General Data Protection Regulation (GDPR)
Last updated: July 10, 2026
FlyWP is committed to full compliance with the EU’s General Data Protection Regulation (GDPR) Regulation (EU) 2016/679. The GDPR entered into force on 24 May 2016 and became applicable on 25 May 2018, and it applies across the entire European Economic Area (EEA). The regulation strengthens individuals’ data-protection rights and unifies privacy rules across the EU single market.
In practice, any organization that processes personal data about people in the EU/EEA whether established inside or outside the EU, must follow the GDPR. Specifically, an organization outside the EU that “offers goods or services” to, or “monitors the behaviour” of, EU/EEA residents falls within its scope. FlyWP’s commitment is to process all personal data lawfully, fairly, and transparently, as required by Article 5 of the GDPR, and to implement appropriate technical and organizational measures, encryption, access controls, and more to protect that data.
Scope: Who Must Comply
FlyWP applies GDPR standards to all EU/EEA personal data handled through our services, regardless of whether FlyWP, the customer, or an end user is the source of that data. The GDPR defines personal data as any information relating to an identified or identifiable person; for example, a name, email address, IP address, or payment details. Under Article 5, personal data must be processed lawfully, fairly, and transparently; collected only for specified purposes; and kept only as long as necessary.
- If you are a FlyWP customer (our direct user), you are the Data Controller of the personal data you collect or generate for example, your own customers’ contact data on a WordPress site you host through FlyWP. FlyWP is then the Data Processor, processing that data on your instructions (hosting it on your cloud servers, taking backups, performing migrations, and so on).
- If FlyWP collects personal data directly (for example, your account-registration details or support requests), FlyWP is the Data Controller for that information.
FlyWP may therefore act as both controller and processor, depending on context. We never use customer data for unrelated purposes. All processing of EU/EEA personal data is carried out under one of the lawful bases set out in Article 6 (such as performance of a contract or legitimate interests) and is always secured as required by law.
FlyWP’s Data Collection and Processing
FlyWP collects and processes only the personal data necessary to provide and improve our services. This typically includes:
- Account and Contact Data: When you sign up for FlyWP, we collect your name, email address, billing address, and payment information. Payments are handled by Stripe; FlyWP also operates an in-app wallet/credit balance for account funding. We do not store raw card numbers, card processing is performed by Stripe under its own GDPR-compliant program. Our billing records (amount, date, product, invoices) are retained for accounting and tax purposes.
- Authentication Data: Passwords are stored only as salted hashes, never in plaintext. FlyWP supports two-factor authentication (TOTP) for all user accounts, and you may sign in through social login (Google, GitHub, or X/Twitter). API access is granted through revocable personal access tokens.
- Service Usage Data: We collect technical data about how you use FlyWP, login timestamps, IP addresses, browser/user-agent, and feature usage to operate, secure, and improve the service. For security and auditing we retain logs (for example, server and error logs) for a limited period, in line with the GDPR’s storage-limitation principle.
- Customer Content (Hosted Data): When you use FlyWP’s server-management and hosting features, the content on your WordPress sites including any end-user-generated content is processed only on your behalf. FlyWP does not scan or analyze your site content for any purpose other than delivering the service you requested. Your hosted data resides on the cloud servers you provision (DigitalOcean, Vultr, AWS, Akamai/Linode, Hetzner, or a custom “bring-your-own-server” provider), and FlyWP accesses it only to perform tasks you authorize (backups, cloning, deployments, monitoring, and similar operations).
- Infrastructure Credentials: To manage your servers, FlyWP stores connection secrets such as cloud-provider API keys, SSH keys, database and system passwords, and SFTP credentials. All such secrets are encrypted at rest (see Security Measures below).
- Support and Communications Data: We store correspondence support tickets, live-chat transcripts, and emails related to your account. These may contain personal data you choose to provide when seeking help, and are treated as confidential.
- Cookies and Analytics: Our website and dashboard use cookies and product-analytics tooling to improve the user experience and secure the service. We collect no more personal data via cookies than necessary, and you may opt out of non-essential cookies. For full details, see our Privacy Policy.
All processing by FlyWP takes place on secured systems protected by access controls and encryption, consistent with the GDPR’s accountability and security requirements.
FlyWP’s Data Protection Role
Under the GDPR, a Data Controller determines why and how personal data is processed, while a Data Processor acts on the controller’s documented instructions. For FlyWP:
- Controller: FlyWP is the controller for personal data we collect directly. Such as account-registration data, billing details, and support requests. We decide the purposes of that processing (providing the FlyWP service, billing, and support).
- Processor: FlyWP is a processor for personal data that customers load onto, or generate through, our platform. For example, content on your managed WordPress sites or IP addresses in your server logs. Here the customer is the controller, and FlyWP processes the data solely to carry out the customer’s instructions. As a processor, FlyWP meets the obligations of Article 28, including acting only on documented instructions, ensuring the confidentiality of personnel, engaging subprocessors under equivalent terms, and assisting the controller with data-subject requests and breach response.
In either role, FlyWP upholds GDPR standards: as a controller we honor data-subject rights over the data we hold, and as a processor we act only under lawful instructions from our customers.
Data Processing Agreement (DPA)
FlyWP provides a standard GDPR Data Processing Agreement to customers who handle EU/EEA personal data through our platform. Our DPA sets out the security and privacy measures we maintain and commits FlyWP to its GDPR obligations, including confidentiality, breach notification, and subprocessor management.
Requesting the DPA. If your organization requires a signed DPA with FlyWP, contact us at [email protected] or through your account administrator. We will promptly provide our template DPA or incorporate it into your contract.
What the DPA covers. Among other things, the DPA addresses personal-data breach notification (FlyWP will inform affected controllers without undue delay), the up-to-date list of subprocessors, international-transfer safeguards, and audit rights (customers may request reasonable evidence of our security compliance).
By offering a DPA alongside our compliance program, FlyWP helps customers meet their own GDPR obligations as controllers of their users’ data.
Subprocessors and Third Parties
FlyWP engages a limited set of third-party subprocessors to deliver and improve our services. We use only subprocessors that provide sufficient guarantees of GDPR compliance, and we require appropriate data-transfer mechanisms (such as Standard Contractual Clauses or adequacy decisions) where data leaves the EU/EEA.
| Subprocessor | Purpose | Data involved |
|---|---|---|
| DigitalOcean, Vultr, AWS, Akamai/Linode, Hetzner | Cloud server infrastructure (provisioned by the customer) | Hosted site data, server logs, IP addresses |
| Stripe | Payment and subscription processing | Billing details, payment metadata |
| FreeScout | Primary customer support & ticketing | Support correspondence, account data |
| Crisp | In-app live chat | Chat transcripts, contact data |
| PostHog | Product analytics | Usage events, device/IP data |
| weMail | Product & marketing email | Name, email, subscription status |
| Postmark / Resend / Mailgun / Amazon SES | Transactional email delivery | Name, email, message content |
| Cloudflare | DNS, CDN, and bot protection (Turnstile) | IP addresses, request metadata |
| Partnero, Dub | Affiliate and referral link tracking | Referral and click metadata |
Customer-configured integrations. Some services are connected by you and act under your control as part of your own processing. These include backup-storage destinations (Amazon S3, Cloudflare R2, DigitalOcean Spaces, Google Cloud Storage, Google Drive, pCloud, Wasabi, or a custom S3 endpoint), DNS management (Cloudflare or AWS Route 53), Git-based deployments (GitHub), and security scanners you enable (Patchstack, Wordfence, WPScan). You choose these providers and supply their credentials; FlyWP uses them only to carry out the actions you request.
A current, authoritative list of FlyWP’s subprocessors is maintained in our DPA and made available to customers on request.
International Data Transfers
FlyWP Inc is based in Delaware (USA) and serves customers globally, which means personal data may be transferred outside the EU/EEA. Under Chapter V of the GDPR, any such transfer must be protected by an appropriate safeguard. To comply:
- Approved safeguards. When transferring personal data outside the EU/EEA, FlyWP relies on approved mechanisms, principally the EU Standard Contractual Clauses (SCCs), or adequacy decisions where applicable to ensure an adequate level of protection.
- Data residency. Because you choose the region in which your servers and backups are hosted, you can keep hosted personal data within the EU/EEA where your regulatory needs require it.
- EEA applicability. The GDPR is incorporated into the EEA Agreement, so equivalent protections apply across the EU and EEA. FlyWP ensures that EEA-origin data remains subject to GDPR safeguards even after it crosses borders.
In short, FlyWP transfers data only to processors and data centers that meet GDPR requirements, and documents those transfers in our DPA.
Data Subject Rights
Under the GDPR, individuals (data subjects) have specific rights over their personal data. FlyWP supports these rights for all EU/EEA personal data we process:
- Access & Portability. You can request a copy of the personal data FlyWP holds about you. For data you control through FlyWP (site and server data), you can export it directly via backups, SFTP access, or database exports in the dashboard. For data we hold as controller (such as account information), email [email protected] and we will provide it in a structured, machine-readable format.
- Rectification. You can update your account and contact information at any time in your FlyWP account settings; email changes are confirmed via a verification step. We will promptly correct any inaccurate personal data.
- Erasure (“Right to be Forgotten”). You may request deletion of your personal data. Deleting your account removes your profile and associated content from our systems. Records we are legally required to retain (for example, transaction records for tax purposes) may be kept in minimized form, with personal identifiers removed where possible.
- Objection & Restriction. You can object to processing based on legitimate interests including direct marketing, which we will stop on request and you may ask us to restrict processing while a dispute is resolved.
- Withdraw Consent. Where processing relies on your consent (for example, non-essential cookies or marketing email), you may withdraw it at any time, without affecting the lawfulness of prior processing.
- Complaints. If you believe FlyWP has infringed your rights, you can contact us at [email protected] or lodge a complaint with your local EU/EEA data-protection authority.
We will respond to any valid GDPR request without undue delay and within one month, as required by Article 12.
Data Deletion and Retention
In line with the GDPR’s storage-limitation principle, FlyWP retains personal data only as long as necessary for service delivery or to meet legal obligations.
- Account Data. We retain your account data (profile, billing, invoices) while your account is active and for a reasonable period after closure to satisfy audit and tax obligations. Contact data is removed once it is no longer needed.
- Service Data. Data on managed servers is retained until you delete it or cancel the service. After account termination, we delete your hosted data unless you have first requested an export.
- Logs and Backups. System logs and backups that may contain personal data are retained for a limited period for operational and security purposes, then purged or overwritten.
FlyWP will honor any account-deletion request, subject to the exceptions above. Aggregated or anonymized data (for example, usage statistics with no identifiers) may be retained for analytics.
FlyWP’s Security Measures
FlyWP applies robust safeguards to protect personal data, consistent with the GDPR’s “integrity and confidentiality” principle (Article 5(1)(f)) and the security obligations of Article 32:
- Encryption in transit and at rest. All traffic is served over TLS. Sensitive stored secrets cloud API keys, SSH private keys, database, system, and SFTP credentials, and OAuth tokens are encrypted at rest. Account passwords are stored only as salted hashes.
- Strong authentication. Two-factor authentication (TOTP) is available to all users, and access to internal systems is restricted and monitored.
- Isolation. Customer environments run in secure, containerized (Docker-based) server setups that isolate workloads.
- Network protection. Firewalls, rate limiting, bot protection, and DDoS mitigation (including optional Cloudflare integration) protect the platform.
- Ongoing review. We continuously monitor our systems and review our security practices.
Breach notification. In the event of a personal-data breach, FlyWP will notify the relevant supervisory authority within 72 hours where required (Article 33) and will inform affected data controllers and, where applicable, data subjects without undue delay.
How to Contact Us
For any GDPR-related inquiry or request:
- Email [email protected] for privacy or DPA questions; we aim to respond within one business day.
- See our Privacy Policy and Terms of Service (linked at the bottom of flywp.com) for further detail on how we handle data.
- If you have a dedicated account manager, you may also reach out to them directly.
FlyWP is committed to transparency and to making GDPR compliance seamless for our customers. We review and update this page as regulations and our practices evolve.
This document describes FlyWP’s data-protection practices and is provided for informational purposes. It does not constitute legal advice. For contractual commitments, refer to your FlyWP Data Processing Agreement and Terms of Service.