This Privacy Policy explains what happens to your personal data when you use the WP Maintenance Agent service (“WPMA”, “the Service”) and its dashboard at wpma.kreiswolke.com. “Personal data” means all data that can be used to personally identify you. We handle your personal data confidentially and in accordance with the GDPR and this policy.
The controller responsible for processing within the Service is:
Anders und Anders Digipart GbR, operating the Service under its Kreiswolke brand
Am Schacht 35, 52223 Stolberg, Germany
Email: legal@digipart.eu · Phone: +49 (0)2402 / 9058823
The controller is the natural person or legal entity that, alone or jointly with others, determines the purposes and means of the processing of personal data.
This policy covers the WP Maintenance Agent web application and dashboard and the account you create there. The free WP Maintenance Agent WordPress plugin runs on your own web server; it is the tool the Service operates through and does not, by itself, transmit personal data to us beyond what the Service requests on your instruction.
Your email address, an optional display or agency name, and a password (stored only as a salted bcrypt hash — never in plaintext), plus your email-verification status and account/plan metadata. Purpose: to create and operate your account and to authenticate you. Legal basis: Art. 6(1)(b) GDPR (contract).
For each site you connect: the site URL, a WordPress username, and a WordPress Application Password. The Application Password is encrypted at rest with AES-256-GCM and is used solely to perform the maintenance actions you request, via the plugin’s authenticated interface. Legal basis: Art. 6(1)(b) GDPR. Where a site you connect contains your own clients’ personal data, WPMA acts as a processor on your behalf; an order-processing agreement under Art. 28 GDPR is available on request.
Plugin, theme and WordPress-core inventory and versions, PHP and database versions, health signals and disk/error-log excerpts, uptime checks, maintenance run logs, hardening configuration, and any site notes you enter. Purpose: to deliver the maintenance, monitoring and reporting features and to reason about update order and risk. Legal basis: Art. 6(1)(b) and Art. 6(1)(f) GDPR (our legitimate interest in providing and securing the Service).
To plan maintenance, the Service sends site technical metadata (§3.3) to our AI sub-processor Anthropic via its API. We send no WordPress credentials, site content, or user database. The data is technical, not personal, and obvious identifiers (email and IP addresses) are automatically stripped from error-log excerpts before sending. Site notes you write are sent as you wrote them. Anthropic does not use API data to train its models and retains it only briefly for abuse-prevention under its commercial terms. This involves a transfer to the USA (§5); EU data residency is available on request and in dedicated plans.
The in-app assistant runs on Anthropic’s Haiku model and only classifies what you ask — it does not receive your site data. Per message we send Anthropic just three things: a fixed instruction prompt (no customer data), the message you type (max 2,000 characters), and optionally the name of the site you were just viewing (max 200 characters, so a phrase like “check it again” can be resolved). The model returns only an interpreted action; our server then runs the query against our own database and sends the result straight to your browser — never back through the AI. No site data, reports, logs, notes, or credentials reach Anthropic; the only customer text transmitted is what you type. As above, this data is not used to train Anthropic’s models, is retained only briefly, and involves a transfer to the USA (§5). Legal basis: Art. 6(1)(b) and (f) GDPR.
We use Resend to send service emails — verification links, password resets, maintenance reports, and alerts. Your email address and the message content are processed. This involves a transfer to the USA (§5). Legal basis: Art. 6(1)(b) and (f) GDPR.
The application and database are hosted on servers operated by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany — physically located in Germany (EU). A data-processing agreement under Art. 28 GDPR is in place, under which the host processes data only on our instructions. Legal basis: Art. 6(1)(f) GDPR.
If you purchase a paid plan, payment and billing data are processed by Stripe (Stripe Payments Europe, Ltd. for customers in the EU; Stripe, Inc. in the USA). We do not receive or store full card data. Transfers to the USA are based on the EU Standard Contractual Clauses. See Stripe’s Privacy Policy. Legal basis: Art. 6(1)(b) GDPR.
You may connect an external AI assistant (for example Claude via claude.ai) through our “Connected apps” feature. If you do, you authorize that third party to access your fleet data through a scoped, revocable access token; that party’s handling of the data is governed by its own terms. You can revoke any connection at any time in Settings. Legal basis: Art. 6(1)(a) GDPR (consent — you initiate it and can withdraw it).
Our servers automatically record standard technical access data (IP address, timestamp, requested resource, browser/user agent) for security, abuse-prevention and operation. Legal basis: Art. 6(1)(f) GDPR. Retention: 30 days, then automatic deletion.
The Service sets a single essential session cookie (first-party) to keep you signed in, and stores your theme preference (light/dark) in your browser’s local storage. We do not use advertising, analytics or third-party tracking cookies, and the application loads no fonts, scripts or other resources from third-party content-delivery networks (no connection to Google Fonts or similar services is established). Because the session cookie and theme setting are strictly necessary to provide a service you requested, they are set on the basis of § 25(2) TDDDG and Art. 6(1)(f) GDPR, and no cookie consent banner is required. You can delete cookies and local storage at any time in your browser settings; doing so will sign you out.
In the course of providing the Service we work with the following processors. We only disclose personal data on the basis of a valid data-processing agreement and only to the extent necessary.
| Sub-processor | Purpose | Location | Transfer safeguard |
|---|---|---|---|
| Hetzner Online GmbH | Hosting and database | Germany (EU) | — (within the EU) |
| Anthropic, PBC | AI reasoning for maintenance and the in-app assistant | USA | EU Standard Contractual Clauses |
| Resend (Plus Five Five, Inc.) | Transactional email | USA | EU Standard Contractual Clauses |
| Stripe (Payments Europe, Ltd. / Stripe, Inc.) | Payments for paid plans | EU and USA | EU Standard Contractual Clauses |
We do not sell personal data, and we do not share it beyond what is necessary to provide the Service or where we are legally obliged to do so.
Your account, credential and site data are stored in Germany (EU). Some sub-processors (§3.4 Anthropic, §3.5 Resend, §3.7 Stripe) process data in the USA. Such transfers are safeguarded by the EU Standard Contractual Clauses and, where applicable, the EU–U.S. Data Privacy Framework and/or the derogations of Art. 49(1) GDPR where strictly necessary to perform our contract with you.
We follow the storage-limitation principle (Art. 5(1)(e) GDPR) and keep personal data only as long as necessary for the purposes above:
Under the GDPR you have the right to:
To exercise any right, contact legal@digipart.eu. We do not engage in automated decision-making with legal effect, nor in direct advertising.
You also have the right to lodge a complaint with a supervisory authority. For our establishment this is the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW); you may alternatively contact the authority in your own EU member state of residence.
For security and to protect the transmission of confidential content, this Service uses SSL/TLS encryption throughout. You can recognize an encrypted connection by the “https://” prefix and the lock icon in your browser’s address bar. When encryption is active, the data you transmit to us cannot be read by third parties.
We apply appropriate technical and organizational measures, including: AES-256-GCM encryption of WordPress Application Passwords at rest, bcrypt-hashed account passwords, hashed API and OAuth tokens (plaintext never stored), TLS in transit, cryptographic request-signing for destructive plugin operations, and access controls that isolate each account’s data.
We may update this policy as the Service evolves or the law changes. Material changes will be communicated by email and/or in-app. The current version is always available at wpma.kreiswolke.com/privacy.
Anders und Anders Digipart GbR — Kreiswolke
Am Schacht 35, 52223 Stolberg, Germany
legal@digipart.eu