Privacy Policy
Last Updated: March 17, 2026
Effective Date: March 17, 2026
Company: BuiltByGo LTD, a company registered in England and Wales
1. Introduction
This Privacy Policy explains how BuiltByGo LTD (“we”, “us”, “our”), trading as WP HealthKit, collects, uses, shares, and protects your personal data when you use our WordPress plugin security and quality audit platform at wphealthkit.com (the “Service”).
We are the data controller for the personal data we collect about you as a user of our Service. When you upload plugin source code for analysis, we act as a data processor on your behalf for that content, and as a data controller for the audit results and anonymised findings we generate.
This policy applies to all users of the Service, regardless of location. We comply with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other applicable data protection laws.
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.
2. Information We Collect
2.1 Information You Provide
Account Information. When you register, we collect your name, email address, and password. If you register via a third-party provider (such as Google or GitHub), we receive your name and email from that provider.
Billing Information. When you subscribe to a paid plan, we collect your billing name, billing address, and payment card details. Payment card data is processed and stored by Stripe, Inc., our payment processor. We do not store your full card number on our servers.
Plugin Source Code. When you upload a WordPress plugin ZIP file for audit, we receive and temporarily store the contents of that file. This may include PHP source code, JavaScript files, CSS, configuration files, and any other files contained in the archive. You should not include files containing passwords, API keys, database credentials, or other secrets in your uploads; if you do, these will be processed and stored alongside your plugin files.
Communications. When you contact us via email or through our support channels, we collect the content of your messages and any attachments you send.
2.2 Information Collected Automatically
Usage Data. We automatically collect information about how you interact with the Service, including: pages visited, features used, audit frequency, report downloads, time spent on pages, and referring URLs.
Device and Connection Data. We collect your IP address, browser type and version, operating system, device type, and screen resolution.
Cookies and Similar Technologies. We use cookies and similar tracking technologies as described in Section 8 of this policy.
2.3 Information from Third Parties
Stripe. We receive transaction confirmations, payment status, and subscription details from Stripe. We do not receive your full card number from Stripe.
3. How We Use Your Information
We process your personal data for the following purposes, each with a corresponding lawful basis under GDPR:
To provide the Service (Lawful basis: Performance of contract). We use your account information to manage your account, your uploaded plugin files to perform security and quality audits, and your billing information to process payments and manage subscriptions.
To communicate with you (Lawful basis: Performance of contract / Legitimate interest). We send transactional emails about your account, subscription, and audit results. We may also send service announcements and updates about changes to the Service.
To improve the Service (Lawful basis: Legitimate interest). We analyse usage data in aggregate to understand how the Service is used, identify areas for improvement, fix bugs, and develop new features. We balance this interest against your privacy rights by anonymising data where possible and minimising the data we retain.
To ensure security (Lawful basis: Legitimate interest). We use device and connection data to detect and prevent fraud, abuse, and unauthorised access. We monitor uploads to detect malicious content.
To comply with legal obligations (Lawful basis: Legal obligation). We retain billing and transaction records as required by UK tax law and financial regulations. We respond to valid legal requests from law enforcement and regulators.
To send marketing communications (Lawful basis: Consent). With your explicit opt-in consent, we may send newsletters, product updates, and promotional content. You can withdraw consent at any time by clicking the unsubscribe link in any marketing email or by contacting us.
4. Data Retention
We retain different categories of data for different periods based on the purpose of collection and our legal obligations:
Account information is retained for the duration of your active account plus 30 days after account closure to allow for account recovery requests.
Billing and transaction records are retained for 7 years after your last transaction, as required by UK tax law (Income Tax (Trading and Other Income) Act 2005, Companies Act 2006).
Uploaded plugin source code is retained for the duration of your active account. Upon account closure or at your request, uploaded files are permanently deleted within 90 days. You may request immediate deletion of specific uploads at any time during your active subscription.
Audit reports and findings are retained for the duration of your active account. Upon account closure, reports are deleted alongside the associated plugin files within 90 days.
Anonymised and aggregated data derived from audits (such as aggregate vulnerability statistics that cannot be linked to any individual user or plugin) may be retained indefinitely for research and service improvement.
Usage and analytics data is retained for 24 months from the date of collection. After 24 months, this data is either deleted or anonymised.
Communications and support tickets are retained for 3 years after resolution.
5. How We Share Your Information
We do not sell your personal data. We do not share your personal data with third parties for their own marketing purposes. We share your data only in the following circumstances:
5.1 Service Providers (Sub-processors)
We engage the following third-party service providers who process data on our behalf under data processing agreements:
Stripe, Inc. (San Francisco, USA) — Payment processing. Receives: billing name, billing address, payment card details, email address, transaction amounts. Stripe's Privacy Policy: https://stripe.com/privacy. Stripe is certified under the EU-U.S. Data Privacy Framework and the UK Extension to the Data Privacy Framework.
We may engage additional sub-processors for hosting, email delivery, analytics, and customer support. An up-to-date list of sub-processors is maintained at wphealthkit.com/subprocessors and we will notify you of any material changes.
5.2 Legal and Regulatory Disclosures
We may disclose your data where required by law, regulation, court order, or governmental request, or where we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a lawful government request.
5.3 Business Transfers
In the event of a merger, acquisition, reorganisation, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you via email or prominent notice on our website before your data is transferred and becomes subject to a different privacy policy.
5.4 With Your Consent
We may share your data with third parties when you give us explicit consent to do so.
6. International Data Transfers
BuiltByGo LTD is based in the United Kingdom. When you use our Service, your data may be transferred to, stored, and processed in the UK and other countries.
Transfers from the EU to the UK. The European Commission has issued an adequacy decision for the UK (renewed December 19, 2025, valid until December 27, 2031), meaning your data can flow from the EU to the UK without additional safeguards.
Transfers from the UK to third countries. Where we transfer data outside the UK to countries that do not have an adequacy decision (such as the United States for Stripe processing), we rely on appropriate safeguards including: the UK International Data Transfer Agreement (IDTA), the UK Addendum to EU Standard Contractual Clauses, or the relevant data privacy framework certification of the receiving party.
Stripe transfers. Stripe is certified under the EU-U.S. Data Privacy Framework and the UK Extension to the Data Privacy Framework. Additionally, Stripe has executed Standard Contractual Clauses for EU and UK transfers.
You may request a copy of the relevant transfer safeguards by contacting us at the details in Section 13.
7. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include encryption of data in transit (TLS 1.2+) and at rest, access controls limited to authorised personnel, regular security assessments of our infrastructure, and secure deletion procedures for plugin files.
While we take reasonable precautions to protect your data, no method of electronic storage or transmission is completely secure. We cannot guarantee absolute security.
In the event of a personal data breach that poses a high risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours of becoming aware of the breach and will notify affected individuals without undue delay, in accordance with UK GDPR Article 33 and Article 34.
8. Cookies and Similar Technologies
8.1 What We Use
Strictly necessary cookies enable core functionality such as authentication, session management, and security. These cookies cannot be disabled without impairing the Service.
Analytics cookies help us understand how the Service is used so we can improve it. Under the UK Data (Use and Access) Act, analytics cookies used solely for service improvement purposes are subject to an opt-out rather than opt-in mechanism. You may disable these cookies at any time through our cookie preference centre.
We do not use advertising or marketing cookies on the Service.
8.2 Managing Cookies
You can manage your cookie preferences through our cookie preference centre, accessible via the cookie banner on first visit and at any time via a link in the footer of our website. You can also control cookies through your browser settings. Disabling certain cookies may affect the functionality of the Service.
8.3 EU Users
If you are located in the European Economic Area, analytics cookies require your explicit opt-in consent in accordance with EU ePrivacy requirements. Our cookie preference centre will present the appropriate consent mechanism based on your detected location.
9. Your Rights
9.1 Rights Under UK GDPR and EU GDPR
If you are located in the UK or European Economic Area, you have the following rights regarding your personal data:
Right of access. You may request a copy of the personal data we hold about you. We will respond within one month of your request.
Right to rectification. You may request correction of inaccurate personal data or completion of incomplete data.
Right to erasure. You may request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, where you withdraw consent, or where processing is unlawful. Note that we may retain certain data where required by law (such as billing records for tax purposes).
Right to restrict processing. You may request that we restrict processing of your data in certain circumstances, such as while we verify the accuracy of data you have contested.
Right to data portability. You may request your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and have it transmitted to another controller.
Right to object. You may object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
Rights related to automated decision-making. Our audit analysis is performed by AI-assisted tools. You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects on you. You may request human review of any audit findings.
To exercise any of these rights, contact us at [email protected]. We will respond within one month. If your request is complex, we may extend the response period by up to two additional months, and we will inform you of any extension within the first month.
9.2 Rights Under CCPA/CPRA (California Residents)
If you are a California resident, you have the following additional rights:
Right to know. You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it.
Right to delete. You may request deletion of your personal information, subject to certain exceptions.
Right to correct. You may request correction of inaccurate personal information.
Right to opt out of sale or sharing. We do not sell your personal information. We do not share your personal information for cross-context behavioural advertising.
Right to non-discrimination. We will not discriminate against you for exercising your CCPA rights.
To exercise your CCPA rights, contact us at [email protected] or use the “Your Privacy Choices” link on our website. We will verify your identity before processing your request. We will respond within 45 days.
9.3 Complaints
If you believe we have not handled your data in accordance with this policy or applicable law, you have the right to lodge a complaint with:
UK: Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Website: https://ico.org.uk. Telephone: 0303 123 1113.
EU: Your local data protection authority. A list of EU data protection authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
California: Office of the Attorney General, California Department of Justice, Attn: Public Inquiry Unit, P.O. Box 944255, Sacramento, CA 94244-2550.
10. Children's Privacy
The Service is designed for business use by WordPress developers, agencies, and site owners. It is not directed at children under the age of 16 (or under 13 in the United States). We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without appropriate consent, we will take steps to delete that data promptly.
11. Do Not Track
Some browsers transmit “Do Not Track” (DNT) signals. We do not currently respond to DNT signals because there is no industry-standard interpretation. However, you can manage your privacy preferences through our cookie preference centre and the rights described in Section 9.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by email (sent to the address associated with your account) or by posting a prominent notice on our website at least 30 days before the changes take effect.
We encourage you to review this policy periodically. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised policy.
Previous versions of this policy are available at wphealthkit.com/legal/privacy/archive.
13. Contact Us
If you have questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we handle your data, please contact us:
BuiltByGo LTD
Email: [email protected]
For data protection matters, you may also contact our data protection lead at [email protected].