WC Studio Privacy Policy
Effective: 1 Feb 2024 | Last updated: 4 Jul 2025
WC Studio (“WC Studio,” “we,” “our,” or “us”) provides managed WooCommerce hosting, software, APIs, and related communities (collectively, the “Services”). This notice explains how we collect, use, share, and protect your personal data when you:
- Visit our websites
- Use our apps, APIs, support channels, or Facebook community, or
- Otherwise interact with us offline or online.
If you are an end-user of a store that runs on WC Studio
Your data is controlled by that store owner. WC Studio acts only as a processor. Please contact the store owner directly to exercise your privacy rights.
1. What data we collect & why
| Category | Examples | Purpose | Legal basis |
|---|---|---|---|
| Account & contact | Name, email, phone, billing & shipping address | Create and maintain your account; fulfil orders | Contract |
| Payment | Tokenised card ID, last four digits (full card data is never stored by us) | Process payments, prevent fraud | Contract / Legitimate interest |
| Usage | IP address, device ID, pages visited, clicks, error logs | Improve performance, security, analytics, marketing | Legitimate interest |
| Marketing preferences | Newsletter opt-ins, webinar sign-ups | Send marketing you request | Consent |
| Support | Chat transcripts, tickets, attachments | Troubleshoot issues, train support agents | Legitimate interest |
| Community | Facebook group posts, profile picture | Operate and moderate the community | Legitimate interest |
| Recruitment | Résumé, LinkedIn profile, interview notes | Evaluate job candidates | Legitimate interest / Consent (where required) |
We do not solicit sensitive personal data (e.g., health, religion). Please do not send it to us.
1 GDPR / UK GDPR lawful bases.
2. Cookies & similar technology
We use first- and third-party cookies for:
- Essential — log-in, cart functionality, fraud prevention
- Analytics — product improvement and usage statistics
- Marketing — showing relevant ads on other sites
You can manage your preferences at any time via the Cookie Settings panel or your browser settings. A detailed Cookie Policy is available on our site.
3. How we share data
We never sell your personal data. We share it only with:
- Service providers — hosting, CDN, payment processors, email platforms, analytics, advertising, customer-support tools — bound by confidentiality agreements.
- Legal or safety needs — where required to comply with law, court order, or to protect rights.
- Business transfers — if we merge, sell, or reorganise, data will transfer under the same privacy commitments.
A current list of sub-processors is published in our Sub-Processor List.
4. International transfers
When personal data leaves your jurisdiction, we rely on one or more of the following safeguards:
- Participation in the EU-U.S. and Swiss-U.S. Data Privacy Framework,
- European Commission Standard Contractual Clauses, or
- other adequacy mechanisms recognised by applicable law.
5. Security
- Encryption in transit using TLS 1.2+
- AES-256 encryption at rest
- Role-based access controls and mandatory multi-factor authentication for staff
- Regular penetration testing and log audits
No Internet service is 100 % secure, but we follow industry best practice to protect your data.
6. Data retention
| Data type | Retention rule |
|---|---|
| Orders & invoices | 6 years (tax and accounting requirements) |
| Support tickets | 3 years after closure |
| Marketing consent | Until you opt out or after 24 months of inactivity |
| Backup snapshots | Rolled every 30 days |
We may retain data longer if required to meet legal obligations, resolve disputes, or enforce agreements.
7. Your rights
- Access / Portability — obtain a copy of your data.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion (subject to legal limitations).
- Restriction / Objection — limit or contest processing.
- Withdraw consent — unsubscribe from marketing at any time.
EU / UK residents
You may also lodge a complaint with your local Data Protection Authority if you believe we have not addressed your concern.
California residents (CCPA / CPRA)
We do not sell personal information. You have the right to know, delete, or opt out of “sharing” for cross-context advertising. Submit requests via the contact details below.
8. Children
Our Services are not directed to children under 13 (or the minimum age in your country). We delete any such data we discover.
9. Changes to this policy
We will post any revisions here with an updated “Last updated” date. For material changes, we will notify account holders at least 30 days in advance.