Privacy Policy

We respect and value the privacy of everyone who visits our websites and uses our software products. This policy explains what data we collect, how we use it, and how we protect it.

About Us

Data Controller

AJT Managed IT Services Limited, Unit 3 Centenary Industrial Estate, Brighton, BN2 4AW

Data Protection Officer

Matt Artley, dpo@ajt.support

Contact

01273 600089 | VAT: 723 366 833

Your Rights Under UK GDPR

As a data subject, you have the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights related to automated decision making. If you have a complaint, contact us and we will do our best to resolve it. You also have the right to lodge a complaint with the Information Commissioner's Office.

1. What Data Do We Collect?

Website Data
When you visit our sites, create an account, or make a purchase, we may collect:
- Name and business/company name
- Contact information (email addresses, telephone numbers)
- Billing address and VAT number where applicable
- Payment information (processed securely via Stripe, we do not store full card numbers)
- Last four digits of your payment card and card brand (display purposes only)
- IP address, browser type and version, operating system
- Referring URLs, pages visited, and exit pages
- Account credentials (passwords are hashed and never stored in plain text)
- Support ticket submissions and correspondence
Plugin Data
When you install and activate any of our Plugins, the plugin communicates with our licensing server for licence verification, update delivery, and support. The following data is transmitted:
- Your site URL (domain name)
- WordPress administrator email address associated with the licence
- Plugin slug, version number, and licence status
- WordPress version and PHP version
- A unique site identifier (UUID) generated at registration
- Licence key (transmitted as a SHA-256 hash only)
- Server IP address (as part of the HTTP request)
- Diagnostic data when submitting support tickets
Heartbeat Mechanism
Our Plugins periodically contact our licensing server to verify licence validity and check for updates. This occurs approximately every 10 minutes for plugins using the full Licence Module, and on each WordPress admin page load for plugins using Licence Lite. Each heartbeat transmits your site URL, plugin slug, site UUID, and a cryptographic token. No customer or end-user personal data from your WordPress site is transmitted during this process.
Sentinel (MU-Plugin)
AJT Stripe Integration Pro installs a must-use plugin (ajt-sentinel.php) for licence compliance verification. The Sentinel performs local file integrity checks and verifies the plugin is running on the licensed domain. The Sentinel does not transmit any data independently; all communication goes through the plugin's existing heartbeat mechanism.
Data We Do NOT Collect
To be clear, our Plugins do not collect, transmit, or have access to:
- Your customers' personal data (names, emails, payment details)
- Your WordPress database contents
- Your Stripe API keys or accounting credentials
- Your Autotask PSA credentials or ticket data
- Content from your invoices, contracts, or business documents
- Any data entered into the customer portal by your end users

2. How Do We Use Your Data?

Website Data Usage
We use your website data for:
- Providing and managing your account
- Processing purchases and managing plugin licences
- Sending transactional emails (purchase confirmations, licence keys, renewal reminders, password resets)
- Providing technical support
- Analysing site usage to improve our products
- With your consent, sending marketing communications (you may unsubscribe at any time)
Plugin Data Usage
We use plugin data for:
- Verifying that your licence is valid and active
- Enforcing activation limits
- Delivering plugin updates to licensed sites
- Preventing unauthorised redistribution of our software
- Providing technical support (diagnostic data helps troubleshoot)
- Generating aggregate, anonymised usage statistics
Lawful Basis for Processing
Our use of your personal data always has a lawful basis:
- Contract performance: Processing necessary to fulfil our obligations under your licence agreement
- Legitimate interests: Licence compliance verification, anti-piracy measures, aggregate analytics, product improvement
- Consent: Marketing communications (you may withdraw consent at any time)

3. Data Storage and Security

Storage Location
Your data is stored on servers located within the United Kingdom. Our web hosting uses dedicated servers in UK data centres accredited with ISO 27001.
Security Measures
We take data security seriously and have implemented:
- AES-256-CBC encryption at rest for all personal data in our plugin databases
- SHA-256 blind index hashes for email lookups without decrypting every record
- Licence keys stored as SHA-256 hashes only (plain text shown once at generation)
- HMAC-SHA256 request verification with timestamp validation and nonce-based replay protection
- RSA-256 (RS256) asymmetric cryptography for licence token signing
- TLS/HTTPS for all data in transit
- Restricted server access with monitoring
Retention Periods
We retain data for the following periods:
- Active accounts: Duration of the customer relationship
- Licence records: Duration of licence plus 12 months after expiry
- Heartbeat event logs: Automatically pruned after 30 days
- Other licence audit events: Automatically pruned after 180 days
- Support tickets: Retained for 24 months after resolution
- Billing records: 7 years (UK tax and accounting requirements)
- Replay-protection nonces: Automatically pruned after 10 minutes

4. Third Parties and Data Sharing

Third-Party Processors
We use the following third-party services:
- Stripe (stripe.com) - Payment processing. Card details are transmitted directly to Stripe and never stored on our servers. Stripe is PCI DSS Level 1 certified.
- Google Analytics - Anonymous website usage analytics. No personally identifiable information is shared.
We do not sell, rent, or trade your personal data to any third parties.
When We Share Data
We will not share your data with third parties except:
- Where legally required (e.g. complying with a court order)
- With third-party processors as described above, under appropriate agreements
- Where anonymised, aggregate statistics are shared (never including personally identifying information)
International Data Transfers
Your data is primarily stored within the United Kingdom. Some third-party processors (such as Stripe) may process data in the United States or other jurisdictions. Where data is transferred outside the UK, we ensure appropriate safeguards are in place in accordance with UK GDPR requirements, including standard contractual clauses where applicable.

5. Cookies

Strictly Necessary Cookies
These are required for the operation of our Sites and include WordPress session cookies, login cookies, and CSRF protection tokens.
Analytics Cookies
We use Google Analytics cookies to understand how visitors use our Sites. These cookies collect anonymous usage data. You may opt out of analytics cookies without affecting your use of our Sites.
Managing Cookies
Before non-essential cookies are placed on your device, you will be shown a consent prompt. You may also manage cookies through your browser settings. Blocking all cookies (including strictly necessary cookies) may impair your ability to use certain features.

6. Controlling Your Data

Your Options
You may control your data in the following ways:
- Unsubscribe from marketing emails at any time
- Request a copy of all personal data we hold (Subject Access Request) by contacting our DPO
- Request correction of any inaccurate data
- Request deletion of your personal data, subject to legal obligations
- Manage cookie preferences through our consent tool or your browser settings
Under the UK GDPR, no fee is payable for a Subject Access Request and we will respond within one month.
Plugin-Specific Data Rights
If you deactivate and uninstall one of our Plugins:
- The plugin's uninstall routine removes all locally stored plugin data from your WordPress site
- The Sentinel MU-plugin is removed if no other AJT plugins remain active
- Your site registration record on our server is retained for 12 months after deactivation, then automatically purged
- You may request immediate deletion of your server-side record by contacting us

7. Additional Information

Children's Privacy
Our Sites and Plugins are not intended for use by children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
Changes to This Policy
We may update this Privacy Policy from time to time. Any changes will be posted on our Sites and, where significant, notified to existing customers by email. We recommend that you review this page periodically.

Privacy Questions?

If you have any questions about this Privacy Policy, please contact our Data Protection Officer.
DPO@ajt.support | 01273 600089
AJT Managed IT Services Limited, Unit 3 Centenary Industrial Estate, Brighton, East Sussex, BN2 4AW