WC Studio

WC Studio Privacy Policy

Effective: 1 Feb 2024 | Last updated: 4 Jul 2025

WC Studio (“WC Studio,” “we,” “our,” or “us”) provides managed WooCommerce hosting, software, APIs, and related communities (collectively, the “Services”). This notice explains how we collect, use, share, and protect your personal data when you:

  • Visit our websites
  • Use our apps, APIs, support channels, or Facebook community, or
  • Otherwise interact with us offline or online.

If you are an end-user of a store that runs on WC Studio

Your data is controlled by that store owner. WC Studio acts only as a processor. Please contact the store owner directly to exercise your privacy rights.

1. What data we collect & why

| Category | Examples | Purpose | Legal basis¹ |
|---|---|---|---|
| Account & contact | Name, email, phone, billing & shipping address | Create and maintain your account; fulfil orders | Contract |
| Payment | Tokenised card ID, last four digits (full card data is never stored by us) | Process payments, prevent fraud | Contract / Legitimate interest |
| Usage | IP address, device ID, pages visited, clicks, error logs | Improve performance, security, analytics, marketing | Legitimate interest |
| Marketing preferences | Newsletter opt-ins, webinar sign-ups | Send marketing you request | Consent |
| Support | Chat transcripts, tickets, attachments | Troubleshoot issues, train support agents | Legitimate interest |
| Community | Facebook group posts, profile picture | Operate and moderate the community | Legitimate interest |
| Recruitment | Résumé, LinkedIn profile, interview notes | Evaluate job candidates | Legitimate interest / Consent (where required) |

We do not solicit sensitive personal data (e.g., health, religion). Please do not send it to us.

¹ GDPR / UK GDPR lawful bases.

2. Cookies & similar technology

We use first- and third-party cookies for:

  • Essential — log-in, cart functionality, fraud prevention
  • Analytics — product improvement and usage statistics
  • Marketing — showing relevant ads on other sites

You can manage your preferences at any time via the Cookie Settings panel or your browser settings. A detailed Cookie Policy is available on our site.

3. How we share data

We never sell your personal data. We share it only with:

  • Service providers — hosting, CDN, payment processors, email platforms, analytics, advertising, customer-support tools — bound by confidentiality agreements.
  • Legal or safety needs — where required to comply with law, court order, or to protect rights.
  • Business transfers — if we merge, sell, or reorganise, data will transfer under the same privacy commitments.

A current list of sub-processors is published in our Sub-Processor List.

4. International transfers

When personal data leaves your jurisdiction, we rely on one or more of the following safeguards:

  • Participation in the EU-U.S. and Swiss-U.S. Data Privacy Framework,
  • European Commission Standard Contractual Clauses, or
  • other adequacy mechanisms recognised by applicable law.

5. Security

  • Encryption in transit using TLS 1.2+
  • AES-256 encryption at rest
  • Role-based access controls and mandatory multi-factor authentication for staff
  • Regular penetration testing and log audits

No Internet service is 100% secure, but we follow industry best practice to protect your data.

6. Data retention

| Data type | Retention rule |
|---|---|
| Orders & invoices | 6 years (tax and accounting requirements) |
| Support tickets | 3 years after closure |
| Marketing consent | Until you opt out or after 24 months of inactivity |
| Backup snapshots | Rolled every 30 days |

We may retain data longer if required to meet legal obligations, resolve disputes, or enforce agreements.

7. Your rights

  • Access / Portability — obtain a copy of your data.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — request deletion (subject to legal limitations).
  • Restriction / Objection — limit or contest processing.
  • Withdraw consent — unsubscribe from marketing at any time.

EU / UK residents

You may also lodge a complaint with your local Data Protection Authority if you believe we have not addressed your concern.

California residents (CCPA / CPRA)

We do not sell personal information. You have the right to know, delete, or opt out of “sharing” for cross-context advertising. Submit requests via the contact details below.

8. Children

Our Services are not directed to children under 13 (or the minimum age in your country). We delete any such data we discover.

9. Changes to this policy

We will post any revisions here with an updated “Last updated” date. For material changes, we will notify account holders at least 30 days in advance.