- 1. Data Controller and Processor Roles
- 2. Legal Basis for Processing
- 3. Types of Personal Information Collected
- 4. Personal Information Collected by the WP Ghost Plugin
- 6. Use of Personal Information
- 7. Disclosure of Personal Information
- 8. Storage and Security of Personal Data
- 9. Data Retention
- 10. International Data Transfers
- 11. Your Rights Under GDPR
- 12. Cookies and Web Analytics
- 13. Children’s Privacy
- 14. Policy Updates
- 15. Contact Information
- Assessment
This Privacy Policy explains how MINBO QRE SRL (Company No. 37814865), its wholly owned subsidiaries, and the WP Ghost websites (“WP Ghost”, “we”, “our”, or “us”) collect, use, and protect personal data.
We are committed to complying with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable data protection laws.
1. Data Controller and Processor Roles
For account registration, billing, and website use, MINBO QRE SRL acts as the Data Controller.
For data processed through the WP Ghost plugin installed on a customer’s website:
- The website owner acts as the Data Controller
- WP Ghost acts as a Data Processor only where optional cloud features are enabled
WP Ghost does not determine how website owners use the plugin on their own websites.
2. Legal Basis for Processing
We process personal data under the following legal bases:
- Performance of a contract (Article 6(1)(b) GDPR) – to provide purchased services and plugin functionality
- Legitimate interests (Article 6(1)(f) GDPR) – to operate, secure, and improve our services
- Consent (Article 6(1)(a) GDPR) – where required, including marketing communications
3. Types of Personal Information Collected
We may collect the following information:
- Username
- Email address
- Contact details
- Billing and transactional information
- Website usage and analytics data
Personal data means any information relating to an identified or identifiable natural person.
4. Personal Information Collected by the WP Ghost Plugin
4.1 User Events Log (Optional Cloud Storage)
If the User Events Log Cloud Storage feature is enabled, activity data is transmitted to secure WP Ghost servers to provide centralized reporting.
This feature:
- Is disabled by default
- Requires explicit activation by the website owner
- Stores data for 30 days
- Automatically and permanently deletes data after 30 days
The information may include:
- Action Name
- Post ID
- Post Type
- Username
- Post Name
- Plugin Name
- Attachment Name
This data is used solely to provide activity reporting and is not shared with third parties or used for marketing purposes.
4.2 Security Threats Log (Aggregated Statistics Only)
Detailed security threat data remains stored locally on the website in the hmwp_logs database table.
For statistical and reporting purposes, WP Ghost may transmit aggregated, non-personal data to the WP Ghost Dashboard, limited strictly to:
- Date
- Total number of detected threats
No IP addresses, URLs, request details, usernames, or visitor data are transmitted as part of this reporting.
5. Methods of Data Collection
We collect personal data:
- Directly from you (e.g., account registration, purchases, support requests)
- Automatically through website interaction and analytics tools
6. Use of Personal Information
We may use personal information to:
- Provide and operate WP Ghost services
- Process payments and transactions
- Deliver customer support
- Improve service functionality and security
- Communicate operational updates
- Send marketing communications where consent has been given
- Prevent fraud and enforce user terms
7. Disclosure of Personal Information
We may disclose personal data to:
- Our payment processor (Paddle.com) for transaction processing
- Professional advisers (lawyers, accountants, auditors)
We do not sell personal data.
8. Storage and Security of Personal Data
Personal data is stored on secure servers operated by us or trusted service providers.
We implement appropriate technical and organizational security measures, including:
- Access controls
- Authentication mechanisms
- Data encryption where appropriate
9. Data Retention
- Cloud User Events Logs: 30 days (automatic deletion)
- Aggregated threat statistics: minimal, non-personal statistical records
- Billing and transactional records: retained as required by applicable tax and accounting laws
10. International Data Transfers
Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are implemented in accordance with GDPR requirements.
11. Your Rights Under GDPR
Under GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Request erasure of your data
- Restrict processing
- Object to processing
- Request data portability
To exercise your rights, please contact us using the details below.
12. Cookies and Web Analytics
We use cookies and similar technologies to:
- Ensure website functionality
- Analyze performance
- Improve user experience
- Provide relevant marketing communications where consent has been given
You may control cookie preferences through your browser settings.
13. Children’s Privacy
Our services are not directed at children under 13. We do not knowingly collect personal data from children.
14. Policy Updates
We may update this Privacy Policy to reflect legal or operational changes. Updates will be published on our website.
15. Contact Information
If you have questions regarding this Privacy Policy or your data rights, please contact us via our official website contact form.
Assessment
This version:
- Clearly defines controller/processor roles
- States legal basis
- Clarifies optional cloud logging
- Separates aggregated threat stats
- Mentions retention
- Mentions international transfers
- Lists GDPR rights
- Sounds professional for EU businesses
Updated: Feb 2026