Privacy Policy

Effective Date: March 28, 2022
Last Updated: November 12, 2025

Starter WP, Inc. (“Starter WP,” “we,” “us,” “our,” or “Company”) respects your privacy and is committed to transparent data practices. This Privacy Policy explains how we collect, use, retain, share, and protect information when you visit our website (https://starterwp.com), use our services (website design, managed WordPress hosting, AI-powered optimization recommendations), or otherwise interact with us.

By using our website or services, you consent to the practices described in this policy. If you do not agree with our practices, please do not use our services.

1. Information We Collect

We collect personal information in the following ways:

1.1 Information You Directly Provide

Contact Forms & Inquiries:

  • When you submit contact forms, request a consultation, or email us, we collect: name, email address, phone number (optional), company name, website URL, and any message content you provide.
  • This information is used to respond to your inquiry and discuss our services.

Service Registration & Account Creation:

  • When you sign up for Starter WP services, we collect: full name, email address, company name, billing address, phone number, and website details (domain name, current host, site description).
  • We use this to provision your account, deliver services, and provide support.

Payments & Billing:

  • When you purchase services through Square, we receive: name, email address, billing address, and payment method information.
  • Important: We do not store your full credit card, debit card, or bank account details. Square processes and securely stores all payment information per PCI DSS standards. We only receive a tokenized reference to your payment method and transaction confirmations.
  • We retain billing records for 7 years to comply with tax and accounting regulations.

Support & Communications:

  • When you contact support via email, the Customer Portal, or other channels, we collect the content of your messages, attachments, and any information you share to resolve issues.
  • We retain support tickets and correspondence for 2 years after your account closes, or as needed for dispute resolution.

Service-Related Data:

  • When you use Growth or Performance tier services, we collect WordPress site data needed to generate AI-powered optimization recommendations, including: site pages, posts, images, metadata, plugin/theme configuration, current design elements, content structure, performance metrics, page load times, Core Web Vitals, and technical site analysis.
  • This data is accessed directly from your WordPress site via our systems and analyzed to provide personalized recommendations.
  • This data is used solely to provide personalized recommendations and is shared with third-party AI services (see Section 3.2) to generate insights.
  • Site content analyzed for recommendations is not used for marketing, training models on your specific data, or other purposes without your explicit consent.

1.2 Automatically Collected Data

Analytics via Matomo:
We use Matomo, a privacy-friendly, self-hosted analytics platform that does NOT share data with third parties. Matomo collects:

  • Browser type and version
  • Operating system and device type
  • Pages visited, duration on page, and scroll depth
  • Referring website
  • Approximate geographic location (city-level, anonymized; no precise coordinates)
  • Search queries used to reach us

Privacy Protections:

  • IP addresses are anonymized before storage (last octet removed)
  • No third-party tracking cookies are used
  • No advertising networks have access to your data
  • Matomo data is stored on our infrastructure (DigitalOcean servers in the US) and never transferred to external parties
  • You can opt out of analytics collection by clearing your browser cookies or using a do-not-track (DNT) signal (see Section 6 for details)

Server & Infrastructure Logs:
When you visit our website or access hosted services, our servers automatically record:

  • HTTP request details (method, path, status code)
  • Access timestamps
  • Referrer information
  • User-agent (browser identification)
  • Anonymized IP address (partial)

These logs are retained for 30 days for security monitoring and then purged.

Hosted Site Infrastructure & Content Data:
For customers using our managed WordPress hosting:

  • We collect server performance data (CPU, memory, database query volume, bandwidth) to monitor site health and uptime.
  • We access and analyze your site content, including pages, posts, images, plugins, themes, and technical structure to generate AI-powered optimization recommendations. This analysis is performed automatically by our AI systems and is necessary to provide the optimization features included in your service tier.
  • We may also access site content when you request support, troubleshooting, or manual implementation of recommendations.
  • Your site content is analyzed using third-party AI services (see Section 1.1: Service-Related Data and Section 3.2: AI-Powered Recommendations).

2. How We Use Your Information

We use information we collect for the following purposes:

Service Delivery:

  • Provision and configure your website and hosting environment
  • Deliver managed hosting services, daily backups, security updates, and maintenance
  • Generate AI-powered optimization recommendations
  • Monitor site uptime and performance per our SLA
  • Provide technical support and troubleshooting

Communication:

  • Respond to your inquiries and support requests
  • Send transactional emails (account confirmation, billing receipts, service notifications, password resets)
  • Send service updates, maintenance notices, and status notifications
  • Send optimization recommendations and performance reports (for Growth/Performance tiers)
  • Notify you of changes to our Terms of Service or Privacy Policy

Business Operations:

  • Process and manage billing and payments
  • Improve our website, products, and user experience
  • Analyze aggregate usage trends to optimize infrastructure and services
  • Audit and maintain records for legal and tax compliance
  • Monitor for fraud, security threats, and policy violations

Legal & Compliance:

  • Comply with applicable laws, regulations, and legal obligations
  • Enforce our Terms of Service and other agreements
  • Protect the rights, safety, and property of Starter WP, our customers, and the public
  • Defend against legal claims

With Your Consent:

  • Send marketing communications or promotional offers (only if you opt in; see Section 6 for unsubscribe details)
  • Use anonymized site data to improve our recommendation algorithms (you can opt out)

We do NOT use your information for automated decision-making or profiling that produces legal or similarly significant effects.

3. Sharing and Disclosure of Information

3.1 We Do NOT Sell Your Data

Starter WP does not sell, rent, or lease your personal information to third parties for marketing purposes. We never have and never will.

3.2 Trusted Service Providers

We may share information with third-party service providers who process data on our behalf under Data Processing Agreements (DPAs) that require them to protect your data with the same level of care we do:

Payment Processing:

  • Square, Inc. (Block, Inc.) (https://squareup.com) – processes payments and stores tokenized payment methods. Square is PCI DSS Level 1 certified. We share: name, email, billing address, transaction details.

Infrastructure & Hosting:

  • DigitalOcean LLC (https://www.digitalocean.com) – hosts our website and customer sites; provides server infrastructure, backups, security patches, and DDoS protection. We share: all hosted site data (files, databases, user accounts, content). DigitalOcean's data centers are located in the US (NYC region). DigitalOcean maintains SOC 2 Type II compliance.

Website Security & Performance:

  • Cloudflare, Inc. (https://www.cloudflare.com) – provides DDoS protection, SSL/TLS encryption, firewall services, and content delivery. We share: HTTP request metadata, anonymized IP addresses, performance logs.

Email Delivery:

  • SendGrid (https://sendgrid.com) and/or Mailgun (https://mailgun.com) – transactional and service email delivery. We share: email address, recipient name, message content (transactional emails and support responses).

AI-Powered Recommendations:

  • Anthropic (Claude API) (https://anthropic.com), OpenAI (GPT API) (https://openai.com), and Perplexity (https://perplexity.ai) – used to generate optimization recommendations and content analysis. We share: site page content, plugin/theme configurations, design elements, performance metrics, and aggregate content analysis (NO customer personal information like names, email addresses, billing data, or customer lists).
  • Third-party AI services process data per their Privacy Policies; we recommend reviewing them at the links above.
  • You can contact us at [email protected] to understand exactly what data was sent to AI services for analysis of your specific site.

Incident Monitoring & Status Communication:

Customer Portal & Support:

  • Starter WP Custom Platform – internally developed and hosted on DigitalOcean infrastructure. Manages support tickets, customer portal access, account management, and backup downloads. We share: email address, name, support ticket content, account data.

All third-party service providers are contractually obligated to:

  • Use data only for the purposes we specify
  • Maintain appropriate security safeguards
  • Delete or return data when no longer needed
  • Not disclose data to other third parties without authorization

We may disclose your information when required by law or in response to legal process:

  • Lawful requests from government agencies, law enforcement, or courts (subpoena, warrant, court order)
  • To comply with applicable laws, regulations, and industry standards
  • To enforce our Terms of Service and other legal agreements
  • To protect the rights, safety, and property of Starter WP, our customers, employees, or the public
  • To prevent, detect, or investigate fraud, security breaches, or illegal activity
  • In the event of a merger, acquisition, bankruptcy, or sale of assets (you will be notified)

When legally permitted, we will notify you before disclosing your information to authorities, except where prohibited by law.

3.4 Data Processors (GDPR Context)

For customers subject to GDPR:

  • Starter WP acts as a Data Processor for content and site data you upload
  • You (the customer) are the Data Controller
  • We process data only on your instructions and per our Data Processing Agreement (DPA)
  • A DPA is automatically included in your service agreement; contact [email protected] to request a signed copy or modifications

For customers subject to CCPA:

  • We are a “Service Provider” under CCPA
  • We do not sell personal information and will not retain, use, or disclose personal information except as necessary to perform our services
  • See Section 9 for additional California resident disclosures

4. Data Security

Starter WP takes data security seriously and implements industry-standard safeguards:

Encryption & Network Security:

  • HTTPS (TLS 1.2+) encryption for all website and portal traffic
  • End-to-end encryption for payment data (via Square)
  • Firewall and network segmentation
  • DDoS protection via Cloudflare

Infrastructure Security:

  • Servers hosted on DigitalOcean with regular security updates and patching
  • Automated security vulnerability scanning
  • Intrusion detection and prevention systems
  • Regular backup verification and disaster recovery testing

Access Controls:

  • Employee access to customer data limited to those with operational need
  • Multi-factor authentication (MFA) for administrative accounts
  • Role-based access controls (RBAC)
  • Audit logging of administrative actions

Data Protection:

  • Daily encrypted backups of customer sites (retained 30 days, extended to 60 days post-cancellation)
  • Anonymized analytics (IP addresses stripped before storage)
  • API keys and secrets stored securely using environment-based encryption

Compliance & Audits:

  • GDPR and CCPA compliance measures in place
  • SOC 2 Type II audit planned upon revenue milestone achievement
  • Annual third-party security assessment

Important Limitation:
No method of transmission or storage is 100% secure. While we implement industry-standard safeguards, we cannot guarantee absolute security. You are responsible for:

  • Keeping your WordPress login credentials confidential and secure (use minimum 16-character passwords)
  • Enabling two-factor authentication (2FA) on your account
  • Never sharing credentials via email or unsecured channels
  • Reporting suspected security breaches immediately to [email protected]

5. Data Retention

We retain personal information only as long as necessary for the purposes outlined in this policy, or as required by law. Specific retention schedules:

Contact & Inquiry Data:

  • Retained for 2 years after last contact, then deleted

Customer Account Data (Active):

  • Retained while your account is active
  • Name, email, billing address, payment method reference: indefinite (as long as account exists)
  • Upon account closure: 7 years (for tax and financial records)

Customer Account Data (Inactive):

  • After account cancellation: 90 days (to allow account recovery)
  • After 90 days: purged unless legal hold applies

Billing & Transaction Records:

  • Retained for 7 years to comply with tax regulations (IRS requirement)

Backups:

  • Daily backups: 30-day retention (automatic)
  • Upon cancellation: extended to 60 days for download (see Section 6A)
  • After 60 days post-cancellation: permanently deleted

Support Tickets & Correspondence:

  • Retained for 2 years after ticket closure
  • After 2 years: archived and purged

Analytics Data (Matomo):

  • Raw event data: 90 days
  • Aggregated reports: indefinite (no personal data)
  • Historical individual session data: deleted after 90 days

Server & Infrastructure Logs:

  • Retained for 30 days, then purged

Cookies & Tracking Data:

  • Session cookies: deleted upon browser close
  • Persistent cookies (optional, opt-in only): deleted upon opt-out or expiration

Temporary Data:

  • Data provided for demos, trial periods, or consultations: deleted after 30 days if no account created

Legal Holds:

  • Data subject to ongoing litigation, legal investigation, or regulatory inquiry may be retained longer

You may request deletion of your data at any time (see Section 7: Your Rights).

6. Cookies, Tracking, and Your Choices

6.1 Cookies & Similar Technologies

What We Use:

  • Session cookies (temporary): Required for website functionality, login, and form submission. Deleted when you close your browser.
  • Analytics cookies (optional): Matomo analytics identifiers. Only set if you accept analytics collection (or opt in if prompted).

What We Do NOT Use:

  • Third-party advertising cookies
  • Retargeting/behavioral tracking cookies
  • Social media tracking pixels (Facebook Pixel, Twitter, etc.)
  • Marketing automation cookies
  • Google Analytics or other third-party analytics platforms

6.2 How to Manage Cookies & Tracking

Opt Out of Matomo Analytics:

  • Use the Matomo opt-out form on our website (https://starterwp.com/privacy-policy/)
  • Clear your browser cookies (all sites)
  • Enable “Do Not Track” (DNT) in your browser settings
  • Use an ad blocker or privacy extension (uBlock Origin, Privacy Badger, etc.)

Browser Controls:

  • Chrome: Settings > Privacy and Security > Cookies and other site data > Block all cookies
  • Firefox: Settings > Privacy & Security > Enhanced Tracking Protection > Strict
  • Safari: Preferences > Privacy > Cookies and website data > Block all
  • Edge: Settings > Privacy, search, and services > Tracking prevention > Strict

Note: Disabling cookies may impact website functionality (e.g., you may need to log in more frequently).

6.3 Do Not Track (DNT)

Most browsers allow you to set a “Do Not Track” signal. We respect DNT signals and will not use advertising or behavioral tracking if DNT is enabled. However, we may still collect analytics data if you have not opted out via other means.

6.4 Marketing & Newsletter Communications

Opt-In Model:

  • We only send marketing emails if you explicitly opt in during signup or account creation
  • You may receive service-related emails (billing, updates, support) even if you don’t opt in to marketing

Unsubscribe:

  • Every marketing email contains an “Unsubscribe” link
  • Click to remove yourself from mailing lists instantly
  • Or visit https://starterwp.com/unsubscribe/ to manage preferences

7. Your Rights

Depending on your location, you have the following rights regarding your personal information:

7.1 Universal Rights (All Locations)

Right to Access:

  • Request a copy of all personal information we hold about you in a structured, machine-readable format

Right to Correction:

  • Request that we correct inaccurate or incomplete information
  • Contact us at [email protected] with details

Right to Deletion (Right to be Forgotten):

  • Request deletion of your personal information, subject to legal retention obligations
  • We will delete your data within 30 days unless we must retain it by law

Right to Withdraw Consent:

  • Withdraw consent for specific uses of your data at any time
  • Withdrawal does not affect prior processing that was lawful

Right to Lodge a Complaint:

  • File a complaint with your local data protection authority if you believe we have violated your rights
  • For EU residents: your national Data Protection Authority
  • For California residents: California Attorney General

7.2 GDPR Rights (EU/EEA Residents & Equivalents)

If you are subject to GDPR, you have these additional rights:

Right to Data Portability:

  • Request your data in a portable, machine-readable format (JSON, CSV, XML)
  • We will provide this within 30 days

Right to Restrict Processing:

  • Ask us to limit how we use your data while you dispute accuracy or legality
  • We will restrict processing except where legally required

Right to Object:

  • Object to processing of your data for marketing, analytics, or profiling
  • We will comply unless we have legitimate legal grounds to continue

Right to Not Be Subject to Automated Decision-Making:

  • We do not use automated decision-making that produces legal effects
  • AI recommendations are advisory only; you decide whether to implement them

Data Processing Agreement (DPA):

  • GDPR requires a DPA between controller and processor
  • A DPA is automatically included in your service terms
  • Request a signed copy at [email protected] if needed

7.3 CCPA Rights (California Residents)

If you are a California resident, you have these additional rights:

Right to Know:

  • Know what personal information is collected, used, shared, or sold

Right to Access:

  • Access a copy of personal information we hold about you

Right to Delete:

  • Request deletion of personal information (with exceptions for legal compliance)

Right to Opt-Out of Sale/Sharing:

  • Opt out of “sale” or “sharing” of personal information
  • Starter WP does not sell or share your personal information; this right does not apply

Right to Limit Use:

  • Limit our use of sensitive personal information (we don't collect sensitive info)

Right to Non-Discrimination:

  • We will not discriminate against you for exercising CCPA rights

CCPA Verification:

  • We may request reasonable verification of your identity before processing your request

7.4 How to Exercise Your Rights

To request any of the above, contact us at:

Email: [email protected]
Mail: Starter WP, Inc., 3824 Cedar Springs Rd #510, Dallas, TX 75219
Portal: Submit a request via your Customer Portal (if applicable)

What to Include:

  • Your full name and email address
  • Specific request (access, deletion, correction, portability, opt-out)
  • Timeframe (we respond within 30 days for GDPR/CCPA; within 60 days if complex)
  • Any supporting documentation

Response Timeline:

  • We will respond to your request within 30 days (or 45 days for complex requests)
  • If we deny your request, we will explain the legal reason
  • Requests are free, except for unreasonable repetition (we may charge a nominal fee)

8. Data Breach Notification

If we discover a security breach that compromises your personal information, we will:

  1. Notify you within 30 days via email to your registered email address
  2. Provide details including:
    • Nature of the breach
    • Types of information affected
    • Likely consequences
    • Steps we are taking to respond
    • Steps you should take to protect yourself
    • Our contact information for further inquiries
  3. Notify regulatory authorities if required by law (GDPR requires notification to data protection authorities; CCPA may require notification to Attorney General)
  4. Post a notification to our status page (https://starterwp.statuspage.io) if the breach affects hosting services

We maintain cyber liability insurance to cover data breach response costs.

9. International Users & Data Transfers

9.1 US-Based Operations

Starter WP is a US-based company operating under Delaware law. Our servers and data processors are located in the United States (DigitalOcean data centers in NYC region).

9.2 Data Transfers Outside Your Country

If you are located outside the United States, your personal information will be transferred to, stored in, and processed in the United States. The United States may have different data protection laws than your country of residence. By using our services, you consent to this transfer.

9.3 GDPR & International Transfers (EU/EEA Residents)

For EU/EEA residents, we ensure lawful data transfers through:

  • Data Processing Agreement (DPA) with Standard Contractual Clauses (SCCs)
  • DigitalOcean's Privacy Shield/SCCs (infrastructure provider)
  • Transfer Impact Assessment confirming adequate safeguards

Contact [email protected] to request our Transfer Impact Assessment or DPA.

Our website may link to third-party websites, apps, and services (WordPress.org, DigitalOcean, Stripe, etc.). We are not responsible for the privacy practices, content, or security of third-party sites.

We encourage you to:

  • Review their privacy policies before providing information
  • Understand their data practices differ from ours
  • Contact them directly with privacy questions

Examples of third parties you may interact with:

  • WordPress.org (WordPress documentation and plugins)
  • DigitalOcean (infrastructure details)
  • Stripe (payment processing details)
  • Cloudflare (security services)

Starter WP is not liable for breaches, privacy violations, or data misuse by third parties.

11. Children’s Privacy

Starter WP services are not directed to children under 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children under 13.

If we discover we have collected information from a child under 13, we will:

  • Delete such information immediately
  • Notify the parent or guardian
  • Comply with applicable laws (COPPA in the US, etc.)

If you believe we have collected information from a child, contact us immediately at [email protected].

12. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, law, or other factors. The “Last Updated” date at the top of this policy will reflect the most recent revision.

Material changes (changes that significantly affect your privacy rights) will be communicated via:

  • Email to your registered address (at least 30 days’ notice)
  • Prominent notice on our website
  • Notice within your Customer Portal (for active customers)

Non-material changes may be posted without notice.

Your Consent:

  • Continued use of our services after changes take effect constitutes your acceptance of the updated policy
  • If you do not agree with changes, you may cancel your account (see Terms of Service Section 4)

13. State-Specific Disclosures

13.1 California (CCPA/CPRA)

Categories of Information Collected (past 12 months):

  1. Identifiers (name, email, IP address, account ID)
  2. Commercial information (purchase history, billing address, transaction details)
  3. Internet activity (pages visited, referrer, browser type, analytics data)
  4. Professional information (company name, job title, industry)
  5. Device information (browser, OS, device type)
  6. Geolocation (city-level, anonymized; no precise coordinates)

Sources:

  • Directly from you (contact forms, account creation, purchases)
  • Automatically (analytics, server logs)
  • Third parties (payment processors, email providers)

Uses:

  • Service delivery, billing, support, analytics, legal compliance, fraud prevention

Sharing:

  • Shared with service providers (Stripe, DigitalOcean, Cloudflare, SendGrid)
  • NOT sold or rented

Your Rights:

  • Right to know, access, delete, opt-out (see Section 7.3)
  • Right to non-discrimination if you exercise CCPA rights

Shine the Light Request:

  • California Civil Code Section 1798.83 allows CA residents to request information about sharing of personal information with third parties
  • We do not share personal information for third-party marketing; request can be made to [email protected]

13.2 Virginia (VCDPA)

Virginia residents have the following rights:

  • Right to access personal information
  • Right to delete personal information
  • Right to correct inaccurate information
  • Right to opt-out of targeted advertising and profiling

Contact [email protected] to exercise these rights.

13.3 Colorado, Connecticut, Utah (Similar State Privacy Laws)

These states have similar privacy laws. We comply with all applicable obligations. Contact [email protected] with questions.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Email: [email protected]

Mailing Address:
Starter WP, Inc.
3824 Cedar Springs Rd #510
Dallas, TX 75219
USA

Legal Contact (For DPA/Legal Matters):
[email protected]

Privacy Officer:
For complex privacy matters or data subject requests, our Privacy Officer will review and respond to all inquiries within 30 days.

Escalation:
If you are unsatisfied with our response, you may file a complaint with your local data protection authority (EU) or state Attorney General (US).

15. Additional Resources

Document Version: 2.0
Prepared for: Starter WP, Inc.
Effective Date: November 12, 2025

This privacy policy is binding and applies to all customers and visitors of Starter WP services.
