- We don’t ask you for personal information unless we truly need it.
- We don’t share your personal information with anyone except to comply with the law, develop our products, or protect our rights.
- We don’t store personal information on our servers.
Table of Content
- Information about us as controllers of your data
- The rights of users and data subjects
- Information about the data processing
1. Information about us as controllers of your data
The party responsible for this application (the “controller”) for purposes of data protection law is:
2. The rights of users and data subjects
With regard to the data processing to be described in more detail below, users and data subjects have the right
- to confirmation of whether data concerning them is being processed, information about the data being processed, further information about the nature of the data processing, and copies of the data (cf. also Art. 15 GDPR);
- to correct or complete incorrect or incomplete data (cf. also Art. 16 GDPR);
- to the immediate deletion of data concerning them (cf. also Art. 17 DSGVO), or, alternatively, if further processing is necessary as stipulated in Art. 17 Para. 3 GDPR, to restrict said processing per Art. 18 GDPR;
- to receive copies of the data concerning them and/or provided by them and to have the same transmitted to other providers/controllers (cf. also Art. 20 GDPR);
- to file complaints with the supervisory authority if they believe that data concerning them is being processed by the controller in breach of data protection provisions (see also Art. 77 GDPR).
In addition, the controller is obliged to inform all recipients to whom it discloses data of any such corrections, deletions, or restrictions placed on processing the same per Art. 16, 17 Para. 1, 18 GDPR. However, this obligation does not apply if such notification is impossible or involves a disproportionate effort. Nevertheless, users have a right to information about these recipients.
Likewise, under Art. 21 GDPR, users and data subjects have the right to object to the controller’s future processing of their data pursuant to Art. 6 Para. 1 lit. f) GDPR.
3. Information about the data
For technical reasons, the following data sent by your internet browser to us or to our server provider will be collected. These server log files record:
- the type and version of your browser,
- operating system,
- the date and time of your visit,
- the IP address from which you visited our site.
- the short lived authorization code generated by the OAuth flow.
The data thus collected will be temporarily stored, but not in association with any other of your data. We carry out no processing on this information and it is not shared with any third party.
The basis for this storage is Art. 6 Para. 1 lit. f) GDPR. Our legitimate interest lies in the improvement, stability, functionality, and security of our website.
The data will be deleted within no more than seven days, unless continued storage is required for evidentiary purposes. In which case, all or part of the data will be excluded from deletion until the investigation of the relevant incident is finally resolved.
Plugin authorization flow (OAuth)
Use of the Application involves visiting our authentication server (website) as part of the authentication (OAuth) flow to provide the Application access to the OneDrive API. The Application obtains the following information when you use the built-in app for authentication and link the Application with your Microsoft Account:
- Your WordPress website address.
- A short lived authorization code generated by the OAuth flow.
This information is obtained and used after you decide to grand the Application the requested access via the Microsoft OAuth consent screen. After giving the consent, you will be redirected to the server of wpcloudplugins.com which will redirect you back to your own site where the authorization process is finalized.
This redirect via the server of wpcloudplugins.com is required for any easy plugin setup where you don’t need to create your own App which also allows you to set your own Authorized redirect URI.
On your own server, the short lived authorization code will be exchanged for the actually access token and refresh token which are stored, encrypted, on your server. The authorization code can only be used once and will immediately become inactive after it has been exchanged for the access token or within minutes if it is not used.
IMPORTANT: When you use the Application, all other communications are strictly between your server and the cloud storage service servers. The communication is encrypted and the communication will not go through WP Cloud Plugins servers. We do not collect and do not have access to your files.
Microsoft Graph Permissions for OAuth
In order for the Application to work seamlessly, several permissions are granted by users during the standard oAuth authorization flow. Please see their privacy policies for further details
- OneDrive (files.readwrite.all)
The Application uses this permissions to allow it to see, edit, create, and delete all of your OneDrive files on your WordPress site. This is the core functionality of the plugin to make the integration between OneDrive and WordPress as seamless as possible. We ask for the ‘see’ permission to be able to list your files. The ‘create’ permission is used for uploading new content to your OneDrive. The other permissions are required to manage your files on OneDrive which includes, renaming, editing, deleting and sharing your files.
- SharePoint (sites.readwrite.all)
The Application uses this permissions to allow it to see, edit, create, and delete all of your SharePoint files on your WordPress site. The need of this scope is the same as descriped above.
- Microsoft User Profile (user.read)
This permission is used by the Application to allow for locale detection and for showing your name, email and profile picture for easy account identification in the Application dashboard.
Do third parties see and/or have access to information obtained by the Application?
We will share your information with third parties only in the ways that are described in this privacy statement:
- as required by law, such as to comply with a subpoena, or similar legal process;
- when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request;
We do not use the Application to knowingly solicit data from or market to children under the age of 18. If a parent or guardian becomes aware that his or her child has provided us with information without their consent, he or she should contact us at [email protected]. We will delete such information from our files within a reasonable time.
We are concerned about safeguarding the confidentiality of your information. We provide physical, electronic, and procedural safeguards to protect information we process and maintain. For example, we limit access to this information to authorized employees who need to know that information in order to operate, develop or improve our Application. Please be aware that, although we endeavor to provide reasonable security for information we process and maintain, no security system can prevent all potential security breaches.
If you have any questions regarding privacy while using the Application, or have questions about our practices, please contact us via email at [email protected]
Last revision: May 15, 2021