- 1. Data Controller and Processor Roles
- 2. Legal Basis for Processing
- 3. Personal Data We Collect
- 4. Personal Data Collected by the WP Ghost Plugin
- 5. How We Collect Personal Data
- 6. How We Use Your Personal Data
- 7. Disclosure of Personal Data
- 8. Data Security
- 9. Data Retention
- 10. International Data Transfers
- 11. Your Rights Under GDPR
- 12. Cookies and Web Analytics
- 13. Children’s Privacy
- 14. Changes to This Privacy Policy
- 15. Contact Information
Updated: April 2026
This Privacy Policy explains how MINBO QRE SRL (Company No. 37814865), its wholly owned subsidiaries, and the WP Ghost websites (“WP Ghost”, “we”, “our”, or “us”) collect, use, store, and protect personal data in connection with our websites, products, and services.
We are committed to full compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and all applicable data protection laws. We encourage you to read this policy carefully before using our services.
1. Data Controller and Processor Roles
For account registration, billing, support, and general use of our websites, MINBO QRE SRL acts as the Data Controller, meaning we determine the purposes and means of processing your personal data.
For data processed through the WP Ghost plugin installed on a customer’s own WordPress website:
- The website owner acts as the Data Controller and is responsible for their own users’ data.
- WP Ghost acts as a Data Processor only where optional cloud features are explicitly enabled by the website owner.
- WP Ghost does not determine how website owners use the plugin on their own websites and is not responsible for data processing decisions made by website owners.
If you are a visitor to a website that uses the WP Ghost plugin, please contact that website’s owner regarding their privacy practices.
2. Legal Basis for Processing
We process personal data only where we have a lawful basis to do so under GDPR. The legal bases we rely on are:
- Performance of a contract (Article 6(1)(b) GDPR): to provide purchased services, manage your account, process payments, and deliver plugin functionality.
- Legitimate interests (Article 6(1)(f) GDPR): to operate, secure, improve, and promote our services, and to prevent fraud and abuse, where these interests are not overridden by your rights.
- Legal obligation (Article 6(1)(c) GDPR): where processing is necessary to comply with applicable laws, including tax, accounting, and regulatory requirements.
3. Personal Data We Collect
We may collect and process the following categories of personal data:
- Identity data: Full name, username, account credentials.
- Contact data: Email address, support correspondence.
- Billing and transactional data: Payment details (processed by Paddle), order history, subscription status.
- Technical data: IP address, browser type, operating system, referring URLs, and website usage data collected through analytics tools.
- Communications data: Messages submitted via our contact form or support system.
We do not collect sensitive personal data such as health information, political opinions, or biometric data.
Personal data means any information relating to an identified or identifiable natural person.
4. Personal Data Collected by the WP Ghost Plugin
The WP Ghost plugin is designed with privacy in mind. By default, it does not transmit personal data to WP Ghost servers. Optional cloud features, when enabled by the website owner, may involve limited data transmission as described below.
4.1 User Events Log (Optional Cloud Storage)
If the User Events Log Cloud Storage feature is enabled by the website owner, activity data is transmitted to secure WP Ghost servers solely to provide centralized reporting to that website owner.
This feature:
- Is disabled by default and must be explicitly activated by the website owner.
- Stores data for a maximum of 30 days, after which it is automatically and permanently deleted.
The data transmitted may include:
- Action name
- Post ID and post type
- Post name and attachment name
- Plugin name
- Username of the acting user
4.2 Security Threats Log (Aggregated Statistics Only)
Detailed security threat data is stored locally in the website’s own database, in the hmwp_logs table, and is never transmitted to WP Ghost servers in identifiable form.
For statistical and service improvement purposes only, WP Ghost may transmit aggregated, non-personal data to the WP Ghost Dashboard, strictly limited to:
- Date
- Total number of detected threats
No IP addresses, URLs, request details, usernames, visitor data, or any other personally identifiable information are transmitted as part of this statistical reporting.
5. How We Collect Personal Data
We collect personal data through the following methods:
- Directly from you when you register an account, make a purchase, submit a support request, or contact us through our website.
- From third parties such as our payment processor Paddle, where necessary to complete transactions and manage billing.
6. How We Use Your Personal Data
We use personal data only for the purposes for which it was collected or for compatible purposes. Specifically, we may use your data to:
- Create and manage your WP Ghost account.
- Process payments, manage subscriptions, and handle billing inquiries.
- Deliver purchased products, updates, and license keys.
- Provide customer and technical support.
- Send transactional communications, including purchase confirmations, renewal reminders, and service notices.
- Send marketing communications where you have given consent, or where permitted under legitimate interests for existing customers. You may opt out at any time.
- Improve our products, services, and website through analytics and user feedback.
- Detect, investigate, and prevent fraud, abuse, and security incidents.
- Comply with legal obligations, including tax reporting and regulatory requirements.
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.
7. Disclosure of Personal Data
We do not sell, rent, or trade your personal data. We may share personal data with the following categories of recipients only where necessary:
- Paddle.com — our payment processor and Merchant of Record, for the purpose of processing transactions and managing billing.
- Professional advisers — including lawyers, accountants, and auditors, where necessary for legal and compliance purposes.
- Service providers — trusted third-party providers who assist in operating our website and services, bound by appropriate data processing agreements.
All third parties with whom we share personal data are required to handle it securely and in accordance with applicable data protection law.
8. Data Security
We take the security of your personal data seriously and implement appropriate technical and organizational measures to protect it against unauthorized access, loss, alteration, or disclosure. These measures include:
- Access controls and role-based permissions.
- Strong authentication mechanisms for system access.
- Encryption of data in transit using TLS/HTTPS.
- Encryption of sensitive data at rest where appropriate.
- Regular review of security practices and infrastructure.
No method of transmission or storage is completely secure. While we strive to protect your personal data, we cannot guarantee absolute security. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by GDPR.
9. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Specific retention periods are:
- User Events Log (cloud): Maximum 30 days, with automatic and permanent deletion thereafter.
- Aggregated threat statistics: Retained in minimal, non-personal statistical form indefinitely for service improvement purposes.
- Account and subscription data: Retained for the duration of your active account and for a reasonable period thereafter to handle any post-cancellation queries or disputes.
- Billing and transactional records: Retained for the period required by applicable Romanian tax and accounting laws, typically 10 years.
- Support communications: Retained for the duration of the support relationship and for a reasonable period thereafter.
When personal data is no longer required, it is securely deleted or anonymized.
10. International Data Transfers
MINBO QRE SRL is based in Romania, within the European Economic Area (EEA). Where personal data is transferred outside the EEA — for example, to service providers or payment processors operating in non-EEA countries — we ensure that appropriate safeguards are in place in accordance with GDPR requirements. These safeguards may include:
- Standard Contractual Clauses approved by the European Commission.
- Transfers to countries recognized by the European Commission as providing an adequate level of data protection.
You may request information about the specific safeguards applicable to any such transfer by contacting us using the details in Section 15.
11. Your Rights Under GDPR
If you are located in the European Union or European Economic Area, you have the following rights regarding your personal data:
- Right of access: to obtain a copy of the personal data we hold about you.
- Right to rectification: to have inaccurate or incomplete data corrected.
- Right to erasure: to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, subject to legal retention obligations.
- Right to restrict processing: to request that we limit how we use your data in certain circumstances.
- Right to object: to object to processing based on legitimate interests or for direct marketing purposes.
- Right to data portability: to receive your personal data in a structured, commonly used, machine-readable format.
- Right to withdraw consent: where processing is based on consent, to withdraw that consent at any time without affecting prior lawful processing.
To exercise any of these rights, please contact us using the details in Section 15. We will respond to all legitimate requests within 30 days. Where a request is complex or we receive multiple requests, we may extend this period by a further 60 days, in which case we will notify you of the extension and the reason for it.
We will not charge a fee for exercising your rights unless requests are manifestly unfounded or excessive.
12. Cookies and Web Analytics
We use cookies and similar tracking technologies on our website to:
- Ensure core website functionality and security.
- Analyze website performance and visitor behavior.
- Improve user experience and content relevance.
- Deliver relevant marketing communications where consent has been given.
Cookies that are not strictly necessary for website functionality will only be placed with your explicit consent, in accordance with GDPR and the ePrivacy Directive.
You may manage or withdraw your cookie preferences at any time through your browser settings or our cookie consent tool. Please note that disabling certain cookies may affect the functionality of our website.
For more information about the specific cookies we use and their purposes, please refer to our Cookie Policy or contact us directly.
13. Children’s Privacy
Our services are not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe we have inadvertently collected personal data from a child under 13, please contact us immediately and we will take prompt steps to delete that data.
14. Changes to This Privacy Policy
We may update this Privacy Policy at any time to reflect changes in our data practices, legal requirements, or business operations. The most current version is always available at wpghost.com/privacy-policy and is identified by the date shown at the top of the page.
It is your responsibility to review this Privacy Policy periodically. Your continued use of WP Ghost products or services after the effective date of any update constitutes acceptance of the revised Privacy Policy.
15. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data rights, please contact us via our official website contact form.
For formal or legal correspondence, please write to:
MINBO QRE SRL, Company No. 37814865, Romania
We will respond to all data protection inquiries within 30 days.