Privacy Policy
Effective: May 13, 2026
Last updated: June 3, 2026
This policy explains what Bodholdt Labs collects when you use bodholdtlabs.com or any of the WordPress plugins we publish, how we use it, who we share it with, and the rights you have over it. We wrote this in plain English on purpose — if anything here is unclear, email us at [email protected].
1. Who we are
Bodholdt Labs is an independent one-person software studio operated as a sole proprietorship by Kyle Bodholdt in California, United States. We design and sell WordPress plugins (and, in the future, Unity plugins) directly to customers from our own infrastructure.
For the purposes of the California Consumer Privacy Act (CCPA) and the EU/UK General Data Protection Regulation (GDPR), the data controller is:
Kyle Bodholdt, d/b/a Bodholdt Labs
Based in California, United States
Contact: [email protected]
2. What we collect, and why
We only collect what we actually need to sell you a plugin, deliver your license, and keep the site secure. Here is the full list.
When you buy a plugin
- Email address (you provide it at checkout). We use it to deliver your license key, send receipts, and reach you about your subscription.
- Payment information (card details, billing address, name on card). This is handled by Stripe — we never see your full card number. Stripe shares back the last four digits, card brand, expiry, and country, which we store with your order record.
- Billing country — used by Stripe to calculate any applicable sales tax (VAT/GST).
- Order metadata — which plugin and which tier you bought, the price you paid, the transaction ID, your subscription status (active / canceled / past due), and any non-expiring support-credit balance attached to your account.
- License key activations — the domain name(s) where you activate the plugin. We use this to enforce site limits (e.g., 5 sites on the Pro tier). We do not collect any other information about those sites.
When you contact support
- Your email message and email address. We use it to answer you and resolve the issue. We keep support history so we can pick up where we left off if you write again. If we use our support desk’s optional AI co-pilot to help draft a reply, the content of your request is sent to Anthropic for that purpose and is not used to train their models.
When you simply visit the site
- IP address and basic request metadata (browser user-agent, referring URL, requested page, timestamp). These are processed automatically by our CDN and security stack and used to deliver pages, block abuse, and aggregate traffic patterns.
- Browser-set cookies — see Section 4 below.
We do not collect: real-time location, device IDs, advertising identifiers, biometric data, financial-account numbers, government IDs, or social-graph data. We do not run behavioral retargeting pixels (no Facebook Pixel, no Google Ads, no LinkedIn Insight tag).
How our plugins handle data on your own site
The section above covers data we collect through bodholdtlabs.com. Our plugins also process data — but that processing happens on your WordPress site, through services you connect, and we never receive it. For full transparency, here is what each product sends, and to whom:
- Bodholdt Backup for Google Drive — after you connect your Google account, the plugin uploads the backups it creates to your Google Drive and lists/downloads/deletes only the backups it made (Google OAuth + Google Drive API). The data travels between your server and Google; we never see your Google credentials or your backups. Governed by Google’s terms and privacy policy.
- Bodholdt Backup for OneDrive — the same, using your Microsoft account (Microsoft OAuth + Microsoft Graph / OneDrive API). Backups move between your server and Microsoft; we never receive them. Governed by Microsoft’s terms and privacy statement.
- Bodholdt Licensing — if you run your own license server with it, it processes your customers’ emails, license keys, and payments on your infrastructure and your Stripe account. We never receive your customers’ data.
- Bodholdt Tickets (and the free Bodholdt Tickets edition) — stores your customers’ tickets in your database. Optional features reach outside services only when you enable them and supply your own keys: the AI co-pilot sends ticket text to Anthropic using your Anthropic API key (drafts only, never auto-sent); browser Web Push sends agent notifications through your agents’ own browser push services. We never receive your tickets.
- Bodholdt Contact — a contact-form widget; submissions are stored on your site and delivered through your site’s own email. No external service is involved.
- License checks & updates — all paid plugins periodically validate their license key against our license server at bodholdtlabs.com to confirm the subscription is active and to offer updates. This sends the license key and the activated site domain (see Section 2); nothing about your site’s content is sent.
3. Who processes your data on our behalf (subprocessors)
We use a small number of third-party services to run the business. Each is listed below with its role and a link to its own privacy policy. You can ask us at any time for the current list.
| Service | What it does | Data it sees |
|---|---|---|
| Stripe, Inc. (privacy) | Payment processing | Card details, billing address, IP at checkout |
| Cloudflare, Inc. (privacy) | DNS, CDN, web application firewall, DDoS protection | Visitor IP, request metadata, occasional cached pages |
| Wordfence (Defiant, Inc.) (privacy) | WordPress firewall and malware scanning | Visitor IP, request metadata for threat detection |
| Postmark (ActiveCampaign, Inc.) (privacy) | Outbound transactional email — license keys, receipts, password resets, account notifications | Your email address, the subject line and body of the email |
| Microsoft 365 (Microsoft Corporation) (privacy) | Hosting our @bodholdtlabs.com support mailbox and receiving inbound mail | Email you send to us and our replies |
| Anthropic, PBC (privacy) | AI-assisted drafting of support replies (our Bodholdt Tickets co-pilot), when enabled | The content of support requests we choose to process with AI |
We will update this section whenever we add or remove a subprocessor.
We do not sell your personal information to anyone, and we do not share it with advertisers or data brokers.
4. Cookies and similar technologies
We use a small set of cookies, all functional, none for advertising:
- WordPress session cookies — set when you log in to your account, used to keep you logged in.
- Cloudflare cookies — set by our CDN to route requests efficiently and to identify abusive traffic. See Cloudflare’s Cookie Notice.
We do not use cookies to track you across other websites, and we do not persist any pricing-page or shopping state to localStorage / sessionStorage — the billing-interval toggle on /buy-plugins/ is held in memory only and resets on page reload. We do not have a cookie consent banner because we do not load any cookies that require opt-in consent under GDPR or ePrivacy for the basic functioning of the site. If we ever add analytics or advertising cookies in the future, we’ll publish a consent banner before that change goes live.
5. How long we keep your data
- Order and license records: as long as your license is active, plus seven years after cancellation, to satisfy U.S. tax and accounting requirements.
- Support emails: indefinitely while we have a relationship with you, unless you ask us to delete them.
- Server access logs (IP, user-agent, URL): rotated automatically — typically 30 days at Cloudflare, 14 days at the origin server. Wordfence keeps a longer retention for security events (default 30 days).
6. Your rights
Everyone
- Access — you can request a copy of the personal data we hold about you.
- Correction — you can ask us to fix anything that’s wrong.
- Deletion — you can ask us to delete your account and all associated data. Note that we may need to retain order records for tax compliance even after account deletion.
- Portability — you can ask for your data in a structured, machine-readable format.
If you’re in the EU/UK (GDPR)
In addition to the rights above, you can:
- Object to processing or restrict processing where the legal basis is our legitimate interest.
- Withdraw consent for processing that’s based on consent. (We don’t currently rely on consent as a legal basis for anything except optional newsletter opt-ins.)
- Lodge a complaint with your local supervisory authority. A list of EU authorities is at edpb.europa.eu.
If you’re in California (CCPA / CPRA)
In addition to the rights above:
- Right to know the specific pieces of personal information we have collected about you.
- Right to opt out of sale or sharing — we don’t sell or share your personal information for cross-context behavioral advertising, so there is nothing to opt out of, but you have the right to confirm that.
- Right to limit use of sensitive personal information — we don’t collect sensitive personal information as defined by the CPRA.
- No discrimination for exercising your privacy rights.
To exercise any of these rights, email [email protected] from the email address associated with your account. We’ll respond within 30 days. We may need to verify your identity before acting on the request.
7. International data transfers
We’re based in California, and our servers and subprocessors are mostly U.S.-based. If you access the site from outside the U.S., your data will be transferred to and processed in the United States. Where we transfer EU/UK personal data to U.S. subprocessors, we rely on the European Commission’s Standard Contractual Clauses (SCCs) as the legal mechanism, which our subprocessors (Stripe, Cloudflare) have in place.
8. Children’s privacy
Bodholdt Labs is a business-tool marketplace. Our products are not directed at children under 16. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, please email us and we will delete it.
9. Security
We take reasonable steps to protect your data:
- All traffic is encrypted in transit via HTTPS (TLS 1.2 or higher).
- Card data never touches our server — Stripe Checkout handles it directly.
- Passwords are stored hashed (bcrypt) — we never see your plaintext password.
- Two-Factor Authentication is required on the admin account.
- The WordPress install is behind Cloudflare’s WAF and Wordfence’s firewall, with the WP login URL relocated to a non-default path.
No system is perfectly secure. If we ever experience a breach affecting your personal information, we will notify you and the relevant regulators within the timeframes required by applicable law (72 hours under GDPR, “without unreasonable delay” under California breach-notification law).
10. Changes to this policy
We may update this policy as the business grows. When we make a material change, we’ll update the “Last updated” date at the top and, where appropriate, email customers whose data we hold. Continued use of the site after a change means you accept the updated policy.
11. Contact
Privacy questions, data requests, or concerns:
We aim to respond within two business days.