Privacy Policy

Last updated: May 11, 2026  ·  Effective date: May 1, 2025

1. Who We Are

wp-scan.org ("we", "us", "our") is the trading name of an individually operated software service available at wp-scan.org, operated by Rajan Gupta, based in India.

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website and scanning service ("Service").

Contact: support@wp-scan.org

2. What Data We Collect

a) Account Registration
When you create an account, we collect your full name, email address, and encrypted password. Your plan type and registration date are also recorded.

b) Payment Data
Payments are processed through PayPal (international) and Razorpay (India). We never see, store, or have access to your card number, bank account, or CVV. We receive only:
  • Your payment-registered email address
  • Transaction ID issued by the payment processor
  • Amount paid and currency
  • Plan purchased
This data is used solely to verify your purchase and issue your license key.

c) Uploaded Files
ZIP files you upload for scanning are extracted to a private, non-public temporary directory on the server, analysed for vulnerability patterns, then permanently deleted — typically within seconds of the scan completing. We do not read, copy, share, or retain the contents of your uploaded files beyond what is necessary to run the scan.

d) Scan History
For logged-in users, we store a summary record of each scan: the filename, the count of findings by severity, and the date. The actual file contents are never retained server-side.

e) Downloadable Reports
If you choose to generate a downloadable HTML report, it is stored on the server for a maximum of 15 days under an unguessable private token URL, then automatically deleted. No account login is required to access the download link, but the link is not indexed or shared.

f) Server & Access Logs
Our web server automatically records your IP address, browser user-agent, pages visited, referring URL, and timestamps. These logs are retained for up to 30 days for security, abuse prevention, and debugging.

3. How We Use Your Data

  • To create and maintain your account
  • To process payments and verify purchases through PayPal or Razorpay
  • To issue and email your license key after successful payment
  • To provide the WordPress scanning service and display your scan history
  • To send transactional emails: license delivery, password reset, account notices
  • To send occasional product update or plan upgrade reminder emails (you may opt out at any time by emailing us)
  • To detect and prevent fraud, abuse, and violations of our Terms of Service
  • To comply with applicable legal obligations

4. Payments — PayPal & Razorpay

PayPal (International): users outside India are redirected to PayPal's secure checkout page. Your payment details are entered on PayPal's infrastructure, not on our server. PayPal's Privacy Policy governs data you share with them. Payments are received into a PayPal account operated by Rajan Gupta. PayPal's standard Buyer Protection applies.

Razorpay (India): users in India may pay via Razorpay, which supports Cards, UPI, NetBanking, and EMI. Your payment details are entered on Razorpay's secure infrastructure. Razorpay's Privacy Policy governs data shared with them. Razorpay is a registered Indian payment aggregator regulated by the Reserve Bank of India.

5. Analytics & Tracking (Consent-Gated)

We use the following analytics tools. These are loaded only after you explicitly accept cookies via our cookie consent banner. If you decline, none of these scripts are loaded.

Google Tag Manager (GTM): used to manage analytics tags. GTM itself does not collect personal data; it acts as a container for the tools below. Google Privacy Policy.

Microsoft Clarity: a session analytics tool that records anonymised heatmaps and user session replays to help us understand how visitors use the site. Clarity does not collect personally identifiable information. IP addresses are anonymised. Microsoft Privacy Statement.

If you have previously accepted cookies and wish to withdraw consent, you may clear your browser's localStorage (key: wpsCookieConsent) or email us to request removal of any analytics data associated with your session.

6. Third-Party Services

Google Sheets: a private Google Sheet (accessible only to us) logs license issuance records for internal bookkeeping. No personal data is shared publicly via this sheet. Google Privacy Policy.

Google Fonts & CDN resources: pages load the Inter typeface from Google Fonts and Tailwind CSS via CDN. These services may log your IP address and browser version via standard HTTP request logs. No advertising or cross-site tracking cookies are set by these services.

Hosting provider: our server is hosted by Hostinger. Hostinger processes server-level data (IP logs, uptime monitoring) as a data processor under their Privacy Policy.

7. Cookies & Local Storage

Essential (always active):
  • PHPSESSID — server-side session cookie that keeps you logged in. Expires when you close your browser or after 2 hours of inactivity.
  • wpsCookieConsent — localStorage key storing your cookie preference (accept/decline). Never sent to the server.
  • wps_ref — optional affiliate tracking cookie set only when you arrive via an affiliate link. Expires in 30 days.
Analytics (only with consent):
  • Google Tag Manager cookies (e.g. _ga, _gid) — set only after you accept analytics cookies. Expire in 2 years / 24 hours respectively.
  • Microsoft Clarity cookies (_clck, _clsk) — set only after consent. Used for session analytics. Expire in 1 year / 1 day respectively.
We do not use advertising cookies, retargeting pixels, or cross-site tracking of any kind. You can withdraw consent at any time by clearing your browser's localStorage or by using your browser's cookie management settings.

8. Data Retention

  • Account data: retained while your account is active. Deleted within 30 days of a verified written deletion request.
  • Payment records: retained for a minimum of 7 years as required by applicable Indian financial record-keeping regulations.
  • Uploaded ZIP files: deleted immediately after scanning — never stored beyond the scan duration.
  • Downloadable HTML reports: automatically deleted after 15 days.
  • Scan history summaries: retained in your account. You may request deletion at any time.
  • Server access logs: retained for up to 30 days.
  • Analytics data (with consent): governed by the respective retention policies of Google (26 months) and Microsoft Clarity (13 months).

9. Your Rights

Depending on where you are located, you may have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you
  • Correction: request correction of inaccurate or incomplete data
  • Deletion: request deletion of your account and personal data (subject to legal retention requirements)
  • Objection: object to processing of your data for marketing purposes
  • Portability: receive your data in a structured, machine-readable format
  • Withdraw consent: withdraw cookie consent at any time without affecting prior use

To exercise any right, email us at support@wp-scan.org. We will respond within 30 days. If you are located in the EEA or UK, you may also lodge a complaint with your local data protection authority.

10. Data Security

We implement the following technical and organisational measures to protect your data:

  • All data in transit is encrypted via HTTPS (TLS 1.2+)
  • Passwords are hashed using bcrypt — we cannot recover plaintext passwords
  • Database credentials are stored outside the public web root
  • Uploaded files are stored in a directory blocked from HTTP access via .htaccess
  • Sensitive directories and configuration files are blocked at the server level

Despite these measures, no system connected to the internet is 100% secure. You use the Service at your own risk.

11. Children's Privacy

wp-scan.org is a developer tool intended for adults (18+) and is not directed at children under 13. We do not knowingly collect personal data from minors. If you believe a child has submitted data to us, please contact us immediately and we will delete it promptly.

12. International Data Transfers

Our server is located in the European Union (Hostinger EU data centre). If you are accessing the Service from outside the EU, your data may be transferred internationally. For India-based users, data is processed under the provisions of the Indian IT Act 2000 and the IT (Amendment) Act 2008. Payment data for Indian users is processed locally by Razorpay, which is regulated by the Reserve Bank of India.

13. Changes to This Policy

We may update this Privacy Policy from time to time. The "last updated" date at the top of this page reflects the most recent revision. For material changes, we will send an email notice to registered users. Continued use of the Service after the effective date of any change constitutes your acceptance of the revised policy.

14. Contact & Complaints

For any privacy-related questions, requests, or complaints:

Email: support@wp-scan.org
Operator: Rajan Gupta, India
Website: wp-scan.org

We aim to respond to all legitimate privacy requests within 30 days.