Privacy Policy

Last updated: April 28, 2026

1. Introduction

VistoShield is a cloud security platform for WordPress developed and operated by Vistoweb E.E. (“Vistoweb”, “we”, “us”, “our”). VistoShield provides real-time threat detection, malware scanning, firewall protection, and compliance reporting through a cloud dashboard (app.vistoshield.com), a REST API (api.vistoshield.com), and a WordPress plugin available on wordpress.org.

This Privacy Policy explains what personal data we collect, how we use it, who we share it with, how long we keep it, and what rights you have. This policy should be read alongside our Terms of Service and Data Processing Agreement (DPA). It applies to all VistoShield products and services, including the website (vistoshield.com), the cloud dashboard, the API, and the WordPress plugin.

2. Data Controller

The data controller responsible for your personal data is:

Company: Vistoweb E.E.
EUID: ELGEMI.153537403000
VAT: EL801286009
Address: 235 El. Venizelou Ave., P. Faliro 17563, Suite B9, 2nd Floor, Athens, Greece
Phone: +30 210 300 5000
Fax: +30 210 300 5009
Website: vistoweb.com
Email: [email protected]
Data Protection Officer: [email protected]

3. What Data We Collect

3.1 Account Data

When you create a VistoShield account, we collect:

Full name
Email address
Password (stored as an Argon2ID hash — we never store your plaintext password)
IP address at the time of registration
Google OAuth token (if you register or sign in via Google)

3.2 Site Data

When you add WordPress sites to your dashboard, we collect:

Site URLs and domain names
Server information transmitted via heartbeat (server IP, hosting environment)
WordPress version and PHP version
Active plugin and theme list (names and versions only)

3.3 Security Data

To provide the security service, we collect and process:

Malware scan results and findings
File integrity check results and file checksums
Quarantined file metadata
Vulnerability scan reports
Security configuration assessments

3.4 Traffic Data

The Live Traffic Monitor and Bot Detector modules collect:

Visitor IP addresses
User agent strings (browser and device information)
HTTP request paths, methods, and status codes
Bot classification results (human, good bot, bad bot)
Referrer URLs

3.5 Event Data

Security event and activity tracking includes:

Firewall block events and WAF rule triggers
Login attempts (successful and failed), including usernames and IP addresses
Activity log entries (plugin activations, setting changes, user actions)
Security alert triggers and incident response actions

3.6 Monitoring Data

Our monitoring modules collect:

Uptime check results (HTTP status codes, response times, downtime events)
DNS records for monitored domains
SSL certificate details (issuer, expiration dates, chain validity)
Domain reputation and blacklist status from public blocklist databases

3.7 Billing Data

All payment processing is handled by Paddle.com, which acts as our Merchant of Record. Paddle collects and processes your payment information (credit card numbers, billing address) directly. We never see or store your credit card numbers. We only store:

Paddle customer ID
Subscription status (active, cancelled, past due)
Plan type and billing cycle
Transaction history (amounts, dates, invoice references)

3.8 Communication Data

Support ticket content and correspondence
Email notification preferences and subscription status
Newsletter subscription status

3.9 Rescue Service Credentials

When you purchase VistoShield Rescue, we collect access credentials solely for the purpose of malware removal:

WordPress admin credentials, FTP/SSH credentials, database credentials, and hosting panel credentials as applicable
All credentials are encrypted with AES-256-GCM before storage. They are never stored in plain text.
Credentials are permanently hard-deleted within 48 hours of service completion. No copies are retained.
Access to encrypted credentials is limited to automated cleanup systems and authorized technicians.
Every access to credentials is logged with timestamp and IP address for security audit purposes.
If you revoke consent before service completion, we will immediately delete all stored credentials.

3.10 Technical Data

When you access the VistoShield dashboard, we automatically collect:

Browser type and version
Device type and operating system
IP address
Pages visited and actions taken within the dashboard

4. How We Collect Data

4.1 Directly from You

When you register an account, configure settings, submit support tickets, or subscribe to our newsletter.

4.2 From Your WordPress Sites

The VistoShield WordPress plugin (the “Agent”) sends periodic heartbeat data, security scan results, traffic logs, and security events to the VistoShield cloud API via HMAC-authenticated HTTPS requests. The plugin only transmits security-relevant data — it never sends the content of your posts, pages, visitor personal data (beyond IP addresses in traffic logs), or database credentials.

4.3 From Third Parties

Paddle.com — billing status, subscription events, and transaction confirmations
Google — basic profile information (name, email) if you use Google OAuth to sign in

4.4 Automatically

Server logs — standard web server access and error logs
Plausible Analytics — anonymous, aggregate website usage statistics for vistoshield.com (no personal data, no cookies)

5. Legal Basis for Processing (GDPR Article 6)

We process your personal data on the following legal bases:

Legal Basis	Processing Activities
Contract performance (Art. 6(1)(b))	Providing the VistoShield security service, processing site data, generating security reports, managing your account, processing payments via Paddle
Legitimate interest (Art. 6(1)(f))	Security threat analysis, fraud prevention, service improvement, sending transactional emails (security alerts, weekly reports), maintaining server logs
Consent (Art. 6(1)(a))	Marketing emails, newsletter subscription, cookie consent for non-essential cookies (if any in the future)
Legal obligation (Art. 6(1)(c))	Retention of billing records for tax purposes, fraud prevention obligations, compliance with lawful data requests

6. How We Use Your Data

We use your personal data to:

Provide and maintain the security service — process site data, run scans, monitor traffic, detect threats, and generate security reports
Generate security reports and alerts — send real-time security notifications, weekly security summaries, and incident alerts
Process payments — manage subscriptions and billing through Paddle (our Merchant of Record)
Send transactional emails — security alerts, scan results, weekly reports, account notifications, and password resets
Send marketing emails — product updates, security tips, and promotional content (only with your explicit consent; you can unsubscribe at any time via the link in every email)
Improve the service — analyze aggregate usage patterns to enhance features, fix bugs, and optimize performance
Prevent abuse — detect and prevent fraudulent use, enforce rate limits, and protect the integrity of the platform

We share your personal data only with the following categories of recipients, and only to the extent necessary:

7.1 Service Providers (Sub-processors)

We engage the following sub-processors to provide and operate the VistoShield Service. Each sub-processor is bound by a written data-processing agreement (or equivalent contractual safeguards) that requires them to process personal data only on our instructions and to apply appropriate technical and organisational security measures.

Sub-processor	Purpose	Location / Transfer Mechanism
Paddle.com Market Limited	Payment processing as Merchant of Record — billing, VAT calculation, invoicing, refunds, and first-tier billing support via paddle.net	United Kingdom (UK adequacy decision) and EU. GDPR compliant.
Hetzner Online GmbH	Cloud infrastructure hosting the VistoShield platform.	Germany (EU). ISO 27001 and SOC 2 certified.
Cloudflare, Inc.	DDoS protection, CDN, edge WAF and TLS termination. Processes IP addresses, request headers and metadata of all visitors.	USA — transfers safeguarded by EU Standard Contractual Clauses (Commission Decision 2021/914) and Cloudflare’s Data Processing Addendum.
Microsoft Ireland Operations Ltd.	Inbound email service. Receives the content of email correspondence sent to us.	EU (Ireland). Microsoft EU Data Boundary applies.
Google Ireland Limited	Optional Sign-In service. Used only when you explicitly choose to register or log in via Google. We receive your name, verified email address, and a Google account identifier.	EU (Ireland). Google maintains its own GDPR-compliant infrastructure.
Plausible Insights OÜ	Privacy-first website analytics. Cookie-free and processes no personal data.	Estonia (EU). Fully GDPR compliant.

An up-to-date list of sub-processors is maintained on this page. We will update this list and notify customers in advance of any changes that introduce a new sub-processor with access to personal data.

7.1.1 Public DNS Blocklist Providers (Reputation Monitor)

The Reputation Monitor module performs DNS-based lookups against the following public blocklist zones to determine whether your monitored domain is listed: Spamhaus DBL (dbl.spamhaus.org), SURBL (multi.surbl.org), SpamCop (bl.spamcop.net), Barracuda Reputation Block List (b.barracudacentral.org), and URIBL (multi.uribl.com). These lookups transmit only the domain name being checked (which is the public domain you have asked us to monitor) and an originating DNS query IP. No account data, user data, or site data is sent to these providers. We do not consider these providers sub-processors of personal data, but we list them here for full transparency.

7.1.2 External Uptime Monitoring

We use UptimeRobot to perform external availability checks against our public endpoints (vistoshield.com, app.vistoshield.com, api.vistoshield.com) from monitoring locations outside our own infrastructure. This gives us — and you — an independent view of whether the platform is reachable that does not depend on the platform itself. UptimeRobot receives only the response codes and response times of our public endpoints. No customer account data, user data, or site data is sent to UptimeRobot. We do not consider this provider a sub-processor of personal data, but we list it here for full transparency.

7.2 What We Do Not Do

We do not sell your personal data to anyone.
We do not share your data with advertisers or ad networks.
We do not use your data for profiling or targeted advertising.
We do not share your security data with other customers.

7.3 Law Enforcement

We may disclose your personal data if required to do so by law, in response to a valid legal process (such as a court order or government request), or to protect the rights, property, or safety of Vistoweb, our customers, or the public. We will notify you of such requests where legally permitted.

8. International Data Transfers

The primary storage and processing of VistoShield data takes place within the European Union, specifically in EU datacentres in Germany. Inbound email is processed in Ireland (EU), and website analytics in Estonia (EU).

Two categories of data flow through providers established outside the EU/EEA:

Cloudflare, Inc. (USA) operates the edge network in front of all VistoShield domains. Request metadata (IP address, request URL, headers) transits Cloudflare’s global edge before reaching our EU origin. Transfers are safeguarded by EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and Cloudflare’s Data Processing Addendum.
Paddle.com Market Limited is established in the United Kingdom, which benefits from a European Commission adequacy decision. Paddle additionally relies on Standard Contractual Clauses for any onward transfers.

If we ever need to engage an additional sub-processor outside the EEA, we will update this policy and notify affected users in advance.

9. Data Retention

We retain your data for the following periods:

Data Type	Retention Period
Security data, traffic logs, events (Free plan)	3 days
Security data, traffic logs, events (Pro plan)	14 days
Security data, traffic logs, events (Max plan)	30 days
Account data (name, email, settings)	Until you delete your account
Soft-deleted sites and associated data	Purged 30 days after soft-deletion
Billing records	As required by Greek and EU tax law (typically 7 years)
Support tickets	2 years from resolution
Server logs	90 days
Rescue service credentials	Deleted within 48 hours of service completion

When you delete your account, all personal data associated with your account is removed immediately. Associated security data, site data, and logs are purged within 30 days. Billing records are retained only as required by law.

10. Your Rights Under GDPR

As a data subject under the General Data Protection Regulation (GDPR), you have the following rights:

Right to access (Art. 15) — You can request a copy of all personal data we hold about you. You can also export your data at any time from the VistoShield dashboard in JSON format.
Right to rectification (Art. 16) — You can correct inaccurate personal data directly by editing your profile in the dashboard, or by contacting us.
Right to erasure (Art. 17) — You can delete your account at any time from the dashboard. Account data is removed immediately; associated data is purged within 30 days.
Right to restrict processing (Art. 18) — You can request that we limit the processing of your personal data in certain circumstances (e.g., while we verify the accuracy of your data).
Right to data portability (Art. 20) — You can export your data in a structured, machine-readable JSON format from the dashboard.
Right to object (Art. 21) — You can object to processing based on legitimate interest. You can unsubscribe from marketing emails at any time using the link in every email, or by contacting our DPO.
Right to withdraw consent (Art. 7(3)) — Where processing is based on consent (e.g., marketing emails), you can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
Right to lodge a complaint — You have the right to lodge a complaint with a supervisory authority. The competent authority in Greece is the Hellenic Data Protection Authority (HDPA) — www.dpa.gr, Kifisias 1-3, 115 23 Athens, Greece, Tel: +30 210 647 5600.

To exercise any of these rights, contact our Data Protection Officer at [email protected]. We will respond to all requests within 30 days as required by GDPR. If we need additional time (up to 60 additional days for complex requests), we will inform you within the initial 30-day period.

11. Cookies

VistoShield uses a minimal number of strictly necessary cookies:

Cookie	Type	Duration	Purpose
`vs_cookie_consent`	Essential	1 year	Stores your cookie preference (accepted/declined)
Session cookies	Essential	Session	Dashboard authentication (app.vistoshield.com). Expire when you log out or close your browser.

We do not use tracking cookies, advertising cookies, or any third-party cookies. Plausible Analytics, which we use for website analytics on vistoshield.com, is entirely cookie-free. For more details, see our Cookie Policy.

12. Children’s Privacy

VistoShield is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal data, please contact us at [email protected].

13. Security Measures

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

Password hashing — all passwords are hashed using Argon2ID, a memory-hard algorithm resistant to brute-force and GPU attacks
Encryption in transit — all data transmitted between your browser, the WordPress plugin, and our servers is encrypted using TLS 1.2 or higher
Encryption at rest — sensitive data is encrypted at rest where applicable
Authentication — JWT-based authentication with token versioning and revocation capabilities
HMAC verification — all communication between the WordPress plugin and the cloud API is authenticated using HMAC signatures
Infrastructure isolation — database servers are on a private network not accessible from the public internet
DDoS protection — Cloudflare protection for all public-facing services
Regular security audits — periodic security assessments and code reviews
Access controls — role-based access with the principle of least privilege for all internal systems

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

The “Last updated” date at the top of this page will be revised.
For material changes that affect how we process your personal data, we will notify you via email at the address associated with your account at least 30 days before the changes take effect.
Continued use of VistoShield after the updated policy takes effect constitutes your acceptance of the changes.

We encourage you to review this page periodically to stay informed about our privacy practices.

15. Contact

If you have questions about this Privacy Policy, wish to exercise your GDPR rights, or have a privacy concern, you can reach us at:

Data Protection Officer: [email protected]
General support: [email protected]
Phone: +30 210 300 5000
Fax: +30 210 300 5009

Vistoweb E.E.
235 El. Venizelou Ave., P. Faliro 17563
Suite B9, 2nd Floor
Athens, Greece
VAT: EL801286009

Supervisory Authority:
Hellenic Data Protection Authority (HDPA)
Kifisias 1-3, 115 23 Athens, Greece
www.dpa.gr • Tel: +30 210 647 5600