Privacy Policy
Effective 2026-04-30
This Privacy Policy describes how WebProManager ("we", "us", "our") collects, uses, shares, and protects information when you use our website, dashboards, APIs, browser extensions, command-line tools, WordPress plugin, and any related services (the "Service"). It applies to information we process as a controller for our own business purposes and to information we process as a processor on behalf of our customers (such as backups, site metadata, and form submissions imported from connected sites).
Quick summary
- We collect what we need to run the Service, bill you, and keep your sites safe.
- We never sell your data and we do not use Customer Data to train AI models.
- Backups, screenshots, and connector secrets are encrypted at rest.
- You can export everything tied to your account, or delete it, from Settings.
What we collect
- Account data: name, email address, hashed password, recovery codes (hashed), TOTP secret (encrypted), preferred timezone, communication preferences.
- Billing data: billing email, billing address (when applicable), VAT/tax ID (when applicable), Stripe customer and subscription identifiers, last four digits and brand of the payment method. We never see or store your full card number — Stripe handles that as a PCI-DSS Level 1 service provider.
- Connected site data ("Customer Data"): URLs, plugin/theme/core metadata and versions, site health metrics, uptime check results, error log excerpts, on-demand screenshots, and full backups of WordPress sites or CMS exports of Webflow sites. For Webflow, also: form submissions, asset metadata, redirect lists, and custom-code snippets that you ask us to manage.
- Connector credentials: WordPress per-site signing keys, Webflow OAuth tokens, AWS/R2 storage keys you provide, all encrypted at rest.
- Diagnostics: request logs (IP address, user agent, request route, response code) for the most recent thirty days, used to debug issues and detect abuse.
- Communications: emails and support tickets you send us, and our replies.
- Cookies: a single first-party session cookie used to keep you signed in and a CSRF token cookie. We do not set third-party tracking cookies inside the application.
How we use it
- To run the Service: monitor uptime, apply updates, take and store backups, run visual regression checks, deliver alerts, and surface diagnostics.
- To bill you, via Stripe.
- To send transactional email (alerts, security notices, password resets, receipts) — these cannot be opted out of while the account is active.
- To send product announcements only if you explicitly opt in.
- To detect and stop abuse, fraud, and security incidents.
- To comply with legal obligations.
- To improve the Service through aggregated, de-identified usage analytics. We do not use Customer Data to train machine-learning models.
Legal bases for processing (EEA/UK)
If you are in the EEA, the UK, or another jurisdiction with similar law, our legal bases are: (a) contract — to provide the Service you signed up for; (b) legitimate interests — to keep the Service secure, prevent abuse, and improve product quality, balanced against your rights; (c) legal obligation — for tax records and lawful requests; and (d) consent — for marketing email, where required.
Where your data lives
Our application database is hosted in the region you signed up from (US or EU; we will confirm at signup and on request). Backups, screenshots, and CMS exports are stored in object storage (Cloudflare R2 or AWS S3, depending on your plan), encrypted at rest with AES-256-GCM under keys managed in our environment. WordPress connector secrets and Webflow OAuth tokens are encrypted at rest with a key kept separately from the database.
Where data crosses borders out of the EEA or UK, we rely on Standard Contractual Clauses or other approved transfer mechanisms.
Sub-processors we share with
We share the minimum information required with the following service providers, each bound by a written data-processing agreement:
- Stripe — payments, invoicing, tax calculation.
- SendGrid (or your configured SMTP provider) — transactional email delivery.
- Cloudflare — object storage (R2), DNS, CDN, headless browser rendering for visual regression.
- Amazon Web Services — S3 object storage when you choose it as the backup destination.
- Webflow — when you connect a Webflow account, we hold your OAuth token (encrypted) and use it strictly for sites you import.
- Anthropic — when you opt in to AI-assisted features (for example, alt-text suggestions for CMS images), the relevant content is sent to Anthropic's API for inference and is not used by us or them to train models.
- Hosting and managed-database providers — to operate our infrastructure.
- Law enforcement or regulators — only when compelled by valid legal process, and only the minimum data required. We will tell you about a request unless legally prohibited.
Security
We follow industry-standard practices, including: encryption in transit (TLS 1.2+) and at rest (AES-256-GCM); HMAC-signed requests between the connector plugin and our API; bcrypt password hashing; optional two-factor authentication on every account; least-privilege access controls; audit logging of administrative actions; and routine vulnerability scanning. No system is impenetrable. If we discover a security incident affecting your data, we will notify you without undue delay and, where required, within seventy-two hours, and provide details we know at that time.
Retention
- Account data: kept for the life of the account, deleted within thirty days of account closure.
- Backups and screenshots: sixty days by default, configurable on enterprise plans; deleted on account closure once retention expires.
- Diagnostic logs: thirty days.
- Billing records: retained for as long as required by tax and accounting law (typically seven years).
Your rights
Subject to applicable law, you have the right to:
- Access the data we hold about you.
- Correct inaccurate data.
- Export your data — visit Settings » Account » Export to download a JSON archive.
- Delete your account, with a thirty-day grace period for recovery — Settings » Account » Delete.
- Object to processing based on legitimate interests.
- Restrict processing in certain circumstances.
- Withdraw consent for any consent-based processing, without affecting prior lawful processing.
- Lodge a complaint with your local data-protection authority.
If you would rather email us than use the dashboard: support@webpromanager.com. We respond to verified requests within thirty days, and within forty-five days for complex requests, with notice.
California privacy rights
If you are a California resident, you have the rights described above in addition to specific rights under the CCPA/CPRA, including the right to know what personal information we collect, the right to delete it, the right to correct it, and the right to limit the use of sensitive personal information. We do not sell or share personal information for cross-context behavioural advertising.
Customer Data — your customers' rights
When we process Customer Data on your behalf as a processor, we follow your instructions. If a person exercises a privacy right against you for data we hold for you, contact us and we will help you respond.
Children
The Service is not directed to children under sixteen. We do not knowingly collect personal information from anyone under sixteen. If you believe a child has provided us information, contact us and we will delete it.
Cookies and tracking
Inside the application we use only first-party essential cookies (session and CSRF). Marketing pages may use a privacy-respecting analytics provider; if so, it will be disclosed in the cookie banner shown to first-time visitors. We do not use behavioural-advertising cookies. The Service honors the Global Privacy Control signal where applicable.
Changes
If we change this policy materially, we will update the effective date, notify active customers by email, and surface an in-app notice on next sign-in. For minor edits we will update the effective date.
Contact
Questions, complaints, or rights requests: support@webpromanager.com. EU/UK customers may also contact our representative through that address; we will route the request appropriately.
This document is starter language and is not legal advice. Have a qualified privacy lawyer review and adapt it to your specific operations and jurisdictions before relying on it.
Questions about this document? Email support@webpromanager.com.