EU individual citizens have a right to erasure of their personal data, under the GDPR law. At UpdraftPlus, we are happy to extend this right to all users, world-wide, as we believe it is based upon good principles. You can read more about this legal right here, at the website of the UK Information Commissioner’s Office (the UK body which overseas data protection, including GDPR issues).
Data that we process
Firstly, you may want to familiarise yourself with how UpdraftPlus / UpdraftCentral process data, which you can read about here. If you have not got an updraftplus.com account (e.g. to use UpdraftCentral Cloud) then, as you can read there, we have no data that concerns you. You do not have an updraftplus.com account unless you created one (either manually, or by purchasing something). Please help us to invest as much resources as we can in improving our products by not asking us to delete data if we do not have any! To be clear: if you have no login at https://updraftplus.com/my-account/, then we do not have, and cannot process, any of your data, and thus have nothing to delete.
Data that we do not hold
Secondly – note that if you are using the free version of UpdraftPlus from https://wordpress.org/plugins/updraftplus/ or of UpdraftCentral from https://wordpress.org/plugins/updraftcentral/ , or any other wordpress.org plugin, then any data relating to updates of that version (i.e. updates requests sent to wordpress.org, and the information which they store relating to such requests/updates), or support of that version in their forum, is held by wordpress.org – i.e. the WordPress Foundation. We have no more access to it than you do. If you wish it to be deleted, then you will need to contact the WordPress Foundation.
Limitations upon rights to delete data
There are other laws, except the GDPR, which touch upon the deletion of data. In particular, there is some data which we are legally required to maintain for a time. For example, VAT (sales tax) laws require us to keep purchase data for audit purposes for a minimum of 10 years after purchase. UK data retention laws require us to keep webserver access logs for 6 months – after which they are automatically deleted. The GDPR also allows anonymization, instead of deletion of data, in some circumstances. Anonymization means that there is no way to trace the data back to you. Specific information follows.
What data we will delete or anonymize/scramble
- All your support form entries will be deleted from our website’s database. (This also happens automatically after 6 months).
- All your support ticket entries in our account with our support helpdesk software supplier (Helpscout) will be deleted.
- All your posts in our website support forum will be immediately deleted.
- If you are a customer, then your updraftplus.com account will be locked to prevent future logins. If you are not a customer, then it will be deleted. (See further below for the reason for the distinction).
- Any/all data in your UpdraftVault storage will be deleted.
- Any/all data in our licensing database tables concerning licences owned and sites connected will be deleted.
- Any/all entries in our UpdraftCentral Cloud database tables will be deleted.
- Any/all entries in our UpdraftClone database tables will be deleted.
- Any/all data pertaining to you in our MailChimp account will be deleted.
Things that are not deleted, or which are deleted later, with reasons
- Webserver access logs are deleted automatically after 6 months, but not before, for compliance with UK data retention laws, and for auditing and security purposes.
- We do not delete information out of our website backups, because this is technically too difficult to accomplish. However, they are stored encrypted after a number of months (depending on our current policy). We also keep a log of deletion requests so as to be able to a) demonstrate compliance and b) re-run any deletion requests in the event of needing to restore a backup.
- Sales records and data held by payment vendors (PayPal, Stripe) are retained for a minimum of 10 years, to comply with taxation/auditing laws, and our own accountancy and auditing requirements.
To request deletion of your personal data, please use this form. If you are not a paying customer, then you can leave the relevant fields empty, and explain in the message input area. If you are an EU citizen, then we are granted one month to respond to the request (usually, one month to carry it out). We will take steps to verify your identity, to prevent fraud/abuse (“social engineering” attacks).
Posted in: GDPR