WP TenderWPWP Tender
WordPress
Back to home

Privacy Policy

Effective June 1, 2026

This policy describes how Kuvarssoft Technology ("we", "us") handles personal data when you use WP Tender — the SaaS control plane at https://wptender.com and the companion WP Tender Agent plugin you install on the WordPress sites you choose to manage. We act as a data controller for account data and as a data processor for the customer site content the agent backs up, migrates and replicates on your instruction.

1. The short version

  • We collect only what we need to operate the service.
  • We never sell your data and never use it to train AI models.
  • Backup artefacts and replicated content stay in your infrastructure or your own cloud accounts (Google Drive, S3, R2). We hold only the credentials you give us, encrypted at rest.
  • You can export everything we hold about you, correct it, or delete it. Email [email protected].

2. What data we collect

2.1 Account data

  • Email address (account identity + login + transactional mail);
  • Password hash (Argon2id; we never store plaintext);
  • Display name and organization name you choose;
  • Optional Google account email if you sign in with Google;
  • Tenant timezone and notification preferences.

2.2 Billing data

Subscriptions are processed by Freemius on our behalf. We receive plan, status, license key, license expiration and (for refunds) the masked card brand and last-4. We never see your full card number, CVC, or billing address — those stay with Freemius and their PCI-certified processors.

2.3 Paired site metadata

For each WordPress site you connect we store: site URL, site name, an encrypted hub token, plan snapshot, plugin/theme version, server metrics (CPU, RAM, disk %), screenshot thumbnails, scheduled backup configuration, and a stream of plain-text event messages (e.g. "backup complete", "restore failed"). Backup ZIPs themselves are NOT uploaded to the manager — they stay on the customer site or on your connected cloud destination.

2.4 Operational data

  • IP address of the device that signed in (rate-limit + abuse defence; rolling 30-day retention);
  • User-agent string (browser fingerprint, used to detect impossible-travel logins);
  • Cookies for session continuity (see § 7).

2.5 Cloud provider credentials

If you connect Google Drive, Amazon S3 or Cloudflare R2 as a backup destination, we store the credentials (refresh token for Google, access key + secret access key for S3/R2) AES-encrypted on Organization records. These never leave the manager except to be pushed, on your explicit request, to a paired site so the agent can upload directly to your storage. We do not enumerate your bucket contents.

3. How we use your data

  • To run the service — authentication, pairing sites, scheduling jobs, surfacing logs and events;
  • To handle billing and license enforcement;
  • To send transactional email (account verification, password reset, invoice receipts, alerting for failed backups or expired licenses);
  • To respond to support requests;
  • To investigate abuse, fraud or security incidents;
  • To meet our legal obligations (tax, anti-money-laundering, court orders directed at us).

We do not use your data for behavioural advertising, do not share it with data brokers, and do not feed it into AI training pipelines.

4. Who we share data with

We disclose data to a narrow set of sub-processors strictly to deliver the service. Each is bound by a data-processing agreement that constrains their use to our instructions.

  • Freemius (United States) — billing, license management.
  • Cloudflare (United States) — CDN, DDoS protection, DNS.
  • Google (United States) — sign-in with Google + Drive API for connected cloud backups.
  • Yandex Cloud (Türkiye region) — production hosting for the manager dashboards.
  • Postmark / our transactional email partner — outbound system mail.

We will disclose data when required by lawful court order in our governing jurisdiction. We will challenge overbroad requests and, where lawful, notify the affected customer.

5. International transfers

Manager-side production data is stored in Türkiye. Sub-processors listed above may process data in the United States or other jurisdictions. We rely on Standard Contractual Clauses (SCCs) or equivalent safeguards where required, and only share what is operationally necessary.

6. Retention

  • Account data — retained while the account is active and 30 days after closure to allow account recovery.
  • Billing records — retained as long as Turkish accounting law requires (currently 10 years for invoices).
  • Event logs and metrics — rolling 90 days unless your plan explicitly extends it.
  • Screenshots — last 10 per site; older ones are pruned automatically.
  • Tickets — 24 months from last reply, then archived.

7. Cookies & local storage

We use one cookie — an HTTP-only, SameSite=Lax iron-session cookie — for sign-in. We use localStorage to remember UI preferences (theme, refresh interval, filter state). We do not run third-party advertising or analytics scripts. The marketing site uses anonymous GoatCounter-style page-view counts for capacity planning; you can opt out in the footer.

8. Your rights

You can act on your data at any time by emailing [email protected]. We confirm receipt within 5 business days and resolve requests within 30 days unless the law permits a longer window for unusually complex requests, in which case we will tell you the new deadline.

  • Access — receive a portable copy of everything we hold about you.
  • Rectification — correct anything that is wrong.
  • Erasure — "right to be forgotten", subject to the retention rules in § 6.
  • Portability — export your data in a structured machine-readable format.
  • Objection — limit processing for specific purposes.
  • Complaint — lodge a complaint with the Turkish Personal Data Protection Authority (KVKK) or your local data-protection authority.

9. Security

  • TLS 1.2+ on every endpoint; no plaintext fallback.
  • Passwords stored as Argon2id with per-user salt.
  • Cloud credentials and hub tokens encrypted with AES-256-GCM keyed off a server-side secret.
  • Database backups encrypted at rest and stored in the same Türkiye region as the primary.
  • Quarterly third-party penetration tests; report findings via [email protected] for coordinated disclosure.

10. Children

WP Tender is a B2B SaaS product and is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a minor has used our service, contact [email protected] and we will delete the account.

11. Changes to this policy

Material changes are announced at least 30 days in advance by email to your account address and via an in-dashboard banner. The effective date at the top reflects the version currently in force.

12. Contact

Data controller: Kuvarssoft Technology, Istanbul, Republic of Türkiye.
Privacy & data-subject requests: [email protected]
Security disclosure: [email protected]

© 2026 Kuvarssoft Technology · wptender.com

Privacy Policy — WP Tender · WP Tender