
Privacy

Last updated 9 June 2026. Version 1.3

Important Note On Scope

This Privacy Notice explains how Nordic Creative Limited, trading as WPFlow, collects, uses, stores, shares and protects personal data when you visit the WPFlow website, contact us, create an account, sign up for the service, connect a WordPress site, use the workspace, provision staging, submit requests, upload materials, review work, approve releases, manage billing or otherwise interact with WPFlow.

It should be read alongside the Terms and the Cookie Policy. The Terms include important rules about customer content, connected websites, credentials, staging environments, approvals, releases, customer responsibilities and data processing.

WPFlow is a business-focused service. It is not intended for children or for purely personal household use.

1. Who We Are

Nordic Creative Limited, trading as WPFlow, is the organisation responsible for WPFlow.

  • Registered in England and Wales under company number 07580121.
  • Registered office: Kemp House, 152 City Road, London EC1V 2NX.
  • VAT number: 485 7059 50.

For privacy questions, rights requests or data protection concerns, please use the Contact page.

2. Our Role: Controller And Processor

WPFlow handles different types of personal data in different roles.

Where WPFlow Is Controller

WPFlow is usually the data controller for personal data we collect and use for our own business and service purposes, including:

  • account, profile and login data;
  • billing, subscription, invoice and payment-status data;
  • contact, sales, support and feedback records;
  • website analytics and cookie data, where used;
  • service usage, security, audit and access logs;
  • legal, compliance, fraud-prevention and business administration records.

Where we are controller, we decide why and how that personal data is processed and are responsible for complying with UK data protection law for that processing.

Where The Customer Is Normally Controller And WPFlow Is Processor

WPFlow customers connect WordPress sites and may allow WPFlow to copy, host, inspect, modify, test or otherwise process information contained in those sites and related staging environments. That information may include personal data belonging to the customer's own website visitors, customers, staff, users, leads or other third parties.

When we process that personal data only to provide WPFlow to the customer, we normally act as the customer's processor or service provider. The customer is normally the controller, or is responsible for making sure it has authority from the relevant controller if it is acting on behalf of another organisation.

This means the customer is responsible for making sure it has the legal right, authority, notices, consents, lawful basis and instructions needed to connect its website, share data with WPFlow, create staging environments and request work through WPFlow.

If your personal data appears in a customer's WordPress site, staging site, request, upload or release material, the relevant customer may be the controller. We may need to refer your request to that customer or act only on that customer's instructions, unless we are legally required or permitted to act directly.

WPFlow may still act as an independent controller for limited purposes connected with customer site data, such as security, abuse prevention, legal compliance, incident investigation, billing, audit records and protecting WPFlow, customers and other users.

3. The Personal Data We Collect

We collect different categories of personal data depending on how you use WPFlow.

Identity And Account Data

This may include your name, email address, company or organisation name, role, account permissions, login identifiers, password hash, account status and team membership.

Contact And Enquiry Data

This may include messages you send us, contact-form details, website URL, email address, support questions, feedback, attachments and records of our responses.

Website, Onboarding And Environment Data

This may include the website URL, WordPress environment details, site health and supportability information, plugin/theme information, hosting or deployment context, onboarding steps, site connection metadata, production/staging URLs, release status, publish mode, rollback notes and other information needed to assess, prepare and operate the service.

Customer Site Data And Staging Data

When a customer connects a WordPress site, WPFlow may process information from the connected live site, staging site, site clone, site snapshot, request thread, upload, release package, log or testing workflow.

Depending on the customer's site, this may include personal data contained in pages, posts, media, forms, comments, user accounts, customer records, order-related presentation data, contact submissions, metadata, configuration records, logs or other WordPress content. The exact categories depend on what the customer has placed on or connected to its website.

Customers should minimise, remove or mask personal data that is not needed for WPFlow to provide the service. Customers should not connect a site or provide data unless they have the right to do so.

Access, Credential And Secret-Related Data

This may include WordPress usernames, one-time WordPress Application Password details, connection tokens, access metadata and, where necessary for the service, other access details such as hosting, SFTP, SSH, database, API or deployment credentials.

Do not provide passwords, API keys, private keys, payment card details or other secrets through ordinary messages, uploads, contact forms or free-text fields unless WPFlow has specifically asked you to use that route. Use the secure access or credential process provided by WPFlow where available.

Request, Upload And Workspace Data

This may include request text, screenshots, design references, files, URLs, device context, acceptance criteria, approvals, revisions, staging review notes, release notes, evidence, feedback and thread history.

Transaction And Billing Data

This may include plan, subscription, Credit balance, PAYG credit purchase, auto top-up setting, invoice, payment status, billing contact, customer portal activity and limited payment identifiers received from payment providers. Full payment card details are handled by Stripe or another payment provider and are not stored by WPFlow in the ordinary course of business.

Technical, Device And Security Data

This may include IP address, browser, device, operating system, session metadata, authentication events, access logs, security logs, error logs, audit events, diagnostic data and abuse-prevention signals.

Usage And Analytics Data

This may include pages viewed, product events, interactions, feature usage, performance information, analytics data, first-party visitor or session identifiers, first-touch and last-touch attribution identifiers, referrer host, landing page, UTM campaign fields, safe campaign click identifiers and similar measurement data, subject to your cookie and consent choices where required.

Marketing Preference Data

This may include consent status, subscription choices, communication preferences, unsubscribe records and whether you interact with marketing communications where enabled.

Sales And Attribution Data

Where we run outreach or measure how WPFlow is found, this may include campaign source, lead source, company domain, keyed email hashes, self-reported source, signup attribution, payment-conversion attribution and related confidence scores. We do not use recipient-specific public tracking links for cold email, and we do not send email addresses or free-text signup details to analytics or advertising platforms.

4. Information Customers Must Not Provide Unless Necessary And Authorised

WPFlow needs access to enough information to provide a staging-first WordPress development service. However, customers remain responsible for what they choose to put on their live site, staging site, in request threads, uploads, support messages and access packs.

Unless it is strictly necessary, lawful, authorised and requested through an appropriate secure process, you must not provide WPFlow with:

  • special category personal data, such as health data, biometric data, religious beliefs, political opinions, trade union membership or sexual orientation;
  • criminal offence data;
  • children's personal data;
  • full payment card numbers or card security codes;
  • account passwords, private keys, API keys, seed phrases or long-lived secrets;
  • confidential legal, medical, financial or HR records;
  • personal data belonging to another person unless you have the right to share it;
  • data that your own privacy notice, contracts or laws do not allow you to share with WPFlow.

If you connect a site that contains personal data, sensitive data, regulated data or third-party confidential information, you confirm that you have the authority and lawful basis to allow WPFlow to process it for the service. You are responsible for telling WPFlow about any restrictions that apply before connecting the site or submitting the request.

If we reasonably believe that unnecessary sensitive data, secrets or unsafe material have been provided, we may reject a request, ask you to remove or sanitise the material, restrict processing, suspend access or take other reasonable steps to protect the service and affected individuals.

5. Where We Get Personal Data From

We collect personal data from:

  • you directly, when you fill in forms, contact us, sign up, create an account, connect a site, submit requests, upload files, approve work or use the service;
  • your organisation or team members, where they invite you, assign a role, submit information about you or manage the account;
  • connected WordPress sites and staging environments, where a customer connects a site or asks us to provide the service;
  • automated systems, including server logs, product events, cookies, security tools and similar technologies, subject to your choices where required;
  • third parties where relevant, such as payment providers, hosting and infrastructure providers, email and support providers, security providers, analytics providers, sales/outreach providers and other service providers.

6. How We Use Personal Data And Our Lawful Bases

We only use personal data where we have a lawful basis under UK GDPR or where we process it as a processor on a customer's instructions.

| Purpose | Personal data involved | Lawful basis or role |
| --- | --- | --- |
| Account creation, login and account administration | Identity, account, profile, role and login data | Contract, legitimate interests and, where required, legal obligation |
| Providing the WPFlow service | Account data, request data, uploads, website/environment data, Customer Site Data, Staging Data and access data | Contract for customer/account data. Processor on customer instructions for Customer Site Data and Staging Data where the customer is controller |
| Onboarding, supportability checks and staging setup | Website URL, WordPress environment details, connection metadata, access information and staging data | Contract, legitimate interests and processor on customer instructions where Customer Site Data is involved |
| Scoping, building, testing, QA, evidence and release workflows | Request data, uploads, site context, staging data, release notes, logs and approval records | Contract, legitimate interests and processor on customer instructions where Customer Site Data is involved |
| Billing, subscriptions, Credits, PAYG credit purchases, auto top-up settings and payment administration | Billing contact, plan, invoice, payment status, limited payment identifiers and customer portal data | Contract, legal obligation and legitimate interests |
| Customer support and service communications | Contact details, messages, support records, feedback and account context | Contract and legitimate interests |
| Security, fraud prevention, abuse prevention and incident response | Technical, device, access, audit, security and diagnostic data | Legitimate interests and legal obligation |
| Product reliability, service improvement and internal reporting | Usage data, support records, product events, aggregated data and diagnostic data | Legitimate interests. Consent where required for non-essential cookies or analytics |
| Attribution, campaign measurement and conversion reporting | First-party visitor/session identifiers, campaign parameters, signup attribution, self-reported source, keyed email hashes, domain matches and Stripe payment-confirmation references | Legitimate interests. Consent where required for non-essential cookies or analytics |
| Marketing communications | Contact details, marketing preferences and interaction data | Consent or legitimate interests where permitted by law |
| Legal, tax, accounting, compliance and dispute handling | Account, billing, support, audit, security and contractual records | Legal obligation and legitimate interests |

Where we rely on legitimate interests, we assess whether the processing is necessary and balanced against your rights.

Where we process Customer Site Data or Staging Data as a processor, the customer is responsible for identifying the relevant lawful basis for its own processing and for giving WPFlow lawful instructions.

7. Cookies And Similar Technologies

We use cookies and similar technologies to run the website, remember choices, protect accounts, measure usage and, where permitted, support marketing.

Strictly necessary cookies and storage may be used for core site, security, account and service functions and do not usually require consent.

Analytics, measurement, advertising or marketing cookies are used only where consent is required and has been obtained.

Where measurement is active, WPFlow may use first-party attribution cookies and local storage to remember an anonymous visitor ID, current session ID, first-touch ID and last-touch ID. These help connect public website visits, signup intent and server-side Stripe conversion records without placing email addresses, names or free-text details in browser analytics events.

You can read more in the Cookie Policy. Where cookie settings tools are available, you can use them to manage relevant choices.

8. Special Category Data And Children

WPFlow does not intentionally collect special category personal data or children's personal data as part of ordinary website or service operation.

However, because customers may connect existing WordPress sites and create staging environments, a customer's site may contain personal data that WPFlow has not selected and may not know about in advance. Customers are responsible for ensuring that any such data is lawful to share with WPFlow and is not provided unless necessary and authorised.

WPFlow is intended for adults and business users. If we learn that children's personal data has been provided in circumstances where it should not have been, we will take reasonable steps to address it as required by law and the relevant customer instructions.

9. Who We Share Personal Data With

We share personal data only where necessary and proportionate for the purposes described in this Privacy Notice, the Terms or applicable law.

This may include sharing with:

  • hosting, VPS, server, infrastructure and staging providers, currently including Hetzner where used for hosting or server infrastructure;
  • payment and billing providers, including Stripe, which handles payment processing and payment-method storage through its own systems;
  • secure credential and password-management providers, including 1Password where used to manage customer access information securely;
  • version control, repository, deployment, release-evidence and audit-trail providers, including GitHub where used;
  • email, notification, support, ticketing and customer communication providers;
  • analytics, cookie, product-measurement and consent-management providers where used;
  • security, monitoring, logging, backup, anti-abuse and incident-response providers;
  • automation, AI, coding, QA or operational tooling providers used to support the governed WPFlow service;
  • professional advisers, insurers, auditors, accountants and legal advisers;
  • regulators, courts, law enforcement, tax authorities or other third parties where required or permitted by law.

Where a provider acts as our processor, we require it to process personal data only for authorised purposes and with appropriate safeguards. Where a provider acts as an independent controller, its own privacy notice will apply to its processing.

We do not sell personal data.

10. Payment Processing

WPFlow uses Stripe or another payment provider to handle payment authority, payment methods, subscriptions, invoices and related billing workflows.

WPFlow does not ordinarily store full card numbers or card security codes. Those details are handled by the payment provider. WPFlow receives limited billing and payment-status information, such as plan, invoice, payment status, customer identifier, payment-method type, card brand and last four digits where provided by the payment provider.

Do not send payment card details to WPFlow through contact forms, request threads, uploads, chat, email or support messages.

11. Credentials, Access Details And Secrets

WPFlow may need temporary or limited access details to connect to or work with a customer's WordPress site, staging environment, hosting account, repository, deployment flow or related tools.

Customers are responsible for ensuring that any access details they provide are authorised, appropriate, limited to what is needed and can be revoked or rotated. Where possible, customers should use temporary, scoped or one-time access methods.

WPFlow uses appropriate access controls and, where operationally appropriate, a managed password-management tool such as 1Password to store and manage customer access information. Credentials and secrets should not be pasted into ordinary request messages, uploads or contact forms unless WPFlow specifically instructs you to use that route.

After work, termination or decommissioning, customers should revoke or rotate any access details they provided where appropriate.

12. International Transfers

Personal data may be processed in the UK, the EEA and other countries where WPFlow or its service providers operate.

Where we make restricted transfers of personal data outside the UK without adequacy coverage, we use appropriate safeguards such as the UK International Data Transfer Agreement, the UK Addendum to Standard Contractual Clauses, Standard Contractual Clauses, transfer risk assessments, adequacy regulations or another lawful transfer mechanism.

Where a customer has specific data-location or transfer requirements for Customer Site Data or Staging Data, the customer should raise them before connecting a site or submitting a request. WPFlow may not be able to support every requirement within the standard service.

13. Data Retention

We keep personal data only for as long as necessary for the purposes described in this Privacy Notice, the Terms, customer instructions, operational needs, security requirements, legal obligations and dispute handling.

Typical retention periods and criteria include:

  • account, team and profile data: while the account is active and for a limited period afterwards where needed for service administration, security, fraud prevention, legal compliance or disputes;
  • contract, legal acceptance and account records: for the duration of the relationship and then as needed for limitation, tax, accounting, audit and compliance purposes;
  • billing and transaction records: typically up to 6 years where required for accounting, tax and contractual limitation purposes;
  • support records, request threads, feedback and customer communications: typically 2 to 3 years after resolution or account closure, unless needed longer for complaints, disputes, security, compliance or service history;
  • uploads, design references, screenshots, request evidence and release notes: while needed for the request, staging review, release, QA, revision, support, dispute handling or account history, then deleted, anonymised or aged out where practical;
  • Customer Site Data, Staging Data, site clones, snapshots, repositories and release assets: while the account, welcome-credit period, request, staging environment, release workflow or support issue is active, and afterwards for a limited period needed for rollback, QA, security, audit, dispute handling, legal compliance, deletion workflows and backup expiry;
  • credentials, secrets and access details: only for as long as needed for the relevant access purpose, supportability checks, service delivery, security or dispute handling, after which they should be removed, rotated or disabled where practical;
  • security, access and audit logs: typically 6 to 24 months, longer where needed to investigate incidents, protect the service, enforce terms or comply with law;
  • marketing suppression and consent records: for as long as needed to respect your choices and demonstrate compliance.

When data is no longer needed, we delete, anonymise or decommission it where practical. Backup copies may remain until they expire through routine backup cycles. We may keep limited records where required or permitted for legal, security, accounting, audit or dispute purposes.

Where WPFlow processes Customer Site Data as a processor, deletion, return or retention may also depend on the customer's instructions and the Terms.

14. Security

We use appropriate technical and organisational measures designed to protect personal data, taking into account the nature of the data, the processing involved and the risks.

These measures may include:

  • encryption in transit and, where appropriate, at rest;
  • access controls, least-privilege access and role-based permissions;
  • secure credential management, including use of a managed password-management tool such as 1Password where appropriate;
  • payment processing through Stripe or another payment provider rather than storing full card details ourselves;
  • logging, monitoring, audit trails and security review processes;
  • staging-first delivery, release evidence and approval controls;
  • version control, release tracking and rollback-aware records where supported;
  • secure development, testing and operational controls;
  • backup, recovery, incident-response and decommissioning processes;
  • internal policies and controls for handling exceptions.

No method of transmission or storage is completely secure. Customers also have security responsibilities, including keeping account credentials secure, using authorised access routes, avoiding unnecessary secrets in messages, reviewing access permissions and revoking or rotating credentials where appropriate.

15. Your Rights

Under UK GDPR, you may have rights including:

  • access to your personal data;
  • rectification of inaccurate or incomplete data;
  • erasure in certain circumstances;
  • restriction of processing in certain circumstances;
  • objection to processing in certain circumstances, including direct marketing;
  • data portability in certain circumstances;
  • withdrawal of consent where processing is based on consent.

To exercise your rights, please use the Contact page. We may ask for information to verify your identity before responding.

We respond without undue delay and usually within one month. That period may be extended where legally permitted for complex or multiple requests.

If your request relates to personal data contained in a customer's connected WordPress site, staging environment, upload, request or release material, the customer may be the controller. In that case, we may need to refer your request to the customer or act on the customer's instructions, unless the law requires or permits us to act directly.

16. Marketing Preferences

You can opt out of marketing at any time through unsubscribe links, account settings where available or by contacting us.

Where we rely on consent, you can withdraw consent at any time. Withdrawal does not affect processing carried out before that withdrawal.

We may keep suppression records to make sure we respect your marketing choices.

17. Automated Tools, AI And Profiling

WPFlow may use automated tools, AI-assisted tools and structured decision-support systems to help operate the service. This may include scoping requests, classifying risk, estimating credits, preparing build instructions, supporting QA, detecting fraud or misuse, improving reliability, routing support questions and protecting accounts.

These tools are used as part of WPFlow's governed workflow. Standard work is prepared on staging, and live publish remains subject to customer approval through the service workflow.

We do not carry out solely automated decision-making that has legal or similarly significant effects on individuals unless we provide the safeguards and information required by law.

Customers must not include sensitive personal data, secrets or unnecessary third-party data in request text, uploads or prompts unless it is necessary, lawful, authorised and submitted through an appropriate route.

18. Complaints

If you are unhappy with how we handle personal data, please contact us first so we can try to resolve the issue.

You also have the right to complain to the Information Commissioner's Office. More information is available at ico.org.uk.

19. Third-Party Links And Services

Our website, workspace or support materials may link to third-party websites, platforms, plugins, payment portals, hosting tools, repositories, documentation or services.

Their privacy practices are governed by their own notices, not this Privacy Notice. You should review their privacy information before using them or sharing personal data with them.

20. Customer And User Responsibilities

You are responsible for:

  • providing accurate and up-to-date information;
  • keeping your WPFlow account credentials secure;
  • using appropriate roles and permissions for your team;
  • ensuring you are authorised to act for the website, business or organisation you connect to WPFlow;
  • ensuring you have the right to provide any personal data, Customer Site Data, Staging Data, uploads, credentials, secrets or third-party materials to WPFlow;
  • providing your own privacy notices, cookie notices, consent tools and lawful bases where required for your website users, customers, staff, leads and visitors;
  • telling WPFlow about any restrictions that apply to data before connecting a site or submitting a request;
  • not providing unnecessary sensitive data, special category data, children's data, payment card data, passwords, API keys or secrets through unsafe channels;
  • reviewing staging work, release notes and approval prompts carefully before approving live release;
  • revoking or rotating credentials where appropriate after use, account closure or termination.

If you provide another person's personal data, you confirm that you have the right to do so and that the sharing is lawful.

21. Changes To This Privacy Notice

We may update this Privacy Notice from time to time to reflect changes in law, guidance, technology, service providers, security practices or our processing.

We will post the updated version on this page and update the "Last updated" date. For material changes, we may provide additional notice through the website, account, email or other appropriate channels.


Nordic Creative Limited trading as WPFlow. Company No. 07580121. VAT 485 7059 50

Copyright 2026 WPFlow