Data collection, GDPR, and privacy

Especially in Europe, the laws around cookies and data capture/storage are always changing. This document explains what our plugin collects, stores, and why. It also shares some steps you can take towards compliance.

While WP Optin Wheel offers tools to respect users privacy and follow the GDPR guidelines. Ultimately, it’s up to you (the website owner) to implement them. We are not responsible for this implementation, nor the validation of local & international privacy/GDPR laws.

Use this document to decide if our plugin is following the privacy/GDPR/cookie rules in your country.

Data captured and why

WP Optin Wheel stores data in your WordPress database for a few reasons:

1. To allow users to play again or to limit to 1 play.
2. To prevent cheating.
3. To offer export features to the site owner

Below is a list of information we store in your database:

1. The player’s email address (if applicable).
2. The wheel ID this record belongs to.
3. A timestamp of when this record was inserted.
4. A hashed IP address (which can not be un-hashed).
5. A flag denoting whether this record is an opt-in ( = user filled out the form on the wheel) or a play result ( = user played and won or lost).
6. Other data they filled out on the opt-in-form (if any).
7. Whether or not the game was won and the associated prize.

By default item 1 through 5 are always captured and stored. Item 6 and 7 are only stored if you have certain features enabled in the wheel’s settings (such as the “log everything” checkbox).

We also track views and conversions anonymously to offer the website owner statistics on how their wheels are performing. This is achieved by keeping a numerical counter (nothing more). No sensitive or personal data is stored for this purpose.

Where we send the data

When you connect WP Optin Wheel to a 3rd party (as defined in the ‘integrations’ tab), such as MailChimp or ActiveCampaign, we send the data to that tool via their API. The 3rd party will store this data until the user is unsubscribed or deleted.

If you’re using our webhooks feature, we also send the data to the webhooks provided by you.

If you selected ‘validate emails’ in your wheel’s settings, WP Optin Wheel also sends the player’s email address to an API hosted on studiowombat.com. The API is used to validate the email address and returns a simple true/false flag. We do not log or store any data in that API.

A user’s right to access their data

Under the GDPR, users have the right to view their data. You can generate an export of a user’s data via Tools > Export Personal Data. Enter the email address of the user. WordPress will collect all the data from that user and generate a ZIP file. Our plugin is hooking into that process, and any user-specific data WP Optin Wheel stores will be included in the export.

A user’s right to be forgotten

The GDPR states that visitors can request you to hard-delete their data. You can do this by navigating to Tools > Erase Personal Data. Any data we keep in your WordPress database on the user will be removed.

Note that our plugin only deletes records stored in your WP database. If you connect your wheel to a 3rd party integration, you will have to delete their data manually there.

There’s a drawback to complying to deletion requests: if your wheels are only allowing users to play once, our system can no longer find & identify this user so it will allow them to play again.

Cookies & storage

If you are using the wheel via its shortcode, you can ignore this section. No cookies are set when the shortcode is used.

WP Optin Wheel uses a cookie to prevent visitors from seeing the wheel’s popup until they are allowed to see it again (depending on your wheel settings). The following cookie is set by the plugin:

• Name: wof-XX, where XX is the ID of your wheel. Example: wof-129.
• Value: 1.
• Expiry: depends on your wheel’s settings.
• Use of the cookie: to help determine whether or not the user is allowed to see the wheel on the frontend. If the cookie is set, it means the user has already seen the wheel’s popup and it should not be shown again.

Storage

In addition to using cookies, we may also use the browser’s storage capabilities (sessionStorage or localStorage) to prevent people from seeing the popup when they shouldn’t.

Cookies & the EU

While the GDPR is not a cookie law, current EU guidelines (called the ePrivacy directive) state that cookies should be used sparingly and only strictly necessary cookies (“functional cookies”) can be used without consent. Other cookies need the visitor’s consent before they can be placed. It’s debatable whether or not the cookie set by our plugin can be considered “strictly necessary”. To be safe, this probably shouldn’t be considered a strictly necessary cookie, as a popup is never a necessity on a website.

It is unclear if the guidelines target all cookies, or only cookies containing personal (traceable) information. Our cookie only contains a bit (“1”) as a value – which can’t really be used to track back to this specific visitor – but we’re unsure if this means it is exempt from the guidelines.

Compliance with various laws

Privacy policy

Your privacy policy should list what data you collect throughout your site (and why), as well as which (tracking) cookies your sites uses, and where you send data to. You can use the information in this document to add the necessary paragraphs to your privacy policy.

Europe’s GDPR

If your site is hosted/owned in Europe, you should comply with the GDPR. If you collect personal data, such as an email address, you must clearly state why you collect it and what you intend to do with it. We’ve written a guide on how you can become GDPR compliant with WP Optin Wheel.

Europe’s ePrivacy Directive

If you are using the wheel via its shortcode, you can ignore this section. No cookies are set when the shortcode is used so you are compliant by default.

As stated before, it’s not 100% clear if anything needs to be done to the cookie our plugin sets as it’s not really storing traceable/personal data. But to be 100% safe, you may want to turn off cookies until your visitor gives explicit consent. With Europe’s guidelines (and upcoming cookie laws), you may need to implement a “cookie banner” and only allow our cookie when the user marks “marketing cookies” as acceptable.

By default, our plugin sets the cookie, but you can opt-out of this by adding the following PHP code snippet:

With this code snippet, none of the cookies will be set by our plugin. When your visitors give consent through your cookie banner, you can add this JavaScript snippet which will allow cookies to be set:

Please note: disabling cookies until consent is given has some side effects. If a user does not give consent and our cookie can’t be set, the popup will be show on every page load, regardless of your wheel’s settings. This is potentially annoying for the user.

Don’t store any personal identifiable data

As stated earlier in this document, our plugin needs to store sensitive data in your database for some features to work (such as limiting prizes, limiting plays, etc). By default, we store the email address and a hashed version of the user’s IP address. If you don’t want to store those things, it can be disabled with a PHP code snippet:

Please note: by adding this code snippet, some features will no longer work. You will not be able to limit plays. Users can play unlimited times.