Data protection and privacy

Privacy policy

TeamUpdraft, including UpdraftPlus, UpdraftVault, UpdraftCentral, UpdraftClone, WP-Optimize and All-In-One Security (AIOS), are trademarks of Updraft WP Software Ltd.

UK registered company number: 8570611, VAT number: 202 1260 80

This privacy policy has been compiled to better serve those who are concerned with how their ‘Personally Identifiable Information’ (PII) is being used online. PII is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. Please read our privacy policy carefully to get a clear understanding of how we collect, use, protect, or otherwise handle your Personally Identifiable Information in accordance with our website.

Personal information we collect:

When ordering on our site, you may be asked to enter your name, email address, billing address, phone number, credit card information or other details to help you with your experience.

When do we collect information?

We collect information from you when you place an order, subscribe to a newsletter or enter information on our site.

How do we use your information?

We may use the information we collect from you when you register, make a purchase, sign up for our newsletter, respond to a survey or marketing communication, surf the website, or use certain other site features in the following ways:

• To improve our website in order to better serve you.
• To allow us to better service you in responding to your customer service requests.
• To quickly process your transactions.

How do we protect your information?

As per the Data Protection Act 1998, your personal information is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems, and are required to keep the information confidential. In addition, all information you supply is encrypted during transport via Transport Layer Security (TLS).

We implement a variety of security measures when a user places an order, enters, submits, or accesses their information to maintain the safety of your personal information.

Credit card information

We do not directly store your credit card information. Credit card information handling is performed by a 3rd party payment processor (Stripe, or PayPal).

All payment transactions are processed through a gateway provider and no card details or card tokens are stored on our servers. We do store other billing, order and contact information on our servers.

Do we use ‘cookies’?

Yes. Cookies are small files that a site or its service provider transfers to your computer’s hard drive through your Web browser (if you allow) that enables the site’s or service provider’s systems to recognize your browser and capture and remember certain information. For instance, we use cookies to help us remember and process the items in your shopping cart. They are also used to help us understand your preferences based on previous or current site activity, which enables us to provide you with improved services. We also use cookies to help us compile aggregate data about site traffic and site interaction so that we can offer better site experiences and tools in the future.

We use cookies to:

• Help remember and process the items in the shopping cart.
• Understand and save user’s preferences for future visits.
• Compile aggregate data about site traffic and site interactions in order to offer better site experiences and tools in the future.
  We may also use trusted third-party services that track this information on our behalf (e.g. Google Analytics).

You can choose to have your computer warn you each time a cookie is being sent, or you can choose to turn off all cookies through your browser settings. Since all browsers are a little different, look in your browser’s Help Menu to learn the correct way to modify your cookies.

If you turn cookies off, some features that make your site experience more efficient may not function properly.

Third-party disclosure

We do not sell, trade, or otherwise transfer to outside parties your Personally Identifiable Information. Credit card information handling is performed by a 3rd party payment processor (Stripe and/or PayPal).

Third-party links

Occasionally, at our discretion, we may include or offer third-party products or services on our website. These third-party sites have separate and independent privacy policies. We therefore have no responsibility or liability for the content and activities of these linked sites. Nonetheless, we seek to protect the integrity of our site and welcome any feedback about these sites.

Email newsletter

This website operates an email newsletter program, used to inform subscribers about products and services supplied by this website. Users can subscribe through an online automated process should they wish to do so but do so at their own discretion. Some subscriptions may be manually processed through prior written agreement with the user.

Subscriptions are taken in compliance with UK Spam Laws detailed in the Privacy and Electronic Communications Regulations 2003. All personal details relating to subscriptions are held securely and in accordance with the Data Protection Act 1998. No personal details are passed on to third parties or shared with companies / people outside of the company that operates this website. Under the Data Protection Act 1998 you may request a copy of personal information held about you by this website’s email newsletter program.

Email marketing campaigns published by this website or its owners may contain tracking facilities within the actual email. Subscriber activity is tracked and stored in a database for future analysis and evaluation. Such tracked activity may include; the opening of emails, forwarding of emails, the clicking of links within the email content, times, dates and frequency of activity [this is not a comprehensive list].

This information is used to refine future email campaigns and supply the user with more relevant content based around their activity.

In compliance with UK Spam Laws and the Privacy and Electronic Communications Regulations 2003 subscribers are given the opportunity to unsubscribe at any time through an automated system. This process is detailed at the footer of each email campaign. If an automated un-subscription system is unavailable clear instructions on how to un-subscribe will be detailed instead.

Opting out:

Users can set preferences for how Google advertises to you using the Google Ad Settings page. Alternatively, you can opt out by visiting the Network Advertising Initiative Opt Out page or by using the Google Analytics Opt Out Browser add on.

California Online Privacy Protection Act

As a UK-based company, whilst neither affirming nor denying that we are bound to accept the requirements of foreign laws, nevertheless, to comply with CalOPPA, we agree to the following:

Users can visit our site anonymously.

You will be notified of any Privacy Policy changes:

• Users can visit our site anonymously.
• You will be notified of any Privacy Policy changes on our Privacy Policy Page
• You can change your personal information by logging in to your account
• We do not allow third-party behavioural tracking

In addition to the points above, as a UK-registered company, we are registered under UK data protection laws, such as the UK Data Protection Act 1998, and are subject to the resulting data protection requirements.

 

Implications of having a TeamUpdraft account

N.B. Simple use of any TeamUpdraft plugin (UpdraftPlus, UpdraftVault, UpdraftCentral, UpdraftClone, WP-Optimize and All-In-One Security (AIOS), etc.) does not necessarily mean that you have a TeamUpdraft account. You only have a TeamUpdraft account if you created one (please see the details below).

Creating a TeamUpdraft account

In order to buy premium plugins, you have to create a TeamUpdraft account. (In the case of purchases, this is done when you go through the checkout in our shop). When you do so, you will be asked to give your email address and create a password. With an account at TeamUpdraft, you can use the purchased facility (if it is a software-as-a-service purchase), download your software or invoices, or claim support.

Creating an account in itself does not allow us to:

• Make purchases, or access your PayPal account in any way. That is technically impossible. All payments handled by PayPal are managed on their site (www.paypal.com). All that we get to know about it is that PayPal sends us a notification that the payment has cleared – and our PayPal account balance then increases. All details of how you paid, bank accounts, bank cards, etc., remain entirely between you and PayPal. That’s PayPal’s design, it’s great, and we have no desire or power to change it. The exception to this is subscription purchases, which provide us with a secure token which can (only) be used to subsequently make a repeat purchase of the same item later.
• Do anything with your WordPress site. It is not your WordPress password. It can’t be used to log in to your WordPress site or do anything else on it. (Of course, if you subsequently explicitly connect a WordPress site to our remote control application, then the purpose of that application is remote control. We, however, have no legal right to exercise this facility; only you do, unless you specifically ask us to do so (e.g., as part of a support request)).

If someone gets hold of your TeamUpdraft password:

They can log in to your TeamUpdraft account (you can prevent that by turning on two-factor security). From there, they can view details of your purchases. They could also claim licences for software that you purchased on their sites. If you have connected other services, then they can do more. If you have purchased storage space, then they could store their backups in your storage space. If you have connected sites to our remote control application, UpdraftCentral, then they could control your connected site. We underline our recommendation of two-factor security.

Connecting to your TeamUpdraft account

You will need to type in your TeamUpdraft username and password into your WordPress site when connecting to your account, in order to claim your purchases. This then allows you to receive automatic updates through the usual WordPress dashboard. If at any time you don’t wish to receive updates, or wish to not connect to your account any more, then simply remove the username from your settings.

Data processing and privacy

Concerning data processing in relation to the use of any TeamUpdraft plugin, storage, site cloning, and other features, and visiting our websites, please see the information on our Team Updraft privacy policy. You must agree to these uses in order to have a TeamUpdraft account.

Right to deletion

You have a right to delete your account at any time. This will, out of technical necessity, mean that connected services (e.g., access to plugin updates, use of storage space, use of remote control application) will stop working. It will not cause the plugins themselves, installed on your WordPress site, to stop working (there is no requirement to maintain a TeamUpdraft account in order for the plugins to operate). If you wish to delete your account, then please make a request here. We will need to authenticate your request to prevent abuse. Please note that we will need to retain some data on any purchases in order to comply with taxation and auditing laws (note that the EU’s GDPR regulation specifically recognizes that the right to deletion does not apply to data that other laws require to be maintained).

EU individual citizens have a right to erasure of their personal data under the GDPR law. At TeamUpdraft, which includes UpdraftPlus, UpdraftVault, UpdraftCentral, UpdraftClone, WP-Optimize and All-In-One Security (AIOS), we are happy to extend this right to all users worldwide, as we believe it is based on good principles. You can read more about this legal right at the website of the UK Information Commissioner’s Office (the UK body which oversees data protection, including GDPR issues).

Data that we process

If you have not created an account, then we do not have any data concerning you. You do not have an account unless you created one either manually or by purchasing something. To ensure we can allocate our resources effectively towards improving our products, we kindly ask that you verify whether you have an account with us before requesting data deletion. If you do not have a login at our website, then we do not have any of your data to process or delete.

Data that we do not hold

If you are using the free versions of any of our plugins from WordPress.org (e.g., UpdraftPlus, WP-Optimize, AIOS, etc.), then any data relating to updates of that version (i.e., update requests sent to WordPress.org, and the information which they store relating to such requests/updates), or support of that version in their forum, is held by WordPress.org – i.e., the WordPress Foundation. We have no more access to it than you do. If you wish it to be deleted, then you will need to contact the WordPress Foundation.

Limitations upon rights to delete data

There are other laws, except the GDPR, which touch upon the deletion of data. In particular, there is some data which we are legally required to maintain for a time. For example, VAT (sales tax) laws require us to keep purchase data for audit purposes for a minimum of 10 years after purchase. UK data retention laws require us to keep web server access logs for 6 months, after which they are automatically deleted. The GDPR also allows anonymisation instead of deletion of data in some circumstances. Anonymisation means that there is no way to trace the data back to you. Specific information follows.

What data we will delete or anonymise/scramble

• All your support form entries will be deleted from our website’s database. (This also happens automatically after 6 months).
• All your support ticket entries in our account with our support helpdesk software supplier (Freescout) will be deleted.
• All your posts in our website support forum will be immediately deleted.
• If you are a customer, then your TeamUpdraftaccount will be locked to prevent future logins. If you are not a customer, then it will be deleted. (See further below for the reason for the distinction).
• Any/all data in your UpdraftVault storage will be deleted.
• Any/all data in our licensing database tables concerning licences owned and sites connected will be deleted.
• Any/all entries in our UpdraftCentral Cloud database tables will be deleted.
• Any/all entries in our UpdraftClone database tables will be deleted.
• Any/all data pertaining to you in our MailChimp account will be deleted.

Things that are not deleted, or which are deleted later, with reasons

• Webserver access logs are deleted automatically after 6 months, but not before, for compliance with UK data retention laws, and for auditing and security purposes.
• We do not delete information out of our website backups, because this is technically too difficult to accomplish. However, they are stored encrypted after a number of months (depending on our current policy). We also keep a log of deletion requests so as to be able to a) demonstrate compliance and b) re-run any deletion requests in the event of needing to restore a backup.
• Sales records and data held by payment vendors (PayPal, Stripe) are retained for a minimum of 10 years, to comply with taxation/auditing laws, and our own accountancy and auditing requirements.

Requesting deletion

To request deletion of your personal data, please use this form. If you are not a paying customer, then you can leave the relevant fields empty, and explain in the message input area. If you are an EU citizen, then we are granted one month to respond to the request (usually, one month to carry it out). We will take steps to verify your identity, to prevent fraud/abuse (“social engineering” attacks).

On January 1st, 2020, the California Consumer Privacy Act (CCPA) introduced new data privacy rights for California residents, requiring companies that conduct business in the state of California to implement structural changes to their privacy programs. The new law is a response to the increasing role personal data plays in business practices and the personal privacy implications surrounding the collection, use, and protection of personal information.

Though TeamUpdraft (including UpdraftPlus, UpdraftVault, UpdraftCentral, UpdraftClone, WP-Optimize and All-In-One Security (AIOS)) may not necessarily meet the criteria necessary to comply with the CCPA law (1. Have $25 million or more in annual sales; 2. Buys, sells, or shares information on 50,000 or more individuals, households, or devices; 3. Derives more than half of our annual revenue from selling personal information), we have made every effort to meet and achieve CCPA compliance for the privacy rights of our California-based customers. As such, we are providing this CCPA-specific privacy notice to supplement the information and

disclosures already contained in our privacy policy. This notice applies only to individuals residing in California with an account from whom we collect personal information.

What is the CCPA?

The CCPA allows any California consumer to demand to see all the information a company has saved on them, as well as a full list of all the third parties that data is shared with. In addition, the California law allows consumers to sue companies if the privacy guidelines are violated, even if there is no breach.

Much like the GDPR law that was enacted in May 2018, many of the same rules on the use of customer data are represented in the CCPA. However, the CCPA takes a broader view than the GDPR of what constitutes private data.

How does CCPA differ from GDPR?

• GDPR applies to the processing of all personal data, regardless of what that data is intended for or how it will be processed.
• The CCPA is more specific regarding what kinds of data are protected and under what circumstances. While GDPR has strict user “opt-in” consent options before companies can access any of your data, CCPA only requires companies to supply the option to “opt-out” when user information is going to be actively sold or shared.
• The CCPA does not provide the same protection to a wider range of user data types that the GDPR does. These include:
  • Data that is already legally available to the public
  • Medical information that’s protected under California’s Confidentiality of Medical Information Act (CMIA) or the federal Health Insurance Portability and Accountability Act (HIPPA)
  • Personal information covered by California’s Driver’s Privacy Protection Act
  • And other similar data sets.

We do not sell personal information

The following categories of personal information have been defined by the CCPA. This information may have been collected and/or disclosed for a business purpose by ourselves in the last twelve months. The examples of the personal information provided in each category are taken from the CCPA and are included so you can better understand the specific information contained within a category.

[INCLUDE TABLE]

Use of personal information

As the new CCPA has now come into force we wanted to clarify that TeamUpdraft meets the criteria necessary to be in accordance with the specific CCPA business and commercial purposes, as detailed below:

1. Auditing related to a current interaction with you and concurrent transactions, including, but not limited to auditing compliance with this specification and other standards.
2. Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
3. Debugging to identify and repair errors that impair existing intended functionality.
4. Short-term, transient use.
5. Contracting with service providers to perform services on our behalf, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider.
6. Undertaking internal research for technological development and demonstration.
7. Undertaking activities to verify or maintain the quality or safety of our services, and to improve, upgrade, or enhance our services.
8. Otherwise enabling or effecting, directly or indirectly, a commercial transaction.
9. For other purposes for which we provide specific notice at the time the information is collected.

TeamUpdraft’s collection and disclosure of personal information

In thd last year, TeamUpdraft has collected personal information from general sources including you, your use of our services, your devices, our affiliates, our vendors, and our service providers.

Your California privacy rights

If you are a California resident, the CCPA allows you to exercise the following rights.

Right to know and access. You may submit a verifiable request for information regarding the: (1) categories of personal information collected or disclosed by us; (2) purposes for which categories of personal information are collected by us; (3) categories of sources from which we collect personal information; and (4) specific pieces of personal information we have collected about you during the past twelve months.

Right to delete. Subject to certain exceptions, you have the option to delete personal information about you that we have collected from you.

Verification. Requests for access to or deletion of personal information are subject to our ability to reasonably verify your identity in light of the information requested and pursuant to relevant CCPA requirements, limitations, and regulations.

Right to equal service and price. You have the right not to receive discriminatory treatment for the exercise of your CCPA privacy rights, subject to certain limitations.

Shine the light. We do not rent, sell, or share your personal information with non affiliated companies for their direct marketing purposes, unless we have your permission.

Submit requests. To exercise your rights under the CCPA, you can deactivate and purge your account (similar to the GDPR “right to erasure” – “right to be forgotten”) by sending us a customer support request under “This is a GDPR/CCPA-related query” in the “What kind of support request is this?” option.

If you have any further questions or queries, please leave a comment below and we will get back to you as soon as possible.

We export data for all users who have a TeamUpdraft account (via a purchase or direct sign-up – you do not have one merely by using the free versions of UpdraftPlus, WP-Optimize, or All-In-One Security) into a Mailchimp account managed by our partner. (You can see details of the strict data processing agreement with our partner here).

Any campaign or multiple-recipient email that we send with Mailchimp goes to a list which is a defined subset of this data. The fields we import into our Mailchimp account are the full name (to allow personal addressing of emails), email address (so that the email can reach the recipient), and purchase history (so that we can create mail-outs that target the desired set of people, e.g., notifying of an important enhancement for a product you have bought, without mailing people who have not bought it).

Under the GDPR right to be forgotten, any user who requests to be forgotten will have their data deleted from our website, which in turn will be deleted automatically from Mailchimp.

TeamUpdraft does not fall under the requirements of article 37 of the GDPR, and as such, is not mandated to designate a single individual as the legally named data protection officer. (The GDPR does not intend this to imply, and this in no way implies, a lessening in our data protection responsibilities). If you have any data protection issues that you want to address with us, then please feel free to do so by contacting our support team here.

This privacy policy is published by the creators of UpdraftPlus, Updraft WP Software Ltd (UK) (please see the footer of this page for company registration number). It applies only if you are using our built-in app for authentication. If you configure UpdraftPlus to use your own app, then it does not apply, and in that case no data comes to any of our servers.

Use of pCloud with UpdraftPlus involves visiting our authentication server (website) as part of the authentication (OAuth) flow. Note that no backup data or other data from your WordPress site goes to our servers – this all remains on your server on which you are hosting WordPress. The authentication procedure will cause:

• Your IP address to be logged in our webserver logs. No further processing of these logs is carried out. These logs are kept for 6 months in accordance with UK law, and then automatically deleted. We carry out no further processing on them. They are not shared with any third party.
• (If authentication succeeds) your pCloud account identifier may be stored in the authentication server’s database, so that the necessary authentication token can be given to your site if it requests it again. We carry out no further processing on them. They are not shared with any third party. Note that at the time of writing, we do not currently perform this storage, as pCloud’s authentication procedures do not make it technically advantageous. (We merely reserve the right to do so if it becomes technically helpful in future).

No other data is sent or implicitly gathered by any of our servers in the process of using pCloud. Any changes to this privacy policy in future will be notified of on this page.

This privacy policy is published by the creators of UpdraftPlus, Updraft WP Software Ltd. (please see the footer of this page for company registration number). It applies only if you are using our built-in app for authentication. If you configure UpdraftPlus to use your own app, then it does not apply, and in that case no data comes to any of our servers.

Use of Microsoft OneDrive with UpdraftPlus involves visiting our authentication server (website) as part of the authentication (OAuth) flow. Note that no backup data or other data from your WordPress site goes to our servers – this all remains on your server on which you are hosting WordPress. The authentication procedure will cause:

• Your IP address to be logged in our webserver logs. No further processing of these logs is carried out. These logs are kept for 6 months in accordance with UK law, and then automatically deleted. We carry out no further processing on them. They are not shared with any third party.
• (If authentication succeeds) your Microsoft OneDrive account identifier may be stored in the authentication server’s database, so that the necessary authentication token can be given to your site if it requests it again. We carry out no further processing on them. They are not shared with any third party. Note that at the time of writing, we do not currently perform this storage, as OneDrive’s authentication procedures do not make it technically advantageous. (We merely reserve the right to do so if it becomes technically helpful in future).

No other data is sent or implicitly gathered by any of our servers in the process of using Microsoft OneDrive. Any changes to this privacy policy in future will be notified of on this page.

This page is intended to explain what data is accessed or processed during usage (both installation and ongoing usage) of the UpdraftPlus backup/restore plugin, both free and Premium versions. In the general case this is “nothing – or, if using an explicit online service, then the minimum required to deliver that service” – but you can and should read the full details below. If you explicitly take other actions whose obvious nature is to sign up for something – e.g. sign up for a newsletter, or follow us on Twitter – then these may involve some data sharing. In such cases, the information will be available in the place where that action is taken. This page is intending to describe plugin usage only.

General note on logging of server requests

In the case of any HTTP requests sent to our servers (including not just explicit visits in your web browser, but API calls made by any software involved), under UK law these requests are logged and stored for 6 months. They are then automatically rotated. We do not process these logs for other purposes except as part of normal server operation (e.g. summarising statistics, or searching for information on particular server events, e.g. investigating unusual load or access patterns). They are never processed for any marketing purposes. Note that this information is assumed in all sections below where it applies and is not repeated.

General notes on data collection and sharing

Where any data needs to be processed by us for an indicated or necessary usage described on this page, then the definition of “us” includes our partner, Xibo Limited (UK registered company 6841995), who provide us with various support services in both customer support and product development, under a strict data sharing agreement for defined usages only. Where “third parties” are mentioned below, these references exclude Xibo.

When taking and restoring backups

In the general case, taking and restoring backups does not result in any communications at all with any of our servers. i.e. No data is gathered by us, and hence none is processed in any way. Neither is there any other gathering of telemetric data on the WordPress dashboard in UpdraftPlus. i.e. There is no observation of how you use the plugin within your WordPress install, and no reporting back of the resulting data to our servers.

In the case of backup destinations which provide security via an OAuth communication flow which uses our authentication server as part of the OAuth protocol (this includes Dropbox, Google Drive, Google Cloud and Microsoft OneDrive in cases where you have not explicitly set up a personal application for authentication), out of necessity of the OAuth protocol, an authentication token passes through our authentication server. No personally identifiable information is stored, or processed, by us as part of this procedure.

Connecting for updates in paid versions

If you connect UpdraftPlus for receiving updates in your WordPress dashboard, then the information on which site has been connected to receive updates is stored in our database. It is used only via automated code to then send back information on update availability upon request from your site, and for other directly related tasks (e.g. providing information on upcoming licence expiry events). When an update request is sent, it includes your WordPress, PHP and UpdraftPlus version numbers, current language in WordPress, whether your install is a multisite install or not, and the PHP memory limit. Our plugin updates server is capable of using this information to decide what is an appropriate update for you. We reserve the right to summarise this data (i.e. anonymise and aggregate it) for the purpose of producing aggregated statistics on our user base, which we may use to guide our development.

News feed

UpdraftPlus may fetch a news feed from our blog and display headlines within the WP admin dashboard. This news feed is fetched from Feedburner, a service operated by Google. As a consequence, we do not receive (and therefore do not process) any data when this is done.

This privacy policy is published by the creators of UpdraftPlus, Updraft WP Software Ltd (UK) (please see the footer of this page for company registration number). It applies only if you are using our built-in app for authentication. If you configure UpdraftPlus to use your own app, then it does not apply, since in that case no data comes to any of our servers (and so no policy for handling that data is needed). Also you may want to note Google’s own terms and conditions (which forbid use of consumer Google Drive accounts for commercial purposes.)

Note that Google Drive does not provide a security model that keeps any data stored via an app (such as UpdraftPlus) separate from other data stored by the same app. i.e. It is not suitable for storing data that belongs to separate websites if administrators of those websites should not be able to access each other’s data. That is not an UpdraftPlus decision, that is the Google Drive security model; Google wants you to instead use Google Cloud for commercial use. (Other commercial storage providers are available, of course).

Use of Google Drive with UpdraftPlus involves visiting our authentication server (website) as part of the authentication (OAuth) flow. Note that no backup data or other data from your WordPress site goes to our servers – this all remains on your server on which you are hosting WordPress. So, when you see the Google permission authorisation screen, it is asking you about what the plugin, running on your webserver, will be able to do.

The authentication procedure will cause:

• Your IP address to be logged in our webserver logs. No further processing of these logs is carried out. These logs are kept for 6 months in accordance with UK law, and then automatically deleted. We carry out no further processing on them. They are not shared with any third party.
• (If authentication succeeds) your Google account identifier to be stored in the authentication server’s database, so that the necessary authentication token can be given to your site if it requests it again. We carry out no further processing on them. They are not shared with any third party.

No other data is sent or implicitly gathered by any of our servers in the process of using Google Drive. Any changes to this privacy policy in future will be notified of on this page.

 

Site-to-site cloning

When using UpdraftPlus Premium’s “site-to-site clone” feature, there are no communications with any of our servers, and hence no data is either stored or processed by us.

Temporary cloning

When using UpdraftPlus’s “temporary clone” (“UpdraftClone”) feature, your site needs to communicate with our servers in order to establish entitlement (i.e. that you have sufficient ‘credits’, of whatever sort), and request the clone to be created, including the specifics of the clone desired (including WP version to install, PHP version, and the username who created the clone so that they can log in on it). Data on how many clones you currently have active is stored in our databases. It is not processed for any purpose beyond providing the service, and advising you of the credit level on your account and any appropriate actions to take. It is not shared with any third party. When your clone is created, it will have its own VPS (Virtual Private Server), not shared with any other site or customer. Your site will send your backup data directly to the new WordPress install on the clone directly (i.e. not using our servers as an intermediary). We do not access the cloned site except for explicitly requested support, and for general monitoring of the health of the platform. We do not take, or keep, any copy of your data; i.e. when the clone is destroyed, none of your data from it remains.

When you use UpdraftPlus to initiate a new clone, your webserver may make a request to ipinfo.io (or a similar service, if we change it in future) to work out which country your server is located in, in order to show you a suitable default region choice for your clone). You can prevent this lookup and selection of a default choice by defining the constant UPDRAFTPLUS_DO_NOT_USE_IPINFO with value true in your site’s wp-config.php file.

If you are using UpdraftVault as your storage option, then your site will communicate with our servers over a secure SSL connection to obtain a credential (a ‘token’) (i.e. verify that you currently have an account with us). This token is then used to communicate with our object storage servers which are part of the Amazon AWS platform. Your backup data itself does not pass through any of our servers. All data on this platform is encrypted using server-side encryption (SSE). You can additionally use the feature in UpdraftPlus Premium to encrypt your database backup file using your own key. We do not process any of your backup data in any way (except in response to an explicit support request). It will be retrieved directly to your UpdraftPlus install, or to your computer via your web browser if you use the Vault browser, upon your request. There are no circumstances in which your backup data is processed for any other purpose than backup and restoration, and it is not shared with any other parties.

Use of Google Analytics with UpdraftCentral involves visiting our authentication server (website) as part of the authentication (OAuth) flow. Note that no data from your WordPress site goes to our servers – this all remains on your server on which you are hosting WordPress. The authentication procedure will cause:

• Your IP address to be logged in our webserver logs. No further processing of these logs is carried out. These logs are kept for 6 months in accordance with UK law, and then automatically deleted. We carry out no further processing on them. They are not shared with any third party.
• (If authentication succeeds) your Google account identifier to be stored in the authentication server’s database, so that the necessary authentication token can be given to your site if it requests it again. We carry out no further processing on them. They are not shared with any third party.

No other data is sent or implicitly gathered by any of our servers in the process of using Google Analytics. Any changes to this privacy policy in future will be notified of on this page.

UpdraftCentral self-hosted

If you are using the self-hosted version of UpdraftCentral (whether free or paid) then no data is sent to, or processed by, any of our servers. Communications are only between your servers on which the controlled site, and dashboard, are. In the case of the paid version, the above section on connecting for updates also applies.

UpdraftCentral Cloud

If you are using our hosted UpdraftCentral product, UpdraftCentral Cloud, then our servers necessarily store information on which sites you have connected to UpdraftCentral, how many licences you have purchased, and they dispatch commands to those sites in accordance with UpdraftCentral’s normal operation. We do not process any data stored or obtained for unrelated purposes. If you approach your licence limit then we may inform you and present your options for upgrades. UpdraftCentral Cloud data is not shared with any third party.