
Privacy Policy

Last updated: May 21, 2026 · Effective date: May 1, 2025


1. Who We Are

wp-scan.org ("we", "us", "our") is the trading name of an individually operated software service available at wp-scan.org, operated by Rajan Gupta, based in India.

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website and scanning service ("Service").

Contact: support@wp-scan.org

2. What Data We Collect

a) Account Registration
When you create an account, we collect your full name, email address, and password (stored only as a bcrypt hash, never in plaintext; see section 11). Your plan type and registration date are also recorded.

b) Payment Data
Payments are processed through PayPal (international) and Razorpay (India). We never see, store, or have access to your card number, bank account, or CVV. We receive only:
  • Your payment-registered email address
  • Transaction ID issued by the payment processor
  • Amount paid and currency
  • Plan purchased
This data is used solely to verify your purchase and issue your license key.

c) Uploaded Files
ZIP files you upload for scanning are extracted to a private, non-public temporary directory on the server, analysed for vulnerability patterns, then permanently deleted — typically within seconds of the scan completing. We do not read, copy, share, or retain the contents of your uploaded files beyond what is necessary to run the scan.

d) Scan History
For logged-in users, we store a summary record of each scan: the filename, the count of findings by severity, and the date. The actual file contents are never retained server-side.

e) Downloadable Reports
If you choose to generate a downloadable HTML report, it is stored on the server for a maximum of 15 days under an unguessable private token URL, then automatically deleted. No account login is required to access the download link, but the link is not indexed or shared.

f) Server & Access Logs
Our web server automatically records your IP address, browser user-agent, pages visited, referring URL, and timestamps. These logs are retained for up to 30 days for security, abuse prevention, and debugging.

3. How We Use Your Data

  • To create and maintain your account
  • To process payments and verify purchases through PayPal or Razorpay
  • To issue and email your license key after successful payment
  • To provide the WordPress scanning service and display your scan history
  • To send transactional emails: license delivery, password reset, account notices
  • To send occasional product update or plan upgrade reminder emails (you may opt out at any time by emailing us)
  • To detect and prevent fraud, abuse, and violations of our Terms of Service
  • To comply with applicable legal obligations

4. Payments — PayPal & Razorpay

PayPal (International): users outside India are redirected to PayPal's secure checkout page. Your payment details are entered on PayPal's infrastructure, not on our server. PayPal's Privacy Policy governs data you share with them. Payments are received into a PayPal account operated by Rajan Gupta. PayPal's standard Buyer Protection applies.

Razorpay (India): users in India may pay via Razorpay, which supports Cards, UPI, NetBanking, and EMI. Your payment details are entered on Razorpay's secure infrastructure. Razorpay's Privacy Policy governs data shared with them. Razorpay is a registered Indian payment aggregator regulated by the Reserve Bank of India.

5. Analytics & Tracking

We do not use any third-party analytics, tracking pixels, session-recording tools, or advertising networks.

We do not use Google Analytics, Google Tag Manager, Facebook Pixel, Microsoft Clarity, Hotjar, or any similar service. We do not track you across websites. We do not build behavioural profiles.

The only usage data we collect is limited to what is described in sections 2(d) (scan history summaries) and 2(f) (server access logs), both of which are stored on our own server and never shared with third parties for advertising or profiling purposes.

6. Third-Party Services

The only external services this site contacts are:

Payment processors (PayPal and Razorpay): when you make a payment, you are redirected to their secure checkout. See section 4 for details.

Google Fonts: pages load the Inter typeface from fonts.googleapis.com. This causes your browser to make a request to Google's servers, which may log your IP address. No cookies or tracking identifiers are set by Google Fonts. If you prefer, you can disable web fonts in your browser without affecting Service functionality. Google Privacy Policy.

Tailwind CSS CDN: our interface styles are loaded from cdn.tailwindcss.com. This causes your browser to make a standard HTTP request to retrieve the stylesheet. No cookies are set by this CDN.

Hosting provider — Hostinger: our server is hosted by Hostinger. Hostinger processes server-level data (IP logs, disk storage, uptime monitoring) as a data processor under a data processing agreement. Hostinger Privacy Policy.

We do not use any advertising networks, social media embeds, retargeting pixels, CDN-based fingerprinting services, or any other third-party data sharing.

7. Cookies & Local Storage

We use essential cookies and local storage only. No analytics cookies, no advertising cookies, no third-party tracking of any kind.

Essential cookies (always active — no consent required under GDPR):
  • PHPSESSID — standard PHP session cookie. Keeps you logged in during your browser session. Expires when you close your browser or after 2 hours of inactivity. Set by our server only.
  • wps_remember — persistent login token (set only if you tick "Remember me" at login). Stored as an HTTP-only, Secure cookie. Expires in 30 days. Used solely to restore your session without a password on return visits.
  • wps_ref — affiliate referral cookie. Set only when you first arrive via a referral link (?ref=). Used solely to attribute a purchase commission to the referring user. Expires in 30 days. Not used for cross-site tracking.
Local storage (browser-side only, never sent to our server):
  • wps_cookie_notice_dismissed — records whether you have dismissed the cookie notice. Never sent to our server.
You can clear all cookies and local storage via your browser settings at any time. Clearing PHPSESSID will log you out. Clearing wps_remember will disable the Remember Me function.

8. Your Right to Cancel Recurring Payments

If you are on a Monthly or Yearly plan (which auto-renew via PayPal), you have an unconditional right to stop future charges at any time.

How to cancel:
  • Via your dashboard (if the feature is enabled): log in → My License → "Cancel Subscription". You will be asked to confirm your password. We will process the cancellation and notify you by email.
  • Via PayPal directly: log in at paypal.com → Settings → Payments → Manage Automatic Payments → find wp-scan.org → Cancel. This stops future billing immediately on PayPal's side.
  • Via email: email support@wp-scan.org — we will cancel within 1 business day.
Cancellation stops future billing. Your access continues until the end of your current paid period. See our Cancellation Policy for full details.

9. Data Retention

  • Account data (name, email, hashed password): retained while your account is active. Permanently deleted within 30 days of a verified written deletion request, subject to legal retention requirements below.
  • Payment records (transaction ID, amount, plan, date): retained for a minimum of 7 years as required by Indian financial record-keeping law (IT Act 2000 and relevant tax regulations). These records are required for tax compliance and may not be deleted early.
  • Uploaded ZIP files: permanently deleted immediately after scanning. We never store the contents of your files beyond the duration of the active scan.
  • Shared HTML reports: stored on our server for up to 15 days under a private, unguessable token URL, then automatically and permanently deleted.
  • Scan history summaries (filename, finding counts, date): retained in your account for your convenience. You may request deletion at any time.
  • Server access logs (IP, user agent, page, timestamp): retained for up to 30 days for security and debugging, then automatically deleted.
  • Remember-me tokens: expire and are deleted after 30 days or immediately on logout.

10. Your Rights

Depending on where you are located, you have the following rights regarding your personal data. We honour all requests regardless of your location.

  • Right of access (Art. 15 GDPR / CCPA): request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16 GDPR): request correction of inaccurate or incomplete data. You can also update your name and email directly from your dashboard.
  • Right to erasure / "right to be forgotten" (Art. 17 GDPR / CCPA): request permanent deletion of your account and all associated personal data. We will comply within 30 days, subject only to mandatory legal retention obligations (e.g. payment records for tax compliance).
  • Right to restrict processing (Art. 18 GDPR): request that we limit how we use your data while a dispute is being resolved.
  • Right to data portability (Art. 20 GDPR): receive your personal data in a machine-readable format (JSON or CSV on request).
  • Right to object (Art. 21 GDPR): object to processing of your data for marketing purposes at any time — reply "unsubscribe" to any of our emails or email us directly.
  • Right to cancel recurring payments: unconditional right to stop future billing at any time. See section 8 above for how.
  • CCPA (California residents): we do not sell or share your personal information with third parties for commercial purposes. You have the right to know what data we hold and to request its deletion.
  • India DPDP Act 2023: you have the right to access, correct, and erase your personal data. Grievance Officer contact: support@wp-scan.org.

To exercise any right, email support@wp-scan.org. We will acknowledge within 72 hours and respond in full within 30 days.

EEA/UK users: if you are unsatisfied with our response, you may lodge a complaint with your local supervisory authority (e.g. ICO in the UK, your national DPA in the EU).

11. Data Security

We implement the following technical and organisational security measures:

  • All data in transit is encrypted via HTTPS / TLS 1.2+
  • Passwords are hashed using bcrypt (cost factor ≥ 10) — we cannot recover plaintext passwords
  • Optional two-factor authentication (TOTP) is available for all accounts
  • Database credentials and configuration files are stored outside the public web root
  • Uploaded files are stored in a server directory blocked from HTTP access via .htaccess
  • Remember-me tokens are stored hashed; a compromised token cannot be used to derive your password
  • No third-party scripts are loaded that could exfiltrate your data

No internet-connected system is 100% secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users within 72 hours of becoming aware.

12. Children's Privacy

wp-scan.org is a professional developer tool intended for adults (18+). It is not directed at or accessible to children under 13 (or under 16 for EEA users). We do not knowingly collect personal data from minors. If you believe a child has submitted data to us, please contact us immediately and we will delete it without delay.

13. International Data Transfers

Our primary server is hosted by Hostinger (EU data centre, Lithuania). Data you submit is processed on this server.

When you make a payment, transaction data is processed by PayPal (USA, EU Standard Contractual Clauses apply) or Razorpay (India, RBI-regulated).

When our pages load the Inter font, your browser contacts fonts.googleapis.com (Google, USA). This is a one-time stylesheet request; no personal data beyond a standard IP log is involved.

No personal data is transferred to any country without either an adequacy decision, Standard Contractual Clauses, or equivalent safeguard.

14. Legal Bases for Processing (GDPR)

For users in the EEA or UK, we rely on the following legal bases:

  • Contract (Art. 6(1)(b)): processing your account data, license, and scan history is necessary to deliver the Service you purchased.
  • Legal obligation (Art. 6(1)(c)): retaining payment records for 7 years is required by Indian tax law.
  • Legitimate interests (Art. 6(1)(f)): server access logs (security, abuse prevention, debugging) and sending transactional emails (license delivery, password reset).
  • Consent (Art. 6(1)(a)): we rely on consent only for sending optional marketing emails. You may withdraw this consent at any time by replying "unsubscribe" or emailing us.

15. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. We will notify registered users by email of any material changes at least 14 days before they take effect. Continued use of the Service after the effective date constitutes acceptance.

16. Contact, Grievance Officer & Complaints

For any privacy-related questions, data requests, or complaints:

Email: support@wp-scan.org
Grievance Officer (India DPDP Act): Rajan Gupta — same email above
Operator: Rajan Gupta, India
Website: wp-scan.org

We aim to respond to all legitimate privacy requests within 30 days. For urgent requests (e.g. suspected unauthorised access to your account), we will respond within 72 hours.