Privacy Policy

What we collect, why we collect it, and your rights

Effective date: May 11, 2026

WHMCSPilot ("we", "us", "our") respects your privacy and is committed to handling your personal information in a transparent, lawful, and proportionate way. This Privacy Policy explains what we collect, how we use it, how long we keep it, and the rights you have over your data.

This policy applies to whmcspilot.com, our customer portal, our license-validation API, and any related services we operate. It is written to comply with the EU and UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and equivalent privacy laws.

1. Data controller

WHMCSPilot is the data controller responsible for personal data processed through our website and services. For privacy-related enquiries, write to [email protected].

2. What we collect

We collect only the information needed to deliver our Products and Services and to run the business. Specifically:

  • Account information: name, email address, hashed password, company name, billing address, country, phone number (optional).
  • Order and licensing data: products purchased, transaction IDs, licence keys issued, primary domain/installation associated with each licence, payment method (truncated card details or PayPal/crypto payer reference - we never store full card numbers).
  • Communications: support tickets, project request messages, chat threads, and emails you send us.
  • Technical and usage data: IP address, browser type, device information, referring URL, pages visited, session timestamps, error logs.
  • Licence-validation data: domain, IP, WHMCS version and PHP version of the installation calling our licence API; these are needed to authorise licence checks and detect abuse.
  • Cookies and similar technologies: see the Cookies section below.

We do not knowingly collect data from children under 16. If you believe a minor has provided us personal data, contact us and we will delete it.

3. Why we collect it (legal bases)

Purpose | Legal basis
Creating and operating your account | Performance of a contract
Processing payments and issuing licences | Performance of a contract
Providing support and updates | Performance of a contract
Sending transactional emails (order confirmations, invoices, security notices) | Performance of a contract
Sending occasional product announcements to existing customers | Legitimate interest (you may opt out anytime)
Fraud prevention, security monitoring, abuse detection | Legitimate interest
Complying with tax, accounting and legal obligations | Legal obligation
Marketing emails to non-customer prospects | Consent (opt-in)

4. Who we share it with

We do not sell or rent your personal data. We share it only with service providers ("processors") that help us run the business, and only to the minimum extent needed:

  • Payment processors: Stripe, PayPal, NowPayments - they receive transaction information necessary to take payment.
  • Email delivery: our outbound SMTP provider for transactional and marketing email.
  • Hosting and infrastructure: our hosting provider and CDN.
  • Analytics: a privacy-respecting analytics product to understand aggregate site usage (no cross-site profiling).
  • Professional advisors: accountants and lawyers when bound by professional confidentiality.
  • Authorities: where compelled by valid legal process or where necessary to protect our rights or those of others.

All processors are bound by written data-processing agreements requiring confidentiality, security, and compliance with applicable privacy laws.

5. International transfers

Our service providers may be located in jurisdictions outside your country of residence. Where personal data is transferred outside the European Economic Area or UK, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (or the UK Addendum thereto), supplemented by technical measures.

6. How long we keep your data

  • Account and licensing data: for the lifetime of your account, plus the period required to honour the perpetual licence and for tax/accounting purposes (typically 7 years).
  • Invoices and financial records: retained for the period required by tax law in our jurisdiction (typically 7 years).
  • Support communications: retained for 5 years for quality and historical reference, then anonymised or deleted.
  • Marketing data: deleted on unsubscribe or after 24 months of inactivity, whichever is sooner.
  • Server logs: retained for up to 90 days for security analysis, then deleted.

7. Your rights

Depending on your jurisdiction, you have the right to:

  • Access the personal data we hold about you.
  • Rectify data that is inaccurate or incomplete.
  • Erase data ("right to be forgotten"), subject to legitimate retention obligations.
  • Restrict or object to certain processing activities.
  • Port your data to another service in a machine-readable format.
  • Withdraw consent for any activity based on consent, at any time.
  • Complain to a supervisory authority in your country (for example, the ICO in the UK or your local data protection regulator in the EU).

To exercise any of these rights, email [email protected]. We respond within 30 days. We may need to verify your identity before actioning a request.

8. Cookies and tracking

We use cookies and similar technologies for three purposes: (a) strictly necessary cookies that keep you logged in, remember your cart, and prevent CSRF attacks; (b) preference cookies that store your country, currency, and UI preferences; (c) analytics cookies that help us understand which pages perform well in aggregate.

We do not use cross-site advertising cookies or sell cookie data to third parties. You can control or block cookies through your browser settings; doing so may affect the functionality of the customer portal.

9. Security

We protect your data using industry-standard measures: TLS encryption in transit, encrypted-at-rest databases, hashed passwords (bcrypt), restricted admin access with two-factor authentication, audit logs of administrative actions, and regular dependency security audits.

While no system can be guaranteed secure, we follow current best practice and notify affected customers and competent authorities of any confirmed data breach in accordance with applicable law (typically within 72 hours of becoming aware).

10. Customer data on your installation

When you install one of our modules onto your own WHMCS, the personal data of your customers is processed on your infrastructure. WHMCSPilot does not have access to that data and is not the controller or processor of it. You remain the controller of your customers' data.

The only data that flows from your WHMCS to WHMCSPilot is the licence-validation request described in section 2 - primarily your installation domain, IP, and module/PHP/WHMCS version. None of your customers' personal data is transmitted to us.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced via email or a banner in the customer portal. The "Effective date" at the top of this page indicates the current version.

12. Contact

Questions about this Privacy Policy or about your personal data? Email [email protected] or write to us via the contact form. For unresolved complaints, you may contact your local data protection supervisory authority.