Effective: July 5, 2026
01Who we are
WPCloudLab is a done-for-you webcare service for WordPress sites, and a monitoring service for everything else — run by a small team of WordPress specialists and web engineers, part of BLV Group. The service is operated by Belov Digital Agency, 651 N Broad St STE 206, Middletown, DE 19709, United States. Privacy questions go to [email protected]. A person reads them.
02What we collect
Only what the service needs to run. In practice that means:
- Account data — Your name, email, company and password. The password is stored only as a bcrypt hash — we couldn't read it if we wanted to.
- Site connection data — The URLs of the sites you connect and the per-site secrets our agent uses to authenticate with them.
- Operational data — Backup archives, uptime results, scan findings and activity logs — the records produced while we maintain your sites.
- Billing — Handled by Stripe. Card numbers never touch our servers.
- Support correspondence — Emails and messages you send us, kept so the next conversation starts with context instead of a blank form.
03Backups and your clients’ data
When we back up a customer site, the archive contains whatever the site contains — which can include personal data of that site’s own users: customers, commenters, form submissions. For that data, our customer remains the controller. We process it solely to provide the service, and for nothing else.
Backup archives are encrypted, stored in a private Cloudflare R2 bucket, retained for 30 days and then deleted. How the pipeline works and how we audited it are public pages, not internal secrets.
04Cookies
Two kinds. First, the encrypted session cookie (iron-session) that keeps you logged in — strictly functional. Second, Google Analytics 4 cookies that help us understand which pages and flows work: configured with IP anonymization, with all advertising signals permanently disabled (no ad storage, no ad personalization — we run no ads), and never used to sell or share your data. If your browser sends the Global Privacy Control signal, we honor it and analytics runs without cookies at all. Analytics is also disabled entirely on the operator dashboard.
05Third parties we rely on
Five, each with a job:
- Google Analytics (Google LLC) — Aggregated usage analytics — pages, referrers, conversion steps. IP-anonymized, ad signals disabled, honors Global Privacy Control.
- Stripe — Payment processing. Your card details go to Stripe directly and stay there.
- Cloudflare R2 — Encrypted backup storage, in a private bucket.
- Our transactional email provider — Account and alert email — password resets, downtime alerts, reports.
- Telegram — Internal operational alerts to our own team, so a human notices when something needs attention.
We do not sell or share personal data for advertising. Ever.
06Retention
- Backups — 30 days, then deleted — every archive ages out on schedule.
- Account data — For the life of your account.
- Logs — As long as they are operationally useful. They exist to answer “what happened”, not to profile anyone.
- On request — Ask and we delete your account data. One email is enough.
07Your rights
Access, export, correction, deletion — email [email protected] and we handle it. We honor GDPR-style rights regardless of where you live, and we answer like humans, not like a compliance portal.
08Changes
When this policy changes, we update this page and the effective date at the top. Material changes are announced by email. The same plain-English promise applies to the terms of service.
Something this page didn’t answer? Write to [email protected] or use the contact page. You’ll get an answer from a person, usually inside the hour.