Privacy Policy • WP STAGING

WP STAGING is committed to protecting your privacy. Contact us if you have any questions or concerns regarding the use of your personal data, and we will be happy to help.

When you use our website or services, we process personal data as described in this Privacy Policy and only where there is a legal basis for doing so, such as contract performance, legal obligations, legitimate interests, or your consent where required.

This Privacy Policy explains how we process personal data when you use our website, our products, or our support services. It does not constitute a data protection consent unless consent is expressly requested.

If there are inconsistencies between the terms used in the Terms and Conditions and this Privacy Policy, this Privacy Policy shall prevail.

Definitions

Personal data means any information relating to an identified or identifiable natural person.
Processing means any operation or set of operations performed on personal data or on sets of personal data.
Data subject means a natural person whose personal data is processed.
Child means a natural person under 16 years of age.
We/us, whether capitalized or not, means WP STAGING.

We aim to comply with the following data protection principles:

Processing is lawful, fair, and transparent. Our processing activities have a legal basis. We consider your rights before processing personal data. Upon request, we will provide information about the processing.
Processing is limited to its purpose. Our processing activities correspond to the purpose for which the personal data was collected.
Processing is limited to the necessary data. We collect and process only the minimum amount of personal data required for each purpose.
Processing is limited in time. We do not store your personal data longer than necessary.
We will make reasonable efforts to ensure that personal data is accurate.
We will make reasonable efforts to ensure the integrity and confidentiality of personal data.

The data subject has the following rights:

Right to information. You have the right to know whether your personal data is being processed, what data is collected, where it comes from, why it is processed, and by whom.
Right of access. You have the right to access the data collected about you. This includes your right to request and receive a copy of your personal data.
Right to rectification. You have the right to request the correction or deletion of inaccurate or incomplete personal data.
Right to erasure. Under certain circumstances, you may request the deletion of your personal data from our records.
Right to restriction of processing. Where certain conditions apply, you have the right to restrict the processing of your personal data.
Right to object to processing. In some cases, you have the right to object to the processing of your personal data, for example in the case of direct marketing.
Right to object to automated processing. You have the right to object to automated processing, including profiling, and not to be subject to a decision based solely on automated processing. You may exercise this right if the result of the profiling has legal effects concerning you or significantly affects you.
Right to data portability. You have the right to receive your personal data in a machine-readable format or, where technically feasible, to have it transferred directly from one controller to another.
Right to lodge a complaint. If we refuse your request under your access rights, we will provide a reason. If you are not satisfied with how your request is handled, please contact us.
Right to assistance from a supervisory authority. You have the right to seek assistance from a supervisory authority and the right to other legal remedies, including claiming damages.
Right to withdraw consent. You have the right to withdraw any consent you have given for the processing of your personal data.

Account and Purchase Information

On our website, you can purchase software licenses and packages that you can download after purchase.
To send you a license key and a software download link, we collect your email address. We also collect your full name, billing address, and private address in order to create and send you an invoice by email and to allow downloads from our website.

We create an account on our website when you make your first purchase. This account is linked to your email address and contains license information as well as a history of your purchases and license activity. License activity tracks, for example, on which websites you have activated the software purchased from us.

We store the information you provide to us so that you can comment or perform other activities on the website. This information may include, for example, your name and email address.

We store this information on our servers.

We retain invoice, order, payment, and accounting records for the applicable statutory retention periods, usually for up to ten years.

We store account, license, and support data for as long as necessary for contract performance, customer support, license management, fraud prevention, security, legal obligations, and the establishment, exercise, or defense of legal claims.

When personal data is no longer required, we delete or anonymize it unless statutory retention obligations or legitimate reasons for further storage apply.

You can update your account information here.

Communication and Support Requests

We use Help Scout to handle support requests that can be submitted through the contact form on our website or sent to the email address support [at] wp-staging.com. We use this service to keep all support requests in one place and to be able to search for similar requests from previous conversations.

When you submit a support request, we process the content you provide, your contact details, technical information, attachments, and communication metadata. Help Scout processes this data as a processor on the basis of a data processing agreement. Depending on the request, support data may include information about your WordPress installation, server environment, plugin configuration, log files, or error messages.

The company address of Help Scout is:

Help Scout Inc.
131 Tremont Street
3rd Floor
Boston, MA 02111-1338

Other Communication

We may communicate with you directly by email without using Help Scout, which means that your email request will be stored on our computer systems.
We may use additional services such as X.com or Facebook to communicate with you if you start communication with us through one of these services.
The use of these services is not required in order to contact us or to use our services or products.
You are subject to the privacy policies of external services if you use them to contact us.

Information Collected Automatically About You

This includes information that is automatically stored through cookies and other session tools. This may include your shopping cart information, your IP address, and your purchase history. This information is used for security purposes and to prevent fraudulent attempts or transactions. This information is also stored to provide a better customer experience.
When you use our services or view the content of our website, your activity may also be logged for security reasons.

You can request access to or deletion of this data. Your request may be limited by legal obligations and depends on the type of data concerned.

Information From Service Providers and Payment Providers

We receive personal data from service providers only to the extent necessary to provide our products, process payments, provide support, secure our website, or comply with legal obligations.

This includes, in particular, payment confirmations and transaction information from payment providers as well as information processed in connection with support requests or technical error analysis.

See the list of our processing partners here.

Publicly Available Information

We do not routinely collect publicly available personal information about customers. In individual cases, we may review publicly available information where this is necessary to protect our rights, prevent abuse, investigate security incidents, or respond to public claims.

Overview of Personal Data Processing

The following overview shows which personal data we process, for which purposes, on which legal basis, and how long the data is stored.

Processing Activity	Data Categories	Purpose	Legal Basis	Recipients / Service Providers	Retention Period
Website visits and server logs	IP address, date and time of access, requested URL, referrer, user agent, browser and system information, technical request data	Providing the website, technical delivery, error analysis, abuse detection, and security	Art. 6(1)(f) GDPR, legitimate interest in secure and stable website operation	Hosting providers, security services	For as long as required for security, error analysis, and abuse prevention; thereafter deletion or anonymization
Cookie-free web analytics with Matomo	Visited pages, timestamps, referrers, shortened or anonymized IP address, technical browser information, device information, usage events without Matomo tracking cookies	Analysis of website usage, improvement of content, performance, usability, and technical stability	Art. 6(1)(f) GDPR, legitimate interest in improving our website and services	WP STAGING, self-hosted Matomo installation	In accordance with our internal deletion and anonymization periods; aggregated statistics may be stored for longer
Customer account and license management	Name, email address, billing address, account data, license key, license status, purchase history, activated domains, license activity	Creating and managing the customer account, providing downloads, license verification, activation, renewal, support, and abuse prevention	Art. 6(1)(b) GDPR, contract performance; Art. 6(1)(f) GDPR, legitimate interest in license management, security, and abuse prevention	WP STAGING, hosting providers, internal systems	For the duration of the customer and license relationship and beyond, where required for support, security, legal obligations, or legal claims
Orders, invoices, and accounting	Name, email address, billing address, order data, payment status, invoice data, tax information, order-related communication data	Processing purchases, issuing invoices, accounting, tax obligations, and documenting legal obligations	Art. 6(1)(b) GDPR, contract performance; Art. 6(1)(c) GDPR, legal obligations	WP STAGING, payment providers, tax advisors, accounting and hosting service providers	In accordance with statutory retention periods, usually up to 10 years
Payment processing via Stripe	Name, email address, billing address, payment data, IP address, device and transaction data, fraud prevention data	Processing credit card and other Stripe payments, fraud prevention, payment checks, and security checks	Art. 6(1)(b) GDPR, contract performance; Art. 6(1)(f) GDPR, legitimate interest in secure payment processing and fraud prevention	Stripe Payments Europe, Ltd. / Stripe, Inc.	In accordance with statutory, contractual, and payment-related retention periods
Payment processing via PayPal	Name, email address, billing address, payment data, IP address, transaction data	Processing PayPal payments, payment confirmation, fraud prevention, and handling payment-related inquiries	Art. 6(1)(b) GDPR, contract performance; Art. 6(1)(f) GDPR, legitimate interest in secure payment processing and fraud prevention	PayPal Europe S.à r.l. et Cie, S.C.A.	In accordance with statutory, contractual, and payment-related retention periods
Support requests via Help Scout	Name, email address, message content, attachments, technical information, license data, website or server information, log files, communication history	Handling support requests, error analysis, customer communication, quality assurance, and traceability of previous support cases	Art. 6(1)(b) GDPR, contract performance or pre-contractual measures; Art. 6(1)(f) GDPR, legitimate interest in efficient support and troubleshooting	Help Scout Inc., email and hosting service providers	For as long as required for support, contract performance, quality assurance, security, and legal claims
Direct email communication	Name, email address, communication content, attachments, technical email metadata	Handling inquiries, business communication, contract-related communication, and support communication	Art. 6(1)(b) GDPR, where contract-related; Art. 6(1)(f) GDPR, legitimate interest in communication and documentation	Email hosting providers, internal systems	For as long as the communication is required for the respective purpose, legal obligations, or legal claims
Website security and protection	IP address, request URL, request headers, user agent, login events, timestamps, blocked requests, firewall and security events	Protection against attacks, malware, brute-force attempts, unauthorized access, abuse, and security incidents	Art. 6(1)(f) GDPR, legitimate interest in securing our website, customer accounts, license systems, and technical infrastructure	WP STAGING, hosting providers, security service providers such as Wordfence / Defiant, Inc.	For as long as required for security, abuse prevention, error analysis, and legal claims
Newsletter and product information	Email address, name, consent status, subscription timestamp, technical delivery and sending data, possibly interests or product relation	Sending newsletters, release notes, security information, product information, and offers for our own products and services	Art. 6(1)(a) GDPR, consent; where legally permitted, Art. 6(1)(f) GDPR for existing customer information about our own similar products	Email and newsletter service providers, internal systems	Until consent is withdrawn, you unsubscribe, or as long as processing is required for the respective purpose
Cloud backup authentication via WP STAGING	Domain name, technical connection data, IP address of the website, timestamp, OAuth-related technical data where required for the connection	Connecting the WP STAGING plugin with selected cloud storage providers such as Google Drive, Dropbox, pCloud, OneDrive, DigitalOcean Spaces, Amazon S3, or Wasabi S3	Art. 6(1)(b) GDPR, contract performance; Art. 6(1)(f) GDPR, legitimate interest in secure technical provision of the feature	WP STAGING, selected cloud storage provider, where applicable WP STAGING authentication server	No storage of backup contents by WP STAGING; technical log data only for as long as required for security, debugging, or abuse prevention
Contact via social networks	Profile name, publicly visible profile data, message content, communication data, platform metadata	Handling inquiries, communication, responding to public posts or support requests	Art. 6(1)(f) GDPR, legitimate interest in communication and handling inquiries; where applicable Art. 6(1)(b) GDPR for contract-related inquiries	Respective platform, such as X/Twitter, LinkedIn, Facebook, and internal systems	In accordance with the storage rules of the respective platform and for as long as required for handling or documentation
Review of publicly available information in individual cases	Publicly accessible information, public statements, profile information, technical or business context information	Protecting our rights, abuse prevention, investigating security incidents, or responding to public claims	Art. 6(1)(f) GDPR, legitimate interest in legal defense, security, and abuse prevention	Internal systems, where applicable legal advisors	Only for as long as required for the specific case, legal claims, or security purposes

We do not sell your personal data. We disclose personal data only to service providers, processors, authorities, or other third parties where this is necessary for the purposes described in this Privacy Policy, required by law, or based on your consent.

Personal data about you may in some cases be made available to our trusted partners in order to provide the service to you or improve your customer experience.

We work only with processing partners that can ensure an appropriate level of protection for your personal data. We disclose your personal data to third parties or authorities where we are legally required to do so. We may disclose your personal data to third parties if you have consented to this or if there are other legal grounds for doing so.

Our Processing Partners and Related Third Parties:

Email Management

Our email servers are hosted by Domainfactory and are located in Germany.
Emails sent to us are stored on these servers.

The company address of Domainfactory is:

Domainfactory GmbH
Oskar-Messter-Str. 33
85737 Ismaning
Germany
Privacy Policy

PayPal Payment

You can choose PayPal as a payment provider in our shop. When you make a purchase, we automatically transmit the data of the data subject to PayPal.

If you select PayPal as your payment method, we transmit the data required for payment processing to PayPal. The legal basis is Art. 6(1)(b) GDPR where the processing is necessary for the performance of the contract, and Art. 6(1)(f) GDPR for fraud prevention and secure payment processing.

The personal data transmitted to PayPal includes first name, last name, address, email address, IP address, and other data required for payment processing. The company address of PayPal Europe is:

PayPal Europe S.à.r.l. & Cie. S.C.A.
22-24 Boulevard Royal
2449 Luxembourg
Privacy Policy

Stripe Payment

If you choose a payment method supported by Stripe in our online shop, we use Stripe as a payment provider. We transmit the data required for payment processing to Stripe.

The data transmitted to Stripe may include, in particular, first name, last name, billing address, email address, IP address, payment data, device information, transaction data, and other information required for payment processing, fraud prevention, and security checks.

The legal basis is Art. 6(1)(b) GDPR where the processing is necessary for the performance of the contract, and Art. 6(1)(f) GDPR for fraud prevention and secure payment processing.

Company address:

Stripe
185 Berry Street, Suite 550
San Francisco, CA 94107
Privacy Policy

Web Hosting

This website and its database are stored on virtual server machines provided by DigitalOcean.

Company address:

DigitalOcean, LLC.
101 Ave of the Americas 10th Floor
New York, 10013.
UNITED STATES
Privacy Policy

Security

We use Wordfence, a security service provided by Defiant, Inc., to protect our website against attacks, malware, unauthorized access, brute-force login attempts, and other security threats.

For this purpose, security-related data such as IP addresses, requested URLs, request headers, user-agent information, login-related events, timestamps, blocked requests, and firewall events may be processed.

This processing is necessary to protect our website, services, customer accounts, license systems, and technical infrastructure. The legal basis is our legitimate interest in securing our website and services pursuant to Art. 6(1)(f) GDPR.

Depending on configuration and security events, data may be processed by Defiant, Inc. in the United States. Where personal data is transferred outside the EU/EEA, we rely on appropriate safeguards such as a data processing agreement, standard contractual clauses, or other applicable transfer mechanisms.

Backup Cloud Providers

Google Drive

WP STAGING offers two ways to connect your website with Google Drive.

One-click connection via our authentication server auth.wp-staging.com using the OAuth authentication protocol
Connection using your own Google API keys

We do not store backup contents on our servers. If our authentication server is contacted as part of the OAuth process, technically necessary connection data such as IP address, timestamp, and domain may be processed temporarily. This data is not used for tracking or marketing and is stored only for as long as necessary for security, error analysis, or abuse prevention.

When using our authentication server auth.wp-staging.com, we would technically be able to see the IP address of your website and the domain name.

This Privacy Policy therefore applies only if you use the integrated WP STAGING app for authentication with Google Drive.
If you configure WP STAGING to use your own Google API keys, our authentication server is not used for the OAuth process. In this case, no backup contents and no OAuth access tokens are transmitted to our servers as part of Google Drive authentication.

As mentioned above, using Google Drive with WP STAGING involves visiting our authentication server auth.wp-staging.com as part of the authentication process (OAuth). In any case, no backup data or other data from your WordPress website is sent to our servers. This data remains on the server where you host WordPress. When you see the Google permission screen, you will be asked to grant the WP STAGING plugin access to your server.

The Google Drive authentication process means:

We generally do not store client IP addresses in our server logs. If we store them, this is done only for technical debugging purposes and for a maximum of a few hours during the debugging process. After debugging, the logs are deleted.
We do not perform any further processing of the log files.
We do not store any other data, neither your email address nor access tokens nor anything else.
No further data is sent from our servers or implicitly collected in the process of using Google Drive. Any future changes to this Privacy Policy will be made on this page.

Dropbox

You can use the cloud upload option to upload backups to the Dropbox service.

We do not store backup contents on our servers. If our authentication server is contacted as part of the OAuth process, technically necessary connection data such as IP address, timestamp, and domain may be processed temporarily. This data is not used for tracking or marketing and is stored only for as long as necessary for security, error analysis, or abuse prevention.

Dropbox, Inc.
1800 Owens St
San Francisco, CA 94158
copyright@dropbox.com

pCloud

You can use the pCloud upload option to upload backups to the pCloud service.

pCloud International AG,
74 Zugerstrasse Str, 6340 Baar,
Switzerland

Microsoft OneDrive

If you connect OneDrive, your backup archives are encrypted locally and then transferred to the Microsoft cloud. They are stored in data centers managed by Microsoft, which may be located outside your jurisdiction. Microsoft is a self-certified participant in the EU-US Data Privacy Framework and relies on standard contractual clauses for other cross-border transfers. You can revoke OneDrive access at any time under WP Staging → Storage.

Company address:
Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA

DigitalOcean Spaces

If Spaces is enabled, WP STAGING uploads backup files to DigitalOcean’s object storage service. DigitalOcean stores data in the region selected by you, such as AMS3 or NYC3, but may replicate metadata to the United States. The company provides standard contractual clauses for GDPR compliance. Disable the Spaces key in the plugin settings to stop all transfers.

Company address:
DigitalOcean Holdings, Inc., 101 Avenue of the Americas, 10th Floor, New York, NY 10013, USA

Amazon S3

Backups sent to S3 are stored in the AWS region selected by you. Amazon may process and replicate data within that region across availability zones to ensure durability. AWS participates in the EU-US Data Privacy Framework and supports standard contractual clauses. Delete the S3 access key in WP STAGING to stop uploads, and request deletion through your AWS console if needed.

Company address:
Amazon Web Services, Inc., 410 Terry Ave N, Seattle, WA 98109-5210, USA

Wasabi S3

Activating Wasabi sends encrypted backups to the Wasabi storage region selected by you. Wasabi commits to keeping data in the selected region and provides a GDPR data processing addendum with standard contractual clauses. Removing your Wasabi keys from WP STAGING stops future transfers; existing objects can be deleted from your Wasabi bucket at any time.

Company address:
Wasabi Technologies, Inc., 75 Arlington St, Suite 810, Boston, MA 02116, USA

Social Networks

If you contact us through social networks such as X/Twitter, LinkedIn, Facebook, or similar platforms, we process the information you provide to handle your request. The use of these platforms is not required in order to use our products or support.

The privacy policies of the respective providers also apply to data processing on the respective platforms.

We make reasonable efforts to protect your personal data. We use secure protocols for communication and data transmission, such as HTTPS. We use anonymization and pseudonymization where appropriate. We monitor our systems for possible vulnerabilities and attacks.

Although we make reasonable efforts, we cannot guarantee the security of information. However, we will notify the competent authorities of personal data breaches where required. We will also notify you if a breach is likely to result in a risk to your rights or freedoms. We will take appropriate measures to prevent security breaches and to support the authorities in the event of a breach.

If you have an account with us, please note that you must keep your username, email address, and password confidential.

Children

We do not knowingly intend to collect information from children. Our services are not directed at children.

Cookies and Similar Technologies

We use cookies and similar technologies only to the extent necessary for the operation of our website, our shop, our customer account, payment processing, or the security of our services. We do not use marketing cookies, advertising cookies, Microsoft Clarity, or Google reCAPTCHA.

For web analytics, we use a self-hosted Matomo installation. Matomo is configured so that no Matomo tracking cookies are set. The analytics run without cookies and are used exclusively to better understand the use and technical quality of our website and to improve our content, products, and services.

We do not set marketing cookies, advertising cookies, or Matomo tracking cookies. Therefore, we currently do not display a cookie banner. Where technically necessary cookies are set, this is done on the basis of Section 25(2) No. 2 TDDDG. The subsequent processing of personal data is based, where applicable, on Art. 6(1)(b) GDPR for contract performance, Art. 6(1)(c) GDPR for compliance with legal obligations, or Art. 6(1)(f) GDPR based on our legitimate interest in secure and functional website and shop operation.

Name / Technology	Provider	Purpose	Category	Retention Period	Legal Basis
Matomo, cookieless	WP STAGING, self-hosted	Reach measurement, technical analysis, and improvement of our website. Matomo is configured so that no Matomo tracking cookies are set.	Cookie-free web analytics	No cookie in the browser. Analytics and usage data are deleted or anonymized server-side in accordance with our internal deletion periods.	Art. 6(1)(f) GDPR, legitimate interest in improving and maintaining the technical stability of our website
WordPress login cookies, e.g. `wordpress_logged_in_`, `wordpress_sec_`	WP STAGING	Authentication of logged-in users and protection of the customer account.	Technically necessary	Session or until logout; longer if “Remember me” is selected.	Section 25(2) No. 2 TDDDG; Art. 6(1)(b) GDPR
WordPress settings cookies, e.g. `wp-settings-`, `wp-settings-time-`	WP STAGING	Storage of user interface and account settings for logged-in users.	Functional / technically required for logged-in users	Usually up to 1 year.	Section 25(2) No. 2 TDDDG; Art. 6(1)(f) GDPR
Shopping cart and checkout cookies, e.g. shop or payment session cookies	WP STAGING / shop system	Storage of the shopping cart, execution of the order process, and prevention of checkout errors.	Technically necessary	Session or until completion or cancellation of the order process.	Section 25(2) No. 2 TDDDG; Art. 6(1)(b) GDPR
Stripe cookies, e.g. `__stripe_mid`, `__stripe_sid`, or comparable Stripe technologies	Stripe Payments Europe, Ltd. / Stripe, Inc.	Payment processing, fraud prevention, and secure processing of credit card and other Stripe payments. These technologies are used only in connection with checkout or payment processing.	Technically required for payment processing and fraud prevention	Depending on the Stripe technology, session to up to 1 year.	Section 25(2) No. 2 TDDDG; Art. 6(1)(b) GDPR; Art. 6(1)(f) GDPR

You can delete or block cookies at any time through your browser settings. If you block technically necessary cookies, certain functions of our website, in particular login, customer account, shopping cart, or checkout, may be restricted or unavailable.

Do you have questions about our Privacy Policy?
You can reach us through our contact form or at the following postal address:

Controller
René Hermenau
Zur Alten Schleuse 3
21266 Jesteburg
Germany

Email: support@wp-staging.com

Complaint to a supervisory authority
You also have the right to lodge a complaint with a data protection supervisory authority. In particular, the State Commissioner for Data Protection of Lower Saxony may be competent.

The State Commissioner for Data Protection of Lower Saxony
Prinzenstraße 5
30159 Hanover
Germany
Email: poststelle@lfd.niedersachsen.de

We reserve the right to make changes to this Privacy Policy.
The last change was made on May 18, 2026.