TL;DR
We collect what we need to sell you the plugin, deliver updates, and answer your tickets. That's it.
We don't sell data. We don't run ad pixels. We don't profile you. You can export everything we have on you and delete your account anytime from my.trueplugins.com/dashboard/account. If you only read one section, this is the one.
Who we are
TruePlugins is the company behind TrueCommander and this website. We operate from Lithuania (European Union). For everything in this policy, TruePlugins is the data controller under the GDPR.
For anything in this policy — data requests, questions, complaints, or just curiosity — email hello@trueplugins.com. One inbox, real human reading it.
What we collect
We collect five buckets of data, and only because each one has a specific job. If we can't point to a job, we don't collect it.
Account data (only if you buy)
Name, email, billing address. Your password is hashed with bcrypt — we can't read it. This information comes from Stripe's checkout when you complete a purchase, plus anything you update later on your account page.
Your card number lives with Stripe. We never see it.
License + activation data
For each site where you activate the plugin we keep: a license key (we generate it), the site's bare domain (lowercased and stripped of paths), and a "last seen" timestamp from the plugin's daily check-in. We use this to enforce your activation limit and decide whether to offer you an update.
When you deactivate a site, we keep the activation row marked as revoked rather than deleting it, so the audit trail survives.
AI usage logs
When you run an AI command from inside the plugin, we log the command name, credits cost, AI model used, whether it succeeded, and how many characters went in and out. We do not store the prompt you sent or the AI's reply. Those pass through our server to OpenAI and back, and then we forget them.
The usage log is how we count your monthly credits and how we'd spot abuse if a license key were leaked.
Support tickets + contact messages
When you write us a support ticket or fill in the contact form, we keep the subject, body, your email, and any files you attached. For the contact form specifically we also keep your IP and browser string for 12 months — purely to catch spam.
Sign-in extras (optional)
If you turn on two-factor authentication, we store your TOTP secret and a bcrypt-hashed copy of your backup codes. If you sign in with Google, we store a stable Google identifier so we know it's you next time. Neither feature is required.
What we don't collect
Worth naming out loud because most policies don't:
- Your card number — Stripe has it, we don't
- The prompts you send to AI commands, or the AI's replies
- Anything from your WordPress site's content or visitors
- Cross-site tracking pixels or marketing audience data
- Anything at all from people who only browse the marketing site without buying or filling in a form
Why we collect it
Under the GDPR, every piece of personal data needs a legal basis. Here's ours, by bucket:
- Contract — account, license, billing, ticket data. We need this to deliver what you bought.
- Legitimate interest — AI usage logs (abuse prevention + billing dispute resolution) and the contact form's IP/browser fields (spam defense). You can object to either, and we'll weigh your objection against the operational need.
- Consent — analytics cookies on this marketing site, and any marketing email you opt into. You can withdraw consent anytime from the cookie settings link in the footer.
Who we share it with
We use these third parties to run the business. None of them get more data than they need to do their part.
Stripe
Payments, tax handling, subscription billing, customer portal. Card data lives with Stripe. We receive only what Stripe tells us back: name, billing address, payment status.
OpenAI
Your AI command prompts go to OpenAI for processing. We don't store them on our side. OpenAI has its own data-handling policy that governs what it does with the prompt and reply on its end.
Google (optional)
If you use Google to sign in, we exchange OAuth credentials with Google to confirm it's you. We don't post anything to your Google account or read anything beyond your account identifier.
Resend
Transactional emails (password resets, purchase receipts, ticket updates) go out through Resend, which receives the recipient's email address and the email body.
We do not sell, rent, or trade your personal data. We do not share it with advertisers. If that ever changes we'll update this section and email active accounts before turning anything on.
Cookies on this site
This marketing site uses two categories. The customer portal at my.trueplugins.com has its own minimal set (a session cookie + theme preference), described in the in-app account page.
- Essential — your theme + accent choice, cart contents, your cookie consent record itself, and a 5-minute "you just paid" signal after checkout. The site doesn't work without these.
- Analytics — opt-in, currently inactive. When we turn it on it will count anonymous page views and respect your cookie choice. No cross-site tracking, no advertising profiles.
Change your mind anytime via the Cookie Settings link in the footer.
International transfers
We're based in the EU. Some of our third parties (Stripe, OpenAI, Google, Resend) process data in the United States. Where that happens, the transfer relies on Standard Contractual Clauses approved by the European Commission, plus the supplementary measures each provider documents on their own privacy page.
How long we keep it
- Account, license, activation data — as long as you have an account. After you delete your account, we keep the minimum required by tax law (typically 7 years in the EU) and nothing else.
- AI usage logs — 12 months, then deleted. Long enough for billing disputes, short enough to honour data minimisation.
- Support tickets — as long as your account exists. Deleted along with the account.
- Contact form messages — 12 months unless they become a ticket.
- Cookies — preferences for up to 12 months, the post-payment signal for 5 minutes, cart contents until you complete checkout or clear them.
Your rights
If you're in the EU, UK, or another GDPR-equivalent jurisdiction, you can:
- Get a copy of your data (data portability)
- Correct anything wrong
- Delete your account and have your data erased
- Withdraw consent for analytics or marketing emails anytime
- Object to processing based on legitimate interest
- Lodge a complaint with your national data-protection authority
The first three you can do yourself from my.trueplugins.com/dashboard/account — export downloads as a ZIP, deletion is a two-step confirmation. For the rest, email hello@trueplugins.com and we'll respond within 30 days.
Security
Passwords are stored as bcrypt hashes. Sensitive operations (changing your password, enabling 2FA, deleting your account, inviting a teammate) require you to re-enter your current password — a stolen session cookie alone isn't enough.
License responses sent to your installed plugin are signed with an Ed25519 key, so an attacker who gains write access to your WordPress options table can't forge a "valid" cached license. Our server private key never leaves the server.
That said, no system is bulletproof. If something does happen, we'll tell affected users within 72 hours of becoming aware, per the GDPR.
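The license-response signing described in this Security section can be illustrated with PHP's bundled libsodium functions, as a WordPress plugin would use them. This is an added example, not TruePlugins' code: the payload fields, the function names, the base64 encoding, and the domain and expiry checks are assumptions made for the illustration.

```php
<?php
// Constructed demo key pair. In a real deployment the secret key exists only on
// the license server and the plugin ships with the public key alone.
$keypair  = sodium_crypto_sign_keypair();
$serverSk = sodium_crypto_sign_secretkey($keypair);
$pluginPk = sodium_crypto_sign_publickey($keypair);

// Server side (hypothetical): sign the exact JSON bytes that will be cached.
function sign_license(array $license, string $sk): array {
    $payload = json_encode($license, JSON_UNESCAPED_SLASHES);
    $sig     = sodium_crypto_sign_detached($payload, $sk);
    return ['payload' => $payload, 'signature' => base64_encode($sig)];
}

// Plugin side (hypothetical): accept a cached row only if the signature verifies
// over the stored bytes, then apply the domain and expiry checks to the result.
function verify_cached_license(array $row, string $pk, string $domain, int $now): ?array {
    $payload = $row['payload'] ?? null;
    $sig     = base64_decode((string) ($row['signature'] ?? ''), true);
    if (!is_string($payload) || $sig === false
        || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return null; // malformed row: treat as unlicensed
    }
    if (!sodium_crypto_sign_verify_detached($sig, $payload, $pk)) {
        return null; // payload or signature was altered after signing
    }
    $license = json_decode($payload, true);
    if (!is_array($license)
        || ($license['domain'] ?? '') !== $domain
        || ($license['expires'] ?? 0) < $now) {
        return null; // genuine signature, but for another site or out of date
    }
    return $license;
}

$now = time();
$row = sign_license(
    ['domain' => 'example.com', 'status' => 'revoked', 'expires' => $now + 86400],
    $serverSk
);

// Untouched row: verifies and reports the status the server actually signed.
var_dump(verify_cached_license($row, $pluginPk, 'example.com', $now)['status']);

// Row edited in the options table to say "valid": signature no longer matches.
$edited = $row;
$edited['payload'] = str_replace('revoked', 'valid', $row['payload']);
var_dump(verify_cached_license($edited, $pluginPk, 'example.com', $now));

// Genuine row copied to a different site: signature is fine, domain check fails.
var_dump(verify_cached_license($row, $pluginPk, 'other.example', $now));
```

The signature only protects the cached data. It does not stop someone with write access to the plugin's PHP files from removing the check, which is why the verification key and code integrity matter as much as the signature itself.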
Children
TrueCommander is sold to professional WordPress users. We don't knowingly collect data from anyone under 16. If you think a child has signed up for an account, email us and we'll close it.
Changes to this policy
We update this page when our practices change. The "Last updated" date at the top is authoritative. Material changes — new third parties, new data categories, anything that broadens what we collect — get an email to active accounts before they take effect.
We won't retroactively change what we do with data already collected. Your consent at sign-up locks the version you saw.
Questions about your data?
Privacy isn't a checkbox we tick. Ask anything in here and we'll give you a real answer.