Privacy Policy

Last updated: %s

1. Who we are

This Privacy Policy describes how SYSWP / SYSWP BR ("we", "us"), with registered office at Rua Bacurau 3103, Residencial Salvação, Santarém, Pará, Brasil, CEP 68037-035 (Brasil), processes personal data in connection with SysWP Shield.

Data Protection contact: [email protected].

2. What data we collect

We collect the minimum needed to provide the service:

Account data: Email, name, hashed password, language preference. Provided by you when you sign up.
Billing data: Stripe customer ID, subscription state. We do NOT store full card numbers — Stripe handles that.
Usage data: Login timestamps, IP of last login, sites you connect, anonymized request counts. Used for product analytics + abuse prevention.
Threat-intel data (opt-in): IPs your sites have blocked, the bot signals that triggered the block, country code, ASN. Sent only when the threat-intel-write feature is enabled.
Support correspondence: Anything you send via the contact form or email. Retained as long as needed to help you.

3. Why we process it

Contractual necessity — to deliver the service you signed up for.
Legitimate interest — to keep the network safe and prevent abuse.
Legal obligation — tax records, fraud prevention.
Consent — for optional features like the threat-intel network.

4. Who we share it with

We use a small number of subprocessors:

Stripe — Payment processing. Card data goes directly to Stripe and never touches our servers.
SMTP / Email provider — Transactional email delivery (verification, password reset, alerts). Email body and recipient are shared with the SMTP provider.
ipinfo.io — IP geolocation enrichment. Anonymized IP queries only.
Hosting — Server hosting. Encrypted at rest and in transit.

We do not sell, rent, or trade your personal data with anyone.

5. Threat intelligence network

When the threat-intel-write feature is active on a site you own, the plugin shares the following with our network:

Sent: blocked IP address, bot signals that triggered the block, max bot score, country code, ASN, timestamp.
NOT sent: visitor browsing history, page content, form submissions, cookies, user IDs, logged-in user info.
You can disable this at any time in the plugin Settings → General.

6. How long we keep it

Data	Retention
Account data	Until you delete your account, then 30 days for legal/billing reconciliation.
Billing records	7 years (tax law).
Threat reports	24h for consensus computation; 7 days for the consensus list itself; then permanent deletion.
Login attempts	7 days.
Email queue	30 days for sent items, indefinite for failed (so we can retry / debug).

7. Your rights

Under GDPR (and most modern privacy laws) you have the right to:

Access — request a copy of your personal data.
Rectification — correct inaccurate data.
Erasure — delete your account and associated data.
Portability — receive your data in a machine-readable format.
Objection — opt out of processing based on legitimate interest.

To exercise any of these rights, write to: [email protected].

8. Security

Passwords are hashed with Argon2id. All data in transit is TLS-encrypted. API credentials are stored server-side; the plugin only ever holds them locally on your WordPress install. Backups are encrypted at rest.

9. Cookies and analytics

Essential session cookie: we use one session cookie for authentication on the dashboard. It is necessary for the product to function and does not require consent.

Analytics (optional, consent-based): we use SysWP Radar (radar.syswp.com.br, hosted in Brazil, owned by SysWP) to understand traffic patterns and improve the product. It does NOT load before your explicit consent via the banner that appears on your first visit. You can accept, reject, or change your decision at any time.

We do not use: Google Analytics, Google Tag Manager, Facebook Pixel, or any third-party marketing/retargeting cookies. Removed on 2026-05-17 as part of LGPD/GDPR alignment.

10. International data transfers

Your personal data is primarily processed in Brazil (SysWP Radar) and on the servers hosting our SaaS. When we use third-party services (Stripe for payments, SMTP provider for emails), limited international transfer may occur:

• Stripe (USA) — for payment processing. Stripe is PCI DSS Level 1 certified.
• SMTP provider — may be in EU/USA. Only your email + subject line is transmitted.
• ipinfo.io (USA) — only public IP addresses are sent for geographic enrichment of threat reports. No user personal data.

By signing up to SysWP, you expressly consent to these transfers as necessary for the service to function (contract execution).

11. Changes to this policy

We will notify you by email at least 14 days before any material change takes effect.

12. Contact

SYSWP / SYSWP BR · Rua Bacurau 3103, Residencial Salvação, Santarém, Pará, Brasil, CEP 68037-035 · [email protected]