Privacy Policy

Last updated: March 7, 2026

1. Who We Are

beltoft.net is a software development business operated from Aarhus, Denmark. We develop and sell WordPress plugins and related digital products. For privacy purposes, beltoft.net is the data controller.

Contact: hello@beltoft.net

2. What Data We Collect

We collect the following personal data:

  • Account information: name, email address, and password (hashed) when you create an account.
  • Billing information: name, company name, country, and VAT number. Payment card details are processed directly by Stripe and never stored on our servers.
  • Order data: purchase history, subscription status, license keys, and activation domains.
  • Contact form submissions: name, email, company, topic, and message content.
  • Technical data: IP address (for rate limiting and fraud prevention), browser user agent, and page visit data via Google Analytics.

3. How We Use Your Data

We use your data for the following purposes:

  • Processing purchases, managing subscriptions, and delivering license keys.
  • Sending transactional emails: purchase confirmations, renewal notices, subscription updates, and refund notifications.
  • Responding to contact form inquiries.
  • Validating EU VAT numbers via the VIES service for reverse charge eligibility.
  • Preventing fraud and abuse through rate limiting and Cloudflare Turnstile verification.
  • Understanding site usage through Google Analytics to improve our products and website.

4. Legal Basis (GDPR)

We process your data under the following legal bases as defined by the EU General Data Protection Regulation (GDPR):

  • Contract performance: processing purchases, managing subscriptions, delivering licenses, and sending transactional emails.
  • Legitimate interest: fraud prevention, rate limiting, and analytics to improve our service.
  • Legal obligation: invoicing and tax compliance.
  • Consent: contact form submissions and optional social login.

5. Third-Party Services

We share data with the following third-party processors, all of which are GDPR-compliant:

  • Stripe (payment processing): processes card payments and stores payment methods for recurring billing. Stripe acts as an independent data controller for payment data.
  • Amazon Web Services (SES): sends transactional emails on our behalf.
  • Google Analytics: anonymous website usage tracking. No personally identifiable information is sent to Google Analytics.
  • Cloudflare Turnstile: bot detection on the contact form. Processes IP address and browser signals.
  • EU VIES: VAT number validation. Only the VAT number and country code are transmitted.
  • Google / GitHub: if you choose to sign in with Google or GitHub, we receive your name and email from the provider. We do not access other account data.

6. Data Retention

  • Account and order data: retained for as long as your account is active, plus 5 years for tax and accounting purposes as required by Danish law.
  • Contact form submissions: retained for 2 years after the inquiry is resolved.
  • Email logs: retained for 90 days for debugging and delivery verification.
  • Rate limiting data: in-memory only, not persisted, and automatically expires within 10 minutes.

7. Cookies

We use the following cookies:

  • Session cookies: required for authentication and cart functionality. These are essential and cannot be disabled.
  • Region preference: stores your country/region selection for correct currency and pricing display.
  • Google Analytics cookies: _ga and _gid for anonymous usage statistics. These can be blocked by your browser or ad blocker.

8. Your Rights

Under the GDPR, you have the right to:

  • Access your personal data and receive a copy.
  • Rectify inaccurate or incomplete data.
  • Erase your data (“right to be forgotten”), subject to legal retention requirements.
  • Restrict processing in certain circumstances.
  • Data portability: receive your data in a machine-readable format.
  • Object to processing based on legitimate interest.
  • Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, email us at hello@beltoft.net. We will respond within 30 days.

9. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • All traffic is encrypted via HTTPS (TLS 1.2+).
  • Passwords are hashed using industry-standard algorithms; we never store plaintext passwords.
  • Payment information is handled entirely by Stripe's PCI-DSS Level 1 certified infrastructure.
  • Authentication secrets use 256-bit cryptographic keys.
  • Webhook signatures are verified using HMAC to prevent tampering.

10. International Transfers

Your data is primarily processed and stored on servers located in the EU. Where data is transferred to processors outside the EU (e.g., Stripe, Google), these transfers are governed by Standard Contractual Clauses (SCCs) or equivalent safeguards as required by the GDPR.

11. Children

Our services are not directed at individuals under 16 years of age. We do not knowingly collect data from children.

12. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via email to registered users. The “last updated” date at the top of this page indicates the most recent revision.

13. Contact and Complaints

For any privacy-related questions or concerns:

beltoft.net
Aarhus, Denmark
hello@beltoft.net

You also have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet) at datatilsynet.dk.