Privacy Policy

Last updated: 26 April 2026

Who we are

GuardingWP is operated by Ramon Horst Media. If you have questions about this policy, contact us at hello@guardingwp.com.

What data we collect and why

Scan logs

When you run a scan, we log your IP address, the timestamp, and the URL you submitted. We retain this data for 90 days, after which it is automatically deleted.

Why: Abuse prevention. The scanner makes outbound HTTP requests on your behalf. Logging is necessary to detect misuse, respond to complaints, and comply with our legal obligations.

Legal basis: Legitimate interest (GDPR Art. 6(1)(f)). We have a proportionate interest in preventing the scanner from being used to probe sites without authorisation.

Account data (Pro users)

If you create an account, we store your email address and a hashed version of your password. We never store your password in plain text. If you sign in with Google, we store your email and Google account ID — your Google password is never shared with us.

Why: To provide the service — automated scans, scan history, and email alerts require an account.

Legal basis: Contract (GDPR Art. 6(1)(b)).

Scan history (Pro users)

Pro accounts store the results of automated weekly scans. This data is tied to your account and retained for as long as your account is active. You can delete it at any time from your dashboard.

Legal basis: Contract (GDPR Art. 6(1)(b)).

Scanner email follow-ups

If you submit your email address on the public scanner to receive a copy of your report, we store your email, the URL you scanned, the report contents, the IP that captured the email, and the plugin slugs/versions detected on that site. We use this to send you the report (Day 0), four follow-up nudges over the next two weeks, and an alert if a new vulnerability is later disclosed for one of the plugins we detected on your site.

Why: You explicitly asked to receive a copy of your scan results, and the follow-ups are tightly tied to that report (helping you act on the findings, alerting you to new risks affecting the same site).

Legal basis: Legitimate interest (GDPR Art. 6(1)(f)). Every email contains a one-click unsubscribe link; opting out also stops vulnerability alerts.

Payment data

Payments are processed by Stripe. We do not store your card number or payment details. Stripe may retain payment data in accordance with their own privacy policy.

Marketing attribution (Google Ads click ID)

If you arrived from a Google Ads click, the URL contains a gclid parameter that Google appended. We store that single identifier in a first-party cookie on our own domain for up to 90 days. If you sign up, the identifier is saved alongside your account record so we can periodically upload paid signups to Google Ads (server-side, in batch) for conversion attribution. We do not load any Google JavaScript on this site and Google does not set any cookie on guardingwp.com.

Why: To measure which ad campaigns drive paid signups, without subjecting you to a cookie banner or third-party tracking pixels.

Legal basis: Legitimate interest (GDPR Art. 6(1)(f)). The processing is limited (one short identifier), purpose-bound (attribution only), and uses no cross-site tracking.

Cookies

We set up to two first-party cookies, on our own domain only. We do not use third-party tracking cookies, advertising cookies, or third-party analytics.

  • Session cookie (gwp_session) — set when you create an account or sign in; deleted when you log out. Required for the service to function.
  • Attribution cookie (gwp_gclid) — set only if you arrived from a Google Ads click. Stores the Google click identifier for up to 90 days so we can later report a paid signup back to Google Ads via their server-side API. Deleted immediately after you sign up. No Google JavaScript loaded; Google sets no cookie on this site.

Who we share data with

We do not sell or share your personal data with third parties for marketing purposes. The only third parties that receive data as part of operating the service are:

  • Stripe — payment processing
  • Hetzner — server hosting (data stored in Nuremberg, Germany)
  • Google — if you choose to sign in with Google
  • WPVulnerability.net — plugin slug lookups during scans (no personal data sent)
  • Google Ads — if you arrived via a paid Google Ads click and then signed up, we periodically upload that click identifier to Google Ads server-side so the campaign can attribute the signup. No browser-side tracking, no other personal data shared.

Your rights

Under GDPR you have the right to access, correct, or delete your personal data. You can:

  • Delete your account and all associated data from your dashboard settings
  • Request a copy of your data by emailing hello@guardingwp.com
  • Request deletion of scan logs tied to your IP by contacting us

We will respond to data requests within 30 days.

Data retention

  • Scan logs (anonymous): 90 days
  • Account data: retained until you delete your account
  • Scan history (Pro): retained until you delete it or close your account
  • Attribution click ID (cookie): up to 90 days, or until you sign up (whichever comes first)
  • Attribution click ID (account): retained on your account record for the lifetime of the account; reported once to Google Ads

Changes to this policy

If we make material changes to this policy, we will update the date at the top of this page. Continued use of GuardingWP after changes constitutes acceptance.