Privacy Policy

Last updated: April 30, 2026

1. Who We Are and Our Role as Data Controller

XOCO WEB SRL (CUI 45465782, Registration No. J20/46/2022, EUID ROONRC.J20/46/2022) operates the ReloadWP service at reloadwp.com and acts as the data controller within the meaning of Article 4(7) of the GDPR, responsible for determining the purposes and means of processing your personal data.

This Privacy Policy is written in compliance with:

  • EU General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679
  • Applicable Romanian data protection law and implementing legislation
  • Guidance issued by the Romanian National Supervisory Authority (ANSPDCP)

For all data protection matters, contact us at: hello@reloadwp.com. We aim to respond to all data-related enquiries within 30 days.

2. Scope of This Policy

This policy applies to personal data collected and processed by ReloadWP through:

  • The reloadwp.com website and any subdomains
  • Contact and enquiry forms on the site
  • Client account management and service delivery
  • Billing and subscription management

This policy does not apply to third-party websites linked from our site. We are not responsible for the privacy practices of those sites.

3. Data We Collect

3.1 Data You Provide Directly

We only collect personal data you actively and voluntarily provide to us. This includes:

  • Contact form submissions: your name, email address, website URL, and message content.
  • Account registration: name, email address, company name (if applicable), and billing details.
  • Client onboarding: website access credentials (e.g., WordPress admin login, hosting panel credentials, FTP/SFTP details) necessary to deliver maintenance services. These are treated with strict confidentiality and used solely to perform the contracted services.
  • Payment information: billing name and address. Full card numbers and CVV codes are handled exclusively by our payment processor and are never stored by us.
  • Support and correspondence: any information you provide when contacting us by email or through the platform.

3.2 Data Collected Automatically

Beyond standard infrastructure logs maintained by our hosting provider (Vercel - see Section 5), we do not collect data automatically. Specifically, we do not use:

  • Tracking pixels or web beacons
  • Behavioural analytics or session recording tools
  • Browser fingerprinting or device identification
  • Advertising or retargeting technologies
  • Google Analytics, Facebook Pixel, or equivalent services

We do not engage in any form of automated personal profiling or decision-making based on your personal data.

4. How We Use Your Data and Legal Bases

We process your personal data only for specified, explicit, and legitimate purposes. The table below sets out each processing activity and its corresponding legal basis under Article 6 GDPR:

  • Responding to enquiries and contact form submissions - Legal basis: Legitimate interest (Art. 6(1)(f)).
  • Delivering WordPress maintenance and care plan services - Legal basis: Performance of a contract (Art. 6(1)(b)).
  • Managing your account and subscription - Legal basis: Performance of a contract (Art. 6(1)(b)).
  • Processing payments and preventing fraud - Legal basis: Performance of a contract / Legitimate interest (Art. 6(1)(b) and (f)).
  • Retaining billing and accounting records - Legal basis: Legal obligation (Art. 6(1)(c)) - required by Romanian accounting law.
  • Security monitoring and infrastructure protection - Legal basis: Legitimate interest (Art. 6(1)(f)).
  • Sending optional newsletters or marketing communications - Legal basis: Consent (Art. 6(1)(a)). You may withdraw consent at any time without penalty.

We will not use your personal data for any purpose incompatible with those listed above without first obtaining your explicit consent or notifying you as required by law.

5. Third-Party Data Processors

We use a limited number of carefully selected service providers who act as data processors on our behalf under binding data processing agreements (DPAs) in accordance with Article 28 GDPR. We do not sell, rent, or trade your personal data with any third party for marketing or commercial purposes.

5.1 Vercel (Website Hosting)

Our website is hosted on Vercel. Vercel may log standard request metadata including IP address, browser type, and pages visited, in accordance with their privacy policy at vercel.com/legal/privacy-policy. Data may be processed in the United States under Standard Contractual Clauses (SCCs).

5.2 Resend (Transactional Email)

Contact form submissions are routed through Resend solely to deliver email notifications to us. Resend processes your data only as instructed by us and does not retain or use it for any other purpose.

5.3 Payment Processor

Payments are processed by our designated payment provider. They act as an independent data controller for payment processing purposes and operate under their own privacy policy. We do not store complete card numbers or CVV codes.

We will update this section promptly if we engage additional processors. We will not engage any new processor that materially affects your data rights without notifying you in advance.

6. Client Access Credentials and Sensitive Data

Where you provide us with website access credentials (WordPress admin, cPanel, FTP/SFTP, etc.) to enable delivery of our maintenance services, we treat this information as strictly confidential.

We apply the following safeguards to such credentials:

  • Access is restricted to personnel directly responsible for delivering your services.
  • Credentials are stored using appropriate encryption and access controls.
  • Credentials are not shared with any third party except where strictly necessary for service delivery (e.g., a contracted specialist), and only under equivalent confidentiality obligations.
  • Upon termination of your subscription, we will return or securely delete all credentials you have provided within 7 business days, upon request.

7. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law. Specific retention periods:

  • Contact form submissions and email enquiries: retained for the duration of the enquiry or client relationship, plus up to 2 years after last contact, then deleted or anonymised.
  • Client account data: retained for the duration of the active subscription and up to 2 years following termination, unless a longer period is required by law.
  • Billing and accounting records: retained for 10 years as required by Romanian accounting law (Legea nr. 82/1991).
  • Access credentials: deleted promptly upon termination of the relevant service engagement, or upon your request.
  • Infrastructure logs (Vercel): subject to Vercel's own retention policy.

When data is no longer required, we ensure it is securely deleted or irreversibly anonymised.

8. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights, which you may exercise at any time by contacting hello@reloadwp.com:

  • Right of access (Art. 15): request a copy of the personal data we hold about you and information about how it is processed.
  • Right to rectification (Art. 16): request correction of inaccurate or incomplete personal data.
  • Right to erasure / "right to be forgotten" (Art. 17): request deletion of your data where no overriding legal basis requires us to retain it.
  • Right to restriction of processing (Art. 18): request that we temporarily limit processing of your data in certain circumstances (e.g., while accuracy is contested).
  • Right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format where processing is based on consent or contract.
  • Right to object (Art. 21): object to processing based on legitimate interests, including for direct marketing purposes.
  • Right to withdraw consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
  • Right not to be subject to solely automated decisions (Art. 22): we do not carry out automated decision-making or profiling with legal or significant effects.

We will respond to all rights requests within 30 days. In complex cases, we may extend this by a further 60 days with notice. We will not charge a fee for responding to rights requests unless they are manifestly unfounded or excessive.

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) at dataprotection.ro, or with the supervisory authority of your country of residence within the EU/EEA.

9. Security Measures

We implement appropriate technical and organisational measures (TOMs) to protect your personal data against unauthorised access, accidental loss, alteration, or disclosure. These measures include:

  • HTTPS/TLS encryption across all pages and data transmissions.
  • Strict access controls - personal data is accessible only to personnel with a legitimate need.
  • Secure handling and storage of client access credentials.
  • Regular review of our security practices.

No method of transmission over the internet is completely secure. While we take all reasonable precautions, we cannot guarantee absolute security. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by GDPR Articles 33 and 34.

10. Cookies

We do not use tracking, analytics, or advertising cookies. Any cookies present on reloadwp.com are strictly necessary for the technical operation of the site (e.g., session management or security tokens). For full details, see our Cookie Policy.

You may control cookies through your browser settings. Disabling strictly necessary cookies may affect the functionality of the site.

11. International Data Transfers

Some of our service providers (including Vercel and Resend) may process your data outside Romania or the European Economic Area (EEA), including in the United States. Where such transfers occur, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914/EU).
  • Supplementary technical and organisational measures where required to ensure equivalent protection.

You may request a copy of the relevant transfer safeguards by contacting hello@reloadwp.com.

12. Children's Data

Our services are directed exclusively at adults (persons aged 18 and over). We do not knowingly collect personal data from individuals under 18. If you believe we have inadvertently collected data from a minor, please contact us immediately at hello@reloadwp.com and we will take prompt steps to delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, applicable law, or service offerings. Changes will be published on this page with an updated effective date.

For material changes that significantly affect how we process your personal data, we will notify active clients by email at least 14 days before the change takes effect. Continued use of our services after the effective date constitutes acceptance of the updated policy. If you do not accept the updated policy, you may close your account without penalty beyond the no-refund terms in our Terms of Service.

14. Contact and Data Protection Enquiries

For any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us at hello@reloadwp.com

We are committed to resolving all data protection concerns promptly and in good faith.