Legal

Privacy Policy

Version date: 7 June 2026

This Privacy Policy explains how WPenguin ("WPenguin", "we", "us" or "our") collects, uses, shares, and protects your personal data when you visit our website, join our waitlist, or use our managed WordPress hosting services. We are committed to handling your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Note: WPenguin is currently operated by an individual trading as WPenguin, pending formal incorporation. Our registered company details will be added here upon incorporation.

1. Who We Are (Data Controller)

WPenguin is the data controller responsible for your personal data in connection with our website and services. For any questions about this policy, or to exercise your data protection rights, you can contact us by email at [email protected].

2. Personal Data We Collect

2.1 Waitlist and Marketing

When you join our waitlist, we collect the email address you provide. We also collect any campaign tracking parameters (UTM parameters such as utm_source, utm_medium, utm_campaign, utm_content, and utm_term) that are present in the link you arrived through, so we can understand which campaigns are effective.

2.2 Account and Billing

When you sign up for a paid plan, we collect the information needed to create and manage your account, such as your name, email address, and account preferences. Payments and card details are collected and processed directly by Stripe, our payment processor — we do not store your full card details on our systems.

2.3 Technical and Usage Data

When you use our website or portal, we may collect technical data such as your IP address, browser type, device information, and basic interaction data, which is used to operate the service securely and to diagnose problems.

2.4 Support Communications

If you contact us, or interact with our AI assistant or support team, we collect the contents of those communications so we can respond and improve our service.

3. How We Use Your Data and Lawful Bases

We only process your personal data where we have a lawful basis to do so under UK GDPR:

  • Consent — for adding you to our waitlist and sending you launch and marketing updates. You can withdraw consent at any time by unsubscribing or emailing us.
  • Performance of a contract — to create and manage your account, provision and maintain your hosting, process payments, and provide support.
  • Legitimate interests — to secure our platform, prevent fraud and abuse, understand which marketing campaigns work, and improve our services. We balance these interests against your rights and freedoms.
  • Legal obligation — to retain billing and accounting records and to comply with applicable law.

4. How Long We Keep Your Data

We keep your personal data only for as long as necessary for the purposes for which it was collected:

  • Waitlist data is retained until you unsubscribe or ask us to delete it, or until it is no longer needed for marketing purposes.
  • Account data is retained for the duration of your subscription and for a reasonable period afterwards to handle queries.
  • Billing and accounting records are retained for a minimum of 6 years, as required by UK accounting and tax law.

5. Who We Share Your Data With

We do not sell your personal data. We share it only with trusted third parties who act as our processors and are bound by appropriate data protection obligations:

  • Stripe — to process subscription payments securely (PCI-DSS compliant).
  • Hosting and infrastructure providers — including our cloud server provider and Cloudflare, which provides content delivery, DNS, and security/DDoS protection for our website and portal.
  • Email and communications providers — to send transactional and, where you have consented, marketing emails.

We may also disclose personal data where required to comply with a legal obligation, court order, or lawful request from a regulatory or government authority. A current list of sub-processors is available on request.

6. International Transfers

Where any of our processors transfer personal data outside the UK, we take steps to ensure an adequate level of protection, such as relying on a UK adequacy decision or putting in place appropriate safeguards (for example, the International Data Transfer Agreement or Standard Contractual Clauses).

7. Cookies and Similar Technologies

Our website uses a small number of cookies and similar technologies. These include cookies that are strictly necessary for the site and portal to function (for example, to keep you signed in), and we may use cookies or URL parameters to measure the effectiveness of our marketing campaigns. We do not use intrusive advertising trackers. You can control or block cookies through your browser settings, though some parts of the service may not work correctly if you do.

8. Your Rights

Under UK GDPR, you have the following rights in relation to your personal data:

  • Access — to request a copy of the personal data we hold about you.
  • Rectification — to ask us to correct inaccurate or incomplete data.
  • Erasure — to ask us to delete your personal data, subject to our legal obligations.
  • Restriction — to ask us to limit how we use your data in certain circumstances.
  • Objection — to object to processing based on our legitimate interests, and to object to direct marketing at any time.
  • Portability — to receive certain data in a structured, commonly used, machine-readable format.
  • Withdraw consent — where we rely on your consent, to withdraw it at any time.

To exercise any of these rights, please contact us at [email protected]. We will respond within one month. You also have the right to lodge a complaint with the UK's supervisory authority, the Information Commissioner's Office (ICO), at ico.org.uk, though we'd appreciate the chance to address your concerns first.

9. Data on Your Hosted Site

The personal data of your site's visitors (such as form submissions, comments, or order details collected through your WordPress site) is controlled by you. For that data, you are the data controller and WPenguin acts as a processor on your behalf. You are responsible for ensuring its collection and processing complies with applicable data protection law, including providing appropriate privacy notices to your visitors.

10. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or damage. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant parties without undue delay, in line with our legal obligations.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will publish the updated version on this page and, where the change is significant, we will take reasonable steps to notify you. Please check this page periodically for the latest version.

12. Contact Us

If you have any questions about this Privacy Policy, how we handle your personal data, or wish to exercise any of your rights, please contact us by email at [email protected].

This Privacy Policy was last updated on 7 June 2026. Please check our website for the most current version.