Privacy
Important note on scope
This Privacy Notice explains how we collect, use, share, and protect personal data when you use the WPFlow website, create an account, contact us, sign up for the service, use the workspace, or otherwise interact with us. It sits alongside the Terms and the Cookie Policy.
1. Who we are
Nordic Creative Limited, trading as WPFlow, is the data controller for the personal data described in this Privacy Notice.
- Registered in England and Wales under company number 07580121.
- Registered office: Kemp House, 152 City Road, London EC1V 2NX.
- VAT number: 485 7059 50.
For privacy questions or rights requests, please use the Contact page.
2. The personal data we collect
We collect personal data in the following categories, depending on how you use WPFlow:
- Identity and account data: name, email address, account role, login identifiers, password hash, and account status.
- Website and site data: website URL, WordPress environment details, site connection metadata, and onboarding information you provide.
- Transaction and billing data: plan, credits, subscriptions, top-ups, invoices, payment status, and limited payment identifiers from payment providers.
- Request and support data: messages, uploads, request details, feedback, and records of our responses.
- Technical and device data: IP address, browser, operating system, device identifiers, and security and access logs.
- Usage and analytics data: pages viewed, events, and interactions on the website and product, subject to your cookie and consent choices where required.
- Marketing preferences: consent status, subscription choices, and whether you interact with marketing communications where enabled.
Please do not send sensitive personal data through free-text fields unless it is strictly necessary and you have the right to share it.
3. Where we get personal data from
- directly from you when you fill in forms, sign up, contact us, or use the service
- automatically through server logs, product events, cookies, and similar technologies, subject to your choices where required
- from third parties where relevant, such as payment providers, email providers, hosting providers, and security or analytics services
4. How we use personal data and our lawful bases
We use personal data only where we have a lawful basis under UK GDPR.
- Contract: to create and manage accounts, run onboarding, provide the service, process billing, and respond to service-related support requests.
- Legal obligation: to keep records required for tax, accounting, compliance, and lawful requests from regulators or authorities.
- Legitimate interests: to protect the service, prevent fraud, improve reliability, investigate misuse, and operate the website and product safely.
- Consent: for non-essential cookies, analytics, and marketing communications where consent is required.
Where we rely on legitimate interests, we assess necessity and balance that use against your rights.
5. Special category data and children
We do not intend to collect special category personal data as part of normal website or service operation.
WPFlow is intended for adults and business users, not children. If we learn that personal data has been provided by a child in circumstances where consent is required, we will take steps to address it as required by law.
6. Cookies and similar technologies
We use cookies and similar technologies to run the website, remember preferences, measure usage, and, where allowed, support marketing.
- Strictly necessary cookies are used for core site and service functions and do not require consent.
- Analytics cookies are only used where you consent.
- Marketing cookies are only used where you consent.
You can read more in the Cookie Policy and manage your choices through the relevant cookie settings tools where available.
7. Who we share personal data with
We share personal data only where necessary and proportionate with service providers that help us operate WPFlow, including hosting, infrastructure, email, billing, security, support, analytics, and payment providers.
We may also share personal data with professional advisers, regulators, law enforcement, courts, or other third parties where required or permitted by law.
Where a third party acts as an independent controller, its own privacy notice will apply to its processing.
8. International transfers
Personal data is primarily processed in the UK and, through our service providers, in countries with appropriate safeguards.
Where we make restricted transfers outside the UK without adequacy coverage, we use appropriate safeguards such as the UK International Data Transfer Agreement, the UK Addendum to Standard Contractual Clauses, or other lawful transfer mechanisms.
9. Data retention
We keep personal data only for as long as necessary for the purposes set out in this notice and to meet legal, accounting, security, and dispute requirements.
- account data: while the account is active and for a limited period afterwards where needed for security, fraud prevention, or compliance
- billing and transaction records: typically up to 6 years where required for accounting, tax, and contractual limitation purposes
- support records: typically 2 to 3 years after resolution, unless needed longer for complaints or disputes
- security and access logs: typically 6 to 12 months, longer where needed to investigate incidents
- marketing suppression and consent records: for as long as needed to respect your choices and demonstrate compliance
Where possible, we delete or anonymise data when it is no longer needed.
10. Security
We use appropriate technical and organisational measures to protect personal data, taking into account the risk and nature of the data involved.
- encryption in transit and, where appropriate, at rest
- access controls and role-based permissions
- logging, monitoring, and security review processes
- secure development, testing, and operational controls
No method of transmission or storage is completely secure, but we maintain a security programme designed to reduce risk and respond appropriately to incidents.
11. Your rights
Under UK GDPR, you may have rights including access, rectification, erasure, restriction, portability, and objection, especially in relation to direct marketing.
We respond without undue delay and usually within one month. That may be extended where legally permitted for complex or multiple requests.
To exercise your rights, please use the Contact page. We may ask for information to verify your identity before responding.
12. Marketing preferences
You can opt out of marketing at any time through unsubscribe links, account settings where available, or by contacting us.
Where we rely on consent, you can withdraw consent at any time. Withdrawal does not affect processing carried out before that withdrawal.
13. Automated decision-making and profiling
We may use automated tools to support fraud prevention, account security, and service personalisation. If we carry out solely automated decision-making with legal or similarly significant effects, we will provide the required safeguards and information.
14. Complaints
If you are unhappy with how we handle personal data, please contact us first so we can try to resolve the issue.
You also have the right to complain to the Information Commissioner’s Office. More information is available at ico.org.uk.
15. Third-party links and services
Our site may link to third-party websites or services. Their privacy practices are governed by their own notices, not this one.
16. User responsibilities
- you should ensure the information you provide is accurate and up to date
- you are responsible for keeping your account credentials secure
- if you provide another person’s personal data, you confirm you have the right to do so
17. Changes to this Privacy Notice
We may update this Privacy Notice from time to time to reflect changes in law, guidance, technology, or our processing. We will post the updated version on this page and update the “Last updated” date. For material changes, we may provide additional notice.