Privacy Policy
Webdesignelite License Server
Last updated: March 2026
1. Data Controller
Information about the data controller within the meaning of the GDPR can be found in our Imprint.
2. Processing Overview
This license server processes personal data exclusively to provide the following services:
- User account management (registration, login, profile)
- License management and verification for software products
- Support ticket system
- Transactional emails (license delivery, reminders, support notifications)
- Security and system logging
Processed Data Categories
| Category | Data | Purpose |
|---|---|---|
| Identity data | Name, email address | Account management, communication |
| Access credentials | Password (hashed), 2FA secret (encrypted) | Authentication |
| License data | License key, activation domains, plugin version, last check-in | License verification, update checks |
| Support data | Ticket content, attachments, timestamps | Customer support |
| Log data | User actions, timestamps, IP (on login) | Security, error analysis |
| Technical data | Session ID, CSRF token, language preference | Session management |
3. Legal Basis
- Art. 6(1)(b) GDPR – Performance of a contract: license provision, support, account management
- Art. 6(1)(f) GDPR – Legitimate interests: security logging, abuse prevention
- Art. 6(1)(a) GDPR – Consent: where separately obtained (currently not in use)
4. Registration & User Account
The following data is processed when creating an account:
- Name – for personalization and salutation
- Email address – as login identifier and for system notifications
- Password – stored as a Bcrypt hash, never in plain text
- Language preference – for the dashboard interface (DE/EN)
- Avatar – optional, as upload or preset
Two-factor authentication (TOTP) can optionally be enabled. The 2FA secret and recovery codes are stored encrypted.
5. License Management
The following data is processed when using our software licenses:
- License key – for unique identification
- Activation domains – to verify that the license is used on authorized websites
- Plugin version and WordPress version – for update compatibility checks
- Last check-in – timestamp of the last verification
- HMAC secret – optional signing of API responses for integrity assurance
License verification is performed via API (server-to-server, not browser-based). No end-user IP addresses are stored.
6. Support System
The following data is processed when using the integrated ticket system:
- Ticket subject and content – to process the inquiry
- Replies – including internal notes (visible to admins only)
- File attachments – max. 5 MB, PDF and image files only (JPEG, PNG, GIF, WebP), stored on the server's local storage
- Timestamps – creation and update timestamps
Attachments are automatically removed from the server when the associated ticket or reply is deleted.
7. Email Communication
The license server sends transactional emails via its own mail server (Mailcow). The following email types are sent:
- License key delivery
- Expiration reminders
- Welcome emails
- Support notifications (new ticket, new reply, status changes)
No newsletters are sent. Email templates are managed internally. Sent emails are logged for traceability (recipient, subject, timestamp).
8. Logging
For security and traceability, the following actions are automatically logged:
- Creation, modification, and deletion of licenses, products, users, and tickets
- Email dispatch
- System actions (cache clearing, maintenance)
Logs are automatically limited to a maximum of 500 entries (auto-pruning). Older entries are automatically deleted.
9. Cookies & Sessions
This license server uses strictly necessary cookies only:
| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie | Session management, authentication | Until browser close / max. 120 min. |
| XSRF-TOKEN | Cross-Site Request Forgery protection | Session duration |
No tracking, analytics, or marketing cookies are used. No third-party scripts (Google Analytics, Meta Pixel, etc.) are loaded. A cookie consent banner is therefore not required.
10. Security Measures
To protect your data, we implement the following technical and organizational measures:
- Transport encryption – HTTPS only (TLS)
- Password hashing – Bcrypt with salt
- Two-factor authentication – TOTP (mandatory for administrators)
- Session encryption – sessions are stored encrypted on the server
- Secure cookies – session cookies are only transmitted over HTTPS
- CSRF protection – every form is protected against Cross-Site Request Forgery
- Rate limiting – API endpoints are limited to 30 requests/min (verification) or 10 requests/min (downloads)
- Role-based access control – customers can only see their own data
- Input validation – all inputs are validated and sanitized server-side
- CORS restriction – no cross-origin browser access possible
11. Retention & Deletion
| Data Category | Retention Period | Deletion |
|---|---|---|
| User account | Until deletion by admin or upon request | Complete deletion including profile picture |
| Licenses | Until deletion by admin | License and associated activations are removed |
| Activations | Until deactivation or license binding | Soft delete (reactivation possible), permanent upon license deletion |
| Support tickets | Until manual deletion (superadmin only) | Ticket, replies, and attachments are completely removed |
| Email logs | Until manual deletion | Deletable by admin |
| Activity logs | Max. 500 entries (auto-pruning) | Automatic cleanup, manually deletable |
| Sessions | Max. 120 minutes | Automatic cleanup |
12. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR) – information about what data is stored about you
- Right to rectification (Art. 16 GDPR) – correction of inaccurate data
- Right to erasure (Art. 17 GDPR) – deletion of your data, unless retention obligations apply
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR) – export of your data in a machine-readable format
- Right to object (Art. 21 GDPR) – against processing based on legitimate interests
To exercise your rights, please contact: info@webdesignelite.de
You also have the right to lodge a complaint with a supervisory authority if you believe that the processing of your data violates the GDPR.
13. Recipients & Third Parties
Your data is not shared with, sold to, or used by third parties for advertising purposes. All processing takes place on our own servers:
- Web server – Netcup (Germany), for hosting and data processing
- Mail server – Mailcow on dedicated Netcup server (Germany), for email delivery
No data transfer to third countries (outside the EU/EEA) takes place.
14. Changes to This Privacy Policy
We reserve the right to update this privacy policy to reflect changes in legal requirements or modifications to our services. The current version is always available on this page.