We are committed to safeguarding the privacy of our website visitors and service users and all the personal data we process shall always be in line with the General Data Protection Regulation (GDPR). This document contains details on what data we collect from you if you choose to use our service, what we need this data for as well as your rights pertaining to your data. In this document “we” and “us” refers to the data controller CMS Commander (see contact details), while “you” refers to the data subject of whom personal data is collected.
What Data We Collect
Below you can find details on what data we might collect from you depending on how you use our website and services as well as details on what we use your data for and why we need it.
When browsing our website
We do not collect any personal information when just browsing our site but as with most websites our server collects a series of general data, which gets stored in the server log files. Collected may be (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our website (so-called referrers), (4) the sub-websites, (5) the date and time of access to the Internet site, (6) an Internet protocol address (IP address) and (7) the Internet service provider of the accessing system. This anonymously collected data is not used to draw conclusions about you but is needed to optimize the content of our website and provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack.
When using our contact form
When using our contact form to directly communicate with us you need to enter your email address, your name as well as the message you want to send. By using our contact form you agree to the storage of the data voluntarily entered by you for the specific purpose of processing and replying to your contact requests. The data is not shared with any third parties and not used for any other purpose.
When registering for a CMS Commander account
You have the possibility to register on our website in order to use our offered services. Which personal data are transmitted to us is determined by your respective input mask used for the registration. By registering for CMS Commander you agree with the collection and use of your personal data as detailed below.
If you want to register you need to provide us with your email address. This is used to send you your account details after the registration process has been completed and may also be used to send you other transactional emails, such as notifications of available updates on your managed sites. It may also be used to send you information about new features that we have made available in CMS Commander. By registering for CMS Commander you consent to receiving emails related to your account.
You will also need to enter your full name and full address, including street name, city, ZIP code, country you live in and if applicable your business name and your European VAT-ID. We are required to collect these details in order to determine the correct VAT rate to charge you according to European tax laws as well as to store the data for accounting purposes.
If you want to sign up for a paid CMS Commander account you have the choice to use your Paypal account or your credit card (processed by Stripe) during checkout. Please see the section “Third Parties We Share Data With” below for details on each option.
By registering the IP address assigned by your Internet service provider (ISP), date, and time of the registration are also stored in order to prevent the possible misuse of our services, and, if necessary, to make it possible to investigate committed offenses. Insofar, the storage of this data is necessary to secure the controller. This data is not passed on to third parties unless there is a statutory obligation to pass on the data.
When using our service inside your CMS Commander account
In order to connect your websites to our service you need to enter your website URL and WordPress admin username of each site you want to add into the “add site” form inside your account. These information are necessary to facilitate the services we offer. Your site’s WordPress login passwords are not required and we never ask you to input your password.
After you have added your sites our service allows you to remotely access the information on your websites which you have added, including the content, user accounts, installed plugins and more. Said website content can be displayed inside your account for the sites you chose to add but it will neither be stored by us nor shared with any 3rd parties. The content will remain entirely on your own website and servers. CMS Commander only provides the ability to access said content remotely.
The “Choose Sources” page inside your CMS Commander account allows you to connect our service with various other online services. For this purpose you need to enter your API key and, depending on the service, your username or other identifiers via the webforms provided. We only use this data to connect your account with the services of your choice and provide you the additional features offered.
Furthermore you have the choice to connect your Google Analytics and Google Webmaster accounts to your CMS Commander account. The effect is that your Google Analytics data will be displayed in your CMS Commander dashboard. The data will not be stored on our end. Should you choose to connect your Google Drive account, Dropbox account or provide your Amazon S3 details they can be used as a repo to store your website backups.
The “Deploy Site” page inside your CMS Commander account allows you to set up a new WordPress site on your own webserver. In order to use this feature you are required to enter your web server details, including FTP login details and database login details. The data will not be stored by us once the functionality of the “Deploy Site” feature has been completed and it will not be used for any other purpose or shared with any other party.
Third Parties We Share Data With
Payment processor: Paypal
If you choose “PayPal” as the payment option during the ordering process, we automatically transmit your data to PayPal in order to complete the checkout process. By selecting this payment option, you agree to the transfer of personal data required for payment processing. The personal data transmitted to PayPal is usually first name, last name, address, email address, IP address, or other data necessary for payment processing. The processing of the purchase contract requires such personal data, which are in connection with the respective order.
The transmission of the data is aimed at payment processing and fraud prevention. The controller will transfer personal data to PayPal, in particular, if a legitimate interest in the transmission is given. The personal data exchanged between PayPal and the controller for the processing of the data will be transmitted by PayPal to economic credit agencies. This transmission is intended for identity and creditworthiness checks. PayPal will, if necessary, pass on personal data to affiliates and service providers or subcontractors to the extent that this is necessary to fulfill contractual obligations.
The European operating company of PayPal is PayPal (Europe) S.Ã .r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg. The applicable data protection provisions of PayPal can be found at https://www.paypal.com/us/webapps/mpp/ua/privacy-full.
Payment processor: Stripe
If you choose “credit card” as the payment option during the ordering process, we ask you to enter your credit card details (card number, card expiry date, cardholder name and CVC code) and automatically transmit your data to Stripe in order to complete the checkout process. Stripe is a payment processing company, which we use to facilitate offering credit card payments. All your sensitive credit card data is entirely handled by Stripe and does not get stored in our own system.
By selecting this payment option, you agree to the transfer of personal data required for payment processing. The personal data transmitted to Stripe is usually first name, last name, address, email address, credit card number, credit card expiry date, credit cardholder name, credit card CVC code, IP address, or other data necessary for payment processing. The processing of the purchase contract requires such personal data, which are in connection with the respective order.
The transmission of the data is aimed at payment processing and fraud prevention. The controller will transfer personal data to Stripe, in particular, if a legitimate interest in the transmission is given. The personal data exchanged between Stripe and the controller for the processing of the data will be transmitted by Stripe to economic credit agencies. This transmission is intended for identity and creditworthiness checks. Stripe will, if necessary, pass on personal data to affiliates and service providers or subcontractors to the extent that this is necessary to fulfill contractual obligations.
The European operating company of Stripe is Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin. The applicable data protection provisions of Stripe can be found at https://stripe.com/privacy .
Email processor: Sendgrid
We use Sendgrid to process and send all transactional emails to registered customers, such as the email with account details you will receive after signing up. By registering for a CMS Commander account you agree to the tranfer of your full name and your email address to Sendgrid for the purpose of email processing.
Sendgrid is a company based in the United States of America that complies with all of the EU’s data protection requirements and is Privacy Shield certified. Sendgrid’s address is 1801 California St., Suite 500, Denver, CO 80202, U.S.A. The applicable data protection provisions of Sendgrid can be found at https://sendgrid.com/policies/privacy/services-privacy-policy/ .
MaxMind GeoIP Services
If you decide to order our services or products we use the GeoIP service by MaxMind to determine the country you are based in during the order process. We need to determine the country you are ordering from in order to accurately charge you the correct VAT rate as required by EU tax laws. For this purpose only your IP address and no other data gets shared with Maxmind, who use it to calculate your approximate location. Further information and the applicable data protection provisions of MaxMind, Inc. can be found under https://www.maxmind.com/en/privacy_policy
Wordfence Security Plugin
Wordfence is a security plugin for WordPress operated by Defiant, Inc. which protects our site from malicious attacks and automated bot networks. For the purpose of security for our services Wordfence collects your IP address, the pages visited, entry and exit points, the domains from which visitors come and browser types. Further information and the applicable data protection provisions of Defiant, Inc. can be found under https://www.wordfence.com/privacy-policy/
We use Google Analytics (with the anonymizer function) on this website for their web analytics services and traffic data collection. We have implemented Google’s “anonymizeIp” feature, which means that your IP address is abridged by Google and anonymised when accessing our website. That means all the traffic data Google collects, such as the access time, the location from which the access was made, and the frequency of visits, is also collected anonymously and can not be tracked back to your person.
The operator of the Google Analytics component is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, United States. Further information and the applicable data protection provisions of Google can be found under https://www.google.com/intl/en/policies/privacy/ and under http://www.google.com/analytics/terms/us.html.
Metrics for your sites: SEMrush, Sucuri and MOZ
If you are a registered user of our service we display several metrics related to your websites inside your CMS Commander account for your convenience. For the purpose of requesting these metrics and statistics we will send the website URLs of the sites you added to MOZ.com, SEMrush and Sucuri via automated requests. No other and no personal data of yours is shared with these services.
Period For Which Your Data Will Be Stored
In general personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose. That means that we will regularly delete data that we do not need anymore, for example after you have canceled your account with us and stopped using our services.
As an exception we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject. For example due to tax laws we are required to keep records of invoice data for 10 years.
You may, at any time, prevent the setting of cookies through our website by means of a corresponding setting of the Internet browser used, and may thus permanently deny the setting of cookies. Furthermore, already set cookies may be deleted at any time via an Internet browser or other software programs. This is possible in all popular Internet browsers. If you deactivate the setting of cookies in the Internet browser used, not all functions of our website may be entirely usable.
Users may find advertising or other content on our Site that link to the sites and services of our partners, suppliers, advertisers, sponsors, licensors and other third parties. We do not control the content or links that appear on these sites and are not responsible for the practices employed by websites linked to or from our Site. In addition, these sites or services, including their content and links, may be constantly changing. These sites and services may have their own privacy policies and customer service policies. Browsing and interaction on any other website, including websites which have a link to our Site, is subject to that website’s own terms and policies.
The newsletter and transactional emails of CMS Commander contains so-called tracking pixels. A tracking pixel is a miniature graphic embedded in such e-mails, which are sent in HTML format to enable log file recording and analysis. This allows a statistical analysis of the success or failure of online marketing campaigns. Based on the embedded tracking pixel, CMS Commander may see if and when an e-mail was opened by a data subject, and which links in the e-mail were called up by data subjects. Such personal data collected in the tracking pixels contained in the newsletters are stored and analyzed by the controller in order to optimize the shipping of the newsletter, as well as to adapt the content of future newsletters even better to the interests of the data subject. These personal data will not be passed on to third parties. Data subjects are at any time entitled to revoke the respective separate declaration of consent issued by means of the double-opt-in procedure. After a revocation, these personal data will be deleted by the controller. CMS Commander automatically regards a withdrawal from the receipt of the newsletter as a revocation.
In this section we have summarized the rights that you have under data protection law. Some of the rights are complex, and not all of the details have been included in our summaries. Accordingly, you should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights.
Your principal rights under data protection law are:
The right to access
You have the right to confirmation as to whether or not we process your personal data and if so access to the personal data. We will supply to you a copy of your personal data provided the rights and freedoms of others are not affected by doing so.
The right to rectification
You have the right to have any inaccurate personal data about you corrected and any incomplete data completed.
The right to erasure
In some circumstances you have the right to the erasure of your personal data without undue delay. However, there are exclusions of the right to erasure. The general exclusions include where processing is necessary, such as for compliance with a legal obligation or for the establishment, exercise or defence of legal claims.
The right to object to or restrict processing
You have the right to object to our processing of your personal data on grounds relating to your particular situation, but only to the extent that the legal basis for the processing is that the processing is necessary for: the performance of a task carried out in the public interest or in the exercise of any official authority vested in us; or the purposes of the legitimate interests pursued by us or by a third party. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.
The right to data portability
To the extent that the legal basis for our processing of your personal data is consent and such processing is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.
The right to complain to a supervisory authority
If you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.
The right to withdraw consent
To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.
You may exercise any of your rights in relation to your personal data by contacting us via email at firstname.lastname@example.org or by using our contact form.
In most cases the legal basis for processing operations is that we have obtained consent from you for a specific processing purpose according to Art. 6(1) lit. a GDPR. If the processing of personal data is necessary for the performance of a contract to which you are a party, such as providing our services, the processing is based on Article 6(1) lit. b GDPR. The same applies to such operations which are necessary for carrying out pre-contractual measures, for example in the case of inquiries concerning our services. If we subject to a legal obligation by which processing of personal data is required, such as for the fulfillment of tax obligations, the processing is based on Art. 6(1) lit. c GDPR.
In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or of another natural person. This would be the case, for example, if a visitor were injured in our company and his name, age, health insurance data or other vital information would have to be passed on to a doctor, hospital or other third party. Then the processing would be based on Art. 6(1) lit. d GDPR. Finally, processing operations could be based on Article 6(1) lit. f GDPR. This legal basis is used for processing operations which are not covered by any of the abovementioned legal grounds, if processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Such processing operations are particularly permissible because they have been specifically mentioned by the European legislator. He considered that a legitimate interest could be assumed if the data subject is a client of the controller (Recital 47 Sentence 2 GDPR).
Use of Services by Minors
Children under the age of 13 years are not the target audience for this website or service. To protect their privacy, we prohibit the solicitation of personal information from children. If you are under the age of 13, please do not submit your email address or any other personal information to us through this website. CMS Commander does not intentionally gather personal data about visitors who are under the age of 13.
Click to Contact Us
This document was last updated on April 28, 2018