

Str. Cpt. Nicolae Licaret, nr. 6, bl. PM43, sc. A, et. 4, ap. 23, Sector 3, Bucharest, Romania

CUI: RO 37187316

Reg. Com.: J2017003144400

Contact: wppulse@fizteq.com

2. What We Collect and Why

WPPulse collects the minimum data necessary to provide WordPress monitoring services. Below is what we collect, why, and the legal basis under GDPR:

Account data

First name, last name, email address, hashed password.

Purpose: Account creation, authentication, communication.

Legal basis: Contract performance (Art. 6(1)(b) GDPR).

Site data

Domain name, site name, monitoring configuration, WordPress/PHP version, active theme.

Purpose: Service delivery, site identification, debugging context.

Legal basis: Contract performance (Art. 6(1)(b) GDPR).

Event data

PHP errors (class, message, file, line), stacktraces, plugin lifecycle events, cron failures, database errors, REST API errors, security events, resource usage metrics.

Purpose: Error tracking, alerting, debugging.

Legal basis: Contract performance (Art. 6(1)(b) GDPR).

Request context

URL (query strings stripped), HTTP method, sanitized headers. Sensitive data (passwords, tokens, credit cards, PII) is automatically filtered before storage.

Purpose: Debugging context for error reports.

Legal basis: Contract performance (Art. 6(1)(b) GDPR).

IP addresses

IP addresses from request context in error reports, when included by the WordPress plugin.

Purpose: Security monitoring, abuse prevention, debugging.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — preventing abuse and ensuring service security.

Uptime data

HTTP response codes, response times, outage timestamps.

Purpose: Uptime monitoring and alerting.

Legal basis: Contract performance (Art. 6(1)(b) GDPR).

Notification channel credentials

Email address, Telegram bot token and chat ID, Discord webhook URL, Slack webhook URL — only when you configure them.

Purpose: Delivering alerts via your chosen channels.

Legal basis: Consent (Art. 6(1)(a) GDPR) — you explicitly choose to enable each channel.

3. What We Don't Collect

  • Raw cookies or session data from your WordPress visitors
  • Authentication tokens or API keys from your visitors' requests
  • Credit card or payment information from request bodies
  • Unfiltered request bodies — sensitive fields are always redacted
  • Analytics, tracking pixels, or advertising data from your visitors

4. Our Role: Controller and Processor

WPPulse operates in two distinct GDPR roles:

  • Data Controller — for your account data (name, email, password). We determine the purpose and means of processing this data to provide our service.
  • Data Processor — for error and event data originating from your WordPress site visitors (IP addresses, request context). You, as the site owner, are the data controller for this data. We process it on your behalf to deliver the monitoring service.

If you require a formal Data Processing Agreement (DPA) to meet your GDPR obligations as a data controller, one is available at wppulse.app/dpa.

5. How We Process Data

Event data sent by the WordPress plugin is:

  1. Received via HTTPS-encrypted API endpoints
  2. Filtered for sensitive data (passwords, tokens, PII) at both plugin and server level
  3. Queued for asynchronous processing
  4. Fingerprinted and deduplicated to group related events
  5. Stored in our database for the retention period defined by your plan
  6. Used to generate notifications via your configured channels

6. Sensitive Data Filtering

WPPulse employs defense-in-depth filtering at two layers:

Plugin-side (before data leaves your server):

  • Sensitive request body fields (passwords, tokens, credit cards, PII) are replaced with [Filtered]
  • Sensitive headers (Authorization, Cookie, etc.) are filtered
  • IP-revealing headers can be optionally stripped
  • Developers can customize filtering via WordPress filter hooks

Server-side (secondary filter on all incoming data):

  • Sensitive headers (Authorization, Cookie, etc.) are stripped if present
  • Known sensitive parameters (passwords, tokens, API keys, credit cards) are redacted
  • Query strings are removed from URLs
  • Application logs redact passwords, tokens, and email addresses

7. Data Retention

Event and monitoring data is automatically deleted after your plan's retention period:

  • Free plan: 7 days
  • Solo plan: 30 days
  • Agency plan: 90 days
  • Unlimited plan: 180 days

Retention is enforced automatically by a daily cleanup job.

Account data (name, email, preferences) is retained for as long as your account is active. When you delete your account, all data is permanently removed (see Section 10).

Application logs are retained for 14 days and automatically rotated.

8. Data Hosting and International Transfers

All monitoring data (error reports, uptime checks, plugin events) and account data is stored on servers located in Bucharest, Romania (EU).

Payment processing: When you subscribe to a paid plan, payment data is processed by Lemon Squeezy (Lemon Squeezy, Inc., United States). Lemon Squeezy handles your name, email, and payment details to complete transactions and manage EU VAT compliance. This transfer is protected by Standard Contractual Clauses (SCCs) approved by the European Commission. We do not store full card details locally — see Section 11 for details.

User-initiated notification channels: When you choose to enable Telegram, Discord, or Slack notifications, event summary data (error messages, site names, URLs) is transmitted to those third-party services, which may process data outside the EU. This transfer occurs solely at your request and is based on your explicit consent when you activate each channel. You can disable any channel at any time.

9. Your Rights Under GDPR

As a data subject, you have the following rights:

  • Right of access (Art. 15): View all data associated with your account via the dashboard, or request a full data export.
  • Right to rectification (Art. 16): Update your account details at any time from Account Settings.
  • Right to erasure (Art. 17): Delete your account and all associated data from Account Settings.
  • Right to data portability (Art. 20): Export all your data in JSON format from Account Settings.
  • Right to restrict processing (Art. 18): Request restriction of processing by contacting us. You can also disable monitoring for specific sites at any time.
  • Right to object (Art. 21): Object to processing based on legitimate interest (e.g., IP address collection) by contacting us at wppulse@fizteq.com.
  • Right to withdraw consent (Art. 7): Where processing is based on consent (e.g., notification channels), withdraw it at any time by disabling the channel in your site settings. You may also delete your account entirely.

To exercise any of these rights, use the relevant dashboard feature or contact us at wppulse@fizteq.com. We will respond within 30 days.

10. Account Deletion

When you delete your account from Account Settings:

  1. You confirm with your password and receive a confirmation email.
  2. Your account is immediately deactivated and a deletion job permanently removes all your data — including all sites, issues, occurrences, uptime data, notifications, and sessions.
  3. A confirmation email is sent once deletion is complete.

Deletion is permanent and cannot be reversed. A daily safety check ensures no deletion jobs are missed.

11. Third-Party Data Processors

We use the following third-party services. Data is only shared when you explicitly enable the corresponding feature:

Matomo Analytics (self-hosted, Fizteq Solutions SRL — EU)

We use Matomo for website analytics, self-hosted on our own EU servers (analytics.fizteq.com). Matomo runs in cookieless mode — no cookies are set, no personal data is stored on your device, and no data is shared with third parties. We use it to understand aggregate page views and referral sources.

Newsman (Dazoot Software SRL, Romania — EU)

Your email address and notification content are processed by Newsman to send alerts, verification emails, and account notifications. Data stays within the EU.

Telegram (user-activated)

Event summaries sent via the Telegram Bot API. Data may be processed outside the EU. Only active when you enable Telegram notifications.

Discord (user-activated)

Event summaries sent via Discord webhooks. Data is processed in the US. Only active when you enable Discord notifications.

Slack (user-activated)

Event summaries sent via Slack webhooks. Data is processed in the US. Only active when you enable Slack notifications.

Lemon Squeezy (Lemon Squeezy, Inc. — US)

Payment processing for paid subscriptions. Lemon Squeezy processes your name, email, and payment details (credit card, billing address) to complete transactions and handle EU VAT. We do not store your full card details — only the card brand and last four digits are retained for display purposes. Lemon Squeezy also provides invoice receipts. Data is processed in accordance with their DPA. Only applicable when you subscribe to a paid plan.

12. Cookies

WPPulse uses only essential cookies required for the service to function. We do not use analytics, tracking pixels, or third-party advertising cookies. For a detailed list of cookies and their purposes, see our Cookie Policy.

13. Automated Decision-Making

WPPulse does not use automated decision-making or profiling that produces legal effects or similarly significant effects on you (Art. 22 GDPR). Error grouping and alert digesting are automated technical processes that do not involve profiling or automated individual decision-making.

14. Children's Data

WPPulse is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child under 16 has provided us with personal data, please contact us and we will promptly delete it.

15. Data Security

We implement appropriate technical and organisational measures to protect your data:

  • All data transmitted over HTTPS (TLS encryption in transit)
  • Passwords hashed with Bcrypt
  • API keys stored as one-way SHA-256 hashes
  • Notification credentials encrypted at rest (AES-256)
  • Sessions encrypted and HTTP-only
  • Security headers (CSP, HSTS, X-Frame-Options) on all responses
  • Rate limiting on API and authentication endpoints
  • Two-factor authentication available for user accounts

16. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Romanian supervisory authority (ANSPDCP) within 72 hours of becoming aware of it, as required by Art. 33 GDPR. If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay (Art. 34 GDPR).

17. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is:

ANSPDCP

Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal

B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 Bucharest, Romania

Website: www.dataprotection.ro

18. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the service after notification constitutes acceptance of the updated policy.

19. Contact

For privacy-related inquiries, data subject requests, or complaints, contact us at:

Fizteq Solutions SRL

Email: wppulse@fizteq.com