Privacy Policy

Albert — albertwp.com and paid add-ons

Last updated: 21-04-2026 Effective: 21-04-2026

This Privacy Policy explains how Your Mark Media (“we“, “us“) collects and uses personal data when you visit albertwp.com (the “Site“), buy the paid add-ons for the Albert WordPress plugin (“Add-ons“), or use those Add-ons on your WordPress site.

We are the controller of your personal data:

Your Mark Media Bruggemaat 34, 7623MD, Borne, The Netherlands KVK: 53699262 Privacy contact: info@albertwp.com

We want this policy to be useful, not decorative. If anything is unclear, email us.

1. Scope

This policy covers:

  • The Site (albertwp.com): browsing, creating an account, buying and managing Add-ons, getting support.
  • The Add-ons (Albert Premium, Albert for WooCommerce) and their interaction with our license and update server.
  • Support interactions by email or any support channel we provide.

This policy does not cover:

  • Albert Core, the free plugin distributed via WordPress.org. Albert Core runs entirely on your WordPress site and does not send operational data to us.
  • Third-party AI assistants and other tools that you connect to Albert via the Model Context Protocol (MCP) or similar interfaces. Those services have their own privacy policies. When you connect Albert to a third-party AI client, data flows directly between your WordPress site and that client — we are not in the middle and do not receive or store that data.
  • Your customers’ personal data processed inside WordPress. You are the controller of that data; we do not receive it.

2. What personal data we collect

2.1 When you visit the Site

  • Technical data your browser sends automatically: IP address, user-agent, pages viewed, referrer, approximate location derived from IP, timestamps.
  • Cookies and similar technologies — see Section 7.

2.2 When you create an account and buy an Add-on

  • Identity and contact data: name, email address, company name (optional), billing address, country, and VAT ID (for business buyers).
  • Account data: username, hashed password, preferences, purchase history, License Keys, the domains where each License Key is activated.
  • Payment data: we use Stripe and PayPal to process payments. We receive confirmation that a payment succeeded or failed and a token representing the payment method, but we do not store your full card or bank account details.
  • Invoicing data: the data required to issue a legally valid invoice.

2.3 When you use an Add-on on your WordPress site

When an Add-on on your site talks to our license/update server, we receive:

  • License Key and activation status;
  • Site URL (the domain where the Add-on is installed);
  • IP address of the request;
  • Add-on version, Albert Core version, WordPress version and PHP version — to deliver the right updates and diagnose compatibility;
  • Approximate time and frequency of update checks.

We do not collect content from your WordPress site, posts, users, orders, customer data, API keys, or AI conversations through normal operation of the Add-ons.

If the Add-ons ever include an opt-in diagnostics or usage telemetry feature, it will be off by default, clearly described, and only collect what is stated at the opt-in screen.

2.4 When you contact support

When you email support or submit a ticket we receive your email, the content of your message and any attachments, and — if relevant — system information you voluntarily share (WordPress debug logs, error messages, screenshots). Please redact anything sensitive before sending.

2.5 Marketing

If you opt in, we use your email address to send product updates and occasional marketing emails. You can unsubscribe at any time via the link in every email.

3. Why we use your data, and the legal basis (GDPR Art. 6)

PurposeData categoriesLegal basis
Provide the Site, your account, and downloadsAccount, identity, technicalContract (Art. 6(1)(b))
Process payments and issue invoicesIdentity, payment, invoicingContract; legal obligation for tax/accounting (Art. 6(1)(b), (c))
Activate and validate licenses; deliver updatesAccount, License Key, Site URL, IP, version dataContract (Art. 6(1)(b))
Prevent license abuse, fraud and security incidentsAccount, technical, License Key activation dataLegitimate interests (Art. 6(1)(f)) — protecting our business and lawful customers
Provide supportSupport content and attachmentsContract; legitimate interests (Art. 6(1)(b), (f))
Service-related notifications (renewal reminders, security notices, important changes)Identity, accountContract; legal obligation where applicable (Art. 6(1)(b), (c))
Marketing to existing customers (soft opt-in where permitted, otherwise opt-in)IdentityLegitimate interests or consent (Art. 6(1)(f) or (a)); you can object/withdraw at any time
Analytics and product improvement (privacy-friendly)Technical, aggregatedLegitimate interests (Art. 6(1)(f)) or consent where the law requires
Comply with legal obligations (tax, accounting, legal requests)As requiredLegal obligation (Art. 6(1)(c))
Defend legal claimsAs requiredLegitimate interests (Art. 6(1)(f))

Where we rely on legitimate interests, we have balanced them against your rights and interests. You can always object — see Section 9.

4. Who we share your data with

We do not sell personal data. We share it only with the following categories of recipients:

  • Payment processors — Stripe Payments Europe, Limited (Ireland) and PayPal (Europe) S.à r.l. et Cie, S.C.A. (Luxembourg) — for payment processing, fraud prevention and compliance with their own legal obligations.
  • License and update infrastructure — the systems that run albertwp.com and our license server, hosted on Hetzner, Germany.
  • Email and communication providers — [TRANSACTIONAL EMAIL PROVIDER, e.g. Postmark / Mailgun / SendGrid] for transactional email; [MARKETING PROVIDER, e.g. MailerLite / ConvertKit], if applicable, for opt-in marketing.
  • Analytics — [ANALYTICS PROVIDER, e.g. Plausible / Fathom / Matomo / GA4]. We aim to use privacy-friendly analytics wherever possible.
  • Support tooling — [SUPPORT TOOL, e.g. help desk], if applicable.
  • Professional advisers — accountants, auditors, lawyers, under duties of confidentiality.
  • Authorities and law enforcement — when legally required, in line with Section 6.
  • Successors — in a merger, acquisition or sale of assets, your data may transfer to the successor entity; we will notify you.

Each of these recipients is either a processor acting on our instructions under a Data Processing Agreement (GDPR Art. 28), an independent controller for specific purposes (such as payment processors), or a joint controller where appropriate. A current list of processors is available on request.

5. International transfers

Where personal data is transferred outside the European Economic Area (EEA), we rely on appropriate safeguards under GDPR Chapter V, typically:

  • Adequacy decisions by the European Commission (for example, for recipients in the United Kingdom);
  • Standard Contractual Clauses adopted by the European Commission, combined with supplementary measures where needed (for example, for some US-based processors);
  • Where applicable, certification under the EU–US Data Privacy Framework.

You can request a copy of the safeguards in place by emailing [PRIVACY EMAIL].

6. Retention

We keep personal data only as long as needed for the purposes described, or as required by law:

  • Account data: while your account is active; deleted or anonymised [12] months after account closure, unless a longer period is required by law.
  • Orders, invoices and tax records: 7 years, as required by Dutch tax law (Article 52 of the Dutch General Tax Act — Algemene wet inzake rijksbelastingen).
  • License activation logs: duration of the license plus [12] months, for support and abuse prevention.
  • Support tickets: up to [24] months after resolution.
  • Server logs: up to [90] days, then deleted or anonymised.
  • Marketing data: until you unsubscribe or object, and for a short period afterwards for audit purposes.
  • Backups: data in rolling backups is overwritten within [30–90] days.

After these periods we delete or irreversibly anonymise the data, unless a legal claim or obligation requires us to keep it longer.

7. Cookies and similar technologies

We use cookies and similar technologies on the Site for:

  • Strictly necessary — login session, checkout, fraud prevention;
  • Functional — remembering preferences;
  • Analytics — understanding how the Site is used, in aggregated form.

We only set non-essential cookies with your consent via the cookie banner. You can change your preferences at any time via the “Cookie settings” link in the footer. See our separate Cookie Policy [LINK] for details of each cookie.

8. Automated decision-making

We do not use automated decision-making that produces legal or similarly significant effects on you (GDPR Art. 22). Fraud-prevention tools operated by payment processors may include automated scoring; where that affects you, the relevant processor’s privacy notice applies and you can ask us to intervene.

9. Your rights under the GDPR

You have the following rights regarding your personal data:

  • Access (Art. 15) — ask what we hold and get a copy;
  • Rectification (Art. 16) — correct inaccurate or incomplete data;
  • Erasure (Art. 17) — ask us to delete data in certain circumstances (“right to be forgotten”);
  • Restriction (Art. 18) — ask us to limit processing while we check something;
  • Portability (Art. 20) — receive data you provided in a structured, machine-readable format;
  • Objection (Art. 21) — object to processing based on legitimate interests, including profiling; always honoured for direct marketing;
  • Withdraw consent (Art. 7(3)) — where we rely on consent, you can withdraw it at any time, without affecting prior processing.

To exercise any of these rights, email [PRIVACY EMAIL] from the email address associated with your account. We may ask for reasonable information to verify your identity. We respond within one month; if a request is complex we may extend that by two further months and will tell you why.

If you believe we have not handled your data lawfully, you have the right to lodge a complaint with a supervisory authority. In the Netherlands, that is the Autoriteit Persoonsgegevens (https://autoriteitpersoonsgegevens.nl). You can also complain to the supervisory authority where you live or work.

10. Security

We apply technical and organisational measures appropriate to the risk, including:

  • Encryption in transit (TLS) for the Site, the license server and our APIs;
  • Encryption at rest for sensitive data where supported;
  • Access controls, least-privilege administration, and strong authentication for internal systems;
  • Regular software updates, vulnerability monitoring and backups;
  • Vendor due diligence and Data Processing Agreements with our processors.

No system is perfectly secure. If we discover a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the supervisory authority within 72 hours and, where the risk is high, notify you without undue delay (GDPR Art. 33–34).

11. Children

The Add-ons and the Site are not directed to children under 16, and we do not knowingly collect personal data from them. If you believe a child has provided us personal data, please contact us and we will delete it.

12. Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top shows when it was last changed. Material changes will be announced on the Site or by email before they take effect. Please review the policy periodically.

13. Contact

For any question about this policy, to exercise your rights, or to make a complaint:

  • Email: info@albertwp.com
  • Post: Your Mark Media, Bruggemaat 34, Borne, The Netherlands

We aim to resolve concerns quickly and directly. You always retain the right to contact the supervisory authority described in Section 9.