Privacy Policy – Exedotcom API Gateway Plugin

Last Updated: October 6, 2025
Version: 2.0.0

1. Introduction

This Privacy Policy describes how the Exedotcom API Gateway WordPress plugin (“Plugin”, “we”, “us”, or “our”) collects, uses, and protects information when you use our services. The API Gateway is developed by Exedotcom to provide centralized API services and subscription management for AI Story Maker and other Exedotcom plugins.

2. Information We Collect

2.1 Subscription and Account Data

• Domain Information: The primary domain where the plugin is installed and configured
• User Email Addresses: Email addresses provided during subscription signup and management
• Stripe Customer Data: Customer IDs and subscription IDs from Stripe payment processing
• Package Information: Details about subscribed service packages including credits, pricing, and features
• Session Data: Temporary session identifiers for checkout and subscription management processes

2.2 Order and Transaction Data

We maintain comprehensive records in custom database tables:

Orders Table (wp_exaig_orders):

• Domain name and package details
• User email and Stripe customer information
• Credit allocation and usage tracking
• Subscription status and payment dates
• Order metadata and timestamps

Transactions Table (wp_exaig_transactions):

• Order modification history
• Transaction types and descriptions
• Before/after value changes in JSON format
• Audit trail for all subscription changes

2.3 API Usage and Logging Data

System Logs (wp_exaig_logs):

• Request URLs and IP addresses
• Module and action identifiers
• Request status and response codes
• Domain information for each API call
• Detailed request/response data in JSON format
• Timestamps for all API interactions

2.4 Master Server Configuration

• OpenAI API Keys: Master API keys stored for centralized AI story generation
• SMTP Configuration: Email server settings for automated communications
• Model Settings: AI model preferences and token limits
• General Instructions: Cached instructions and configuration data

2.5 Payment and Billing Data

• Stripe Integration: Payment processing through Stripe with webhook handling
• Billing Information: Subscription amounts, payment dates, and renewal schedules
• Credit Management: Credit allocation, usage tracking, and replenishment records

3. How We Use Your Information

3.1 Service Provision

• Manage subscriptions and credit allocation for AI Story Maker users
• Process payments and handle billing through Stripe integration
• Provide centralized API services for story generation and content creation
• Validate subscription status and enforce usage limits

3.2 Communication and Support

• Send subscription confirmation and renewal notifications via email
• Provide customer support and troubleshooting assistance
• Deliver service updates and important account information
• Handle verification codes and account security measures

3.3 System Operations

• Monitor API usage and system performance
• Maintain audit trails for subscription and payment changes
• Prevent fraud and unauthorized access to services
• Optimize service delivery and troubleshoot issues

3.4 Analytics and Improvement

• Analyze usage patterns to improve service quality
• Monitor system performance and reliability
• Generate reports for service optimization
• Track subscription metrics and user engagement

4. Data Storage and Security

4.1 Database Security

• All data is stored in WordPress database tables with proper indexing and constraints
• Foreign key relationships ensure data integrity between orders and transactions
• Sensitive payment data is handled through Stripe’s secure infrastructure
• Database migrations are protected with transient locks to prevent corruption

4.2 API Security

• All API endpoints use WordPress authentication and authorization
• AJAX requests are protected with nonces and capability checks
• Rate limiting and usage monitoring prevent abuse
• SSL/TLS encryption for all data transmission

4.3 Payment Security

• PCI Compliance: Payment processing handled entirely through Stripe
• Webhook Security: Stripe webhooks are verified using cryptographic signatures
• No Card Storage: Credit card information is never stored on our servers
• Secure Tokens: Only Stripe customer and subscription IDs are retained

5. Data Sharing and Third Parties

5.1 Essential Service Providers

• Stripe: Payment processing, subscription management, and billing
• OpenAI: AI content generation using master API keys
• Email Services: SMTP providers for automated email communications
• WordPress.org: Plugin updates and security notifications

5.2 API Gateway Services

• Domain Validation: Verifying legitimate plugin installations
• Credit Distribution: Managing credit allocation across subscriber domains
• Usage Monitoring: Tracking API calls and subscription compliance

5.3 No Unauthorized Sharing

• We do not sell, rent, or trade your personal information
• Data is only shared as necessary for service functionality
• Third-party access is limited to essential service operations

6. Data Retention

6.1 Active Subscriptions

• Subscription data is retained for the duration of active subscriptions
• Transaction history is maintained for billing and support purposes
• API logs are retained for system monitoring and troubleshooting

6.2 Inactive Accounts

• Cancelled subscription data may be retained for legal and billing purposes
• Log data may be automatically purged based on retention policies
• Personal data is minimized and anonymized when possible

6.3 Legal Requirements

• Data may be retained longer when required by law or regulation
• Financial records are maintained according to accounting standards
• Audit trails are preserved for compliance purposes

7. International Data Transfers

7.1 Service Providers

• Stripe: Data processed in accordance with Stripe’s global infrastructure
• OpenAI: API requests processed through OpenAI’s international servers
• Email Services: SMTP data may be processed by international providers

7.2 Data Protection

• All international transfers comply with applicable data protection laws
• Service providers maintain appropriate security and privacy safeguards
• Data processing agreements ensure consistent protection standards

8. Your Rights and Choices

8.1 Account Management

• View and update your subscription information
• Cancel subscriptions and request refunds according to our terms
• Access your transaction history and usage data
• Update email preferences and communication settings

8.2 Data Rights (GDPR/CCPA)

• Access: Request copies of your personal data
• Rectification: Correct inaccurate or incomplete information
• Erasure: Request deletion of your data (subject to legal requirements)
• Portability: Receive your data in a structured, machine-readable format
• Objection: Object to certain types of data processing

8.3 Communication Preferences

• Opt out of marketing communications while maintaining service notifications
• Choose email frequency and content preferences
• Update contact information and delivery methods

9. Cookies and Tracking

9.1 Essential Cookies

• WordPress session cookies for authenticated users
• Temporary cookies for checkout and subscription processes
• Security cookies for CSRF protection

9.2 No Tracking Cookies

• We do not use advertising or analytics tracking cookies
• No third-party tracking scripts are embedded in our plugin
• User behavior is not tracked across external websites

10. Children’s Privacy

This service is not intended for children under 13 years of age. We do not knowingly collect, use, or disclose personal information from children under 13.

11. Data Breach Notification

In the event of a data breach affecting your personal information:

• We will notify affected users within 72 hours of discovery
• Appropriate authorities will be notified as required by law
• We will provide clear information about the breach and remediation steps
• Additional security measures will be implemented to prevent future incidents

12. Plugin-Specific Features

12.1 Virtual Pages

• The plugin creates virtual pages (e.g., /ai-story-maker-plans/) for subscription management
• These pages are dynamically generated and do not store additional user data
• Standard WordPress privacy and security practices apply

12.2 REST API Endpoints

• Custom REST endpoints are provided for plugin communication
• All endpoints require proper authentication and authorization
• API responses are logged for monitoring and debugging purposes

13. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices or for legal compliance. We will:

• Post updated policies on our website and plugin documentation
• Notify users of significant changes via email
• Maintain version history for transparency
• Provide at least 30 days notice for material changes

14. Contact Information

For questions about this Privacy Policy or our data practices:

Company: Exedotcom
Website: https://exedotcom.ca
Email: privacy@exedotcom.ca
Address: [Your business address]

Data Protection Officer: [If applicable]
EU Representative: [If applicable for GDPR compliance]

15. Legal Compliance

This plugin and privacy policy are designed to comply with:

• General Data Protection Regulation (GDPR)
• California Consumer Privacy Act (CCPA)
• Payment Card Industry Data Security Standard (PCI DSS) – through Stripe
• WordPress Plugin Directory Guidelines
• Other applicable privacy and data protection laws

16. Dispute Resolution

For privacy-related disputes:

• Contact us directly using the information above
• We will respond to complaints within 30 days
• EU residents may contact their local data protection authority
• Binding arbitration may be available for unresolved disputes

---

Extra Pro Debugging Tip: Use the built-in log export functionality in the plugin admin to download detailed API logs for troubleshooting. These logs contain sensitive information, so handle them securely and delete them after use.

Related Topics to Learn:

• Stripe Webhook Security and Verification
• WordPress REST API Security Best Practices
• Database Schema Design for Compliance
• PCI DSS Compliance for WordPress Plugins
• GDPR Implementation for SaaS Services
• Payment Processing Regulations and Standards

---

This privacy policy is effective as of the date listed above and applies to all users of the Exedotcom API Gateway plugin. By using our services, you acknowledge that you have read and understood this policy.