Webless, MB (“Webless”, “we”, “us” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our website and Services. It also describes your rights and choices regarding your personal information. We aim to be transparent and comply with applicable data protection laws, including the EU General Data Protection Regulation (GDPR).
By using the Webless website (https://webless.co) or purchasing/using our Services, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our practices, please do not use our site or services.
1. Who We Are
Webless, MB is the “data controller” of personal data collected through our website and Services. This means we determine how and why personal data is processed. Our contact details are:
- Business Name: Webless, MB
- Registered Address: Perkūnkiemio g. 19, LT-12120 Vilnius, Lithuania
- Company Code: 306673177
- Email: legal@webless.co
For any privacy-related questions, or to exercise your data protection rights, you can contact us at the above email address. We may not have a designated Data Protection Officer (DPO) since we are a small business, but we treat privacy seriously at the highest level of our organization.
2. What Data We Collect
We collect personal data that you provide to us, data that is collected automatically, and data from third-party sources (like Stripe) as needed to operate our Services. “Personal data” means any information related to an identified or identifiable natural person. The types of personal data we collect include:
2.1 Information You Provide Directly
- Contact and Identity Details: When you engage with us (such as by purchasing a service, creating an account, or contacting us), you may provide personal identifiers. This can include your name, surname, email address, billing address, phone number, company name, and, if applicable, business identification number or VAT number. For example, during checkout, Stripe will prompt for your name, email, and address, which we receive for invoicing and contact purposes.
- Account Credentials: If an account is created for you on our platform, we will have a username (which may be your email) and a password. If we generate a password for you, you should change it later. All passwords we store are intended to be protected (hashed) in our system. We also assign an internal user ID to your account.
- Service Details / Website Credentials: After purchase, you will typically submit details about your WordPress site for us to perform the service. This includes sensitive access information: your website URL, WordPress admin username and password, hosting account login, domain registrar login, FTP/SFTP credentials, database credentials, Cloudflare or other CDN credentials, and any other relevant access. These login details are highly confidential and we collect them solely to provide the Service to you. We store them securely (see Security section) and only retain them as long as necessary (for ongoing services, until you remove or update them; for one-time services, until completion or account deletion).
- Support Communications: If you contact us via email, live chat, or support ticket, we will collect the information you choose to share. This may include your email address, the content of your messages, any screenshots or files you send, etc. We keep these communications as part of our records.
- Payment Information: We rely on Stripe to handle payment processing. We do not collect or store your full credit card details. When you enter payment data on the Stripe checkout form, that is sent directly to Stripe. However, we may receive certain payment-related information from Stripe: e.g., the type of card, the last four digits of your card, the cardholder name, payment amount, date, and status, and your billing address. We record transaction details (amount, currency, date, and whether payment succeeded) to manage your orders. If you use PayPal via Stripe, we might see the PayPal account email or an ID – similar limited info. We also get notified of refunds or chargebacks if they occur.
- Profile Information: If our dashboard allows you to add optional profile info (like an avatar or job title), and you choose to, we’ll store that. Typically, our service doesn’t require more than name and email for profile.
- Feedback/Survey Data: If we ever ask for feedback or you fill in a survey, we’ll collect what you provide. For example, a testimonial or a review you give can be personal data if attached to your name. We would ask your consent to publish testimonials.
- Newsletter or Marketing Sign-up: If we have a newsletter or offer you the option to subscribe to marketing emails, and you opt in, we will collect your email address (and possibly name) for that purpose. We will always obtain consent for marketing communications (unless you are an existing customer and the communication is about similar services, in which case we may rely on legitimate interest under e-privacy rules, but you will still have an easy opt-out).
2.2 Information We Collect Automatically
When you visit our website or use our dashboard, certain data gets collected automatically by virtue of your interaction with our site and services:
- Usage Data: We collect information about your activity on our site. This includes:
  - Device and Browser Information: such as your IP address, browser type and version, device type (desktop/mobile), operating system, language preference, and screen resolution.
  - Log Data: such as the pages you visited on our site, the time and date of your visit, time spent on pages, clickstream data (which links you click), and the page that referred you to our site (referrer URL).
  - Interactions: If you use our client dashboard, we might log actions like when you add a website, when you open a support ticket, etc., to maintain an audit trail.
- Cookies and Similar Technologies: We use cookies on our site (see Section 6 for details). Cookies are small text files stored on your device that help us recognize you and remember preferences. For example, if you log into the dashboard, a session cookie keeps you logged in. We also use cookies for analytics to understand how visitors use our site.
- Analytics Data: We use Google Analytics (a popular web analytics service by Google) to collect information on website usage. Google Analytics may set cookies or use other identifiers to collect information such as your IP address, location (approximate, based on IP), pages viewed, and events (like button clicks). This helps us analyze web traffic and improve user experience. Google Analytics provides aggregated insights (we cannot directly identify you solely from this analytics data, especially since we have IP anonymization enabled if applicable). However, because Google Analytics does track IP which is personal data, we treat it accordingly. (More details in Section 6.1)
- Chat Interactions: If you use the Crisp live chat on our site, the chat widget automatically collects some data about your visit: e.g., which page you opened the chat on, your IP and browser info (to show region and system info), and if you provide an email in chat it links to that. Crisp might store a cookie to remember you for continuity of chat. The content of your chat messages with us is of course collected so we can respond.
- Captcha and Anti-Spam: We use Google reCAPTCHA on forms (like contact forms or sign-up forms) to distinguish bots from real users. reCAPTCHA collects hardware and software information, such as device and application data, checks for any Google cookies in your browser, and generates a score or challenge. This means Google collects some personal data (like IP, mouse movements) for security purposes. We do not see this data directly, but by using reCAPTCHA, it’s collected by Google. It’s governed by Google’s Privacy Policy.
- Server Logs: Our web server automatically logs each request made to the server. These logs include your IP address, the request URL, date/time, and error codes (if any). We use these logs for security (e.g., to detect malicious activity) and to debug technical issues.
2.3 Information from Third Parties
In some cases, we receive personal data about you from third-party sources:
- Stripe: As mentioned, after a transaction, Stripe provides us details like your name, email, address, and payment status. If you use Stripe’s customer portal to manage your subscription, Stripe may send us updates (e.g., you changed your card or canceled a plan) so we can update our records.
- Referral Partners: If you were referred to us via a partner or affiliate link, we might receive basic info indicating who referred you (so we can reward them). This usually doesn’t involve your personal data beyond maybe an order identifier.
- Public Sources: For business customers, we might confirm company information via public registers. Also, if you leave reviews about our service publicly (like on social media or forums), we may see those, though we don’t actively profile users from social media.
- Third-Party Cookies: Some third-party embedded elements on our site (like YouTube videos, or social media share buttons) may send certain info to those third parties, but we do not actively provide personal data to them. They might be collecting data via their embedded code. We try to minimize such data sharing unless necessary.
We do not purchase marketing lists or get your data from data brokers.
3. How We Use Your Data (Purposes and Legal Bases)
We only collect and use personal data for purposes that are justified under data protection law. Under the GDPR (if applicable), we need to have a valid legal basis for each use of your data. This section explains what we use data for, and the legal grounds we rely on (in parentheses).
3.1 To Provide and Perform Our Services (Contractual necessity)
We process personal data to enter into and fulfill our contracts with you:
- Account setup and verification: We use your email to create your user account and send you activation links or login credentials. We use your name and contact info to identify you as our customer in our system. We require your data to recognize you when you log in.
- Service delivery: We use the website credentials and information you provide to actually perform the WordPress services you requested. For example, we will use your WP admin login to log into your site and optimize it. We’ll use your hosting credentials to access the server if needed for maintenance tasks. We use your data to carry out all tasks you’ve paid for. Without this data, we literally cannot do the work (e.g., we can’t optimize a site we have no access to).
- Communication about the service: We process your email or phone to send service-related communications: e.g., confirming your order, sending progress updates, reports, alerts about your site status, or information about changes to the service. This includes responding to your inquiries and support requests. If an issue arises (like we need clarification or encounter a problem on your site), we’ll use your provided contact to reach you.
- Authentication and security: We use account credentials to authenticate you when you log in. We may use logs and device information to detect suspicious login attempts (for example, if a login occurs from an unusual IP, we might flag it).
- Payments and billing: We use payment-related info to process your payments and provide receipts/invoices. For instance, we use Stripe’s output (transaction IDs, last four digits of the card, country) to record that you’ve paid. We use your address to put on invoices (a legal requirement for VAT invoices). We might also use order history to provide customer support or refunds if applicable.
Legal Basis: This is primarily based on Contract – processing is necessary to perform the contract with you (Article 6(1)(b) GDPR) or to take steps at your request before entering a contract (e.g., handling a quote request). Even if you’re not an individual (e.g., you represent a company), we still process your contact data on the basis of our legitimate interest to fulfill the service contract with your company and communicate with you as their representative.
3.2 To Maintain and Improve Our Services (Legitimate interests)
We use data to run and enhance our business operations:
- Analytics and usage tracking: We analyze how users navigate our site, which pages are popular, how marketing campaigns perform, etc. This helps us improve the website design, fix usability issues, and optimize content. For example, Google Analytics data might show that few visitors reach the pricing page, indicating we need better navigation. The data is aggregated for trends.
- Service improvement: The details of issues that come up during service (like common website problems we encounter, or common customer requests) help us refine our offerings. We might compile anonymous or aggregated data about how much performance improved on average for customers to evaluate our methods.
- Security and abuse prevention: We use data like IP addresses, server logs, and behavioral patterns to detect and prevent fraudulent or malicious activity. For example, we might block an IP that makes repeated failed logins (brute force attempts), or use logs to investigate a hacking incident. We also keep credentials and data secure internally to prevent unauthorized access. If necessary, we might use certain data to blacklist bad actors.
- Debugging and development: If you encounter an error on our site or app, we might use log data or error reports to debug. For instance, if an API call fails for a certain user, we’ll look at the request data to identify the bug.
- Customer support records: We keep support ticket history so we can see past issues and solutions, which helps us handle future inquiries faster (and train staff).
- Marketing and business analytics: We might use non-sensitive data to evaluate the success of our marketing or to decide our business strategy. For example, we may track how many users from a certain country sign up, or what percentage of visitors convert to customers. We could use your city/country to understand where demand comes from (though typically individually this is not personal identification, on aggregate it’s stats). We may also infer your likely industry or site size based on info you gave, to tailor our services (e.g., if many e-commerce customers ask for uptime monitoring, we might add that feature).
Legal Basis: We rely on Legitimate Interests (Article 6(1)(f) GDPR) for these activities. Our legitimate interests are to operate an efficient, secure, and useful service, to understand and improve our business, and to protect our company from fraud or attacks. We have balanced these interests against your rights and believe our data use in this context is minimal and not overly intrusive (for instance, analytics data is largely pseudonymous and we respect Do-Not-Track preferences where possible). You have the right to object to processing based on legitimate interests (see Section 8, Your Rights).
3.3 To Communicate With You and Market (Consent or Legitimate interests)
We use data for communications and marketing as follows:
- Service Announcements: We will send you important administrative emails (e.g., changes to terms or privacy policy, security alerts, service outage notifications) as needed. This is considered part of the service/contract.
- Newsletters and Promotions: If you explicitly subscribe to our newsletter or ask for marketing updates, we will use your name and email to send you newsletters, product updates, special offers, or blog articles. These communications are only sent with your consent (Article 6(1)(a) GDPR) – i.e., you opted in. You can unsubscribe anytime by clicking the “unsubscribe” link in such emails or contacting us.
- Soft opt-in (Existing Customers): If you are a customer of ours, we may send you information about services similar to those you purchased, unless you opted out. For example, if we launch a new feature to our maintenance plan, we might email our current clients about it. We do this based on our legitimate interest in growing our business and keeping customers informed, and e-privacy laws that allow simplified consent for existing customer marketing of related products. However, we will always provide a clear opt-out mechanism in every such email.
- Targeted Advertising: Currently, we do not run third-party advertising on our site nor do we heavily profile users for ads. If in future we decide to do remarketing (e.g., show Webless ads on other platforms to people who visited our site), we will update this policy. That might involve cookies from ad networks (with consent via cookie banner if in EU).
- Responding to You: Any time you contact us (via email, chat, etc.), we use your provided info to respond personally. That might include reaching out for feedback after a support issue is resolved.
Legal Basis:
- For marketing emails to new subscribers, the basis is Consent – you will only get those if you chose to opt in.
- For communications to existing clients about similar services, the basis is Legitimate Interest (direct marketing) as recognized under GDPR recital 47 and applicable e-Privacy rules, as long as you haven’t opted out. We believe sending useful updates to our client base benefits both us and our clients; we do so in a minimally intrusive way. Nonetheless, you can opt out at any time, and we will honor that.
- General communications and service announcements are usually Contractual (to provide you with info relevant to your service usage) or Legal Obligation (if informing about data breaches, etc.).
3.4 To Comply with Legal Obligations (Legal obligation)
We will process personal data where necessary to fulfill our legal obligations, such as:
- Accounting and Tax: We keep records of transactions, including invoices with your name and address, to comply with tax law and accounting standards. For example, Lithuania’s laws might require us to retain invoices for 10 years. If you’re in the EU, VAT regulations might require us to report cross-border sales with certain customer info (like country).
- Regulatory compliance: If GDPR or other privacy laws require certain actions, like if you exercise a right (say, request data deletion), we will process that data to comply.
- Law Enforcement and Dispute Resolution: If we are required by a court order or subpoena to provide personal data, we will do so to comply with the law. Similarly, we may process data to the extent needed to establish or defend against legal claims. For instance, if there’s a legal dispute, we might preserve logs or communications as evidence (which is a legitimate interest and/or legal necessity).
- Consumer Rights: For customers in certain jurisdictions, we need to provide cancellation forms or refund processes. If a consumer exercises a statutory right (like the EU 14-day withdrawal), we’ll use their data to process that cancellation and refund, as required by law.
- GDPR Compliance: As a data controller under GDPR, we maintain records of processing activities and may log consents or objections from you to demonstrate compliance. If there’s a security breach that involves personal data, we may need to notify authorities and affected individuals, processing personal data as part of that procedure (e.g., logging what data was involved, contacting you by email).
Legal Basis: Article 6(1)(c) GDPR – processing is necessary for compliance with a legal obligation to which we are subject. We only do what the law mandates.
3.5 Other Purposes (with Notice/Consent)
If we want to use your data for a new purpose not covered by the above, we will update this Privacy Policy and, if required, obtain your consent. We will not exploit your data in unexpected ways. For example, we will not sell your data to third parties for their independent marketing, and we won’t use any personal information in ways incompatible with the purposes for which it was collected.
We do not engage in any automated decision-making or profiling that produces legal effects or similarly significant effects for you (as defined under GDPR Article 22). Any profiling (like basic analytics segmentation) we do is shallow and not used to make decisions about individuals in a way that harms them.
4. Cookies and Tracking Technologies
We use cookies and similar technologies on our website to provide and improve our services, as well as to gather analytics about our visitors. This section explains what these technologies are and how we use them.
4.1 What Are Cookies?
Cookies are small text files placed on your device (computer, smartphone, etc.) when you visit a website. They allow the website to recognize your device and remember information about your visit (e.g., your preferences or login status). Cookies can be “session cookies” (which last only until you close your browser) or “persistent cookies” (which stay on your device for a set period or until deleted).
We also may use other tracking technologies like:
- Web Beacons/Pixels: tiny graphic images or code snippets that track whether you’ve opened an email or visited a certain URL.
- Local Storage: Web apps can store data in your browser’s local storage similar to cookies.
- Analytics Scripts: code from third parties (like Google Analytics) that collects usage data.
4.2 Cookies We Use
We categorize cookies as follows:
- Necessary Cookies: These are essential for the website’s core functionality and cannot be disabled (without impairing the service). For example, the session cookie that keeps you logged in as you navigate the dashboard, or security cookies that help prevent cross-site request forgery. Another example: our cookie consent banner might set a cookie to remember your cookie preferences.
- Preferences Cookies: These remember choices you make to give you a more personalized experience. For instance, if our site is multilingual, a cookie might save your language choice.
- Analytics Cookies: These cookies collect information about how visitors use our site (pages visited, time spent, etc.). We use this information in aggregate to improve our site’s performance and design. We currently use Google Analytics (_ga, _gid, etc. cookies), which help distinguish users and throttle request rates. The data collected by these cookies (such as IP address, device info, site usage) is transmitted to Google and compiled to produce site usage reports for us.
- Marketing/Third-Party Cookies: At present, we do not have third-party ads on our site that set marketing cookies. However, if we embed content from others, like a YouTube video or a Twitter feed, those providers might set their own cookies. Also, Crisp live chat sets some cookies to function (like remembering chat state and user). Crisp’s cookie tracks a visitor ID so that if you navigate to a new page, the chat can continue seamlessly. We ensure none of these third-party cookies are used for advertising profiling on our site, just functional tracking.
Examples of specific cookies (for illustration):
- PHPSESSID or similar: session cookie for our site login.
- crisp-client/sessionid: used by Crisp chat to identify your chat session.
- _ga, _gid: Google Analytics cookies to distinguish users and sessions.
- cookie_consent: a cookie to remember that you closed the cookie banner or your preferences.
4.3 Your Choices
Upon your first visit to our site (and periodically as required), you may see a cookie consent banner if you are in a jurisdiction that mandates it (like the EU). We will request your consent for non-essential cookies (e.g., analytics) in compliance with legal requirements. You can accept or decline. If you decline, we either won’t set those cookies or will block those scripts.
Regardless of the banner, you can also control cookies via your browser settings:
- You can usually find an option to delete cookies and site data. You can also instruct your browser to not accept cookies from specific sites or altogether. Please note that if you block all cookies, some parts of our site (like logging in) may not work.
- For Google Analytics specifically, Google provides an opt-out browser add-on (tools like “Google Analytics Opt-out”).
- Our analytics is configured to anonymize IP addresses where applicable (last digits truncated) to enhance privacy.
Do Not Track (DNT): Our site currently does not respond to DNT signals in a uniform way, due to the lack of an agreed standard. However, we treat any user who declines cookies as opted out of tracking.
4.4 Third-Party Tracking
As mentioned, we use:
- Google Analytics: Google may set cookies and collect usage data. Google acts as our data processor for analytics, meaning they process data only on our behalf. We have a Data Processing Agreement with Google for GA as required by GDPR. The data Google Analytics collects may be transferred to and stored on Google’s servers in the United States or other countries. Google is certified under data transfer frameworks (see Section 7 on international transfers).
- Crisp Chat: Crisp may place a cookie to maintain chat sessions. According to Crisp, their chat cookies are not used for marketing or tracking across sites; they only enable functionality like remembering chat history. Crisp, based in France, is GDPR-compliant. Data from chat (messages, visitor info) is stored on Crisp’s servers (which are likely in the EU).
- reCAPTCHA: Google reCAPTCHA may set cookies or use existing Google cookies to perform risk analysis. This usually includes the Google “NID” cookie or others used by Google.com. We invoke reCAPTCHA only where needed (e.g., on a contact form) and as per Google’s terms, “your use of reCAPTCHA is subject to Google Privacy Policy and Terms of Use.” We have a notice near those forms about that.
We do not use any sneaky tracking techniques like canvas fingerprinting or supercookies.
5. How We Share or Disclose Data
We treat your personal data with care and do not sell it. However, in certain situations, we need to share some data with others. This section explains who we share data with and why.
5.1 Service Providers (“Processors”)
We use trusted third-party companies to help us deliver our services. These third parties process data only under our instructions and for the purposes we specify. We ensure they are bound by confidentiality and data protection obligations.
Key service providers include:
- Stripe: for payment processing. Stripe will receive your payment data (card details, billing info) directly when you pay. Stripe also provides us with limited info as described. Stripe is considered a data controller for the financial info you provide to them (since they use it for fraud prevention, etc.), and a processor for some data they pass to us. Stripe is headquartered in the US but has EU entities. We have accepted Stripe’s data processing addendum which includes the EU Standard Contractual Clauses for data transfers.
- Hosting Provider: Our website and database may be hosted on servers provided by a third-party hosting company (for example, it could be a cloud provider like AWS, DigitalOcean, etc., or a local hosting firm). This means any data stored on our site (your account data, etc.) resides on their servers. They technically could have access as the infrastructure provider, but they won’t use it except for storage and backup. We choose reputable hosts with strong security and privacy standards.
- Email Service: We might use an email sending service (like SendGrid, Mailgun, or our host’s SMTP) to send transactional emails (order confirmations, password resets) and any newsletter if applicable. This means your email address and the content of the email passes through that service. For example, if we use SendGrid for notifications, they process that under our instructions.
- Crisp: Crisp is our live chat provider. If you chat with us, Crisp processes those chat communications (acting as a processor). Crisp collects visitor data (IP, browser, etc.) and message content to relay to us and store conversation history. Crisp (Crisp IM SAS) is based in the EU (France) and is GDPR compliant.
- Google Analytics: Google acts as a data processor when providing analytics. They use the data to give us aggregated reports. (Note: Google may use the data for improving their analytics services, but our agreement with them restricts using it for any Google’s advertising or sharing raw data – we have settings to not share data for those additional purposes).
- Other Tools: We may use various SaaS tools internally that could have some of your data, such as:
  - Project management or notes tools (where we might note down client tasks, which could include your first name or site name).
  - Cloud storage or backup services (for example, we might keep backup copies of optimization reports or site backups on secure cloud storage, though by default we store backups on your hosting or our servers, not on third-party services unless needed).
  - Accounting software (your name, email, and invoice details could reside in our accounting or invoicing system for bookkeeping).
  - Customer support/ticketing system (if we use dedicated helpdesk software or if Crisp itself manages tickets, your requests and our responses are stored there).
We ensure any such providers have appropriate data protection measures. We only share the minimum necessary for the task. For instance, our accountant might see your invoices which include your name and purchase details, but not your website credentials.
5.2 Within Our Company
Access to personal data within Webless is restricted on a need-to-know basis. Our small core team (including the managing director, Arnas Markūnas) will have broad access to customer data to manage accounts and services. Technical staff/contractors who work on your website will have access to the credentials and data needed for that work. We ensure all personnel are bound by confidentiality. If we hire sub-contractors or freelancers to assist with tasks, they act under our direction and we contractually obligate them to protect your data just as we do. We do not allow any staff to use client data for anything outside the work scope.
5.3 Business Transfers
If Webless is involved in a merger, acquisition, investment due diligence, reorganization, or sale of all or some of its assets, personal data may be transferred to the buyer or merged entity. We would ensure the new owner continues to handle your data according to this Privacy Policy or provides notice and obtains consent if required for any changes. For example, if another company acquires Webless, your customer data would likely be one of the transferred assets. We would inform you of any such change in ownership and the options you have.
5.4 Legal and Compliance
We may disclose your personal data when necessary to:
- Comply with the law: If we receive a lawful subpoena, court order, or other legal demand for data, and after evaluating its validity, we may have to turn over certain information (for example, law enforcement investigating fraud might lawfully require logs or account info). We will attempt to notify you (if permitted by law) of any such requests.
- Enforce our Terms and protect rights: We may disclose data to enforce our agreements or policies, or to respond to allegations of fraud or intellectual property infringement. For instance, if you engage in harmful conduct violating our Terms, we might share relevant data with investigators or attorneys to address it. Or if someone claims your site (which we worked on) is hosting illegal content, we might need to share your contact info with appropriate parties as part of resolving that.
- Emergency: If we believe in good faith that disclosure is necessary to prevent a threat to life, health, or security of an individual or the public, we may share information with the appropriate authority (e.g., providing info to police in a critical case).
5.5 With Your Consent or At Your Direction
If you explicitly request or consent to us sharing data with a third party, we will do so. For example, if you ask us to coordinate with another vendor (like your hosting provider’s support) and share information to troubleshoot your site, we will share as needed at your direction. Another example: if we ever run co-marketing or referrals, we would only share your contact with a partner if you opt-in.
We do not sell or rent your personal data to third-party marketers. We might share aggregated or anonymized information publicly or with partners – for example, publishing a statistic like “average speed improvement of X% across clients” or “we served clients in 15 countries” – but no individual would be identifiable from that.
6. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes outlined in this Policy, unless a longer retention period is required or permitted by law. Because different data serves different purposes, retention periods vary:
- Account Information: We keep your account data (like name, email, login credentials) as long as your account is active. If you delete your account or it’s been inactive for a long period, we will remove or anonymize the data in accordance with our standard procedures. Generally, if an account is inactive for over 2 years, we may purge it after notifying the last known email (unless there are ongoing services).
- Service Data (Credentials): The sensitive website access credentials you provide (WP admin, hosting, etc.) are stored for as long as you are using our Service for that site. If you are on a maintenance plan, we keep them until you cancel and ask for deletion (or remove the site from the dashboard). If it is a one-time service, we retain the credentials until the service is completed; afterwards, we recommend you change the passwords, but we may keep them on file for a short period in case follow-up support is needed. We will purge or encrypt stored passwords when they are no longer needed. If you delete a site from our dashboard, our system deletes the stored credentials for it. (Backups or logs might still contain them for a short time; see below.)
- Support Tickets/Communications: We may retain customer support emails and chat transcripts for historical reference and training. This helps if you have future issues and we need context. Unless you request deletion, we generally keep support correspondence for up to 5 years. This period helps us see patterns and also can be relevant for legal purposes (e.g., if a dispute arises, communications serve as evidence).
- Transaction and Billing Records: We retain invoices, payment records, and related billing information for at least the duration required by Lithuanian law and EU tax law, which is typically 10 years from the end of the financial year. We keep this data to comply with auditing and tax obligations. Even if you delete your account, we must retain invoice data associated with your name/business for this period.
- Analytics Data: Google Analytics data is stored by Google typically for 26 months (we have set our GA data retention to 26 months, which resets on new activity). We mainly look at aggregated analytics, not user-level, but raw data gets auto-deleted after that period. Our server logs that contain IP addresses are usually rotated and deleted within 12 months or sooner, unless needed for security analysis (some critical security logs might be kept longer if we suspect malicious activity from a certain IP).
- Marketing Data: If you have consented to receive newsletters, we will keep your contact information until you unsubscribe or the email address bounces. If you unsubscribe, we will stop sending and ideally remove you from the list promptly. We might however keep a suppression record (your email) to ensure we don’t accidentally re-add you – that is indefinite in a suppression list, but solely to respect your opt-out.
- Backup Copies: Our systems may create backup copies of data (for disaster recovery). These backups are usually cycled. For example, daily backups might be kept for 7 days, weekly for a month, etc. If your data is deleted from the live system, it might persist in encrypted backups until those backups expire and are overwritten. We have a retention schedule for backups (commonly 30-90 days max for any personal-data-containing backup).
- Legal Holds: If we are in a legal dispute or under investigation relating to your account or services, we may retain relevant data until it is resolved, even if it would normally be deleted. Also, if you exercise certain rights like erasure, some data may be kept as required (e.g., we might keep a record that person X requested deletion on Y date to demonstrate compliance, or retain minimal info to not re-contact you).
- General: When we no longer have a legitimate need or obligation to retain your personal information, we will securely delete or anonymize it. For instance, we might anonymize usage data (so it’s not linked to you) and keep aggregated stats indefinitely since anonymized data is not personal.
If you request deletion of your data (see Your Rights section), we will endeavor to delete applicable data promptly, unless retention is required.
7. International Data Transfers
We are based in Lithuania (European Union), but we utilize services and infrastructure that may involve transferring your personal data across international borders:
- If you are located outside the European Economic Area (EEA): When you provide data to us, it will be transferred to and processed in the EU (Lithuania or other EU countries where our servers or processors reside). By using our services, you acknowledge your data will be processed in the EU, which may have different data protection laws than your country.
- If you are located in the EEA or UK: Many of our third-party processors are based outside the EEA, so your data might be transferred to “third countries” lacking an EU adequacy decision (like the United States). For example:
  - Stripe, Google, Crisp might store or access data on servers in the US or elsewhere.
  - Our cloud hosting could be in EU data centers, but backups or support might involve personnel in other regions.
  - Email and support tools could route data globally (depending on provider).
Whenever we transfer personal data out of the EEA, we ensure appropriate safeguards are in place, as required by GDPR Chapter V:
- We rely on the European Commission’s Standard Contractual Clauses (SCCs) as the primary mechanism. For instance, our agreements with Stripe and Google include SCCs, committing them to protect EU data to European standards. Following the Schrems II decision, we have reviewed the supplementary measures these transfers need, such as encryption in transit and at rest.
- Some of our providers (such as Google and possibly Stripe) have also certified under frameworks like the EU-U.S. Data Privacy Framework or similar schemes, where applicable. (Stripe participated in the earlier Privacy Shield, which Schrems II invalidated, and we expect it to maintain certification under its successor frameworks.)
- Data Localization: Where feasible, we choose EU data centers. For example, Crisp stores data in Europe, so chat data stays in EU. We aim to keep hosting and primary storage in the EU.
- If none of the above apply, we would ask for your explicit consent for the transfer in specific cases, or rely on another Article 49 derogation (e.g., where the transfer is necessary to perform our contract with you, such as sending your data back to you if you are outside the EU).
We regularly monitor updates in international data transfer regulations. If a service doesn’t meet EU requirements, we will seek alternatives or ensure risk mitigations. You can contact us for more information about specific transfer safeguards for your data.
8. Your Rights and Choices
If you are in the EU/EEA or other jurisdictions with similar privacy laws, you have certain rights regarding your personal data. Webless is committed to honoring these rights. Below is a summary of your data subject rights and how to exercise them:
- Right to Be Informed: You have the right to be provided with clear, transparent information about how your data is used. We fulfill this through this Privacy Policy and by answering any questions you send us.
- Right of Access: You can request a copy of the personal data we hold about you, as well as supplementary information (like the purposes of processing, categories of data, etc., much of which is in this policy). This is commonly known as a “Data Subject Access Request.” We will provide you with a copy of your data, usually in electronic form, subject to some exceptions (e.g., we might not include confidential business information or others’ data). For additional copies, we may charge a reasonable fee if allowed by law.
- Right to Rectification: If any personal data we have is inaccurate or incomplete, you have the right to have it corrected. For instance, if your name is misspelled in our records or you changed your contact info, please let us know and we will update it. Many basic profile details you can also correct yourself by logging in to your account settings (if applicable).
- Right to Erasure: Also known as the “Right to be Forgotten.” You can ask us to delete or remove your personal data in certain circumstances. This right is not absolute – for example, we cannot delete data we are required to keep by law (like transaction records), or when we have overriding legitimate grounds (like preventing fraud or resolving disputes). But we will honor deletion requests for data that’s no longer necessary for purpose or where you withdraw consent (and no other basis applies), etc. If you close your account or withdraw consent, we will delete applicable data, except for that which we must retain.
- Right to Restrict Processing: You can request that we limit processing of your data in specific situations. For instance, if you contest the accuracy of your data, you can ask us to pause processing (aside from storage) until we verify or correct it. Or if you object to processing (see below) and we are considering that objection. Another example: if you want to erase data but need it kept for a legal claim, we can restrict processing instead of full deletion at your request.
- Right to Data Portability: For data you provided to us and that we process by automated means on the basis of consent or contract, you have the right to obtain it in a structured, commonly used, machine-readable format, and to have it transmitted to another controller where technically feasible. In practice, this could apply to things like your profile information; the credentials you gave us are better re-entered at the new provider than exported, for security reasons. We will provide portable data where applicable in CSV or a similar format.
- Right to Object: You have the right to object to certain processing activities on grounds relating to your particular situation. Specifically, you can object at any time to processing of your personal data which is based on legitimate interests (Art. 6(1)(f) GDPR), including profiling based on those interests. If you object, we must stop that processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is for the establishment or defense of legal claims. For example, if you object to our use of your data for analytics or direct marketing, we will stop. Right to object to direct marketing: This is absolute – if you object to or opt-out from marketing communications, we will cease marketing to you. You can opt out of emails by clicking unsubscribe or by contacting us.
- Right not to be subject to Automated Decisions: We do not do automated decision-making producing legal or similarly significant effects without human involvement. If we ever did, you’d have the right to not be subject to such decision unless certain conditions are met (like you gave consent).
- Right to Withdraw Consent: If we rely on consent for any processing, you have the right to withdraw that consent at any time. For instance, if you consented to our newsletter, you can unsubscribe (withdraw consent) and we will stop sending. Withdrawing consent doesn’t affect the lawfulness of processing done before the withdrawal.
- Right to Complain to a Supervisory Authority: If you believe your data protection rights have been violated, you have the right to lodge a complaint with a data protection supervisory authority in your country. For example, if you are in Lithuania, you can contact the State Data Protection Inspectorate (VDAI) at ada@ada.lt or by phone +370-5-2791445. If you’re in another EU country, you can find the contacts for your authority via the European Data Protection Board website. We would, however, appreciate the chance to address your concerns directly before you approach a regulator, so please consider reaching out to us first.
How to Exercise Your Rights: You can exercise any of your rights by contacting us at legal@webless.co. Please clearly state what you are requesting (e.g., “I want a copy of my data” or “Please delete my account data except invoice records”). We may need to verify your identity before acting on certain requests (to ensure we don’t give your data to an imposter). For example, we might ask you to confirm from the email address associated with your account or provide certain info that only you would know.
We will respond to your request within one month of receipt, or inform you if we need more time (up to an additional two months for complex requests, as allowed by GDPR). There is generally no fee for exercising rights, but if requests are manifestly unfounded or excessive (e.g., repetitive), we may charge a reasonable fee or refuse, as permitted by law.
Note: Some rights may not apply depending on your jurisdiction. For instance, GDPR rights apply to individuals in the EU/EEA; similar rights exist in the UK, and other regions like California have their own (e.g., access and deletion under the CCPA). We aim to extend core rights to all users where feasible, but our legal obligations might differ. California residents, for example, can request a notice of what categories of personal information we share with third parties for their direct marketing (though we do not share data for that purpose). If you are in California or another region with specific laws (like Brazil’s LGPD), contact us and we will address your rights in line with applicable law.
9. Security Measures
We employ a variety of security measures to protect your personal data from unauthorized access, disclosure, alteration, and destruction. We take the security of data seriously, especially given the sensitive nature of credentials clients entrust to us.
Our security practices include:
- Encryption: Our website and dashboard use HTTPS with TLS so that data transmitted between your browser and our servers is encrypted in transit. Sensitive information is also protected at rest. Account passwords are hashed rather than encrypted (we do not store plaintext passwords, and a hash cannot be reversed to recover one). Stored website credentials (like your WP admin password) must remain usable by us, so for those we use database encryption or at least secure obfuscation. Sensitive fields in our database are protected such that even if the database were compromised, an attacker could not easily retrieve plain credentials.
- Access Controls: Internally, we restrict access to personal data only to those who need it. Our team members and contractors have unique logins and are required to use strong passwords. Wherever feasible, we use two-factor authentication (2FA) for administrative access (for instance, to server control panels, cloud services, etc.). We maintain different access levels – e.g., not all staff can access the full database or full list of client credentials. Developers working on your site get the credentials relevant to that site and are bound by confidentiality.
- Secure Storage: The databases and servers we use are secured by firewalls and regularly updated. We choose reputable hosting with strong physical and network security. We apply security patches and updates to our software dependencies regularly to mitigate vulnerabilities.
- Monitoring and Logging: We log admin access and significant actions in our systems. Suspicious activities (multiple failed logins, unusual IP access) are monitored. We employ security tools to detect malware or unauthorized access on our systems. If any anomaly is detected (like a possible intrusion), our team is alerted for investigation.
- Testing: We periodically review our code and systems for security issues. This may include vulnerability scanning of our website or employing third-party security audits. We also harden the WordPress sites we maintain by recommending security plugins or best practices to our clients.
- Confidentiality Training: All Webless personnel (and contractors) are trained to handle personal data securely and are under contractual obligations to maintain confidentiality. We instruct them on safe practices, such as never sharing credentials over insecure channels and avoiding storing client info on personal devices without encryption.
- Backup and Recovery: We keep backups (as mentioned) but those backups are secured (encrypted if containing personal data). We also have incident response plans. For example, if a data breach were to occur despite our safeguards, we have a procedure to contain it, assess scope, notify affected parties and authorities as required, and remediate.
- No Absolute Guarantee: While we strive to protect your data, no method of transmission over the Internet or of electronic storage is 100% secure, so we cannot guarantee absolute security, and your transmission of data to us is at your own risk. Email in particular is not secure end-to-end and can be intercepted, so please do not send extremely sensitive information by email; use our secure form or dashboard to submit credentials whenever possible. Once we receive your data, we apply the standards described above to keep it safe.
- Your Role: Security is a partnership. You also play a role in safeguarding data. We urge you to use strong, unique passwords for your account with us and for the credentials you give us. If we set a temporary password for something, change it afterwards. Don’t share your account password with others. Also, be aware of phishing – Webless will not ask you for your password via email. If you suspect any unauthorized access to your data or account, contact us immediately so we can help secure it.
In the event of a personal data breach, we will follow applicable law in notifying you and the authorities. Under the GDPR this means notifying the competent supervisory authority within 72 hours of becoming aware of the breach unless it is unlikely to result in a risk to individuals, and, if the breach is likely to result in a high risk to your rights and freedoms, informing you without undue delay with details of the breach and the mitigation steps.
10. Third-Party Links and Services
Our website or communications may contain links to third-party websites or integrate third-party services which we do not control. This Privacy Policy applies only to Webless’s collection and processing of your data. If you click a link to an external site or service, or engage with third-party content, their privacy policies and terms will apply to any data you provide to them.
For example:
- If our blog links to an article on another site, and you follow it, any data that site collects about you is governed by its own privacy practices.
- If we offer a social media login or you click “share” to Facebook/Twitter from our site, those interactions are with the third-party platform, not us.
- If we embed a YouTube tutorial video on our site, YouTube/Google may collect data from that embed (like viewing activity, or set cookies) – that’s under Google’s policies.
- Our payment checkout is essentially on Stripe’s domain (pay.webless.co is a Stripe-hosted page); Stripe’s privacy notice is presented there and they handle the info you submit.
- Crisp chat is embedded but if you wanted to read Crisp’s own privacy notice, they have one published (we link to it in the chat if needed).
We are not responsible for the privacy, security, or practices of these outside entities. We encourage you to review the privacy policies of any third-party sites or services you visit or use.
For clarity, if you provide personal information to any third party via our site (for example, signing up for an offer from a partner through a frame on our site), that information is handled according to that third party’s policy. We might receive some info back from them (if it’s meant for us to deliver a service), which then becomes subject to this Privacy Policy.
Third-party services we integrate (like those listed in Section 5.1) are acting on our behalf in context of our service to you. But if you go use them independently (like if you sign up for a Crisp account as a user, or pay Stripe directly), that’s outside our scope.
In short: please exercise caution when following links or using external services. We aim to only partner with reputable parties, but we can’t guarantee how they handle your data. If you find any external link on our site that you believe is problematic or leads to questionable practices, let us know and we will consider removing it.
11. Children’s Privacy
Our website and Services are not directed to children under the age of 18, and we do not knowingly collect personal data from anyone under 18. If you are under 18, please do not use our services or provide any personal information to us (you may browse informational parts of our site, but should not attempt to sign up or send personal info).
We understand and comply with laws like COPPA (in the US) and the GDPR’s provisions on children’s data. We do not intentionally solicit or process data of minors. Our services (WordPress maintenance, etc.) are business-oriented and require entering into a contract, so they are intended for adults; a minor who has reached the age of digital consent should only use them with parental involvement.
If we discover that we have unintentionally collected personal data from a child under 18, we will delete that data as soon as possible. For example, if a 16-year-old somehow signed up and provided info, once we realize that, we will cancel the account and remove the data. If you believe we might have any information from or about a minor under 18, please contact us promptly.
Parents or guardians: If you become aware that a child under your care has provided us with information, contact us at legal@webless.co. We will work with you to remove any such data and cease any further collection from that child.
12. Updates to This Privacy Policy
We may update this Privacy Policy from time to time in response to changing legal, technical, or business developments. When we update our Policy, we will take appropriate measures to inform you, consistent with the significance of the changes made:
- Minor changes (e.g., clarifications, grammar fixes, or updates that do not materially affect your rights) may be posted without specific notice, other than updating the “Last Updated” date at the top.
- For significant changes (e.g., if we start processing data for new purposes, or implement new data sharing that you should know about), we will provide a more prominent notice. This may include posting a notice on our homepage, dashboard, or sending you an email notification, prior to the change becoming effective, if required by law.
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. If we have your email on file, we may also send a summary of changes.
Any changes will be effective when posted, unless stated otherwise. If you continue to use our website or services after the updated Policy takes effect, it means you accept the revised Privacy Policy. If you do not agree with the changes, you should stop using our services and can request that we delete your data (as per Section 8).
For historical reference, we will keep prior versions of the Privacy Policy (and Terms) archived, and you can request a copy if needed to see what has changed.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please do not hesitate to contact us:
- Email: legal@webless.co
- Postal Mail: Webless, MB – Privacy Inquiry, Perkūnkiemio g. 19, LT-12120 Vilnius, Lithuania
- Website: You can also reach out via our contact form or live chat on https://webless.co (though for formal privacy requests, email is preferred so we can authenticate and track the request).
We will address your inquiry as soon as possible, and at most within the timeframes provided by applicable law. Your trust is important to us, and we are committed to resolving any privacy-related issues in a fair and transparent manner.