Privacy Policy
Last updated: March 2026
1. Data Controller
The controller responsible for data processing on this website pursuant to Art. 4(7) GDPR is:
emmgee Digital Agency
Michael Großklos
Köllerbachweg 6
66376 Dillingen
Germany
Email: privacy@wpfaker.com
See our Impressum for full contact details.
2. Overview of Data Processing
This privacy policy explains how we collect and process personal data when you use our website (wpfaker.com), documentation (docs.wpfaker.com), and the WPfaker WordPress plugin. We process personal data only to the extent necessary and in accordance with the EU General Data Protection Regulation (GDPR / DSGVO) and the German Federal Data Protection Act (BDSG).
3. Server Log Files
Our hosting provider Netlify automatically collects and stores information in server log files that your browser transmits when you visit our website. This includes:
- IP address
- Date and time of the request
- Page requested (URL)
- HTTP status code
- Browser type and version
- Operating system
- Referrer URL
This data cannot be attributed to a specific person. It is not merged with other data sources. Log files are automatically deleted after 30 days.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR). The processing is necessary for stable and secure operation of the website.
4. Account Registration and Authentication
Email / Password Registration
When you create an account, we collect:
- Email address
- Name (optional)
- Password (stored as a salted cryptographic hash — we cannot read your password)
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR). An account is required to purchase and manage licenses.
Social Login (OAuth)
You may sign in using Google, GitHub, or Apple. When you do, the provider shares your email address and basic profile information (name, profile picture) with us. We do not receive or store your password from these providers.
The respective provider's privacy policy applies to the data they process:
Legal basis: Consent (Art. 6(1)(a) GDPR). You actively choose to sign in via a social provider. You can revoke access at any time through the provider's account settings.
5. License Purchase and Payment
Payment Processing
Payments are handled by Creem (Creem OÜ, Estonia). When you initiate a purchase, you are redirected to Creem's checkout. We do not collect or store credit card numbers or bank account details. Creem shares the following with us after a successful purchase:
- Transaction ID
- Product purchased (plan type)
- Customer ID
See Creem's Privacy Policy for how they process your payment data.
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR).
License Activation
When you activate WPfaker on a WordPress site, the plugin transmits:
- License key
- Site URL
- Site fingerprint (a hashed, non-reversible identifier derived from site configuration)
- Plugin version
- IP address (of the WordPress server)
This data is used solely to enforce license terms (e.g., activation limits) and to deliver updates.
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR).
6. Email Communications
Transactional Emails
We send service-related emails (e.g., license delivery, account notifications, password resets) via Migadu (Migadu GmbH, Switzerland). Your email address is transmitted to Migadu's servers for delivery.
See Migadu's Privacy Policy for how they process your data. Migadu is based in Switzerland, which the European Commission recognizes as providing an adequate level of data protection (Art. 45 GDPR).
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR).
Newsletter
We use Resend (Resend, Inc., USA) to manage our mailing list and send newsletter emails. When you subscribe, the following data is transmitted to Resend:
- Email address
- Name (if provided)
- Topic subscriptions (which mailing lists you opted into)
- Engagement data (delivery status, opens, clicks — for troubleshooting and improving our communications)
Subscriptions use a double opt-in process: after signing up, you receive a confirmation email and must click the confirmation link before being added to the list. You can unsubscribe at any time via the link in every email or by contacting us.
See Resend's Privacy Policy for how they process your data.
Legal basis: Consent (Art. 6(1)(a) GDPR). You can withdraw your consent at any time by unsubscribing.
Support Requests
When you submit a support ticket, we collect:
- Email address
- Name (if provided)
- Message content and any attachments
Support tickets are processed on our own self-hosted system. No data is shared with third parties for this purpose.
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) for license-related support; legitimate interest (Art. 6(1)(f) GDPR) for general inquiries.
7. Cookies
We use only technically necessary cookies. No tracking, analytics, or advertising cookies are set.
| Cookie | Purpose | Duration |
|---|---|---|
| better-auth.session_token | Authentication session | 7 days |
| cc_cookie | Cookie consent preferences | 182 days |
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR). These cookies are strictly necessary for site functionality and do not require consent under § 25(2) TDDDG.
8. Data Sharing and Third-Party Processors
We do not sell your personal data. We share data only with the following processors, each under a data processing agreement (Art. 28 GDPR):
| Processor | Purpose | Location |
|---|---|---|
| Netlify, Inc. | Website hosting, CDN | USA |
| Creem OÜ | Payment processing | Estonia (EU) |
| GitHub, Inc. | Plugin distribution (downloads) | USA |
| Migadu GmbH | Transactional email delivery | Switzerland |
| Resend, Inc. | Newsletter and mailing list | USA |
| Hetzner Online GmbH | API server and database hosting | Germany |
All fonts, icons, and static assets are self-hosted. No visitor data is transmitted to third-party CDNs during normal page visits.
9. International Data Transfers
Some of our processors are based in the United States. Data transfers to the USA are covered by:
- The EU-U.S. Data Privacy Framework (DPF) — Netlify and GitHub are certified under the DPF, ensuring an adequate level of data protection as recognized by the European Commission (Art. 45 GDPR).
- Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR — used as an additional safeguard where applicable.
10. Data Retention
- Account data: Retained as long as your account is active. Deleted within 30 days of account deletion.
- License and activation data: Retained for the duration of the license. After expiration or cancellation, retained for up to 12 months for abuse prevention, then deleted.
- Payment records: Retained for 10 years as required by German tax law (§ 147 AO, § 257 HGB).
- Server log files: Automatically deleted after 30 days.
- Support tickets: Retained for 24 months after the last reply, then deleted.
- Newsletter data: Retained until you unsubscribe. Deleted from Resend within 30 days of unsubscription.
- Cookie consent preferences: 182 days.
11. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR) — obtain confirmation of whether and which personal data we process about you
- Right to rectification (Art. 16 GDPR) — correct inaccurate data
- Right to erasure (Art. 17 GDPR) — request deletion of your data, unless legal retention obligations apply
- Right to restriction of processing (Art. 18 GDPR) — restrict processing under certain conditions
- Right to data portability (Art. 20 GDPR) — receive your data in a structured, machine-readable format
- Right to object (Art. 21 GDPR) — object to processing based on legitimate interest at any time
- Right to withdraw consent (Art. 7(3) GDPR) — withdraw any consent given, without affecting the lawfulness of prior processing
To exercise any of these rights, contact us at privacy@wpfaker.com. We will respond within 30 days.
12. Right to Lodge a Complaint
If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR. The competent authority for us is:
Unabhängiges Datenschutzzentrum Saarland
Die Landesbeauftragte für Datenschutz und Informationsfreiheit
Fritz-Dobisch-Straße 12
66111 Saarbrücken
Germany
Website: www.datenschutz.saarland.de
13. SSL/TLS Encryption
This website uses SSL/TLS encryption for security and to protect the transmission of personal data and other confidential content. You can recognize an encrypted connection by the "https://" prefix in your browser's address bar.
14. Automated Decision-Making
We do not use automated decision-making or profiling as described in Art. 22 GDPR.
15. Changes to This Policy
We may update this privacy policy to reflect changes in our practices or legal requirements. The "Last updated" date at the top indicates when the latest revision was made. For significant changes, we will notify registered users by email.
16. Contact
For privacy-related questions or to exercise your data subject rights, contact us at: