GDPR is a complex subject for everyone, and our take on it is similar to many WP plugins you install on your site.
First, Business Directory Plugin is neither a data processor nor data controller, and we do not store nor handle any personally identifiable information for your site on our servers. With that said, BD does capture data that you control on your site, which puts you on the hook for GDPR requests from your users.
WordPress provides some GDPR hooks for users who request the “right to be forgotten” and BD uses those WordPress hooks to integrate with your GDPR features provided by WordPress itself.
When a user requests a GDPR export by the site admin, BD includes the following WP information from our listings, if they apply:
- Listings owned by the user, (which means that we export the content of the listing–by default the following fields are included):
- (Other fields in your listings can be included by setting “This field contains sensitive or private information?” option when editing the field. But this is up to YOU and will not happen automatically)
- Additional information:
- Listing images
- Listing attachments
- Payments made by user:
- Payment Transaction ID
- Payer email
- Ratings made by user:
- Rating ID
- Rating Author
- Rating Author Email
- Rating Author IP
- Rating Date
- Rating Value
- Rating Content
- Rated Listing (URL)
When users request that their data be erased, all the matching data above will be removed, including all listings and their data (post metadata) as well as payments and ratings–all completely scrubbed from your database. In addition, media and attachment files are removed from server folders.
PLEASE NOTE: If you have BACKUPS of your data, this removal in WP will not affect them in any way. You will need to remove any backups that contain this data as well to complete your GDPR request.
More information about the WordPress hooks can be found below (which should be integrated with if you are doing a custom plugin with BD to be GDPR compliant):