1. Our Products

WPMU DEV Dashboard and API: The Dashboard plugin is used to connect your WPMU DEV account with your WordPress installation and sends to WPMU DEV the following information:

• WordPress/BuddyPress version and size
• Installed plugins/themes
• Site URL

The WPMU DEV API does NOT:

• Track any personal or user information
• Data is not sold or shared with any third-party
• Is only used for statistical, security, and support related requirements (this includes the ability to push security updates should it be required)

Some of our plugins require the WPMU API key and the WPMU DEV Dashboard plugin to be in place in order to make their features and services possible. These include:

1. Defender Pro
2. Integrated Video Tutorials
3. Hummingbird Pro
4. SmartCrawl Pro
5. Snapshot Pro
6. Smush Pro
7. Shipper Pro
8. WPMU DEV Dashboard Plugin

A few of our plugins may also send end-user or site visitor personal information to WPMU DEV, depending on the settings in place in your WordPress installation.

If you use any of these plugins, you should list WPMU DEV as a 3rd-party service provider or Data Processor in your Privacy Policy or data area of your website.

These plugins are:

Defender:

• Defender synchronizes blocked/allowlisted IP data with the Hub.
• If you choose to activate ‘Audit Logging’ in Defender Pro, we will track and store site and user activity, such as IP addresses, usernames, comments, posts, login attempts, setting changes, and upload timestamps on our secure servers. ‘Audit Logging’ is an optional feature that can be turned off in the Defender plugin.

Snapshot Pro:

• Used to store backups of your WordPress database, so this may include any personal information that is also in your WordPress database. You can fully delete backups at any time.

Some plugins may make use of cookies in order to provide the functionality desired.

You may be required to alert your site’s visitors and users to the use of the cookies in your Privacy Policy or Cookie area of your website.

Cookies may be added to your site(s) when the following WPMU DEV plugins are active:

• Beehive (when Google Analytics or Google Tag Manager are integrated. See below.)
• Defender
• Hustle
• WPMU DEV Dashboard (when Analytics is enabled. See below.)

See the WPMU DEV Plugins chapter in our Cookie Declaration document for more information about plugin cookies.

Many of our plugins have features built-in that allow for integrations with various 3rd party services.

When using these plugins with these 3rd-party services, you may be required to provide this information to your end-users or site visitors in your Privacy Policy or Legal/Terms area of your website. Depending on the circumstances, you may also be required to gain the consent of your site’s visitors as well.

These plugins are:

• Forminator Pro: Google reCAPTCHA, HubSpot, Slack, Campaign Monitor, ActiveCampaign, Google Sheets, Trello, MailChimp, and AWeber
• Beehive: Google Analytics, Google Tag Manager
• Hummingbird: Cloudflare and BunnyCDN
• Smush: BunnyCDN
• Hustle: reCAPTCHA, Zapier, various email services including MailChimp, AWeber, Constant Contact, GetResponse, Sendy, Mad Mimi, Infusionsoft, Campaign Monitor, ConvertKit, social platforms like Facebook, Twitter, Pinterest, LinkedIn, Reddit, Vkontakte, 500px, Houzz, Instagram, Twitch, YouTube, Telegram, WhatsApp, and Email
• WPMU DEV Dashboard: Mixpanel/Matomo (analytics), LiveChatInc (in dashboard support)
• Defender Pro: Google’s blacklist monitoring
• The Hub Client: HubSpot

By default, we don’t receive any data on how our plugins and their features are used. However, by opting into usage tracking, you’re helping us to improve our products based on real world usage. Opting-in ensures that we’re spending our resources on the most impactful improvements for you.

Usage tracking is not a default setting, requires opt-in consent, and can be started or stopped at any time for the following plugins from within their respective Settings areas.

• Hummingbird
• Smush
• SmartCrawl
• Forminator
• Defender

When usage tracking is enabled, it will send our developers basic data about how you are using our products on your site. Enabling usage tracking helps us to:

• Understand what features are being used by our users so we can make better development decisions and make more useful features.
• Understand the environments in which our products are used so we can ensure wider compatibility.
• Understand the number of sites impacted by a change to a product or feature and to act more quickly in resolving issues.
• Write better documentation.

The Snapshot plugin, in order to upload a backup of your site to the Google Drive destination, requires authentication of connection. The Google Authentication application is to connect your WPMU DEV storage space with your Google Drive account. This is done so that a site’s backups can be uploaded to the Google Drive account.

After the Google Drive Authentication process is complete, we save a Gmail address, a Google Drive folder’s directory ID along with the Google access token on our servers, which is connected with your WPMU DEV account.

The authentication token is used for the following purposes:

• Uploading backups to a Google Drive account.
• Deleting backups created with Snapshot, when the time for rotation comes.
• Showing the email account associated with the destination.

You may revoke the connection at any time by deleting the Google Drive destination from the plugin – found in Snapshot Pro > Snapshot Backups > Destinations. Deleting the Google Drive destination will remove the Authentication Token.

If you want to revoke ALL access privileges from Snapshot to your account, please follow these instructions:

1. Go to the Security section of your Google Account.
2. Under “Third-party apps with account access,” select Manage third-party access.
3. Select the app or service you want to remove.
4. Select Remove Access.

Important: If you remove account access from a third-party app or service, it may retain info you provided from:

• When you signed in with your Google Account.
• When you granted additional Google Account access to the app or service.

Once all access privileges are revoked, the Google Authentication application will not be able to access any more info from your Google Account.

The authentication token is not shared with any third party. No other data is sent or implicitly gathered by us in the process of using Google Drive. Any changes to this Privacy Policy will be accompanied by a notification on this page.

In order to upload backups to Dropbox, Snapshot requires an authenticated connection. When a Dropbox destination is authenticated, an account identifier (token) is stored in a database on the authentication server in order to maintain an active connection with the destination within Snapshot. The token is not shared with any third-party service.

The token is used for the following purposes:

• To create an application directory and subdirectory in the connected Dropbox account to which full site backups will be uploaded.
• To upload full site backups to the connected Dropbox account.
• To delete uploaded backups from the connected Dropbox account, as necessary when the maximum number of uploaded backups has been reached.
• To view basic information about the connected Dropbox account, such as username and email address.

Authentication Mechanism

The WPMU DEV Hub API calls various endpoints exposed by the Dashboard plugin installed on a WordPress site. For example, to trigger a plugin update on the site, or to enable the Dashboard to fetch information about available updates.

When connecting to the database of a WordPress site, authentication of these API calls is ensured by signing each request with a HMAC of the parameters, a nonce to avoid replay attacks, and the shared private API key of that user.

User Authorization Mechanism

The principle of least privilege is respected for all actions initiated from the WPMU DEV Hub.

Only programmatic access is made to a WordPress site or database by the Hub API based on user preferences (setting a plugin update schedule, Hub triggered actions, etc).

Users can create sub-accounts for the Hub and define their role restrictions to a high level of specificity.

Database Queries

The Hub and all WPMU DEV plugins use WPDB class parameterization and escaping functions for all database queries, thereby avoiding the risk of SQL injection.

Logging Mechanism

Logs contain sufficient data to enable the ability to investigate issues without revealing unnecessary or personally identifiable information (PII) that could be leveraged by a malicious actor.

All API calls from the WPMU DEV Hub to a WordPress site with the WPMU DEV Dashboard plugin installed are recorded in access logs. Additional log detail can be enabled via a define added to the wp-config.php file. No PII is contained in the logs.

The Clients & Billing portal in the Hub does not store any data related to the credit cards used by your clients as their Payment Method. This data is sent securely to Stripe and is stored securely only there. Please see the Stripe Global Privacy Policy for details.

The following information, as entered by you or your clients in their Client Profile, is stored in both the WPMU DEV database and is synced to and from Stripe:

• Client name
• Client email address
• Client contact number
• Client billing address

The following information, related to the products & pricing plans in your Clients & Billing portal, is also stored in the WPMU DEV database and is synced to and from Stripe.

• Products
• Plans
• Invoices
• Invoice lines
• Invoice lines taxes
• Invoice tax
• Subscriptions
• Subscription items
• Subscriptions taxes
• Tax rates

If you still have questions or need assistance after reading this document, please don’t hesitate to contact our support superheroes using the available options under the Support tab in your Hub or via the Support tab in your WPMU DEV Dashboard.