Privacy Policy

Last updated: April 5, 2026

1. Introduction

VistoShield is a cloud security platform for WordPress developed and operated by Vistoweb E.E. (“Vistoweb”, “we”, “us”, “our”). VistoShield provides real-time threat detection, malware scanning, firewall protection, and compliance reporting through a cloud dashboard (app.vistoshield.com), a REST API (api.vistoshield.com), and a WordPress plugin available on wordpress.org.

This Privacy Policy explains what personal data we collect, how we use it, who we share it with, how long we keep it, and what rights you have. This policy should be read alongside our Terms of Service and Data Processing Agreement (DPA). It applies to all VistoShield products and services, including the website (vistoshield.com), the cloud dashboard, the API, and the WordPress plugin.

2. Data Controller

The data controller responsible for your personal data is:

  • Company: Vistoweb E.E.
  • EUID: ELGEMI.153537403000
  • VAT: EL801286009
  • Address: 235 El. Venizelou Ave., P. Faliro 17563, Suite B9, 2nd Floor, Athens, Greece
  • Phone: +30 210 300 5000
  • Fax: +30 210 300 5009
  • Website: vistoweb.com
  • Email: [email protected]
  • Data Protection Officer: [email protected]

3. What Data We Collect

3.1 Account Data

When you create a VistoShield account, we collect:

  • Full name
  • Email address
  • Password (stored as an Argon2id hash — we never store your plaintext password)
  • IP address at the time of registration
  • Google OAuth token (if you register or sign in via Google)

3.2 Site Data

When you add WordPress sites to your dashboard, we collect:

  • Site URLs and domain names
  • Server information transmitted via heartbeat (server IP, hosting environment)
  • WordPress version and PHP version
  • Active plugin and theme list (names and versions only)

3.3 Security Data

To provide the security service, we collect and process:

  • Malware scan results and findings
  • File integrity check results and file checksums
  • Quarantined file metadata
  • Vulnerability scan reports
  • Security configuration assessments

3.4 Traffic Data

The Live Traffic Monitor and Bot Detector modules collect:

  • Visitor IP addresses
  • User agent strings (browser and device information)
  • HTTP request paths, methods, and status codes
  • Bot classification results (human, good bot, bad bot)
  • Referrer URLs

3.5 Event Data

Security event and activity tracking includes:

  • Firewall block events and WAF rule triggers
  • Login attempts (successful and failed), including usernames and IP addresses
  • Activity log entries (plugin activations, setting changes, user actions)
  • Security alert triggers and incident response actions

3.6 Monitoring Data

Our monitoring modules collect:

  • Uptime check results (HTTP status codes, response times, downtime events)
  • DNS records for monitored domains
  • SSL certificate details (issuer, expiration dates, chain validity)
  • Domain reputation and blacklist status from public blocklist databases

3.7 Billing Data

All payment processing is handled by Paddle.com, which acts as our Merchant of Record. Paddle collects and processes your payment information (credit card numbers, billing address) directly. We never see or store your credit card numbers. We only store:

  • Paddle customer ID
  • Subscription status (active, cancelled, past due)
  • Plan type and billing cycle
  • Transaction history (amounts, dates, invoice references)

3.8 Communication Data

  • Support ticket content and correspondence
  • Email notification preferences and subscription status
  • Newsletter subscription status

3.9 Technical Data

When you access the VistoShield dashboard, we automatically collect:

  • Browser type and version
  • Device type and operating system
  • IP address
  • Pages visited and actions taken within the dashboard

4. How We Collect Data

4.1 Directly from You

When you register an account, configure settings, submit support tickets, or subscribe to our newsletter.

4.2 From Your WordPress Sites

The VistoShield WordPress plugin (the “Agent”) sends periodic heartbeat data, security scan results, traffic logs, and security events to the VistoShield cloud API via HMAC-authenticated HTTPS requests. The plugin only transmits security-relevant data — it never sends the content of your posts, pages, visitor personal data (beyond IP addresses in traffic logs), or database credentials.

4.3 From Third Parties

  • Paddle.com — billing status, subscription events, and transaction confirmations
  • Google — basic profile information (name, email) if you use Google OAuth to sign in

4.4 Automatically

  • Server logs — standard web server access and error logs
  • Plausible Analytics — anonymous, aggregate website usage statistics for vistoshield.com (no personal data, no cookies)

5. Legal Basis for Processing (GDPR Article 6)

We process your personal data on the following legal bases:

Legal Basis | Processing Activities
Contract performance (Art. 6(1)(b)) | Providing the VistoShield security service, processing site data, generating security reports, managing your account, processing payments via Paddle
Legitimate interest (Art. 6(1)(f)) | Security threat analysis, fraud prevention, service improvement, sending transactional emails (security alerts, weekly reports), maintaining server logs
Consent (Art. 6(1)(a)) | Marketing emails, newsletter subscription, cookie consent for non-essential cookies (if any in the future)
Legal obligation (Art. 6(1)(c)) | Retention of billing records for tax purposes, fraud prevention obligations, compliance with lawful data requests

6. How We Use Your Data

We use your personal data to:

  • Provide and maintain the security service — process site data, run scans, monitor traffic, detect threats, and generate security reports
  • Generate security reports and alerts — send real-time security notifications, weekly security summaries, and incident alerts
  • Process payments — manage subscriptions and billing through Paddle (our Merchant of Record)
  • Send transactional emails — security alerts, scan results, weekly reports, account notifications, and password resets
  • Send marketing emails — product updates, security tips, and promotional content (only with your explicit consent; you can unsubscribe at any time via the link in every email)
  • Improve the service — analyze aggregate usage patterns to enhance features, fix bugs, and optimize performance
  • Prevent abuse — detect and prevent fraudulent use, enforce rate limits, and protect the integrity of the platform

7. Data Sharing

We share your personal data only with the following categories of recipients, and only to the extent necessary:

7.1 Service Providers (Sub-processors)

  • Paddle.com (UK/EU) — payment processing as Merchant of Record. Paddle handles all billing, VAT calculation, invoicing, and refunds. Paddle is GDPR compliant and operates under its own privacy policy.
  • Hetzner Online GmbH (Germany, EU) — cloud infrastructure hosting. All VistoShield servers and databases are hosted in Hetzner datacenters in Germany. Hetzner is ISO 27001 and SOC 2 certified.
  • Plausible Insights OÜ (Estonia, EU) — privacy-first website analytics for vistoshield.com. Plausible does not collect personal data, does not use cookies, and is fully GDPR compliant.

7.2 What We Do Not Do

  • We do not sell your personal data to anyone.
  • We do not share your data with advertisers or ad networks.
  • We do not use your data for profiling or targeted advertising.
  • We do not share your security data with other customers.

7.3 Law Enforcement

We may disclose your personal data if required to do so by law, in response to a valid legal process (such as a court order or government request), or to protect the rights, property, or safety of Vistoweb, our customers, or the public. We will notify you of such requests where legally permitted.

8. International Data Transfers

All VistoShield data is stored and processed within the European Union, specifically in Hetzner Cloud datacenters in Germany.

  • Paddle processes payment data in compliance with GDPR and maintains appropriate data protection agreements.
  • Plausible Analytics is hosted in the EU (Estonia) and processes no personal data.

We do not transfer personal data to countries outside the EU/EEA unless adequate protection is ensured through EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) or an adequacy decision by the European Commission. If we ever need to engage a sub-processor outside the EEA, we will update this policy and notify affected users.

9. Data Retention

We retain your data for the following periods:

Data Type | Retention Period
Security data, traffic logs, events (Free plan) | 3 days
Security data, traffic logs, events (Pro plan) | 14 days
Security data, traffic logs, events (Max plan) | 30 days
Account data (name, email, settings) | Until you delete your account
Soft-deleted sites and associated data | Purged 30 days after soft-deletion
Billing records | As required by Greek and EU tax law (typically 7 years)
Support tickets | 2 years from resolution
Server logs | 90 days

When you delete your account, all personal data associated with your account is removed immediately. Associated security data, site data, and logs are purged within 30 days. Billing records are retained only as required by law.

10. Your Rights Under GDPR

As a data subject under the General Data Protection Regulation (GDPR), you have the following rights:

  • Right to access (Art. 15) — You can request a copy of all personal data we hold about you. You can also export your data at any time from the VistoShield dashboard in JSON format.
  • Right to rectification (Art. 16) — You can correct inaccurate personal data directly by editing your profile in the dashboard, or by contacting us.
  • Right to erasure (Art. 17) — You can delete your account at any time from the dashboard. Account data is removed immediately; associated data is purged within 30 days.
  • Right to restrict processing (Art. 18) — You can request that we limit the processing of your personal data in certain circumstances (e.g., while we verify the accuracy of your data).
  • Right to data portability (Art. 20) — You can export your data in a structured, machine-readable JSON format from the dashboard.
  • Right to object (Art. 21) — You can object to processing based on legitimate interest. You can unsubscribe from marketing emails at any time using the link in every email, or by contacting our DPO.
  • Right to withdraw consent (Art. 7(3)) — Where processing is based on consent (e.g., marketing emails), you can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
  • Right to lodge a complaint — You have the right to lodge a complaint with a supervisory authority. The competent authority in Greece is the Hellenic Data Protection Authority (HDPA) — www.dpa.gr, Kifisias 1-3, 115 23 Athens, Greece, Tel: +30 210 647 5600.

To exercise any of these rights, contact our Data Protection Officer at [email protected]. We will respond to all requests within 30 days as required by GDPR. If we need additional time (up to 60 additional days for complex requests), we will inform you within the initial 30-day period.

11. Cookies

VistoShield uses a minimal number of strictly necessary cookies:

Cookie | Type | Duration | Purpose
vs_cookie_consent | Essential | 1 year | Stores your cookie preference (accepted/declined)
Session cookies | Essential | Session | Dashboard authentication (app.vistoshield.com). Expire when you log out or close your browser.

We do not use tracking cookies, advertising cookies, or any third-party cookies. Plausible Analytics, which we use for website analytics on vistoshield.com, is entirely cookie-free. For more details, see our Cookie Policy.

12. Children’s Privacy

VistoShield is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal data, please contact us at [email protected].

13. Security Measures

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Password hashing — all passwords are hashed using Argon2id, a memory-hard algorithm resistant to brute-force and GPU attacks
  • Encryption in transit — all data transmitted between your browser, the WordPress plugin, and our servers is encrypted using TLS 1.2 or higher
  • Encryption at rest — sensitive data is encrypted at rest where applicable
  • Authentication — JWT-based authentication with token versioning and revocation capabilities
  • HMAC verification — all communication between the WordPress plugin and the cloud API is authenticated using HMAC signatures
  • Infrastructure isolation — database servers are on a private network not accessible from the public internet
  • DDoS protection — Cloudflare protection for all public-facing services
  • Regular security audits — periodic security assessments and code reviews
  • Access controls — role-based access with the principle of least privilege for all internal systems

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

  • The “Last updated” date at the top of this page will be revised.
  • For material changes that affect how we process your personal data, we will notify you via email at the address associated with your account at least 30 days before the changes take effect.
  • Continued use of VistoShield after the updated policy takes effect constitutes your acceptance of the changes.

We encourage you to review this page periodically to stay informed about our privacy practices.

15. Contact

If you have questions about this Privacy Policy, wish to exercise your GDPR rights, or have a privacy concern, you can reach us at:

  • Data Protection Officer: [email protected]
  • General support: [email protected]
  • Phone: +30 210 300 5000
  • Fax: +30 210 300 5009

Vistoweb E.E.
235 El. Venizelou Ave., P. Faliro 17563
Suite B9, 2nd Floor
Athens, Greece
VAT: EL801286009

Supervisory Authority:
Hellenic Data Protection Authority (HDPA)
Kifisias 1-3, 115 23 Athens, Greece
www.dpa.gr • Tel: +30 210 647 5600
