DRAFT — NEEDS LEGAL REVIEW. This privacy policy is a plain-language draft prepared by the operator and has not yet been reviewed by a qualified data-protection lawyer. It is published for transparency. Where it conflicts with the EU General Data Protection Regulation (GDPR) or Finnish data-protection law, that law prevails.
Privacy policy
This policy explains how we handle your personal data as an author or prospect — your name, email, CodeCanyon listing URL and sales figures. For it, PluginExit is the controller. Your buyers' data is handled separately: there you are the controller and we are your processor under a data-processing agreement (see the last section).
Who is the controller
| Controller | Lauri Kesonen — LK Web (toiminimi) |
|---|---|
| Business ID | [BUSINESS ID / TOIMINIMI — FILL IN] |
| Country | Finland (EU) |
| Privacy / DSAR contact | kesonen.lauri@gmail.com |
To exercise any of your rights, or to ask a privacy question, email the DSAR contact above.
What we collect, why, and on what legal basis
| Data | Why we hold it | Legal basis (GDPR Art. 6) | Retention |
|---|---|---|---|
| Your public listing data: plugin name, CodeCanyon URL, item price, sales pace | To build the audit receipt from public data and estimate the impact of Envato's flat 50% share for you | Legitimate interest (Art. 6(1)(f)) — relevant B2B outreach built only from already-public data | Deleted if you do not engage, on request, or at the latest with our prospect purge cycle; see below |
| Your name and email address | To reach you about the audit, answer questions, and — if you engage — run the migration and send you invoices and status updates | Legitimate interest for outreach; contract performance (Art. 6(1)(b)) once you engage | Engagement data deleted on day 37 after go-live; see retention below |
| Correspondence and support messages | To provide and document the service and handle refunds/disputes | Contract performance; legitimate interest; legal obligation for records | Retained as long as needed for the engagement and any legal record-keeping period |
| Billing records (invoices, payment references — not card numbers) | To take payment and meet Finnish accounting/tax obligations | Legal obligation (Art. 6(1)(c)) | Kept for the statutory Finnish accounting retention period |
| Standard server access logs (IP, timestamp, requested URL) | Ordinary web-server logging for security and operation; no per-page view tracking or analytics profiling | Legitimate interest (Art. 6(1)(f)) | Short-lived operational log, rotated on a routine schedule |
We do not collect special-category data, and we do not use your data for automated decision-making that produces legal effects. We do not sell your personal data.
Retention — tied to day 37
Once a migration goes live, the engagement data we hold as part of delivering it — including credentials you handed over and the buyer data we processed on your behalf — is deleted on day 37 by a scheduled job, with confirmation posted to your status page (see the credential & access charter). Data we must keep for a legal reason (invoices for tax/accounting) is retained only for the statutory period and nothing longer. Prospect data for authors who never engage is deleted on request and, in any case, on our routine prospect purge cycle.
Your rights
Under the GDPR you have the right to: access your data; have inaccurate data corrected; have your data erased; restrict or object to processing (including objecting to legitimate-interest outreach); data portability; and to withdraw any consent you gave, at any time, without affecting prior processing. To exercise any of these, email kesonen.lauri@gmail.com. We respond within one month. If you are unhappy with how we handle your data, you may complain to the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto, tietosuoja.fi) or your local EU supervisory authority.
Sub-processors
We use a small set of service providers who process personal data on our behalf under appropriate data-processing terms:
| Sub-processor | Purpose | Data involved |
|---|---|---|
| Stripe | Payment processing (deposit and balance) | Your name, email, billing details — card data goes directly to Stripe; we never see or store card numbers |
| Freemius | The new licensing/store platform and free license-data import | Store and license data for the migration |
| Hosting / VPS provider (EU) | Hosting the site, status portal and redemption bridge | Data at rest, encrypted, on an EU server |
| Email sending provider (when added) | Delivering transactional and migration emails | Recipient name and email — added only when a sender is wired up, and listed here first |
This list is kept current. If we add or change a sub-processor, we update this page.
Your buyers' consent (the redemption bridge)
When your existing buyers redeem a purchase code on your new store, the bridge captures their email with an explicit, unchecked marketing-consent box. A buyer's email is only added to a marketing/direct list if they actively tick that box; without consent, the email is used only to issue their replacement license and nothing more. This mirrors the buyer-consent note in the credential & access charter.
International transfers
We keep data in the EU/EEA wherever we can. Where a sub-processor (such as Stripe or Freemius) processes data outside the EEA, that transfer relies on an adequacy decision or the European Commission's Standard Contractual Clauses.
Cookies and tracking
The public site is deliberately light on tracking. The audit receipt pages carry no tracking or analytics — only standard server access logs apply, the same as for any page here. We do not run advertising trackers or third-party analytics profiling on the audit pages.
Changes to this policy
We may update this policy; material changes are announced on this page, and the "last updated" date below always reflects the current version.
Related: terms of service · credential & access charter · verify the operator
Last updated 2026-07-06 · DRAFT, pending legal review.