What this policy covers
PluginAudit ("we," "us," "our") operates pluginaudit.io and provides a WordPress plugin vulnerability scanning service. This policy describes what information we collect from site visitors, scan users, subscribers, and businesses we contact via outreach, how we use that information, and the rights you have regarding it.
From scan users
When you run a free scan on PluginAudit, we collect:
- The URL you submit for scanning
- Your IP address for rate limiting purposes (5 scans per day per IP)
- Basic analytics events: page views, scan initiated, scan completed
Free scans do not require an account, email address, or any personal information.
From subscribers
When you purchase a PluginAudit monitoring subscription, we collect:
- Email address (for scan alerts and account communication)
- Payment information — collected and stored exclusively by Stripe; PluginAudit never sees, stores, or handles your card number
- Subscription metadata: signup date, plan type, and billing status
From cold outreach recipients
PluginAudit may contact WordPress agencies and freelancers using business contact information obtained through Apollo.io, a third-party business data provider. This includes business names, contact names, job titles, and business email addresses. We do not purchase consumer contact lists.
If you receive an outreach email from us and have not subscribed, the only information we hold about you is what was obtained at the time of contact. You may opt out at any time by clicking the unsubscribe link in any email or by replying with "unsubscribe." Upon opt-out, your email is moved to a suppression list and you will not be contacted again.
Automatically collected information
We run a lightweight custom analytics system that records page views, scan events, and checkout clicks. We do not use Google Analytics, Facebook Pixel, or any third-party tracking scripts. Netlify, which hosts our pages, may collect standard server logs including IP addresses for security purposes.
Scan and subscriber data is used only to
- Perform the vulnerability scan you requested and generate your report
- Enforce rate limits to prevent abuse
- Process, manage, and renew your subscription through Stripe
- Send scan alert emails to monitoring subscribers
- Respond to support requests you initiate
- Notify you of material changes to the service or these policies
Our commercial email practices
All commercial emails sent by PluginAudit comply with the federal CAN-SPAM Act. Every outreach email includes:
- Clear identification of PluginAudit as the sender
- An honest, non-deceptive subject line
- A functioning unsubscribe mechanism
- A contact email address for opt-out requests
Unsubscribe requests are honored within 10 business days. To opt out of all PluginAudit communications at any time, click the unsubscribe link in any email or contact scan@pluginaudit.io.
Who processes data on our behalf
We work with the following providers to operate the service. Each processes data only to the extent necessary to fulfill their function:
- Stripe — payment processing and subscription billing. Privacy Policy
- SendGrid (Twilio) — email delivery for outreach and alerts. Privacy Policy
- Railway — backend server infrastructure. Privacy Policy
- Netlify — static page hosting. Privacy Policy
- WPScan — vulnerability database for plugin security data. Privacy Policy
- Apollo.io — business contact enrichment for outreach. Privacy Policy
We do not authorize any of these providers to use your personal information for their own marketing or advertising purposes.
What we scan and how
When you submit a URL for scanning, PluginAudit sends HTTP requests to the publicly accessible pages of that website to detect installed WordPress plugins and their versions. This is the same information visible to any visitor of the website.
We match detected plugins against a database of known vulnerabilities (CVEs) to generate your security report. Scan results are stored to generate shareable report URLs. We do not access password-protected areas, admin panels, databases, or any non-public resources on the scanned site.
If you are the owner of a site that has been scanned and wish to have the scan results removed, contact scan@pluginaudit.io and we will delete the report within 5 business days.
What cookies we use and why
PluginAudit does not set first-party advertising or tracking cookies. Two types of third-party cookies may be set:
- Stripe.js cookies — set during checkout to enable fraud detection and secure payment sessions. These are strictly functional.
- Netlify operational cookies — short-lived session identifiers used for load balancing and security. These do not track you across other sites.
No cookies are set by simply using the free scanner or reading informational content on pluginaudit.io.
How long we keep your data
Free scan results are retained for 90 days to support shareable report URLs, after which they are deleted.
Active subscriber records are retained for the life of your subscription. After cancellation, billing records are retained for up to 90 days for reconciliation purposes, after which personal information is deleted.
Rate-limiting IP data is retained for 24 hours and then discarded.
Opt-out suppression records containing only an email address and opt-out date are retained indefinitely to prevent re-contact. This is required for CAN-SPAM compliance.
This service is not for minors
PluginAudit is a B2B service directed at business professionals. We do not knowingly collect personal information from anyone under the age of 13. If we discover we have inadvertently received such information, we will delete it promptly. Contact scan@pluginaudit.io if you believe this has occurred.
Requests you can make at any time
- Access — request a copy of the personal data we hold about you
- Correction — request that inaccurate information be corrected
- Deletion — request deletion of your data, including scan reports
- Opt-out — opt out of outreach emails at any time
Submit requests to scan@pluginaudit.io. We respond within 5 business days.
If PluginAudit is acquired or sold
If PluginAudit undergoes a merger, acquisition, or asset sale, user information may be transferred to the acquiring entity. We will use commercially reasonable efforts to require the acquiring entity to honor this policy. If a material change in data handling would result, we will notify active subscribers by email prior to the change taking effect.
How updates are handled
We may update this Privacy Policy from time to time. The date at the top of this page reflects the most recent revision. For material changes, active subscribers will be notified by email at least 14 days before the changes take effect.