1. Scope and operator
AcceleratorWP ("we", "us") is the operator of acceleratorwp.com and for-wordpress.org. Both domains are run by the same person and same business; the data described in this policy is consolidated across them.
This policy covers visitors to acceleratorwp.com, recipients of our emails, customers of our digital products, and users of the Accelerator for WordPress plugin.
2. Information we collect
- Account information: when you purchase a product or create an account, we collect the email address you provide and any optional account credentials.
- Email lead data: when you submit one of our forms (newsletter, free site audit, coupon code, cheatsheet download), we collect the email you submit and the consent you give. See section 3.
- Usage data: standard non-personal analytics — browser type, page views, referrers — collected via Google Analytics 4 only after you accept the cookie banner.
- Communications: the content of any email you send us (support, sales, feedback) and our reply.
We do not collect special-category personal data (health, political opinion, religion, biometrics) and do not knowingly collect data from anyone under 16.
3. Email lead capture
When you submit one of our forms, the following happens:
- Your email is encrypted at rest using AES-256-GCM before being stored. The encryption key is held outside the database.
- A peppered SHA-256 hash of the email is stored alongside the ciphertext. This is what we use for duplicate detection and lookups; we do not need to decrypt the email to know whether you have already signed up.
- Your IP address is stored only as a peppered SHA-256 hash. The raw IP is never written to disk. The hash is used for anti-abuse rate limiting (max 5 form submissions per IP per 10 minutes).
- We log the timestamp and the exact consent text shown to you at submission, so we can prove your consent was specific, informed, and freely given.
- We send the lead to Resend (our transactional email provider) so we can mail you the content you signed up for.
You can withdraw consent at any time via the unsubscribe link in every email we send, or by emailing [email protected].
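The storage scheme described in this section, sketched as an added example that is not AcceleratorWP's own code. It assumes Node.js, treats "peppered SHA-256" as HMAC-SHA-256 keyed with the pepper, and uses in-memory maps in place of the database; all function and variable names are hypothetical.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed secrets for the demo; a deployment would load them from outside the database.
const ENC_KEY = nodeCrypto.randomBytes(32); // AES-256 key
const PEPPER = nodeCrypto.randomBytes(32);  // secret mixed into every hash

// Peppered SHA-256, implemented here as HMAC-SHA-256 keyed with the pepper (assumed construction).
function pepperedHash(value) {
  return nodeCrypto.createHmac('sha256', PEPPER).update(value).digest('hex');
}

// AES-256-GCM with a fresh 96-bit nonce per record; nonce and tag are stored with the ciphertext.
function encryptEmail(email) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', ENC_KEY, iv);
  const ct = Buffer.concat([cipher.update(email, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Decryption throws if the ciphertext, nonce or tag was modified.
function decryptEmail({ iv, ct, tag }) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', ENC_KEY, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

const leads = new Map();       // emailHash -> encrypted lead record
const submissions = new Map(); // ipHash -> submission timestamps (ms)
const LIMIT = 5;
const WINDOW_MS = 10 * 60 * 1000;

function submitLead(email, ip, consentText, now = Date.now()) {
  const ipHash = pepperedHash(ip); // only the hash is kept, never the raw IP
  const recent = (submissions.get(ipHash) || []).filter(t => now - t < WINDOW_MS);
  if (recent.length >= LIMIT) return 'rate_limited';
  submissions.set(ipHash, [...recent, now]);

  // Normalise before hashing so case and whitespace variants map to one lookup key.
  const emailHash = pepperedHash(email.trim().toLowerCase());
  if (leads.has(emailHash)) return 'duplicate'; // detected without decrypting anything
  leads.set(emailHash, { ...encryptEmail(email.trim()), ipHash, consentText, at: now });
  return 'stored';
}
```

Because the lookup hash is deterministic, anyone holding both the pepper and the database can test guessed addresses against it, so the pepper needs the same protection as the encryption key.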
4. Site audit reports
When you request a free site audit, you also submit the URL of a WordPress site to be scanned. We:
- Fetch the public HTML of the URL you submit, plus optionally run it through Google PageSpeed Insights.
- Detect plugin slugs, theme, cache plugin signatures, and measure TTFB. We do not log into the site, do not access private content, and do not store visitor PII from the scanned site.
- Generate a PDF report and email it to you. The PDF plus the scan metadata (URL, timestamp, score, plugin list) are stored in our database alongside your lead record so we can resend the report on request.
The URL you submit is treated as personal data because it identifies a site you operate or are responsible for. It is stored, encrypted along with the rest of the lead record, and deleted on the same retention schedule (section 11).
5. Payment processing (Merchant of Record)
We do not collect or store your payment details (e.g. credit card numbers). All transactions are securely processed by our Merchant of Record, Paddle.com. When you make a purchase, your billing information is submitted directly to Paddle. You can review Paddle's Privacy Policy on their official website to understand how they handle your payment data.
6. How we use your information
- Provide, operate, and maintain our digital products and license keys.
- Send order confirmations, invoices, and product updates.
- Send the lead-magnet content you signed up for (newsletter, audit, coupon, cheatsheet).
- Respond to your customer-support requests.
- Improve our products and the rule library used by the plugin.
- Detect and prevent fraudulent activity, abuse, and unauthorized distribution of our software.
We do not use your information to build behavioural advertising profiles. We do not sell your data.
7. Cookies & analytics
We use Google Analytics 4 to count visits and understand which pages and posts attract attention. The GA4 cookie is loaded only after you accept the cookie banner on your first visit. Until you accept, no analytics cookies are set and no events are sent.
A handful of strictly-necessary cookies / localStorage entries run regardless: theme preference, promo-bar dismissal, cookie consent record. These are stored only in your browser and are never read by us.
You can withdraw cookie consent at any time by clearing your browser's site data for acceleratorwp.com.
8. Sharing your information
We do not sell, trade, or rent your personal information. We share data only with the following processors, and only the minimum needed for them to deliver their service:
- Paddle — payment processing and invoicing (Merchant of Record). Your billing data is processed by Paddle directly.
- Resend — transactional and broadcast email delivery for our newsletter, audit reports, coupons, and cheatsheets.
- Google (PageSpeed Insights) — when you submit a URL for a free site audit, that URL is sent to Google's public PageSpeed Insights API to fetch Lighthouse metrics. Google may log this URL.
- Google Analytics 4 — only after you opt in via the cookie banner.
- Cloudflare — DNS, CDN, and email routing for our domains. Inbound emails sent to addresses on our domains pass through Cloudflare Email Routing.
9. Plugin telemetry and license data (Accelerator for WordPress)
If you install the Accelerator for WordPress plugin on your site, the plugin communicates with our licensing server for license validation, heartbeat checks (approximately once per day), and — if enabled — anonymous performance telemetry. Data that may be transmitted includes:
- Site URL and license key — required for license validation on your permitted domains.
- WordPress and PHP versions — for compatibility and support diagnostics.
- Plugin inventory — the list of active plugin slugs on your site (no plugin content or data), used to match our Rule Library for skip-rule recommendations.
- Aggregate performance metrics — anonymized p50, p95, and p99 TTFB measurements, per-request-class distributions, and isolator activity counters used to improve the Rule Library and validate optimization outcomes.
No personally identifiable information about your site's visitors is collected or transmitted. Telemetry data is never sold or shared with third parties and is used only to improve the plugin. You can opt out of telemetry at any time from the plugin settings while retaining full plugin functionality.
10. Your rights (GDPR / KVKK)
Under the EU/UK GDPR and Türkiye's KVKK (Law No. 6698), you have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — correct inaccurate data we hold about you.
- Right to erasure ("right to be forgotten") — request the deletion of your data. We delete the encrypted email, peppered IP hash, and metadata; a row stub with no identifying information may remain for aggregate analytics.
- Right to restrict processing — request that we stop processing your data while a complaint or correction is pending.
- Right to data portability — receive the data you have given us in a structured, machine-readable format.
- Right to object — to processing based on legitimate interest, including marketing.
- Right to withdraw consent — at any time, without penalty.
- Right to lodge a complaint with your local supervisory authority (e.g. KVKK Kurumu in Türkiye, the Information Commissioner's Office in the UK, or your national data-protection authority in the EU).
To exercise any right, email [email protected]. We respond within one calendar month.
11. Retention
We keep personal data only as long as we need it for the purpose we collected it.
- Email lead records — kept for up to 24 months from the last activity (open, click, login, purchase). After 24 months of inactivity the record is automatically anonymized.
- Site audit reports — kept alongside the lead record on the same 24-month schedule.
- Order data — retained for the legal minimum applicable to invoices and tax records (typically 5 to 10 years depending on jurisdiction).
- Anti-abuse logs — IP submission log entries are kept for 90 days for rate-limiting purposes.
12. Security
- All web traffic is served over HTTPS with HSTS enabled (two years, includes subdomains).
- Email addresses are encrypted at rest with AES-256-GCM. IP addresses are stored only as peppered SHA-256 hashes.
- The database is reachable only on the private Docker network that hosts our application; no public port is exposed.
- Daily encrypted database backups are retained on a 14-day rolling window plus first-of-month snapshots for ~13 months.
- Access to administrative systems uses SSH keys with two-factor authentication on the Dokploy panel.
No system is perfectly secure. If you believe your account has been compromised, email [email protected] immediately.
13. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent change. Material changes (anything that affects the legal basis of processing or what we collect) will be announced on the home page and to existing newsletter subscribers at least 30 days before they take effect.
14. Contact
For privacy questions, data-deletion requests, or any other matter relating to this policy, write to [email protected]. For payment, billing, or subscription matters, contact Paddle at [email protected].
Postal contact and the legal entity name behind AcceleratorWP are available on request to the email above.

