Privacy Policy

How we handle your data when you use SailWP, sailwp.com, app.sailwp.com, or the SailWP plugin/theme. Plain summary first, full detail below.

The short version

SailWP is a WordPress theme + plugin + cloud dashboard that lets you build and edit your site by chatting with an AI. To do that, the things you type, paste, attach, or speak get sent through our server to Anthropic (the AI provider), and the response comes back.

We do not sell your data. Anthropic does not train models on your data. We retain only what we need to run the service and bill you.

You have full GDPR rights — access, correction, erasure, portability — exercisable by emailing [email protected].

1. Who we are 2. What we process 3. Why & legal basis 4. Sub-processors 5. Retention 6. Your rights 7. Security 8. Cookies 9. Minors 10. Changes

1. Who we are (the controller)

SailWP is operated by 31 Ventures, a sole proprietorship registered in the Netherlands.

Trade name: SailWP (a product of 31 Ventures)
Owner: Joost Boer
Chamber of Commerce (KvK): 81019556
VAT (BTW): NL003518091B91
Country: The Netherlands
Contact: [email protected]

For privacy questions, data-subject requests, or breach notifications, email [email protected] with subject "Privacy". We respond within 30 days as required by GDPR Art. 12.

A holding + BV structure is in formation. Once registered, this section will be updated and the BV will assume controller status by way of contract assignment under Art. 6:159 BW (Dutch Civil Code).

2. What personal data we process

2.1 Account & identity

Email address — for magic-link login, account identification, transactional emails, and (if you opt in) product updates.
License key — a random opaque ID generated when the plugin/theme activates. Maps to your site URL and subscription state.
Site URL(s) connected to your workspace.
Workspace metadata — display names, favicons, member roles, invitation state.

2.2 Content you submit through the AI

Page content when you ask the AI to redesign, edit, or analyze a specific page. Block markup, text, image URLs.
Chat messages you type or speak. Voice is converted to text in your browser (using Web Speech API) before transmission.
Attached files — text from documents, image bytes for photos and screenshots, raw bytes for PDFs.
Site context — page title, your site URL, active theme, WordPress version, plugin version. Used to give the AI context and to debug.

2.3 Billing & payment

Stripe customer ID, subscription state, invoice history — we receive these from Stripe via webhook. We do not see, store, or transmit your card number, CVC, or full billing address — those stay with Stripe.
VAT number (if you provide one for B2B billing) — passed through to Stripe Tax for invoice issuance.

2.4 Operational logs

Per-call usage logs — timestamp, license key, AI model used, token count, cost in cents, error code (if any). No chat content. Used for billing, abuse-rate-limiting, and debugging.
Page-version snapshots — when the AI edits a page, we store a copy of the previous HTML on our server so you can restore it. Plus a one-line summary generated by Anthropic Haiku.
Server access logs — IP address, user agent, timestamp, requested path. Retained ≤30 days for security investigation.

2.5 What we do NOT collect

We do not run third-party advertising or analytics scripts.
We do not track you across sites.
We do not collect biometric, health, political, or other special-category data (Art. 9 GDPR).
Voice is transcribed locally in your browser. The audio never leaves your device.

3. Why we process your data & the legal basis

Purpose	Legal basis (GDPR Art. 6)
Provide the SailWP service (login, AI calls, dashboard, plugin)	Performance of contract — Art. 6(1)(b)
Bill you, issue invoices, comply with tax law	Legal obligation + contract — Art. 6(1)(b),(c)
Send transactional emails (magic-link, billing, security alerts)	Performance of contract — Art. 6(1)(b)
Detect and prevent abuse, rate-limit excessive use	Legitimate interest (service integrity) — Art. 6(1)(f)
Improve and debug the service	Legitimate interest — Art. 6(1)(f)
Send product updates / newsletters	Consent — Art. 6(1)(a). You can opt out anytime.

4. Sub-processors & international transfers

We use the following sub-processors. Each has a data-processing agreement in place that meets GDPR requirements. Where data is transferred outside the EEA, we rely on the EU Standard Contractual Clauses (SCCs) per Commission Implementing Decision 2021/914.

Sub-processor	Purpose	Region	Transfer mechanism
Anthropic, PBC	AI inference (Claude models)	USA	SCCs + Anthropic DPA
Stripe Payments Europe Ltd.	Payment processing, VAT calculation, invoicing	Ireland (EEA) + USA	SCCs + Stripe DPA
Resend, Inc.	Transactional email (magic-links, billing notices)	USA	SCCs + Resend DPA
mijn.host (Hostnet B.V.)	VPS hosting, where our database and servers run	Netherlands (EEA)	EEA — no transfer
Cloudflare, Inc.	DNS, edge proxy, DDoS protection	Global / USA HQ	SCCs + Cloudflare DPA
Google LLC (Nano Banana Pro)	AI image generation (when you generate images via chat)	USA	SCCs + Google Cloud DPA

We will publish a 30-day notice on this page before adding or replacing a sub-processor that processes personal data. To object to a new sub-processor, email [email protected]; you may terminate your subscription with a refund of any unused prepaid period if we proceed against your objection.

Anthropic data handling: per Anthropic's Commercial Terms, your inputs and outputs are not used to train Anthropic's models. Anthropic may retain inputs for up to 30 days for trust & safety review, after which they are deleted, unless flagged for legal/safety reasons.

5. How long we keep your data

Data category	Retention
Account email, license key, site URL	Until 30 days after you close the account or uninstall the plugin (whichever is later)
Page-version snapshots	Up to 90 days, or until manual deletion via dashboard
Per-call usage logs (no content)	13 months (rolling, for billing reconciliation)
Server access logs	30 days
Stripe billing records, invoices	7 years (Dutch tax law obligation, art. 52 AWR)
Anthropic AI inputs (held by Anthropic)	≤30 days at Anthropic
Backups (encrypted nightly snapshots)	14 days rolling, then overwritten

On account closure we will delete or irreversibly anonymise data within 30 days, except where retention is required by law (e.g. tax records).

6. Your rights under GDPR

You have the following rights and can exercise them by emailing [email protected] from the email tied to your account. We will respond within 30 days, free of charge, unless requests are manifestly excessive.

Access (Art. 15) — get a copy of the personal data we hold about you.
Rectification (Art. 16) — correct inaccurate data.
Erasure / "right to be forgotten" (Art. 17) — have your data deleted, subject to legal retention obligations.
Restriction (Art. 18) — pause our processing in specific situations.
Portability (Art. 20) — receive your data in a structured, machine-readable format.
Objection (Art. 21) — object to processing based on legitimate interest.
Withdraw consent (Art. 7) — for processing based on consent, at any time.
Lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or the supervisor in your country of residence.

We do not engage in automated decision-making with legal effect (Art. 22). The AI helps you build a site; it does not decide anything legally binding about you.

7. Security

We apply appropriate technical and organisational measures (Art. 32 GDPR), including:

TLS 1.2+ for all data in transit (HTTPS only, HSTS enabled)
Encryption at rest for backups
HMAC-signed session tokens (HS256, 256-bit secret)
Magic-link sign-in (no password storage)
Principle of least privilege on the VPS; SSH key-only access
HTTP-only, Secure, SameSite=Lax cookies for sessions
Rate-limiting and abuse detection on AI endpoints
Encrypted nightly database backups

If we discover a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens within 72 hours and inform affected users without undue delay (Art. 33–34 GDPR).

8. Cookies and local storage

SailWP uses only cookies and local storage that are strictly necessary to deliver the service (Art. 11.7a Dutch Telecommunications Act / ePrivacy). No consent banner is required because we do not set tracking, advertising, or third-party analytics cookies.

Session cookie on app.sailwp.com — HTTP-only, Secure, 90-day max-age. Required to keep you signed in.
Local storage on your WordPress site (when the plugin is active) — stores rail collapse state and chat history locally in your browser. Never transmitted.
Self-hosted Umami on sailwp.com — counts page visits without cookies, without IP storage, without cross-site tracking. Falls outside ePrivacy consent rules.

9. Minors

SailWP is a B2B/professional product. The service is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, email [email protected] and we will delete it.

10. Changes to this policy

If we materially change how we process data, we will notify active users by email at least 30 days before the change takes effect, and update the date at the bottom of this page. Continued use of the service after the effective date constitutes acceptance of the updated policy. If you do not accept the change, you may close your account before the effective date and request data deletion.

Last updated: 30 April 2026 · Version 1.0 · Operated by 31 Ventures (KvK 81019556) · Terms · DPA