Privacy Policy

Last updated: March 26, 2026

WPVibe is operated by SeedProd LLC. This policy explains what data we collect when you use the WPVibe MCP server and how we handle it.

Data We Collect

• Email address -- used for account creation and magic link authentication.
• WordPress site URLs -- the addresses of sites you connect to WPVibe.
• WordPress application passwords -- used to authenticate API requests to your sites on your behalf. These are encrypted at rest with AES-256-GCM and never exposed in AI conversations.

We do not collect or store the content of your AI conversations. Conversations are handled directly by the AI client you use (Claude, ChatGPT, Cursor, etc.) and are subject to that provider's privacy policy.

How We Use Your Data

• Authentication -- your email is used to identify your account and send magic link sign-in emails.
• Site management -- stored credentials are used only to make WordPress REST API calls that you request through your AI client.
• Service operation -- we may use aggregated, non-identifying usage data to monitor service health and improve WPVibe.

Data Storage and Security

• Account data is stored in Cloudflare D1 (SQLite), hosted in Cloudflare's global network.
• WordPress credentials are encrypted with AES-256-GCM before storage. Encryption keys are managed as Cloudflare Worker secrets and are never committed to source code.
• All communication between WPVibe, your AI client, and your WordPress sites uses HTTPS.

Third-Party Services

• Cloudflare -- infrastructure hosting (Workers, D1, KV). Subject to Cloudflare's Privacy Policy.
• Unsplash -- when you use the image search tool, your search query is sent to the Unsplash API. Subject to Unsplash's Privacy Policy.
• SendLayer -- used to deliver magic link authentication emails. Subject to SendLayer's Privacy Policy.

We do not sell, rent, or share your personal data with any other third parties.

Data Retention

• Your account and connected sites are retained as long as your account is active.
• When you remove a site, it is soft-deleted and retained for 30 days before permanent removal.
• You can request full account deletion at any time by contacting us.

Your Rights

You can:

• View your connected sites at any time through your AI client using the list_sites tool.
• Remove any connected site using the remove_site tool.
• Request a copy of your stored data or full account deletion by emailing us.

Safety Measures

• Delete operations move items to WordPress trash -- permanent deletion is blocked.
• New posts and pages default to draft status unless you explicitly set them to publish.
• All actions respect your WordPress user role and permissions.

Changes to This Policy

We may update this policy from time to time. Changes will be posted on this page with an updated date. Continued use of WPVibe after changes constitutes acceptance of the updated policy.

Contact

For questions about this privacy policy or your data, contact us at john@wpvibe.ai.