← auctollo.com

Privacy Policy

Effective date: June 2, 2026 · Last updated: June 2, 2026

W3 EDGE, LLC d/b/a Auctollo ("Auctollo," "we," "us," or "our") operates the Indexation WordPress plugin and the cloud platform at app.auctollo.com (collectively, the "Service"). This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and what rights you have.

1. Information We Collect

1.1 Indexation WordPress Plugin

The Indexation Plugin operates entirely on your server by default. We collect personal information from the Plugin only when you explicitly opt in to cloud services or beta features via the consent banner or onboarding wizard. When you opt in, we collect:

DataWhy we collect it
Email addressAccount creation, waitlist communications, transactional email
Website domain / URLAssociate your WordPress site with your Auctollo account
WordPress versionCompatibility monitoring and support
PHP versionCompatibility monitoring and support
Plugin versionFeature eligibility and update notices
WordPress display nameWelcome messaging
Consent timestamp and statusGDPR record-keeping, compliance audit trail
UTM parametersUnderstanding acquisition channels

Until you interact with the consent banner or account-creation step, no personal data is transmitted to our servers.

1.2 Auctollo Cloud Platform (app.auctollo.com)

Account data: email address (required); display name and avatar URL (from your OAuth provider if you sign in via Google, Microsoft, or GitHub); timestamps.

Subscription and billing: Stripe customer ID and subscription ID; subscription tier, status, and billing period; monthly credit balance and reset date. We do not store payment card numbers — Stripe handles all payment processing and is PCI DSS compliant.

Connected sites: WordPress site URL and name; WordPress version, PHP version, plugin version; site status and last-seen timestamp.

API keys: key prefix (first 8 characters — safe for display and logging); label, creation time, last-used, expiration, and revocation timestamps. The full API key is SHA-256 hashed at creation and never stored in plaintext.

Usage / audit log: feature slug, credits consumed, timestamp, third-party AI provider used, provider cost in USD, request ID, and optional context data (JSON, capped at 2,048 bytes). This log is immutable.

OAuth tokens: token hashes (SHA-256 only; full tokens are never stored), prefixes, scopes, expiration, revocation, and rotation metadata.

1.3 Server Logs

We collect standard server logs including IP addresses and user-agent strings for security, fraud prevention, and operational debugging. IP addresses are not linked to user profiles for marketing purposes.

2. How We Use Your Information

PurposeLegal basis (EU / UK GDPR)
Providing, operating, and improving the ServiceContract performance
Processing payments and managing subscriptionsContract performance
Sending transactional emails (sign-in links, receipts, renewal notices)Contract performance
Sending product and marketing emailsLegitimate interest (opt-out any time)
Security monitoring, fraud prevention, rate limitingLegitimate interest
Analytics to improve the ServiceLegitimate interest
Complying with legal obligationsLegal obligation
Enforcing our Terms of Service and AUPLegitimate interest

We do not sell your personal information. We do not use your content or site data to train AI models.

3. Third-Party Service Providers

We share personal data only with the processors listed below, each contractually required to protect your data and use it only to provide services to us.

Sub-processorRoleData sharedPrivacy policy
Supabase (AWS US-East-1)Database, authentication, edge functionsAll platform data listed in Section 1.2supabase.com/privacy
StripePayment processing and subscription managementEmail, billing amounts, Stripe customer and subscription IDsstripe.com/privacy
Mailchimp (Intuit)Transactional and marketing emailEmail, name, domain, version metadata, subscription tagsmailchimp.com/legal/privacy
VercelWeb application hosting and CDNServer logs, session cookies, IP addressesvercel.com/legal/privacy-policy
InngestBackground job queue for AI features, credit events, and sitemap triggersJob payloads — feature identifiers, credit amounts, and context datainngest.com/privacy
AnthropicAI feature processingContent submitted to AI features (URLs, titles, meta descriptions)anthropic.com/privacy
OpenAIAI feature processing (fallback)Content submitted to AI featuresopenai.com/privacy
Google (Vertex AI / Gemini API)AI feature processing (fallback)Content submitted to AI featurespolicies.google.com/privacy
Google Tag Manager / GA4Website analyticsAnonymized usage events, anonymized IP — loaded only with your explicit consent in Plugin settingspolicies.google.com/privacy
AWS Route 53DNS routing for auctollo.com and app.auctollo.comDomain-resolution queries only — no personal dataaws.amazon.com/privacy

We do not use advertising networks, data brokers, cross-site behavioral tracking, or sell data to any third party for their independent marketing purposes.

4. Content Submitted to AI Features

When you use AI-powered features (Indexation Troubleshooter, AI redirect suggestions, schema audit, meta-tag scan), relevant data — such as URLs, page titles, and meta descriptions — is transmitted to a third-party AI provider to generate the requested output. We use providers whose standard API terms state that customer data is not used to train their models. You can review which provider processed each request in your usage audit log on the Auctollo dashboard.

5. Cookies and Tracking

See our Cookie Policy for full details. In summary: we use strictly necessary session cookies for authentication, and optional analytics cookies (Google Tag Manager / GA4) only with your explicit consent in the Plugin settings. We do not use advertising or cross-site tracking cookies.

6. Data Security

We implement industry-standard security measures: TLS/HTTPS for all data in transit; SHA-256 hashing of API keys and OAuth tokens; Supabase Row-Level Security (RLS) policies for per-user data isolation; Stripe PCI DSS Level 1 compliance for payment data; and access restricted to authorized Auctollo personnel. If you discover a security vulnerability, please disclose it responsibly to legal@auctollo.com.

7. Data Retention

Data typeRetention period
Account profileUntil account deletion
Subscription records7 years (tax and legal obligation)
Usage / audit log24 months, then anonymized
Revoked API keys90 days after revocation, then deleted
Expired / revoked OAuth tokens30 days after expiry or revocation, then deleted
Waitlist entriesUntil erasure request
Server logs90 days rolling
Database backups30 days rolling

8. Your Rights and Choices

All Users

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your account and personal data.
  • Portability: Receive your data in a machine-readable format.

EU and UK Residents (GDPR / UK GDPR)

In addition to the above rights:

  • Restriction: Ask us to restrict processing of your data.
  • Object: Object to processing based on legitimate interest.
  • Withdraw consent: For consent-based processing (marketing emails, analytics cookies), withdraw at any time.
  • Supervisory authority complaint: Lodge a complaint with your local data protection authority.

California Residents (CCPA / CPRA)

  • Right to know what personal information we collect and use.
  • Right to delete personal information we hold about you.
  • Right to opt out of sale — we do not sell personal information.
  • Right to non-discrimination for exercising your rights.

How to Exercise Your Rights

WordPress plugin users: Use WordPress's built-in privacy tools at Tools → Export Personal Data and Tools → Erase Personal Data. The Plugin registers its data categories with WordPress's privacy framework.

Platform users: Email privacy@auctollo.com with the subject "Privacy Request — [Action]" (e.g., "Privacy Request — Data Deletion"). We will acknowledge within 5 business days and respond within 30 days.

9. Children's Privacy

The Service is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, contact privacy@auctollo.com.

10. International Data Transfers

Auctollo is based in the United States, and data is stored and processed primarily on Supabase / AWS US-East-1 infrastructure. For EU/UK residents, we rely on Standard Contractual Clauses (SCCs) and Supabase's EU data transfer mechanisms to safeguard cross-border transfers.

11. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Notification will be sent to the email address on your account and will describe the nature of the breach, the categories and approximate volume of data affected, likely consequences, and the measures taken or proposed.

EU and UK residents: We will also notify the relevant supervisory authority within 72 hours where required by GDPR Article 33.

To report a suspected security issue: legal@auctollo.com

12. Changes to This Policy

We will post changes to this page and update the "Last updated" date. For material changes, we will notify you by email or via a dashboard notice at least 30 days before the change takes effect.

Privacy inquiries: privacy@auctollo.com
W3 EDGE, LLC d/b/a Auctollo
9450 SW Gemini Drive PMB 22185, Beaverton, OR 97008-7105, US