Connect WP Develop API

Data Processing Addendum (DPA)

Last Updated: November 8, 2025
Between:
https://connect.wpdevelopapi.com/ (“Processor”)
and
Plugin Operators / Site Owners using plugins integrated with the WC Collector API (“Controller”)

1. Purpose and Scope

This Data Processing Addendum (“DPA”) forms part of the Privacy Policy and Terms of Service and governs the processing of data submitted through the WC Crash Collector API operated by [Company Name].
This DPA applies only to the extent that the General Data Protection Regulation (GDPR), the Digital Personal Data Protection Act (DPDP) 2023, or equivalent data protection laws apply to the processing of data by the Processor.

The DPA ensures that the Processor processes information received through the Service only for the specific purpose of collecting, storing, and analysing plugin crash and diagnostic reports.

2. Roles of the Parties

  • The Controller (you, the plugin/site owner) determines what diagnostic data is collected and decides whether crash reporting is enabled.
  • The Processor ([Company Name]) provides and maintains the infrastructure (API endpoints, databases, etc.) for receiving and managing crash reports.

In most cases, the Processor acts as a sub-processor for plugin developers who distribute plugins embedding the WC Reporter library.

3. Data Categories Processed

The Service processes only technical and non-personal information by default. This may include:

  • Plugin slug and version;
  • Site URL or hostname;
  • WordPress version, PHP version;
  • Theme name and version;
  • Operating system name and release;
  • Error message, file path, and stack trace;
  • Timestamp and request metadata (e.g., IP used for rate limiting, not stored long-term).

The Service is not intended to collect any personal data such as user names, emails, addresses, or payment information.

If the Controller chooses to include such information in diagnostic data (e.g., via custom exception messages), the Controller acknowledges that responsibility for that disclosure lies solely with them.

4. Processor Obligations

The Processor shall:

  1. Process data only on documented instructions from the Controller and solely for the purpose of operating the crash collection service.
  2. Maintain appropriate technical and organisational measures (TOMs) to safeguard data, including:
    • Encrypted HTTPS transport (SSL/TLS);
    • Restricted database access via least privilege;
    • Periodic log rotation and automatic cleanup;
    • Secure token authentication for API access.
  3. Ensure that persons authorised to process data have committed to confidentiality.
  4. Assist the Controller in responding to data subject requests (e.g., deletion or export).
  5. Notify the Controller without undue delay of any personal data breach affecting crash data.
  6. Delete or anonymise records after the configured retention period (default 90 days).
  7. Allow audits or inspections only where legally required and within reasonable operational limits.

5. Controller Obligations

The Controller (site/plugin owner) is responsible for:

  1. Obtaining and recording end-user consent (via plugin settings) before enabling crash reporting;
  2. Ensuring that the transmitted data does not include personal data unless necessary;
  3. Providing transparency to end-users through their own privacy policy referencing the WC Collector system;
  4. Complying with applicable data protection regulations when configuring plugins.

6. Sub-Processors

The Processor may engage third-party service providers (e.g., hosting providers, database vendors) for infrastructure and maintenance.
All such sub-processors are contractually bound to ensure equivalent data protection and security standards.

A list of current sub-processors may include:

  • Hosting Provider: [Your Hosting Provider Name, e.g., Hostinger / LiteSpeed Cloud]
  • Cloud Infrastructure: [If any]
  • Email/Notification Service: (if applicable)

7. Data Retention & Deletion

Data is retained for the period specified by the option wc_collector_retention_days (default 90 days).
After this period:

  • Records are automatically deleted from the database;
  • Any related backup data is securely purged during the next rotation cycle.

Controllers can request early deletion by contacting [contact email].

8. International Data Transfers

If the Controller operates outside the jurisdiction of the Processor, data may be transferred to or accessed from countries that do not have equivalent data protection laws.
In such cases, the Processor ensures appropriate safeguards (e.g., contractual clauses, regional hosting compliance).

9. Development Mode & Local Environments

In Development Mode (when wc_collector_dev_mode is set to yes):

  • SSL verification may be bypassed to allow local testing (e.g., self-signed certificates).
  • Data transmitted during such tests should never contain production or personal data.
  • The Controller assumes full responsibility for any information transmitted while in dev mode.

10. Data Subject Rights

Upon written request from a Controller, the Processor will:

  • Delete or export any crash records associated with a given site URL;
  • Confirm deletion after successful cleanup;
  • Provide log evidence where required by law.

Requests can be made to [contact email] with reasonable verification of identity.

11. Limitation of Liability

Both parties acknowledge that diagnostic data processed through the Service has minimal personal risk.
To the extent permitted by law, liability under this DPA is limited to direct damages resulting from proven breaches of this agreement, not exceeding the amount paid (if any) for the Service in the preceding 12 months.

12. Duration and Termination

This DPA remains in effect as long as the Controller uses the Service.
Upon termination, the Processor will:

  • Delete or anonymise all retained data within 30 days;
  • Provide confirmation upon request.

13. Governing Law

This DPA is governed by the same jurisdiction as defined in the Terms of Service

Disputes shall be subject to the courts of New Delhi, India.

14. Contact

If you have questions about this DPA or wish to exercise any privacy rights, please contact:


Email: connect@wpdevelopapi.com

Website: https://connect.wpdevelopapi.com/