Information We Collect
Free Surface Scans (No Account Required)
- The URL you submit for scanning
- Scan results (security headers, detected vulnerabilities, exposed files)
- Your IP address (for rate limiting and abuse prevention)
Registered Accounts
- Name and email address
- Password (hashed, never stored in plain text)
- Site URLs and scan history
- Payment information (processed and stored by Stripe; we never see or store your card details)
Deep Scans and Cleanup
- SSH connection details (host, port, username, password or key) — encrypted at rest using AES-256
- WordPress installation path
- Server file information discovered during scanning (file paths, checksums, modification dates)
- Cleanup communication messages and file attachments
Partner API
- Company name and contact email
- API usage logs (endpoints called, timestamps, response codes)
- Webhook URLs and delivery history
- IP addresses for whitelisting
- Branding assets (logo, colors) if white-label features are used
How We Use Your Data
- To perform the security scans and cleanup services you request
- To display your scan results, history, and reports
- To process payments via Stripe
- To send scan completion notifications, cleanup status updates, and account-related emails
- To improve our vulnerability detection accuracy and malware signature database
- To enforce rate limits, prevent abuse, and maintain service security
- To analyze aggregate usage patterns (not individual data) for service improvement
What We Don't Do
- We never sell, rent, or trade your personal data to third parties
- We never access your WordPress admin during surface scans
- We never store your payment card details (handled entirely by Stripe)
- We never share individual scan results publicly without your explicit consent
- We never use your SSH credentials for any purpose other than the requested scan or cleanup
- We never send marketing emails unless you explicitly opt in
Third-Party Services
We use the following third-party services that may process your data:
- Stripe — Payment processing. Stripe's privacy policy applies to payment data. stripe.com/privacy
- Google Analytics — Anonymous website usage analytics (page views, traffic sources). We use this to understand how visitors use our public pages. No personally identifiable information is sent to Google Analytics. Google Privacy Policy
We do not use advertising networks, retargeting pixels, or social media tracking scripts.
Data Retention
- Free scan results: Retained for 90 days, then automatically deleted
- Registered user data: Retained until you delete your account
- SSH credentials: Encrypted at rest; retained while the site is active in your account. You can delete a site at any time to remove stored credentials.
- Cleanup messages and attachments: Retained for 1 year after cleanup completion
- API logs: Retained for 90 days for debugging and audit purposes
- Payment records: Retained as required by tax and financial regulations
Cookies
We use only essential cookies:
- Session cookie — Required for login and scan history tracking
- CSRF token — Required for form security
We do not use advertising cookies, tracking cookies, or third-party cookie-based analytics beyond Google Analytics (which uses its own cookies as described in Google's privacy policy).
Data Security
- All data is transmitted over HTTPS (TLS 1.2+)
- SSH credentials are encrypted at rest using AES-256 via Laravel's encryption
- Passwords are hashed using bcrypt (never stored in plain text)
- Database and Redis are accessible only from internal Docker network (not exposed to the internet)
- Server access is restricted to key-based SSH authentication only
- We perform regular security audits of our own infrastructure
Your Rights
You have the right to:
- Access your personal data — view your account, scan history, and stored information via your dashboard
- Correct inaccurate data — update your name and email from your account settings
- Delete your data — request full account deletion by contacting us
- Export your data — request a copy of your scan results and account data
- Withdraw consent — stop using the Service at any time; delete your account to remove all stored data
To exercise any of these rights, email support@wpvanguard.com. We will respond within 30 days.
Partner API and Data Processing
When partners use the API to scan sites on behalf of their clients, WP Vanguard acts as a data processor. The partner is the data controller and is responsible for obtaining appropriate consent from their end users. Partners must not submit personally identifiable information through the API beyond what is necessary for the scan.
Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users. The "Last updated" date at the top of this page indicates when the policy was last revised.