Terms of Service
Last Updated: March 18, 2026
Effective Date: March 18, 2026
Company: BuiltByGo LTD, a company registered in England and Wales
1. Agreement to Terms
These Terms of Service (“Terms”) constitute a legally binding agreement between you (“you”, “your”, “Customer”) and BuiltByGo LTD (“we”, “us”, “our”, “Company”), trading as WP HealthKit, governing your access to and use of the WP HealthKit platform, website, APIs, CLI tools, GitHub integrations, and related services (collectively, the “Service”).
By creating an account, uploading content, or otherwise using the Service, you agree to be bound by these Terms, our Privacy Policy, and our Acceptable Use Policy (Section 8). If you are using the Service on behalf of an organisation, you represent and warrant that you have authority to bind that organisation to these Terms.
If you do not agree to these Terms, do not use the Service.
2. Description of Service
2.1 Overview
WP HealthKit is an AI-powered WordPress plugin and theme security, quality, and accessibility auditing platform. The Service analyses uploaded WordPress plugin and theme source code and generates comprehensive audit reports covering security vulnerabilities, coding standards compliance, type safety, accessibility, quality, and related findings.
2.2 Verification Layers
The Service employs 49 verification layers (45 deterministic + 4 AI) in its audit process:
- Wordfence CVE Database — checks against known vulnerability databases for identified CVEs.
- Composer Dependency Audit — scans third-party dependencies for known security advisories.
- Secret Detection — identifies hardcoded credentials, API keys, and other secrets in source code.
- PHP Compatibility — verifies compatibility across specified PHP versions.
- PHPCS WordPress Coding Standards — evaluates adherence to WordPress coding standards using PHP_CodeSniffer.
- PHPStan Type Safety — performs static type analysis to identify type-related errors.
- AI Security Engine — AI-powered deep analysis of security patterns and vulnerabilities.
- AI Quality Engine — AI-powered assessment of code quality, maintainability, and best practices.
- AI Accessibility Engine — AI-powered review of accessibility compliance and WCAG adherence.
- AI Theme Engine — AI-powered analysis specific to WordPress theme standards and best practices.
Not all verification layers may apply to every audit. The layers used depend on the type of code submitted (plugin or theme) and the features available on your plan.
2.3 Additional Features
The Service also includes, depending on your plan:
- PDF Audit Reports — downloadable reports with optional white-label branding (Agency tier).
- Embeddable Audit Badges — verifiable badges with HMAC-based integrity verification for display on your website or README.
- Public Plugin Directory — an opt-in directory showcasing audited plugins (see Section 7).
- Plugin Leaderboard — ecosystem health statistics and rankings based on audit scores.
- Re-Audit System — discounted re-audits of previously audited plugins within a defined window.
- CRA Compliance Kit — Cyber Resilience Act compliance documentation generation (Agency tier).
- GitHub Actions Integration — automated audit workflows for CI/CD pipelines (Agency tier).
- WP-CLI Plugin — command-line interface for triggering and retrieving audits.
- Bulk Audit API — batch audit submission for multiple plugins in a single request (Agency tier).
- Team Seats — multi-user access under a single account (Agency tier; see Section 10).
- Dashboard with Trends — historical audit data and score tracking over time (Pro and Agency tiers).
2.4 Nature of the Service
The Service is an analytical tool, not a guarantee of security. Our audits identify known vulnerability patterns, coding standards issues, and quality concerns based on automated analysis at a point in time. The Service does not and cannot guarantee that any plugin or theme is free from all vulnerabilities, including zero-day exploits, configuration-dependent issues, or vulnerabilities arising from interactions with other software. You remain solely responsible for the security and quality of your plugins and themes.
Deterministic tools (PHPCS, PHPStan, Wordfence CVE, Composer audit, secret detection, and PHP compatibility) provide verified findings based on established rulesets. AI-generated findings from the AI Security, Quality, Accessibility, and Theme engines should be reviewed by a qualified developer, as AI analysis may contain inaccuracies or miss context-specific nuances.
3. Autofix Service Terms
3.1 Nature of Auto-Fix Suggestions
The Service includes automated code fix functionality (“Autofix”), which generates suggested code modifications for issues identified during audits. Autofix suggestions are generated through a combination of deterministic rule-based transforms and AI-powered code generation.
Autofix suggestions are exactly that — suggestions. They are not guaranteed fixes. Every suggestion is a proposed code modification that you must review, evaluate, and test before applying to any codebase. We do not warrant or represent that any Autofix suggestion will resolve the identified issue, will function correctly in your specific environment, or will be free from errors, regressions, or unintended side effects.
3.2 Your Responsibility to Review and Test
You are solely responsible for reviewing, testing, and validating all Autofix suggestions before applying them to your code. By using the Autofix feature, you acknowledge and agree that:
(a) You will review every suggested code change before accepting or applying it.
(b) You will test all applied fixes in a staging or development environment before deploying to production. You should never apply Autofix suggestions directly to a live production environment without thorough testing.
(c) You will verify that applied fixes do not introduce new issues, break existing functionality, or conflict with other code in your project.
(d) You will maintain backups of your original code before applying any Autofix suggestions so that you can revert changes if necessary.
(e) You have sufficient technical expertise (or access to someone who does) to evaluate whether a suggested fix is appropriate for your specific codebase and use case.
3.3 No Guarantee of Fitness
Autofix suggestions are generated based on automated analysis and pattern recognition. They are not hand-crafted by a human developer, have not been tested against your specific plugin environment, and do not account for factors including but not limited to: your specific server configuration, PHP version, WordPress version, other installed plugins or themes, custom modifications, hosting environment constraints, or third-party integrations.
Our verification pipeline (including syntax checking, re-analysis, type checking, and optional activation testing) is designed to catch obvious errors in generated fixes. However, passing our verification pipeline does not constitute a guarantee that a fix is correct, complete, safe, or suitable for production deployment. Verification reduces risk but does not eliminate it.
3.4 Confidence Scores and Badges
The Service assigns confidence scores and visual badges (such as “Verified”, “Review”, or “Manual Fix Required”) to Autofix suggestions. These scores reflect the results of our automated verification pipeline and are provided as guidance only. A “Verified” status indicates that the suggestion passed our automated checks — it does not mean the fix is guaranteed to work in your environment or that you may skip your own review and testing.
3.5 AI-Generated Fixes
Where Autofix suggestions are generated using AI models (indicated as “AI fix available” in the dashboard), you additionally acknowledge that:
(a) AI-generated code may contain subtle errors, edge cases, or logic issues that automated verification cannot detect.
(b) AI models generate code based on patterns and training data. Generated fixes may not reflect the optimal approach for your specific codebase.
(c) You should apply the same level of scrutiny to AI-generated fixes as you would to code submitted by any external contributor — review, test, and validate before merging.
3.6 Deterministic Fixes
Deterministic Autofix suggestions (such as coding standards formatting, PHP version upgrades, and template-based security patches) are generated using rule-based tools without AI involvement. While deterministic fixes are generally more predictable than AI-generated fixes, they are still automated suggestions and the same review and testing obligations in Section 3.2 apply. Deterministic tools may produce incorrect results in edge cases, unusual code structures, or when interacting with non-standard coding patterns.
3.7 Exclusion of Liability for Applied Fixes
To the maximum extent permitted by applicable law, we shall not be liable for any loss, damage, or harm arising from your decision to apply, deploy, or use any Autofix suggestion, including but not limited to: data loss, security vulnerabilities introduced by the fix, broken functionality, downtime, revenue loss, or any other direct or indirect damages. Your application of any Autofix suggestion is at your sole risk.
4. Account Terms
4.1 Eligibility
You must be at least 16 years old to use the Service. If you are under 18, you represent that you have your parent or guardian's consent. The Service is intended for use by WordPress developers, agencies, and site owners.
4.2 Account Registration
You must provide a valid email address to create an account. You agree to provide accurate, current, and complete information during registration and to update such information as necessary. Each person may maintain only one account. We reserve the right to suspend or terminate accounts that contain materially inaccurate information or duplicate accounts.
4.3 Account Security
You are responsible for maintaining the confidentiality of your account credentials, including your password and any API keys, and for all activity that occurs under your account. You must notify us immediately at [email protected] if you become aware of any unauthorised access to your account.
5. Subscription Plans and Billing
5.1 Plans
The Service is offered under tiered subscription plans and a pay-per-use option, each with different features, usage limits, and pricing as described on our pricing page. The current plans are:
- Free — 2 tokens per month, basic features, no cost.
- Pro — £29/month, 30 audits per month, dashboard with trends, API access, re-audit discount.
- Agency — £149/month, 200 audits per month, white-label PDF reports, 5 team seats, bulk audit API (up to 10 plugins per request), GitHub Actions integration, CRA compliance kit.
- Single Audit — £4.99 one-time payment for a single audit with no subscription required.
- Enterprise — £499/month, 500 tokens per month, custom SLA, dedicated support, SSO, custom integrations, and volume pricing available on request.
We reserve the right to modify plan features, usage limits, and pricing, and to introduce new plans at any time, subject to the notice requirements in Section 5.5.
5.2 Free Plan
The Free plan provides limited access to the Service at no charge. We may modify or discontinue the Free plan at any time without notice. The Free plan is provided “as is” with no service level commitments.
5.3 Paid Subscriptions
Paid subscriptions (Pro and Agency) are billed in advance on a recurring basis (monthly or annually, as selected at the time of purchase). Subscriptions auto-renew at the end of each billing cycle. By subscribing to a paid plan, you authorise us to charge your payment method on file for the applicable subscription fee on each billing date.
5.4 Payment Processing
Payments are processed by Stripe, Inc. By providing your payment information, you agree to Stripe's terms and conditions (https://stripe.com/legal). We do not store your full payment card details on our servers.
5.5 Price Changes
We may change subscription prices with at least 30 days' advance notice sent to the email address associated with your account. Price changes take effect at the start of your next billing cycle following the notice period. If you do not agree to a price change, you may cancel your subscription before the new price takes effect.
5.6 Re-Audit Discount
If you re-audit the same plugin within 30 days of a previous audit, a 50% discount is applied automatically. This discount applies to Pro and Agency subscribers and to single audit purchases where the original audit was also a paid audit.
5.7 Failed Payments
If a payment fails, we will attempt to process the charge again using your stored payment method. If payment cannot be collected after reasonable attempts over a 30-day period, we may suspend your account. If payment remains outstanding for 60 days, we may terminate your account in accordance with Section 14.
5.8 Taxes
All prices are exclusive of applicable taxes unless stated otherwise. You are responsible for any sales tax, VAT, or other taxes applicable to your subscription, except for taxes based on our net income.
6. Cancellation and Refunds
6.1 Cancellation by You
You may cancel your subscription at any time through your account Settings page or via the Stripe customer portal. Cancellation takes effect at the end of your current billing cycle. You will retain access to paid features until that date.
6.2 Refund Policy
We offer a 14-day money-back guarantee on your first subscription purchase. If you are not satisfied with the Service within 14 days of your initial subscription, contact us at [email protected] for a full refund. This guarantee applies to your first subscription only and does not apply to renewals or single audit purchases.
Beyond the 14-day guarantee, subscription fees are generally non-refundable. However, the following exceptions apply:
EU/UK consumer cooling-off period. If you are a consumer (not acting for business purposes) located in the UK or EU, you have the right to cancel within 14 days of your initial subscription purchase and receive a full refund under the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013. This right does not apply to renewals.
Billing errors. If we charge you incorrectly, we will issue a refund for the overcharged amount within 30 days of notification.
Service unavailability. If the Service is materially unavailable for a continuous period exceeding 72 hours due to issues within our control, you may request a pro-rated credit for the affected period.
6.3 Downgrade
You may downgrade from a paid plan to the Free plan or to a lower-tier paid plan at any time. Downgrades take effect at the start of your next billing cycle. Upon downgrade, you may lose access to features and data associated with the higher plan tier, including but not limited to team seats, white-label settings, CRA compliance kits, and bulk audit API access.
7. Public Directory and Leaderboard
7.1 Opt-In Listing
The public plugin directory is strictly opt-in. Your audit results will never appear in the public directory unless you explicitly toggle the “List in public directory” option for a specific plugin. You may opt in or opt out at any time.
7.2 Information Displayed Publicly
If you opt in, the following information is displayed on your plugin's public profile:
- Plugin name and version
- Overall risk level
- Finding counts by severity
- Coding standards score
- Readiness badges
- Executive summary (first two sentences only)
- Positive observations
7.3 Information Never Displayed Publicly
The following information is never shown publicly under any circumstances:
- Individual finding details
- Code fixes or Autofix suggestions
- Proof of concepts
- Source code or code snippets
- Full audit reports
7.4 Removal
You can remove your plugin from the public directory at any time. Removal takes effect immediately. We also reserve the right to remove any listing that violates these Terms, contains misleading information, or is otherwise inappropriate.
7.5 Leaderboard
The plugin leaderboard and ecosystem health statistics use aggregated data from opted-in plugins only. Leaderboard rankings are calculated automatically based on audit scores and are provided for informational purposes. We do not guarantee the accuracy or completeness of leaderboard rankings.
8. Acceptable Use Policy
8.1 Permitted Use
You may use the Service to audit WordPress plugins and themes that you own, have developed, or have been authorised to audit by the rights holder. You may use audit results to improve the security and quality of those plugins and themes.
8.2 Prohibited Conduct
You agree not to:
(a) Upload plugins or code that you do not own or have authorisation to audit.
(b) Use audit findings to attack, exploit, or gain unauthorised access to any system, website, or service.
(c) Upload content that is intentionally malicious, including malware, ransomware, or exploit code, unless clearly labelled and submitted through a designated malware analysis channel (if offered).
(d) Attempt to reverse-engineer, decompile, disassemble, or otherwise derive the source code or underlying algorithms of the Service, including the AI security, quality, accessibility, and theme engines.
(e) Circumvent or attempt to circumvent usage limits, rate limits, or access controls, including through automated scripts or bots not authorised by us.
(f) Access or attempt to access other users' accounts, uploaded files, or audit reports.
(g) Use the Service for any purpose that violates applicable law or regulation.
(h) Resell, sublicense, or redistribute access to the Service without our prior written agreement.
(i) Remove, alter, or obscure any proprietary notices, watermarks, or attribution in the Service or audit reports.
(j) Use the Service in any way that could damage, disable, overburden, or impair our infrastructure.
(k) Scrape, crawl, or use automated means to extract data from the public plugin directory, leaderboard, or any other part of the Service beyond what is provided through our official API.
8.3 Responsible Disclosure
If our audit identifies a previously unknown vulnerability in a third-party plugin, we encourage responsible disclosure practices. You should notify the affected plugin developer and allow a reasonable period (at least 30 days) for remediation before any public disclosure.
8.4 Enforcement
We reserve the right to suspend or terminate your account if you violate this Acceptable Use Policy. Where practicable, we will provide notice and an opportunity to remedy the violation before taking action, except where immediate action is necessary to protect the Service or other users.
9. Plugin Code Handling and Data Processing
9.1 Transmission and Analysis
Plugin and theme source code is transmitted to our servers via TLS encryption and analysed in an isolated environment. The original plugin ZIP is stored securely for up to 30 days to enable the autofix feature (patched ZIP download), after which it is automatically deleted. Only the account holder can access their stored files. The structured audit report (findings, scores, recommendations, and metadata) is retained indefinitely.
9.2 Temporary Disk Storage
Plugin code may be temporarily written to disk for deterministic analysis tools (PHPCS and PHPStan). Temporary files are deleted immediately after analysis completes. We do not retain copies of your source code beyond what is necessary to complete the audit.
9.3 AI Analysis
AI-powered analysis is performed via Anthropic's API. Code snippets are sent to Anthropic for analysis. Anthropic does not retain submitted data for model training purposes per their data retention policy. We select AI providers that offer zero-retention data processing agreements where available.
9.4 No Source Code Sharing
We do not share your source code with any third party, except as described in Section 9.3 (AI analysis via Anthropic) and as strictly necessary to perform the audit. Your source code is never made available to other users, displayed in the public directory, or used for any purpose other than generating your audit report.
9.5 Report Storage
Audit reports are stored in an encrypted database. Reports are retained for 12 months on the Free plan, or for the duration of your subscription plus 90 days on paid plans. You may request earlier deletion by contacting us.
10. Team Seats (Agency Plan)
10.1 Included Seats
The Agency plan includes 5 team seats. Each seat allows one additional user to access the Service under your Agency account with full Agency-tier capabilities.
10.2 Team Owner Responsibility
The account owner (the person who created the Agency account and holds the billing relationship) is responsible for the actions of all team members. Team members are bound by these Terms, and any violation by a team member may result in consequences for the entire team account.
10.3 Access Management
The team owner can invite and remove team members at any time through the account settings. When a team member is removed, their access to the Agency account and its data is revoked immediately. Individual audit data created by a team member remains associated with the team account.
11. API and Integration Terms
11.1 API Access
API access is available on Pro and Agency plans. API keys are issued per account and must be kept confidential. You are responsible for all activity conducted using your API keys.
11.2 Rate Limits
API requests are subject to rate limits that vary by plan tier. Current rate limits are published in our API documentation. We may adjust rate limits with reasonable notice. Exceeding rate limits may result in temporary throttling or suspension of API access.
11.3 Bulk Audit API
The bulk audit API (Agency plan only) allows submission of up to 10 plugins per request. Bulk audit requests are subject to the same terms and conditions as individual audits. Each plugin in a bulk request counts against your audit allocation.
11.4 GitHub Actions Integration
The GitHub Actions integration (Agency plan only) allows you to trigger audits as part of your CI/CD pipeline. You are responsible for configuring the integration correctly and for securing any credentials stored in your GitHub repository settings. We are not responsible for any exposure of API keys or audit results caused by misconfiguration of your CI/CD pipeline.
11.5 WP-CLI Plugin
The WP-CLI plugin allows you to trigger and retrieve audits from the command line. The WP-CLI plugin is provided under the same terms as the Service. You are responsible for keeping the WP-CLI plugin updated and for securing API credentials stored on your server.
11.6 API Revocation
We may revoke API access for abuse, including but not limited to: exceeding rate limits persistently, using the API to scrape or redistribute audit data, or using the API in violation of these Terms.
12. Embeddable Badges
12.1 Badge Usage
The Service provides embeddable audit badges that you may display on your website, plugin README, or marketing materials. Badges are verified using HMAC-based integrity checks to prevent tampering.
12.2 Requirements
When displaying an embeddable badge, you must ensure that the badge links to the authentic WP HealthKit verification URL. You must not modify the badge image, alter the verification link, or display a badge for an audit that has been superseded by a newer audit with a lower score, unless the badge automatically updates.
12.3 Revocation
We reserve the right to revoke or disable badges for accounts that violate these Terms or that display badges in a misleading manner.
13. CRA Compliance Kit
13.1 Scope
The CRA (Cyber Resilience Act) compliance kit generation feature (Agency plan only) produces documentation intended to assist with Cyber Resilience Act compliance. The generated documentation is based on the audit findings and your plugin metadata.
13.2 Not Legal Advice
CRA compliance kits are generated as a convenience tool and do not constitute legal advice. The generated documentation may not be sufficient for full CRA compliance, which depends on your specific circumstances, jurisdiction, and the nature of your software. You should consult with qualified legal counsel to determine your compliance obligations.
14. Termination
14.1 Termination by You
You may delete your account at any time through your account settings or by contacting us at [email protected]. Upon account deletion, we will handle your data as follows:
- Public directory listings are removed immediately.
- All associated audit reports, account data, and team data are deleted within 30 days.
- You may export your data before deletion by contacting us.
14.2 Termination by Us
We may terminate or suspend your account: (a) immediately, if you commit a material breach of these Terms that is incapable of remedy or that you fail to remedy within 14 days of notice; (b) immediately, if your use of the Service poses a security risk to us or other users; (c) immediately, if required by law or regulation; or (d) on 30 days' notice, for any reason or no reason.
14.3 Effect of Termination
Upon termination: (a) your licence to use the Service terminates immediately; (b) we will cease processing your Customer Content; (c) you may export your data within 30 days of termination by contacting us; (d) after the 30-day export period, your Customer Content and audit reports will be deleted in accordance with our Privacy Policy; (e) public directory listings are removed immediately; (f) team members lose access immediately.
14.4 Survival
The following sections survive termination of these Terms: Section 3 (Autofix Service Terms), Section 9 (Plugin Code Handling), Section 16 (Intellectual Property), Section 18 (Disclaimer of Warranties), Section 19 (Limitation of Liability), Section 20 (Indemnification), Section 21 (Governing Law), and Section 22 (Dispute Resolution).
15. Data Retention
15.1 Audit Reports
Audit reports are retained for 12 months on the Free plan. On paid plans (Pro and Agency), reports are retained for the duration of your active subscription plus 90 days after cancellation or expiry.
15.2 Account Deletion
When you delete your account, all associated data — including audit reports, team data, API keys, badge configurations, and public directory listings — is permanently deleted within 30 days. Public directory listings are removed immediately upon account deletion.
15.3 Opt-Out from Public Directory
If you opt out of the public directory (without deleting your account), your listing is removed immediately. Your audit data remains available to you in your dashboard.
16. Intellectual Property
16.1 Our Intellectual Property
The Service, including its underlying technology, audit engines, AI models, algorithms, analysis methodologies, user interface, branding, documentation, and all related intellectual property, is owned by BuiltByGo LTD and is protected by copyright, trade mark, and other intellectual property laws. The WP HealthKit name, logo, and badge designs are our trademarks. Nothing in these Terms grants you any right, title, or interest in our intellectual property except the limited licence to use the Service as described in these Terms.
16.2 Your Content
You retain all ownership rights in any plugins, themes, source code, and materials you upload to the Service (“Customer Content”). Your code remains yours — we claim no ownership over it. By uploading Customer Content, you grant us a limited, non-exclusive, non-transferable licence to access and analyse that content solely for the purpose of providing the Service and generating audit reports for you. This licence terminates when your Customer Content is deleted from our systems.
You represent and warrant that you have all necessary rights and permissions to upload Customer Content to the Service, and that doing so does not infringe any third party's intellectual property rights.
16.3 Audit Reports
Audit reports generated by the Service are licensed to you for your use. You may share reports with your own clients, contractors, or team members who have a legitimate need to review them. Agency plan subscribers may share white-label reports with their clients. You may not publicly publish complete audit reports without our prior written consent.
16.4 Embeddable Badges
You may use embeddable audit badges on your website, README files, and marketing materials, provided that the badges link to the authentic WP HealthKit verification URL. This licence to use badges is revocable and may be terminated if you violate these Terms.
16.5 Anonymised Data
We may retain and use anonymised, aggregated data derived from audits (such as statistical trends about common WordPress vulnerability patterns) that cannot be linked to you or your plugins. We may use such data for research, benchmarking, ecosystem health statistics, the plugin leaderboard, and service improvement, including in publicly available reports.
16.6 Feedback
If you provide us with suggestions, ideas, or feedback about the Service (“Feedback”), you grant us an unrestricted, perpetual, irrevocable, royalty-free licence to use, modify, and incorporate that Feedback into the Service without obligation to you.
17. White-Label and Agency Terms
17.1 Agency Plan
The Agency plan permits you to use the Service on behalf of your clients and to present audit reports under your own branding, subject to the terms of this section and any additional Agency agreement.
17.2 White-Label Reports
You may rebrand PDF audit reports with your own logo, company name, and colour scheme when using the Agency plan's white-label feature. You must not misrepresent the origin of the underlying analysis or imply that you developed the audit technology yourself.
17.3 Client Responsibility
You are responsible for ensuring that your clients' use of audit reports complies with these Terms. You are liable for any violations committed by your clients to the extent you facilitated or authorised such use.
18. Disclaimer of Warranties
THE SERVICE IS PROVIDED “AS IS” AND “AS AVAILABLE” WITHOUT WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, OR STATUTORY.
To the maximum extent permitted by applicable law, we disclaim all warranties, including but not limited to implied warranties of merchantability, fitness for a particular purpose, non-infringement, and any warranties arising from course of dealing or usage of trade.
Without limiting the foregoing, we do not warrant that:
(a) The Service will identify all security vulnerabilities, coding issues, accessibility problems, or quality concerns in any plugin or theme.
(b) Audit results will be error-free, complete, or accurate in all respects.
(c) The Service will be uninterrupted, timely, or free from defects.
(d) Any plugin or theme that passes our audit is secure, free from vulnerabilities, or fit for any particular use.
(e) Our recommendations, if implemented, will prevent security breaches or other incidents.
(f) AI-generated analysis from the AI Security, Quality, Accessibility, or Theme engines will be free from inaccuracies.
(g) Any Autofix suggestion, whether deterministic or AI-generated, will resolve the identified issue, will be free from errors or regressions, or will function correctly in your specific environment.
(h) CRA compliance kit documentation will be sufficient for full regulatory compliance.
(i) Embeddable badges or public directory listings accurately reflect the current security posture of any plugin.
You acknowledge that security analysis is inherently limited and that no audit can identify all possible vulnerabilities, including zero-day exploits, vulnerabilities arising from specific server configurations or plugin interactions, sophisticated targeted attacks, or vulnerabilities introduced after the audit is performed. Deterministic tools (PHPCS, PHPStan, Wordfence CVE, Composer audit) provide verified findings; AI-generated findings should be reviewed by a qualified developer. The Service does not replace professional security review for critical applications. You are solely responsible for the security of your plugins, themes, and the systems on which they are deployed.
Nothing in these Terms excludes or limits any warranty that cannot be excluded or limited under applicable law. In particular, nothing in these Terms affects your statutory rights as a consumer under the Consumer Rights Act 2015 (UK).
19. Limitation of Liability
19.1 Exclusion of Certain Damages
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL WE BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR ANY LOSS OF PROFITS, REVENUE, DATA, GOODWILL, OR BUSINESS OPPORTUNITY, WHETHER BASED IN CONTRACT, TORT, STRICT LIABILITY, OR OTHERWISE, EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Without limiting the generality of the foregoing, we shall not be liable for:
(a) Any security breach, data loss, system compromise, or other harm arising from vulnerabilities in your plugins that were not identified in our audit, or from your failure to implement recommendations made in our audit reports.
(b) Any loss, damage, downtime, data corruption, security vulnerability, broken functionality, or other harm arising from your application of any Autofix suggestion, whether deterministic or AI-generated, including where the suggestion was marked as “Verified” by our verification pipeline.
(c) Any harm resulting from your failure to review, test, or validate Autofix suggestions in a staging or development environment before deploying to production.
(d) Any damages arising from acting on audit recommendations, AI-generated analysis, or CRA compliance documentation.
(e) Any harm caused by reliance on public directory listings, leaderboard rankings, or embeddable badge status.
19.2 Liability Cap
OUR TOTAL AGGREGATE LIABILITY TO YOU FOR ALL CLAIMS ARISING FROM OR RELATED TO THESE TERMS OR THE SERVICE SHALL NOT EXCEED THE GREATER OF: (A) THE TOTAL FEES YOU PAID TO US IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM, OR (B) ONE HUNDRED POUNDS STERLING (£100).
19.3 Exceptions
The limitations in this Section 19 do not apply to: (a) liability arising from our gross negligence or wilful misconduct; (b) liability arising from a breach of our data protection obligations under applicable law that results in a personal data breach; (c) liability that cannot be excluded or limited under applicable law, including liability for death or personal injury caused by negligence and liability under the Consumer Rights Act 2015 (UK).
19.4 Basis of the Bargain
You acknowledge that the fees charged for the Service reflect the allocation of risk set out in this Section 19 and that we would not provide the Service without these limitations.
20. Indemnification
20.1 Your Indemnification of Us
You agree to indemnify, defend, and hold harmless BuiltByGo LTD and its directors, officers, and employees from and against any third-party claims, damages, losses, liabilities, and expenses (including reasonable legal fees) arising from: (a) your use of the Service in violation of these Terms; (b) your Customer Content, including any claim that your uploaded plugin infringes a third party's intellectual property rights; (c) your violation of any applicable law or regulation; or (d) your negligent or wrongful acts or omissions.
20.2 Our Indemnification of You
We will indemnify, defend, and hold you harmless from and against any third-party claims that the Service (excluding Customer Content) infringes a valid patent, copyright, or trade mark of a third party, provided that: (a) you notify us promptly in writing of the claim; (b) you give us sole control of the defence and any settlement; and (c) you provide reasonable cooperation at our expense.
Our indemnification obligation does not apply if the claim arises from: (i) your modification of the Service; (ii) your use of the Service in combination with products not provided by us; or (iii) your use of the Service in violation of these Terms.
20.3 Indemnification Cap
All indemnification obligations under this Section 20 are subject to the liability cap set out in Section 19.2.
21. Governing Law
These Terms are governed by and construed in accordance with the laws of England and Wales, without regard to conflict of law principles.
If you are a consumer resident in the UK, you will benefit from any mandatory provisions of the law of the country in which you are resident. Nothing in these Terms affects your rights as a consumer to rely on such mandatory provisions.
If you are a consumer resident in the EU, you will benefit from any mandatory provisions of the law of your country of residence, and nothing in these Terms restricts your rights under such provisions.
22. Dispute Resolution
22.1 Informal Resolution
Before initiating formal proceedings, you agree to contact us at [email protected] to attempt to resolve any dispute informally. We will endeavour to resolve disputes within 30 days of receipt of your written notice.
22.2 Jurisdiction
Subject to any mandatory consumer protection laws that may apply, the courts of England and Wales shall have exclusive jurisdiction over any dispute arising from or related to these Terms.
22.3 EU Consumers
If you are a consumer resident in the EU, you may also bring proceedings in the courts of your country of residence. You may additionally use the European Commission's Online Dispute Resolution platform at https://ec.europa.eu/consumers/odr.
23. Service Availability
23.1 Uptime Target
We target 99.9% uptime for the Service but do not guarantee it. The Service may be temporarily unavailable due to maintenance, updates, or circumstances beyond our control.
23.2 Scheduled Maintenance
We will announce scheduled maintenance in advance where practicable. Scheduled maintenance windows will be communicated via the Service dashboard or by email.
23.3 Rate Limit Adjustments
We may adjust API rate limits and usage quotas with reasonable notice to ensure fair use and service stability for all users.
24. General Provisions
24.1 Entire Agreement
These Terms, together with our Privacy Policy and any additional agreements you enter into with us (such as an Agency agreement or Data Processing Addendum), constitute the entire agreement between you and us regarding the Service and supersede all prior agreements and understandings.
24.2 Severability
If any provision of these Terms is found to be invalid or unenforceable by a court of competent jurisdiction, that provision shall be enforced to the maximum extent permissible, and the remaining provisions shall remain in full force and effect.
24.3 Waiver
Our failure to enforce any right or provision of these Terms shall not constitute a waiver of that right or provision. Any waiver must be in writing and signed by an authorised representative of BuiltByGo LTD.
24.4 Assignment
You may not assign or transfer these Terms or your rights under them without our prior written consent. We may assign these Terms in connection with a merger, acquisition, or sale of all or substantially all of our assets, provided the assignee agrees to be bound by these Terms.
24.5 Force Majeure
We shall not be liable for any delay or failure to perform our obligations under these Terms to the extent that such delay or failure is caused by events beyond our reasonable control, including but not limited to natural disasters, acts of government, internet or telecommunications failures, power outages, or cyberattacks.
24.6 Notices
Notices to you will be sent to the email address associated with your account. Notices to us should be sent to [email protected]. Notices are deemed given when sent by email (provided no delivery failure notice is received).
24.7 Third-Party Rights
These Terms do not confer any rights on any person other than the parties to these Terms and their permitted successors and assigns, except as expressly stated in these Terms.
25. Changes to These Terms
We may modify these Terms from time to time. We will notify you of material changes by email at least 30 days before the changes take effect. Your continued use of the Service after the effective date of the revised Terms constitutes your acceptance of the changes.
If you do not agree to the revised Terms, you must stop using the Service and cancel your account before the changes take effect.
Previous versions of these Terms are available at wphealthkit.com/legal/terms/archive.
26. Contact Us
If you have questions about these Terms, please contact us:
BuiltByGo LTD
Email: [email protected]