Skip to main content
InfinitePlugins
TermsPrivacyRefund

Privacy Policy

Effective April 2026

We collect the minimum data needed to run the Service. No ad networks, no tracking pixels, no data brokers. This policy explains what we do keep, why, and how to exercise your rights under the GDPR.

1. What we collect

When you browse

  • Standard web-server logs (IP, user-agent, URL, timestamp) — kept 30 days.
  • Essential cookies for session state. No third-party tracking cookies. We don't run analytics of any kind.

When you create an account

  • Your email address and a salted + hashed password (scrypt; we never see your plaintext password).
  • Your account creation date + last-login timestamps.

When you purchase

  • The plugin you bought, the amount paid, and the billing email — stored so your downloads stay available.
  • Card details are never on our servers. Stripe processes payment and returns an opaque reference we store.

2. What we don't collect

No browsing history across sites. No social-login profiles. No marketing-opt-in demographics. No location data beyond your IP's approximate region (from server logs).

3. Cookies

We use exactly these cookies:

  • ip_user_session — your signed-in user session. Essential.
  • ip_admin_session — signed-in admin session (admin staff only).
  • ip_cookie_ack — remembers that you saw the cookie notice.

All are httpOnly + SameSite=Lax + Secure (on HTTPS). No third-party cookies are set from our domain.

4. Third parties

We share data only with processors essential to running the Service:

  • Stripe — payment processing. Their privacy policy: stripe.com/privacy.
  • Transactional email provider — for sending password-reset, verification, and order-receipt emails. They receive only the recipient address and email body.
  • Hosting infrastructure — standard cloud hosting, inside the EU where feasible.

We don't sell or rent your data. We don't allow third parties to use it for their own marketing.

5. Legal basis for processing (GDPR Art 6)

  • Contract — account creation, order processing, download delivery, receipts. Processing is necessary to perform the contract you entered when you signed up or purchased.
  • Legal obligation — retention of invoice/order records (10 years) and VAT records under EU/national tax law.
  • Legitimate interests — rate limiting, abuse detection, security audit logs, per-customer download watermarking (to detect license violations). We balance these against your privacy by minimising what we log and hashing identifiers where feasible.

We do not rely on consent for any core processing. You are therefore not asked to agree to any cookie or tracking banner — we only set cookies strictly necessary to operate the Service.

6. Your rights (GDPR)

If you're in the EU, EEA, UK, or Switzerland, you have the right to:

  • Access the data we hold about you.
  • Rectify inaccurate data.
  • Erase your account and associated data ("right to be forgotten").
  • Export your data in a portable format.
  • Object to specific uses or restrict processing.
  • Lodge a complaint with your national data protection authority. For the operator of this Service (based in the EU), the lead supervisory authority is [TO-BE-FILLED: e.g. Datenschutzkonferenz / your national DPA].

Email privacy@infiniteplugins.com from the address on your account. We reply within 30 days. If you've lost access to that email address, contact support — recovery requires manual identity verification.

Automated decision-making: we do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you. Fraud scoring happens at the Stripe layer for payment authorisation only; see their privacy policy for details.

Data Protection Officer: our processing does not meet the Art 37 thresholds that require appointing a DPO. Your privacy contact is the controller above.

5a. International transfers

We prefer processors based in the EU/EEA. Where a processor operates outside (for example, Stripe processes some data in the US), transfers rely on EU Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework. We review processor safeguards at least annually.

7. Data retention

  • Account data: until you delete your account, or 3 years of inactivity.
  • Order records: 10 years (required for tax/accounting).
  • Web-server logs: 30 days.
  • Audit log of admin actions: 2 years.

8. Security

Passwords hashed with scrypt. Sessions rotated on password change. Rate limits + account lockout on authentication. Full HTTPS with HSTS. No plaintext passwords are ever stored or transmitted to us.

9. Changes

We'll email account holders about material changes at least 14 days before they apply. The effective date above is updated when the policy changes.

10. Contact (controller)

Controller: [TO-BE-FILLED: legal entity name], [TO-BE-FILLED: registered address], [TO-BE-FILLED: country]. Operating under the trading name "InfinitePlugins".

Privacy contact: privacy@infiniteplugins.com

Before launch, replace the [TO-BE-FILLED] placeholders with your registered legal entity name, address, and lead supervisory authority. These are required disclosures under GDPR Article 13.

© 2026 InfinitePlugins. Made in Europe. Home · Plugins
Privacy Policy — InfinitePlugins