WP Security Audit is a plugin which allows web site administrators to monitor internal web site usage for auditing and security purposes.
This privacy notice pertains to this web site, and describes our provision of the WP Security Audit plugin to web site administrators. It also details what we do with our customers’ data in order to provide the plugin.
If you are a user of the WP Security Audit plugin as a web site administrator, you have an obligation to detail your use of the plugin in your own privacy notice – WP Security Audit Log plugin privacy notice.
WHO WE ARE
WP Security Audit Log is developed by Kypri Ltd, a company registered in the United Kingdom under number SC514191 whose registered office is at 42 Charlotte Square, Edinburgh, EH2 4HQ. Email contact: firstname.lastname@example.org.
For the purposes of the Data Protection Act 1998, GDPR, and the forthcoming Data Protection Bill, the data controller is (as above). Our ICO Data Controller registration number is ZA310527.
WHAT INFORMATION WE COLLECT, AND WHY
Upon installing the WP Security Audit plugin on your self-hosted WordPress site, administrators will have the choice to opt in to telemetry data being sent to freemius.com. This will include:
- Your name and email address, which we will use for notifications of upgrades and product enhancements,
- Your site’s URL, WordPress version, PHP version and list of installed plugins and themes.
We access this data via our own account on freemius.com. Freemius.com has no direct access to any of the telemetry data sent to their site and can only access it upon request, such as in the case of a technical support request.
We use telemetry information strictly for the improvement of the plugin and to respond to support queries. If you do not want to opt in to telemetry, this will not impact your use of the plugin in any way.
AUDIT AND ACTIVITY LOGS
Neither we nor Freemius collect any of the information generated by installations of our plugin on end user sites (i.e. the WordPress audit trail).
Neither we nor Freemius have access to the data collected by any installation of our plugin (i.e. the WordPress audit trail).
Our web site uses Stripe cookies to assist you in the checkout process. Following is the list of cookies that Stripe sets when you access our web site:
_stripe_sid (term 30 minutes)
_stripe_mid (term 1 year)
Both of these cookies are used by the Stripe payment gateway to measure web traffic and also to distinguish user sessions. For more information refer to: https://stripe.com/cookies-policy/legal
GOOGLE ANALYTICS COOKIES
We use Google Analytics to learn how our users are using the website and how the website is performing. All the data on Google Analytics is anonymous. Following is a list of cookies that Google Analytics sets when you access our website:
_ga (term 2 years)
_gid (term 24 hours)
These cookies are used by the Google Analytics service to store a unique user ID so the platform can determine whether two or more distinct hits belong to the same user. For more information refer to: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage
_gat (term 1 minute)
This cookie does not store any user information. It is just used by Google to limit the number of requests that have to be made to Google’s advertising networks. For more information refer to: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage
We use the ShareThis service to add the social media buttons at the bottom of every blog post allowing you to easily share articles. Following are the details of a cookie that the ShareThis service sets when you access our website:
_unam (term 10 months)
This cookie is used by ShareThis, a service that allows you to use the share buttons on our blog posts to easily share content on social networks like Twitter, Facebook and LinkedIn. ShareThis identifies you personally only if you previously signed up separately with ShareThis and gave your consent.
To opt out of Google and other third party cookies, visit YourOnlineChoices.eu.
We use Hotjar to learn about website visitor behavior patterns. We do this to find out things such as the number of visitors to the various parts of the site. We collect this information in a way which does not personally identify anyone. Following are the details of a cookie that the Hotjar service sets when you access our website:
_hjIncludedInSample (term 365 days)
This session cookie is set to let Hotjar know whether a visitor is included in the sample which is used to generate Heatmaps, Funnels, Recordings, etc.
_catAccCookies (term 365 days)
WHO ELSE PROCESSES YOUR DATA?
If you purchased the premium add-ons of our plugin prior to the 18th of January 2018, your data, including your billing details, is stored by us for customer service and subscription renewals.
We do not store, or have any access to, any payment information such as credit card numbers or addresses.
WHERE IS YOUR DATA?
Our web site is hosted in the United States and the hosting provider is compliant with the EU – U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework – more info.
MailChimp data is stored in the United States. MailChimp is compliant with the EU – U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework – more info.
Freemius data is stored in the United States. Freemius is a GDPR ready service – more info.
Hotjar data is hosted on Amazon AWS eu-west-1 in Ireland (EU) – more info.
HOW LONG DO WE KEEP YOUR DATA?
Newsletter: we keep your email address, first and last name on MailChimp until you unsubscribe from our newsletter.
Freemius: we keep your email address, first and last name, web site information and billing details (no cardholder or payment data is stored by us or Freemius) until you opt-out or cancel your premium subscription.
Web site – If you made any purchases on this site prior to the 18th of January 2018, we retain your customer data (Email address, first and last name, and billing details) until you no longer renew your subscription.
HOW DO WE PROTECT YOUR DATA?
We ensure that all the software we use is the latest and most secure version available on the market. We also ensure that all the online services we work with and where your data is stored (such as Freemius and MailChimp) are compliant with European data protection standards as well as the regulations of their respective countries.
WHAT ABOUT MY RIGHTS?
To discuss any privacy concerns you have as a customer of our plugin or a user of this web site, or to invoke your privacy rights under European law, please contact us on email@example.com.
Please note that as we have no access to any of the audit log and security data generated by users of the plugin, we cannot assist you in invoking your privacy rights pertaining to installations of the plugin. You will need to contact the administrator of the site using the plugin to invoke your rights.
PRIVACY NOTICE FOR THE WP SECURITY AUDIT LOG PLUGIN USERS
If you use the WP Security Audit Log plugin on your web site, you must advise your site visitors of this in your privacy notice. We suggest using the following text. Please note this text is not exhaustive. It is your responsibility to accurately reflect your data capture and retention through the plugin in your privacy notice.
SECURITY MONITORING AND AUDITING
We use the WP Security Audit Log plugin as a security monitoring and auditing plugin to create a log of data about the ways that our web site is used by those who have login access to it. This information is collected and retained by the web site administrator for, as the name might suggest, security and auditing purposes.
Once activated, the plugin logs a timestamped record of when a logged-in user takes the following actions:
- Logs in and out;
- Creates, deletes, modifies or views a post (be it a page, post or a post with a custom type);
- Creates, deletes or modifies tags;
- Creates, modifies, deletes, or approves comments;
- Creates, modifies or deletes widgets and menus;
- Creates, modifies (this includes changing the password) or deletes a user, or views another user’s profile;
- Installs, activates, deactivates, or uninstalls a theme or plugin;
- Changes system settings such as reading, general, or permalinks;
- (remove as applicable) Takes actions on a multisite network such as creating a new site, creating a new user on the network, adding a user to a site, changing its role, etc;
- (remove as applicable) Takes actions on a BBPress forum such as creating a new forum, deleting entries, changing forum settings, etc;
- (remove as applicable) Takes actions on a WooCommerce installation such as creating a new product, changing store settings, modifying the product, etc.
The timestamped record includes the following information:
- The user’s login name
- The user’s actual name as entered when their account was set up
- The user’s WordPress role (Author, editor, etc)
- The IP address from which the user accessed the site
- The time and date of each action detailed above while the user was logged in.
The data captured by the WP Security Audit Log plugin is stored by the web site administrator for a period of [the time the administrator has specified in the plugin settings] solely for security and auditing purposes.
Information captured by WP Security Audit Log is accessed only by the administrators of the web site and is stored on the web site’s database. These administrators may be located outside the European Union.
Information captured by the WP Security Audit Log is not shared with third parties except in the case of law enforcement requests.
In your privacy notice, please detail the security precautions you take to protect the information generated by the WP Security Audit Log plugin.
This privacy notice was last updated on the 28th of May 2018.