OpsGate
Log inGet started →

Privacy Policy

Last updated: June 2026

1. What we collect

When you create an account, we collect your name and email address. When you use the Service, we collect:

  • WordPress plugin inventory from connected sites (plugin names, versions, update status)
  • PHP error batches from connected sites (error class, message, file, line — rate-limited, no customer data)
  • WooCommerce order volume signals on Starter+ (aggregate counts only, no order contents or customer details)
  • Scan results, scores, and artifacts generated by OpsGate analysis
  • Session identifiers stored as httpOnly cookies
  • IP address and user agent for session security records

2. What we do not collect

  • WordPress user data, passwords, or personally identifiable information from your site visitors
  • WooCommerce customer names, addresses, or payment information
  • Post content, page content, or media files
  • Database contents beyond the signals listed above

3. Data storage

All data is stored in a PostgreSQL database on the OpsGate operator's VPS. Data does not leave the server unless you explicitly export or share a report via a signed shareable link. No data is transmitted to third-party analytics platforms, data brokers, or advertising networks.

4. Email

Transactional email (alerts, password reset, report delivery) is sent via opsgate-mail, a self-hosted SMTP server with DKIM signing. Your email address is used to deliver these messages and is not shared with third parties.

5. Cookies

OpsGate sets one functional cookie: og_session — an httpOnly, Secure, SameSite=lax session identifier. This cookie is required for the web console to function. It is not used for tracking or analytics.

6. Third-party services

OpsGate uses the following third-party services:

  • Stripe — payment processing for paid tiers. Your payment information is handled directly by Stripe and is not stored by OpsGate.
  • WPVulnerability — vulnerability intelligence source. Plugin slugs are queried against this public database.
  • NIST NVD — CVE database. Plugin slugs are queried for CVSS data.
  • Anthropic Claude — AI executive summaries and CVE context (when AI is enabled). Plugin inventory and scan results are submitted to generate summaries. No personally identifiable information is included.

7. Data retention

Scan results and artifacts are retained indefinitely while your account is active. PHP error batches are retained for 30 days. Sessions expire after 14 days of inactivity. Upon account deletion, all data is removed within 30 days.

8. Your rights

You may request a copy of your data, correction of inaccurate data, or deletion of your account and associated data by contacting support. Account deletion removes all associated scan history, artifacts, sessions, and entitlements.

9. Changes to this policy

Material changes to this policy will be communicated via the email address on your account before taking effect.

Questions? support@opsgate.ca