Effective Date: 20 February 2026  |  Last Updated: 20 February 2026


Contents

  1. Introduction
  2. Definitions
  3. What We Actually Process
  4. What We Do Not Process
  5. Legal Basis and Roles
  6. Your Obligations as Controller
  7. Our Obligations as Processor
  8. Sub-Processors
  9. International Data Transfers
  10. Security Measures
  11. Data Breach Notification
  12. Data Subject Rights
  13. Audit Rights
  14. Data Retention and Deletion
  15. Liability
  16. Governing Law
  17. Contact Us

1. Introduction

This Data Processing Agreement (“DPA”) forms part of the Terms and Conditions (the “Agreement”) between:

  • You (the “Controller”) – the website owner who purchases, installs, and operates the Easy Social Proof Pro plugin on your WordPress website(s); and
  • Easy Social Proof (the “Processor”, “we”, “us”, “our”) – the UK-based developer and operator of the Easy Social Proof Pro plugin and the easysocialproof.io website.

This DPA sets out the terms on which we process personal data in connection with your use of the Easy Social Proof Pro plugin. It is designed to ensure compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the EU General Data Protection Regulation (EU GDPR – Regulation 2016/679), and any other applicable data protection legislation.

By purchasing, installing, or using the Easy Social Proof Pro plugin, you agree to the terms of this DPA. If there is any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of personal data.

2. Definitions

In this DPA, the following terms have the meanings set out below. Any terms not defined here shall have the meaning given to them in the UK GDPR or EU GDPR.

  • “Personal Data” means any information relating to an identified or identifiable natural person that we process in connection with the Plugin.
  • “Processing” means any operation performed on Personal Data, including collection, storage, retrieval, use, and erasure.
  • “Data Subject” means an identified or identifiable natural person whose Personal Data is processed.
  • “Sub-Processor” means any third party engaged by us to process Personal Data on your behalf.
  • “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.
  • “Plugin” means the Easy Social Proof Pro WordPress plugin.

3. What We Actually Process

We are committed to the principle of data minimisation (Article 5(1)(c) of the GDPR). We only process personal data that is strictly necessary for the operation of the Plugin and do not collect or store any data beyond what is required for licence validation, avatar delivery, and subscription management. All social proof notification data remains entirely within your own WordPress database and never reaches our servers.

The only data we process is:

3.1 Licence Validation and Plugin Updates

The Plugin periodically communicates with our server to validate your licence and check for updates. During this process, our server receives:

  • Your licence key.
  • The URL of the WordPress site where the Plugin is installed.
  • The IP address of the server making the request (inherent to any HTTP communication, not actively collected by us beyond standard server logs).

This data is used solely to verify that your licence is valid and to deliver Plugin updates. No other data is transmitted during this process.

3.2 AI-Generated Avatar Delivery

The Plugin can serve AI-generated avatar images from our server. These avatars depict fictional people created by artificial intelligence — they are not photographs of real individuals and contain no personal data. When your site, or a visitor’s browser loading a page on your site, requests an avatar image, our server receives:

  • The URL of the requesting page (via the HTTP Referer header, to the extent your site’s referrer policy sends it).
  • The IP address of the server or visitor’s browser making the request (inherent to HTTP communication; note that a visitor’s IP address can itself be personal data).

No personal data is contained in the avatar images themselves.

3.3 Account, Licence, and Subscription Management

When you purchase the Plugin, your account is created through WordPress core, not by our Plugin. We do not collect your email address or password — WordPress does. Our Plugin reads your user_email from your existing WordPress account to identify you. No separate name is collected; the display name used by the Plugin is your email address.

Data we store directly:

  • Your licence key and activated site URL(s).
  • Payment provider identifiers: Stripe customer ID, Stripe subscription ID, and/or PayPal subscription ID. These are reference codes used to link your account to your payment provider — they do not contain your name, card number, or billing address.
  • Subscription metadata: chosen tier, payment provider name (Stripe or PayPal), subscription status (active, cancelled, expired, past due, trialing), billing period start and end dates, and cancellation timestamps.

Data we read but do not collect:

  • Your email address (read from your existing WordPress user account, collected and stored by WordPress core).

Data we do not collect or store:

  • First name, last name, phone number, billing address, or any other personal information beyond what is listed above.
  • Passwords (handled entirely by WordPress core).
  • Full payment card details (handled entirely by Stripe or PayPal — we never see or store card numbers).

The subscription metadata listed above (tier, status, dates, flags) is service data that does not identify you on its own. It only constitutes personal data when combined with the identifiers listed above (email, payment provider IDs).

4. What We Do Not Process

This is important: All social proof notification data — including your customers’ names, locations, purchase details, and any other personal data displayed in notifications — is stored entirely within your own WordPress database on your own server. This data is never transmitted to, received by, stored on, or accessible by our servers.

Specifically, we do not receive, process, or store:

  • Names, email addresses, or any personal details of your website visitors or customers.
  • Purchase or transaction data from your WooCommerce store or any other source on your site.
  • Location or geographic data of your website visitors or customers.
  • Browsing behaviour, cookies, or tracking data from your website visitors.
  • Any special category data (e.g. health, religion, ethnicity, political opinions) as defined in Article 9 of the GDPR.

The Plugin reads data from your WordPress database locally on your server to generate social proof notifications. That data never leaves your hosting environment through the Plugin. The only requests the Plugin or your visitors’ browsers make to our servers are the licence checks and avatar image requests described in Section 3; these carry the site URL, the requesting IP address and (for avatars) the Referer header noted there, and no notification content.

5. Legal Basis and Roles

5.1 Our Role

For the limited data described in Section 3, we act as a data processor on your behalf (for licence validation and avatar serving) and as a data controller in our own right for account and billing purposes.

5.2 Your Role

You are the data controller for all personal data processed by the Plugin on your WordPress website, including any personal data displayed in social proof notifications. You are solely responsible for ensuring that your use of the Plugin complies with applicable data protection law.

5.3 Lawful Bases

Processing activity and lawful basis:

  • Licence validation and plugin updates (licence key, site URL, IP address) – Lawful basis: contract performance (Art. 6(1)(b)), necessary to deliver and maintain the Plugin service you purchased.
  • Avatar image delivery (site URL, IP address via HTTP) – Lawful basis: contract performance (Art. 6(1)(b)), necessary to deliver a feature of the Plugin you purchased.
  • Account and subscription management (licence key, site URLs, payment provider IDs, subscription metadata) – Lawful basis: contract performance (Art. 6(1)(b)), necessary to manage your licence, process your subscription, and communicate with you about your purchase.

6. Your Obligations as Controller

As the data controller for personal data processed by the Plugin on your website, you are responsible for:

  • Ensuring that you have a valid lawful basis for collecting and displaying any personal data in social proof notifications on your website (e.g. customer names, locations, purchase details).
  • Updating your own website’s privacy policy to disclose the use of social proof notifications and explain how visitor/customer data is used.
  • Ensuring that any personal data displayed in notifications complies with all applicable data protection laws, including the GDPR, ePrivacy regulations, and any consumer protection or advertising standards laws in your jurisdiction.
  • Configuring the Plugin’s anonymisation and display settings appropriately to minimise unnecessary exposure of personal data.
  • Responding to data subject access requests and other rights requests from your own website visitors and customers — this is your responsibility as controller, as we do not hold this data.

7. Our Obligations as Processor

For the limited processing described in Section 3, we undertake to:

  • Process Personal Data only for the purposes of licence validation, avatar delivery, and subscription and account management as described in this DPA.
  • Not use Personal Data for any purpose other than providing and supporting the Plugin.
  • Ensure that all personnel with access to Personal Data are bound by confidentiality obligations.
  • Implement and maintain appropriate technical and organisational security measures as set out in Section 10.
  • Notify you without undue delay in the event of a Personal Data Breach, as set out in Section 11.
  • Assist you in responding to data subject requests to the extent the request relates to data we hold (i.e. licence and account data only).
  • Delete or return Personal Data upon termination of the Agreement, as set out in Section 14.
  • Not engage Sub-Processors without appropriate safeguards, as set out in Section 8.
  • Immediately inform you if we believe an instruction from you would infringe applicable data protection law.

8. Sub-Processors

8.1 Authorisation

You provide us with general written authorisation to engage Sub-Processors for the limited processing activities described in this DPA. We ensure that any Sub-Processor is bound by data protection obligations no less protective than those in this DPA.

8.2 Current Sub-Processors

Sub-Processor, purpose and location:

  • Hosting provider (see Website for current details) – Purpose: server hosting for the licence validation API and avatar image delivery. Location: as disclosed on our Website.
  • Stripe, Inc. – Purpose: payment processing for Plugin purchases and renewals. Location: United States.
  • PayPal Holdings, Inc. – Purpose: payment processing for Plugin purchases and renewals. Location: United States.
  • Email service provider (see Website for current details) – Purpose: transactional email delivery (receipts, licence keys, renewal notices). Location: as disclosed on our Website.

8.3 Changes to Sub-Processors

We will update the sub-processor list on this page and provide at least 14 days’ notice before engaging a new Sub-Processor. If you have a reasonable objection on data protection grounds, notify us in writing within 14 days. We will work in good faith to resolve the concern. If no resolution is reached, you may terminate the Agreement without penalty.

9. International Data Transfers

Where Personal Data is transferred outside the UK or EEA (e.g. payment processing via Stripe in the United States), we ensure appropriate safeguards are in place, including:

  • Adequacy decisions by the UK Secretary of State or the European Commission.
  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • The UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs, where applicable.

You may request a copy of the relevant transfer safeguards by contacting privacy@easysocialproof.io.

10. Security Measures

Given the limited and low-risk nature of the data we process, we implement the following appropriate security measures:

  • Encryption of all data in transit using TLS (HTTPS) for licence validation requests and avatar delivery.
  • Encryption of stored account data at rest where technically appropriate.
  • Regular security updates and patching of server software.
  • Access to account and licence data restricted to authorised personnel only.
  • Secure authentication for administrative access to our systems.
  • Regular encrypted backups.
  • Secure password hashing for any stored credentials.

We periodically review these measures to ensure they remain appropriate to the nature and volume of data processed.

11. Data Breach Notification

In the event of a Personal Data Breach affecting data we process on your behalf, we will:

  • Notify you by email without undue delay and in any event within 72 hours of becoming aware of the breach.
  • Provide a description of the nature of the breach, the data affected, the likely consequences, and the measures taken or proposed to address it.
  • Cooperate with you and provide reasonable assistance to help you meet your own breach notification obligations under Articles 33 and 34 of the GDPR.
  • Maintain a record of all breaches, including the facts, effects, and remedial action taken.

Given the limited data we process (licence keys, site URLs, payment provider identifiers, and subscription metadata), the risk of a breach involving sensitive personal data is low. However, we take our notification obligations seriously regardless.

12. Data Subject Rights

If we receive a data subject request relating to data we process on your behalf, we will promptly forward it to you and will not respond directly unless you instruct us to or we are legally required to do so.

We will assist you in responding to requests to the extent they relate to data we hold, specifically:

  • Access and portability: We can provide the licence key, site URLs, payment provider identifiers (Stripe/PayPal IDs), and subscription metadata we hold for any given account. Your email address is stored by WordPress core, not by us.
  • Rectification: We can correct account details upon your instruction.
  • Erasure: We can delete account and licence data upon your instruction, subject to any legal retention requirements.

Important: Any data subject requests relating to personal data displayed in social proof notifications on your website (e.g. customer names, purchase data) must be handled by you directly. We do not hold this data and cannot assist with such requests.

13. Audit Rights

You have the right to verify our compliance with this DPA. Given the limited scope of processing, we will satisfy audit requests in the following way:

  • We will make available all information reasonably necessary to demonstrate compliance with this DPA.
  • You may conduct an audit or appoint an independent third-party auditor (bound by confidentiality and not a competitor) with at least 30 days’ written notice.
  • Audits are limited to once per 12-month period unless a breach has occurred or a supervisory authority requires one.
  • Audit findings will be treated as confidential and used solely for verifying compliance.

14. Data Retention and Deletion

Data and retention period:

  • Licence key and site URL(s) – Duration of active licence plus 12 months after expiry or cancellation.
  • Payment provider identifiers (Stripe customer ID, Stripe subscription ID, PayPal subscription ID) – Duration of active subscription plus 12 months after expiry or cancellation, unless required longer for tax/legal obligations.
  • Subscription metadata (tier, status, billing dates, cancellation data) – Duration of active subscription plus 12 months after expiry or cancellation.
  • Transaction/payment records – Up to 7 years (UK tax and accounting requirements).
  • Server logs containing IP addresses – Automatically purged within 30 days.

Upon termination of the Agreement or upon your written request, we will securely delete all Personal Data we hold on your behalf within 30 days, except where retention is required by law. We will confirm deletion in writing upon request.

15. Liability

Each party’s liability under this DPA is subject to the limitations set out in the Agreement (Terms and Conditions).

Nothing in this DPA limits either party’s liability for death or personal injury caused by negligence, fraud, or any liability that cannot be excluded by law.

You acknowledge that, given we do not process your customers’ or visitors’ personal data, our liability in respect of any data protection claims arising from the content displayed in social proof notifications on your website is excluded to the maximum extent permitted by law.

16. Governing Law

This DPA is governed by and construed in accordance with the laws of England and Wales. Any dispute shall be subject to the exclusive jurisdiction of the courts of England and Wales.

Where processing is subject to the EU GDPR, the relevant provisions of the EU GDPR shall apply to the extent required.

17. Contact Us

If you have any questions about this Data Processing Agreement, please contact us:

Easy Social Proof
Email: privacy@easysocialproof.io
Website: easysocialproof.io

For more information about how we handle personal data, please see our Privacy Policy and Cookie Policy.


© 2026 Easy Social Proof. All rights reserved. This Data Processing Agreement was last reviewed on 20 February 2026.
