This policy explains what Qwebmaster ("we", "us") collects when you use the qwebspamshield.com website and what the QWeb Spam Shield plugin sends to our platform when it protects a WordPress site. We build anti-spam software; treating data carefully is the job.
1. The website (visitors and customers)
Account and purchases
- Account: email address, optional name, and a hashed password. We use them to operate your license, send transactional email (receipts, trial and renewal notices), and provide support.
- Payments: processed by Stripe or PayPal. We receive the payment status and a reference, never full card numbers.
- Newsletter: double opt-in. Every email includes an unsubscribe link, and unsubscribing is immediate.
Analytics and cookies
We use Google Analytics 4 and a first-party analytics script to understand which pages work (page views, referrers, campaign parameters). We use a session cookie to keep you logged in to your account. We do not sell or share visitor data with data brokers or advertising networks.
Server logs
Standard web-server logs (IP address, URL, user agent) are kept for security, rate limiting, and abuse prevention, and rotate automatically.
2. The plugin (data processed to screen spam)
If you install QWeb Spam Shield on your site, you are the data controller for your visitors; we act as a processor that classifies submissions as spam or legitimate. The plugin sends us only what that requires:
- License checks: your license key, site URL, and plugin version, used to activate the plugin and deliver updates.
- Spam screening: most spam is caught by rules that run entirely on your own server and send us nothing. When the optional AI tiebreaker is needed, the submission content (message text and submitted fields) is sent over HTTPS to our platform, which forwards it to an AI provider (Google Gemini or OpenAI) solely for classification. The result may be cached against a cryptographic hash of the content for up to 30 days so repeated spam is answered without re-processing. We do not use your visitors' submissions to train models, and we do not sell them.
- Federated patterns: when a spam pattern is confirmed, an anonymized content signature (a detection rule, not the visitor's identity) can be shared so every protected site blocks it. This can be disabled in the plugin settings.
- Telemetry: aggregate counters (submissions screened, spam blocked, plugin version). No form content, no visitor identities.
Screening is fail-open by design: if our service is unreachable, forms keep working and nothing is queued or retained on our side.
3. How long we keep things
- Account, license, and order records: for as long as your account exists, then as required for tax and accounting.
- AI classification cache: up to 30 days.
- Screening audit records (metadata such as timestamps, license, and token counts, used for billing and abuse prevention): up to 13 months.
- Server logs: rotated on a short schedule.
4. Sub-processors
We use a small set of providers to run the service: DigitalOcean (hosting), Stripe and PayPal (payments), Google and OpenAI (AI classification), Google Analytics (website statistics), and an email delivery provider for transactional and newsletter email.
5. Your rights
You can access, correct, export, or delete your personal data. Email support@qwebspamshield.com or use the support page and we will act on the request within 30 days. If you are in the EU/EEA, UK, or Switzerland, these include your GDPR rights, and you may also lodge a complaint with your local supervisory authority. Deleting your account removes your personal data from the platform except records we must keep by law.
6. Changes
If this policy changes in a way that matters, we will post the new version here and update the effective date.