Privacy Policy
How we collect, use, store, and protect your personal information when you visit our website or use the WP WAF Manager plugin.
Effective Date: April 7, 2026
This Privacy Policy describes how Nahnu Fitness LLC, a Washington State limited liability company (“Company,” “we,” “us,” or “our”), collects, uses, discloses, and protects personal information in connection with the website www.wpwafmanager.com (the “Site”) and the WP WAF Manager WordPress plugin and related software, updates, documentation, and support services (collectively, the “Plugin”).
This Privacy Policy is incorporated into and forms part of our Terms of Use. Capitalized terms not defined here have the meaning given in the Terms of Use.
For information about cookies and similar tracking technologies used on the Site, please see our separate Cookie Policy.
1. Who We Are
Nahnu Fitness LLC Washington State, USA Email: [email protected]
We are a US-based small business. We do not have offices, employees, or representatives in the European Union, the United Kingdom, or the European Economic Area, and we do not actively target or market the Site or Plugin to residents of those regions. We do, however, strive to follow GDPR-aligned privacy principles as a matter of good practice for all users, regardless of location. (See Section 9 for more on this.)
We have not appointed a Data Protection Officer (DPO), as we are not legally required to do so under applicable law.
2. Scope
This Privacy Policy applies to personal information we collect:
- When you visit the Site;
- When you purchase a license or create an account through SureCart;
- When you install, activate, update, or use the Plugin on your WordPress site;
- When you contact us by email for support or otherwise communicate with us; and
- When you submit feedback, comments, or other content to us.
This Privacy Policy does not apply to third-party websites, services, or platforms (including Cloudflare, SureCart, your hosting provider, or your own WordPress site) that you may access in connection with the Plugin. Those services are governed by their own privacy policies.
3. Information We Collect
3.1 Information You Provide Directly
- Account and billing information: name, email address, billing address, country, VAT/tax ID where applicable, and payment method details. Payment card data is collected and processed by our payment processor (SureCart and its underlying payment gateway, Stripe); we do not store full payment card numbers on our systems.
- License information: the license key issued to you and the WordPress site URL(s) on which the license is activated.
- Email support communications: any information you provide when you email us for support, including your message content and any attachments, screenshots, log files, or system information you share.
- Feedback: any ideas, suggestions, bug reports, or other feedback you submit.
3.2 Information Collected Automatically From the Site
When you visit the Site, our self-hosted, privacy-focused analytics software (such as Plausible or Matomo, configured for cookieless and IP-anonymized tracking) may collect limited information, including:
- Anonymized or truncated IP address;
- Approximate geographic location (country level only);
- Browser type and version, operating system, and device type;
- Pages viewed, referring URL, and time spent on pages; and
- Date and time of access.
We host this analytics software ourselves on our own infrastructure. We do not share this Site analytics data with any third-party analytics provider, advertising network, or data broker.
3.3 Information Collected by the Plugin
Important — please read carefully. WP WAF Manager is designed to keep your sensitive credentials on your own WordPress site, not on our servers.
- Cloudflare API tokens, API keys, and account credentials that you enter into the Plugin are stored locally in your own WordPress database. We do not receive, transmit, store, or have any access to your Cloudflare credentials. They never leave your server in connection with our services.
- Cloudflare account data (zones, rules, email routing addresses, etc.) that the Plugin reads or writes is exchanged directly between your WordPress site and Cloudflare’s API. We are not in the middle of that connection.
- License activation and validation: when you activate or use the Plugin, the Plugin communicates with our license server (operated by SureCart on our behalf) to validate the license. This communication transmits: your license key, the site URL the license is activated on, the Plugin version, and the WordPress version. It does not transmit your Cloudflare credentials, your site’s traffic data, your visitors’ personal data, or the content of your WordPress site.
- Update checks: the Plugin periodically checks for available updates by contacting our update server. This transmits the Plugin version and site URL.
- Optional diagnostic / error reports: if you choose to send us a diagnostic report or include log files in a support email, those reports may contain technical information about your environment (PHP version, WordPress version, server type, error messages). Please review any diagnostic data before sending it and redact anything sensitive.
We do not include analytics, telemetry, tracking pixels, or third-party advertising SDKs inside the Plugin itself.
3.4 Information From Third Parties
We may receive information about you from:
- SureCart and its underlying payment gateway (Stripe) — order, billing, refund, and subscription information; and
- Public sources, where lawful and necessary (for example, business registry information for B2B customers).
3.5 Sensitive Information
We do not knowingly collect, and ask that you do not provide, any “sensitive” or “special category” personal information through the Site or Plugin, including racial or ethnic origin, political opinions, religious beliefs, genetic data, biometric data, health or medical information, sexual orientation, or precise geolocation. Notwithstanding the name “Nahnu Fitness LLC,” WP WAF Manager is a security/infrastructure product and is not designed for, intended for, or used to process health, medical, fitness, or wellness data of any kind. The Plugin is not a “regulated entity” under the Washington My Health My Data Act, and we do not collect “consumer health data” through the Plugin.
4. How We Use Personal Information
We use personal information to:
- Provide the Site and Plugin — create your account, issue and validate your license, deliver software updates;
- Process payments and prevent fraud — billing, refunds, and chargeback handling;
- Provide email support — respond to your questions and troubleshoot issues;
- Send transactional communications — receipts, renewal notices, security notices, and policy updates;
- Send marketing communications (where permitted and where you have not opted out) — product updates, newsletters, and offers;
- Improve and secure the Site and Plugin — diagnostics, debugging, and abuse prevention;
- Comply with law and enforce our Terms — tax records, responding to legal requests, and defending claims; and
- Business transfers — in connection with a merger, acquisition, or sale of assets.
We do not use your personal information for automated decision-making that produces legal or similarly significant effects on you, and we do not use it for profiling for advertising purposes.
5. How We Disclose Personal Information
We do not sell personal information for money, and we do not share personal information for cross-context behavioral advertising. We disclose personal information only as described below.
5.1 Service Providers (Sub-Processors)
We use a deliberately small number of service providers, who process personal information on our behalf:
- Payment processing and licensing: SureCart, with Stripe as the underlying payment gateway. SureCart handles checkout, subscription billing, license issuance, and license validation. Stripe handles card processing.
- Hosting and infrastructure: the hosting provider for the Site and license server.
- Email delivery: the transactional email provider used to send receipts, license notices, password resets, support replies, and (where applicable) marketing emails.
- Content delivery and edge security: the CDN and DDoS-protection providers used to serve and protect the Site itself.
We do not use third-party analytics providers (our analytics is self-hosted), advertising networks, customer-data platforms, or external helpdesk software. Customer support is handled directly by us via email.
A current list of sub-processors is available on request by emailing [email protected].
Third-party practices. While we strive to align our own practices with GDPR principles, the third-party services listed above are independent companies that operate under their own privacy policies and may process personal information in ways that differ from ours. We encourage you to review their privacy policies before providing them with your information.
5.2 Legal and Safety Disclosures
We may disclose personal information when we believe in good faith that disclosure is necessary to:
- Comply with a subpoena, court order, or other legal process;
- Comply with applicable laws and regulations;
- Respond to lawful requests from public authorities;
- Enforce our Terms of Use or other agreements;
- Protect the rights, property, safety, or security of Company, our users, or the public; or
- Detect, prevent, or address fraud, security, or technical issues.
5.3 Business Transfers
If Company is involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, or sale of all or part of its assets, personal information may be transferred to the successor or acquiring entity, subject to the same protections described in this Privacy Policy.
5.4 With Your Consent
We may disclose personal information for any other purpose with your consent.
6. International Users
Company is located in the United States, and our service providers are also located in the United States or other countries. We do not target or actively market to users in the European Union, the United Kingdom, or the European Economic Area. If you choose to access the Site or purchase the Plugin from outside the United States, you acknowledge that your personal information will be transferred to, stored, and processed in the United States, which may have data protection laws different from those in your country.
7. Data Retention
We retain personal information for as long as needed to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Specifically:
- Account and license data: for the duration of your active license and for up to 7 years afterward, to comply with tax, accounting, and legal obligations.
- Billing and tax records: as required by applicable US tax law (typically 7 years).
- Email support communications: for up to 3 years after the last interaction.
- Marketing data: until you unsubscribe or object, then promptly removed from active marketing lists.
- Site analytics: typically 12–24 months in our self-hosted analytics database.
When personal information is no longer needed, we will delete, anonymize, or securely destroy it.
8. Security
We implement reasonable administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, disclosure, alteration, or destruction. These include encryption in transit (TLS), access controls, least-privilege practices, and the use of reputable infrastructure providers.
However, no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect personal information, we cannot guarantee its absolute security. You are responsible for keeping your account credentials and license keys confidential and for securing your own WordPress site, server, and Cloudflare account, including the Cloudflare API tokens you store in the Plugin.
9. Your Privacy Rights
To exercise any of the rights described below, contact us at [email protected]. We will respond within the timeframes required by applicable law and may need to verify your identity before fulfilling your request. We will not discriminate against you for exercising any of these rights.
9.1 Rights Under California Law (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, and disclose.
- Access the specific pieces of personal information we hold about you.
- Delete personal information we have collected from you, subject to legal exceptions.
- Correct inaccurate personal information.
- Opt out of sale or sharing of personal information. We do not sell personal information and do not share it for cross-context behavioral advertising.
- Limit the use and disclosure of sensitive personal information. We do not collect sensitive personal information for the purpose of inferring characteristics about you.
You may also designate an authorized agent to make a request on your behalf.
Shine the Light (Cal. Civ. Code § 1798.83): California residents may request information about the categories of personal information (if any) we have disclosed to third parties for those third parties’ direct marketing purposes. We do not currently disclose personal information for third-party direct marketing.
9.2 Rights Under Other US State Privacy Laws
If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), or another US state with a comprehensive privacy law, you may have rights similar to those listed above, including the right to access, correct, delete, obtain a portable copy of, and opt out of certain processing of your personal information. You may also have the right to appeal a denial of your request.
9.3 GDPR-Aligned Rights (Voluntary)
Although we do not target users in the EU, UK, or EEA and are not subject to GDPR or UK GDPR by virtue of targeting those markets, we voluntarily extend the following rights to all users as a matter of good practice:
- Access — request a copy of the personal information we hold about you.
- Rectification — request correction of inaccurate or incomplete information.
- Erasure — request deletion in appropriate circumstances.
- Restriction — request that we limit how we process your information.
- Portability — receive your information in a structured, machine-readable format.
- Object — object to processing for direct marketing or other purposes.
- Withdraw consent — where processing is based on consent, withdraw that consent at any time.
9.4 Washington My Health My Data Act
As stated in Section 3.5, we do not collect “consumer health data” as defined by the Washington My Health My Data Act through the Site or the Plugin.
10. Children’s Privacy
The Site and Plugin are not directed to children under 16, and we do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16 without verified parental consent, we will delete it as soon as possible. If you believe we have collected information from a child under 16, please contact us at [email protected].
11. Marketing Communications
Where permitted by law, we may send you marketing emails about our products, features, and offers. You can opt out at any time by clicking the “unsubscribe” link in any marketing email or by emailing [email protected]. Opting out of marketing will not affect transactional communications related to your account, license, or support requests.
12. Do Not Track and Global Privacy Control
Some web browsers transmit “do not track” (DNT) signals. Because no common industry or legal standard for DNT has been adopted, the Site does not currently respond to DNT signals. Where required by law (e.g., in California), we honor recognized opt-out preference signals such as the Global Privacy Control (GPC) as a valid request to opt out of “sale” or “sharing” of personal information for visitors from those jurisdictions. Note that because we do not sell or share personal information in the first place, GPC signals from any visitor are effectively already honored by default.
13. Third-Party Links and Services
The Site and Plugin may contain links to third-party websites or integrate with third-party services (such as Cloudflare, SureCart, and WordPress.org). We are not responsible for the privacy practices of those third parties. We encourage you to read their privacy policies before providing them with personal information.
14. Data Breach Notification
In the event of a data breach affecting your personal information, we will notify you and the relevant authorities as required by applicable US state breach-notification laws.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will post the revised version on the Site and update the “Last Updated” date at the top. If we make material changes, we will provide additional notice (for example, by email or a prominent notice on the Site) where required by law. Your continued use of the Site or Plugin after the effective date of the revised Privacy Policy constitutes your acceptance of the changes.
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please contact us at:
Nahnu Fitness LLC Website: https://www.wpwafmanager.com Email: [email protected]