Privacy Policy
Last updated: March 16, 2026
1. Data Controller
AboveWP Agents ("Service") is a product of:
- Bit Balance Ltd., a company registered in Bulgaria
- EIK (Unified Identification Code): 206229043
- Email: management@abovewp.com
- Phone: +359 89 685 5609
Bit Balance Ltd. is the data controller responsible for your personal data processed through AboveWP Agents. We have not appointed a Data Protection Officer as we do not meet the mandatory thresholds under GDPR Article 37. For any data protection inquiries, please contact us at management@abovewp.com.
2. Information We Collect
We collect the following categories of personal data:
Account Data
When you register, we collect your name, email address, and password (stored as a cryptographic hash). If you sign up via a social provider (Google, GitHub, Apple), we receive your name, email, and profile picture from that provider.
Payment Data
Payment processing is handled by Lemon Squeezy (Lemon Squeezy, LLC). We do not store your full credit card number, CVC, or bank details on our servers. We receive and store your Lemon Squeezy customer ID, subscription status, plan details, and billing email for subscription management.
WordPress Site Data
When you connect a WordPress site, we access and store information necessary for our AI agents to operate, including: core version, installed plugins and themes (names, versions, update status), site health indicators, server environment details, and agent execution logs. We do not access or store your site's content (posts, pages, media, user data) unless explicitly required by a specific agent action you have reviewed and approved.
Usage Data
We automatically collect information about how you interact with the Service: pages visited, features used, agent configurations, execution history, and click patterns. This data helps us improve the Service.
Communication Data
When you contact us via email or our in-app chat, we store the content of those communications to provide support and improve our Service.
3. Legal Basis for Processing
Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal grounds:
| Processing Activity | Legal Basis |
|---|---|
| Account creation and management | Performance of contract (Art. 6(1)(b)) |
| Payment processing via Lemon Squeezy | Performance of contract (Art. 6(1)(b)) |
| WordPress site management by AI agents | Performance of contract (Art. 6(1)(b)) |
| Transactional emails (account, billing) | Performance of contract (Art. 6(1)(b)) |
| Analytics (Google Analytics, Microsoft Clarity) | Consent (Art. 6(1)(a)) |
| Marketing (Meta Pixel) | Consent (Art. 6(1)(a)) |
| Security monitoring and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance and tax obligations | Legal obligation (Art. 6(1)(c)) |
4. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service
- Process payments and manage subscriptions
- Execute AI agent tasks on your connected WordPress sites
- Send transactional communications (account confirmations, billing receipts, agent execution reports)
- Provide customer support
- Monitor and improve security, performance, and reliability
- Analyze usage patterns to improve user experience (with your consent)
- Measure advertising effectiveness (with your consent)
- Comply with legal obligations, including tax reporting
5. WordPress Site Data
Our AI agents require access to your WordPress sites to perform their tasks. When you connect a site:
- We access plugin, theme, and core version information to check for updates and vulnerabilities.
- We access site health data and server environment details for performance monitoring.
- Agent execution logs (what actions were taken, when, and the results) are stored for your review.
- We do not access your site's content (posts, pages, media, comments, user accounts) unless a specific agent action requires it and you have explicitly approved that action.
- WordPress site credentials (API keys, application passwords) are encrypted at rest and never exposed in logs, support interfaces, or to AI providers.
6. Cookies and Tracking Technologies
We use cookies and similar technologies for essential functionality, analytics, and marketing. We obtain your explicit consent before setting any non-essential cookies, in compliance with the EU ePrivacy Directive and GDPR.
For detailed information about the cookies we use, their purposes, and how to manage your preferences, please see our Cookie Policy.
7. Data Sharing and Third Parties
We do not sell your personal information. We share data with the following categories of third parties, only to the extent necessary to provide and improve the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting and infrastructure | All service data (encrypted at rest and in transit) |
| AWS Bedrock | AI model gateway (routes requests to AI providers) | WordPress site metadata (no credentials or user content) |
| Lemon Squeezy | Payment processing | Name, email, payment details |
| OpenAI | AI agent processing (via AWS Bedrock) | WordPress site metadata (no credentials or user content) |
| Anthropic (Claude) | AI agent processing (via AWS Bedrock) | WordPress site metadata (no credentials or user content) |
| Google (Gemini) | AI agent processing (via AWS Bedrock) | WordPress site metadata (no credentials or user content) |
| Google Analytics | Website analytics (consent required) | Anonymized usage data, IP address (anonymized) |
| Microsoft Clarity | UX analytics (consent required) | Anonymized session recordings, heatmap data |
| Meta (Facebook) | Advertising measurement (consent required) | Page visit data, conversion events |
All third-party providers are bound by data processing agreements (DPAs) where required under GDPR. Our infrastructure is hosted on AWS, and AI requests are routed through AWS Bedrock to AI providers (OpenAI, Anthropic, Google), which process data under their enterprise/API terms; those terms prohibit using your data to train their models.
8. International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States (where our AI providers and payment processor are based). When we transfer data outside the EEA, we ensure appropriate safeguards are in place:
- EU-US Data Privacy Framework certifications where applicable
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data processing agreements with all providers
9. Data Retention
- Account data: Retained for the duration of your account. Upon deletion, personal data is removed within 30 days.
- Agent execution logs: Retained for 90 days, then automatically deleted.
- Backups and snapshots: Retained according to your plan's backup retention policy.
- Payment records: Retained for 10 years as required by Bulgarian tax law.
- Analytics data: Retained by Google Analytics for 14 months. Microsoft Clarity retains data for 13 months.
- Communication records: Retained for 2 years after your last interaction.
10. Data Security
We implement industry-standard technical and organizational measures to protect your personal data, including:
- Encryption of all data in transit (TLS 1.2+) and sensitive data at rest
- Secure credential storage using AES-256 encryption for WordPress site API keys
- Content Security Policy (CSP) headers with nonce-based script execution
- Regular security audits and vulnerability assessments
- Role-based access controls and principle of least privilege
- Automated monitoring for unauthorized access attempts
While we take all reasonable measures to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
11. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights:
- Right of access (Art. 15): You can request a copy of all personal data we hold about you.
- Right to rectification (Art. 16): You can request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17): You can request deletion of your personal data, subject to legal retention requirements.
- Right to restriction (Art. 18): You can request that we restrict processing of your data in certain circumstances.
- Right to data portability (Art. 20): You can request your data in a structured, commonly used, and machine-readable format.
- Right to object (Art. 21): You can object to processing based on legitimate interests at any time.
- Rights related to automated decision-making (Art. 22): Our AI agents provide recommendations but do not make automated decisions with legal or similarly significant effects without your explicit approval.
- Right to withdraw consent (Art. 7(3)): Where processing is based on consent (analytics and marketing cookies), you can withdraw consent at any time via the cookie consent banner or by contacting us. Withdrawal does not affect the lawfulness of processing before withdrawal.
To exercise any of these rights, contact us at management@abovewp.com. We will respond within 30 days. You can also manage some of these rights directly through your account settings (profile data, account deletion).
12. Right to Lodge a Complaint
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. For Bulgaria, the relevant authority is:
- Commission for Personal Data Protection (CPDP)
- Bulgarian: Комисия за защита на личните данни (КЗЛД)
- Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria
- Website: www.cpdp.bg
- Email: kzld@cpdp.bg
13. Children's Privacy
AboveWP Agents is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child under 18 has provided us with personal data, we will take steps to delete that information promptly. If you believe we have collected data from a child, please contact us at management@abovewp.com.
14. AI Data Processing
Our Service uses third-party AI providers (OpenAI, Anthropic, Google) via AWS Bedrock to power our WordPress management agents. All AI requests are routed through AWS Bedrock, which acts as a secure gateway. When AI agents process tasks:
- Only WordPress site metadata (plugin versions, theme data, health indicators) is sent to AI providers via AWS Bedrock. Your site credentials are never shared.
- AI providers process this data under their enterprise API terms, which prohibit using your data to train their models. AWS Bedrock does not store or use your data for model training.
- AI-generated recommendations are suggestions only — critical actions require your explicit approval before execution.
- We do not use AI to make automated decisions that produce legal effects or similarly significant effects on you.
15. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the Bulgarian Commission for Personal Data Protection (CPDP) within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
- Notify affected users without undue delay if the breach is likely to result in a high risk to your rights and freedoms, as required by GDPR Article 34.
- Provide details of the nature of the breach, the likely consequences, and the measures taken to address it.
16. Changes to This Policy
We may update this privacy policy from time to time. When we make material changes, we will notify you by email or through a prominent notice on the Service. The "Last updated" date at the top indicates when the policy was last revised. We encourage you to review this policy periodically.
17. Contact Information
For any questions or concerns about this privacy policy or our data practices, contact us at:
- Bit Balance Ltd.
- EIK: 206229043
- Email: management@abovewp.com
- Phone: +359 89 685 5609