This Privacy Policy describes how Nguyen Thanh Duc, a sole proprietor based in Hanoi, Vietnam (referred to as "we", "us", or "Mostify"), collects, uses, and protects your personal information when you use our website at wpmostify.com and the Mostify Pro WordPress plugin (collectively, the "Services").
We are committed to protecting your privacy and complying with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), regardless of our location.
By using our Services, you agree to the collection and use of information in accordance with this policy.
1. Information We Collect
1.1 Information you provide
When you create an account or make a purchase, we collect:
- Account information — name, email address, and a password (stored as a salted bcrypt hash, never in plaintext).
- Payment information — handled entirely by Gumroad, our payment processor. We never see or store your full credit card details. We receive only a transaction ID, the email you used at checkout, and the plan you purchased.
- Communications — when you contact us via email or open a support ticket, we keep records of your messages and our replies.
1.2 Information collected automatically
- License + domain registrations — when you activate Mostify Pro on a WordPress site, we record the domain name, your IP address (used for rate-limiting and abuse detection), and the plugin version.
- Server logs — standard web server logs include IP addresses, user agents, and request timestamps. Retained for 30 days for security and debugging.
- Cookies — see Section 6 below.
1.3 Information from the Mostify Pro plugin
The plugin itself, when installed on your WordPress site, tracks page views and engagement metrics on your site. This data is stored in your own database — not on our servers. We never receive site-visitor information.
The plugin only contacts our servers for license verification (we receive your license code, the domain it's installed on, and the plugin version) — never visitor data from your site.
2. How We Use Your Information
We use your information to:
- Provide, operate, and maintain the Services
- Process transactions and deliver license codes
- Verify license validity and enforce domain limits
- Send transactional emails (license delivery, magic-login, support replies, billing notices)
- Respond to your support requests
- Comply with legal obligations (tax records, anti-fraud)
- Detect and prevent abuse, fraud, and security incidents
- Improve our Services through aggregated, non-identifiable analysis
We do NOT: use your data for marketing emails to non-customers without consent; sell or share data with third parties for their marketing; or perform automated decision-making with significant effects on you.
3. Legal Basis for Processing (GDPR)
For users in the European Economic Area, we process your data on these legal grounds:
- Performance of a contract — to deliver the licensed plugin and updates
- Legitimate interests — fraud prevention, security, service improvement
- Legal obligations — tax record-keeping, responding to lawful requests
- Consent — for any non-essential cookies (you can withdraw at any time)
4. How We Share Your Information
We share information with these third parties strictly for service delivery:
| Recipient | Purpose | Data shared | Location |
|---|---|---|---|
| Gumroad | Payment processing + subscription management | Email, name, payment info | USA |
| Email provider (SMTP) | Transactional emails | Email address + email content | Varies (e.g., Mailgun) |
| Hosting provider | Server infrastructure | All Service data | Vietnam / Asia |
We do not sell your personal information to anyone, ever.
We may disclose information if required by law (court order, lawful request, etc.) or to protect our rights, your safety, or to prevent fraud.
5. International Data Transfers
We are based in Vietnam. Some service providers (Gumroad, possibly email or hosting providers) operate from other jurisdictions including the United States and the European Union.
For users in the EEA: where data leaves the EEA, we rely on Standard Contractual Clauses (SCCs) with our processors and on each processor's own GDPR compliance frameworks (Gumroad is GDPR-compliant).
For users in California: we treat your data subject to CCPA standards regardless of where it is processed.
6. Cookies
We currently use only essential cookies required to operate the Services:
- Session cookie (mostify_session) — keeps you signed in; expires when you close the browser or after 24 hours of inactivity.
- CSRF token cookie (XSRF-TOKEN) — protects against cross-site request forgery; expires with the session.
- Cookie-consent record (stored in your browser's localStorage as mostify_cookie_consent_v1) — remembers that you've seen the cookie banner.
We do not use:
- Analytics cookies (Google Analytics, Plausible, etc.)
- Marketing or advertising cookies
- Tracking pixels (Facebook Pixel, etc.)
- Third-party advertising cookies
If we ever introduce non-essential cookies, we will update this policy and prompt for fresh consent.
You can disable cookies in your browser settings, but the Services may not function correctly without the essential ones above.
7. Data Retention
We retain your data only as long as necessary:
| Data type | Retention period |
|---|---|
| Active account data | While your account is active + 30 days after a deletion request |
| License + subscription records | 7 years (required for tax compliance) |
| Support tickets | 2 years after closure |
| Server logs | 30 days |
| Webhook + audit logs | 90 days |
After retention periods expire, data is permanently deleted or anonymized.
8. Your Rights
You have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion of your data ("right to be forgotten")
- Restriction — limit how we process your data
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interests
- Withdraw consent — at any time, where processing is consent-based
EU residents (GDPR): you can lodge a complaint with your local data protection authority.
California residents (CCPA): you have the right to know what personal information we collect, the right to delete it, and the right to opt out of sale (we do not sell, so this is automatic).
To exercise any of these rights, email us at ducntnz@gmail.com with the subject "Privacy Request: [your request]". We will respond within 30 days.
9. Security
We implement reasonable security measures:
- Passwords are hashed with bcrypt (industry standard)
- All data transmitted over HTTPS (TLS 1.2+)
- Database access restricted to authorized personnel
- Regular security audits of dependencies and code
No method of transmission over the internet is 100% secure. We strive to protect your data but cannot guarantee absolute security.
10. Children's Privacy
Our Services are not directed to anyone under 18. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us at ducntnz@gmail.com and we will delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent version. Material changes will be communicated via email or a prominent website notice.
Continued use of the Services after changes constitutes acceptance of the updated policy.
12. Contact Us
For questions about this Privacy Policy or to exercise your rights:
Email: ducntnz@gmail.com
Address: Nguyen Thanh Duc, Hanoi, Vietnam
We aim to respond to all inquiries within 30 days.