Segurium

Privacy Policy

Last revised: 27 April 2026

This Privacy Policy explains what data the Segurium WordPress plugin (the “Plugin”) transmits to the Segurium cloud service at cti.segurium.com (the “Service”), why we process it, how long we keep it, who we share it with, and the rights you have under European data-protection law.

This Policy is the public, long-form version of the External Service Disclosure that the Plugin shows you after activation. Where the two documents describe the same processing, they must say the same thing; if there is a discrepancy, the description here controls.

In one paragraph. When you turn cloud scanning on, the Plugin sends file metadata (paths, hashes, sizes, modification times), a randomly generated installation identifier, and security events (scan results, cleanup outcomes, blocked attacks) to cti.segurium.com. It also sends the contents of individual files when a hash alone cannot classify them, or when a clean replacement is needed. We don’t collect visitor analytics, posts, comments, or media. The data is processed inside the European Economic Area, you can ask for a copy or deletion at any time, and the contact for that is privacy@segurium.com.

1. Who is the controller

The data controller for the personal data described in this Policy is Dmytro Tkachuk, an individual sole developer trading as “Segurium”, contactable at privacy@segurium.com. Because we do not have a fixed establishment in the European Union, we are not required to designate a representative under Article 27 GDPR for our current scale of processing; this assessment is reviewed periodically.

2. Scope of this Policy

This Policy applies to:

It does not cover data collected by your own WordPress installation (visitor analytics, posts, user accounts, etc.). For data on your Site you are the controller; we are not. It also does not cover data collected by third parties whose terms apply when you interact with them (e.g. Freemius for payments, your hosting provider, the WordPress.org plugin directory).

3. Data we collect from your Site

The Plugin sends the following categories of data to the Service. The list mirrors the External Service Disclosure shown after activation.

3.1 File metadata

For each file in scope of a scan: SHA-256 hash, path relative to your WordPress installation, size in bytes, and last-modified timestamp. The path is a relative path inside your WordPress directory (for example, wp-content/plugins/example/file.php) and may incidentally contain a username or site name if your installation uses one in the directory layout.

3.2 File contents (occasional)

When classification by hash alone is not conclusive — that is, when the hash is not in our knowledge base — the Plugin uploads the file body so the Service can analyse it and return a verdict. The Plugin also uploads file bodies when generating a clean replacement during cleanup. File bodies are not uploaded for files whose hash is already known to the Service: in that case, only the hash leaves your server.

3.3 Installation identifier and basic Site information

A randomly generated installation identifier (the “IID”) is created the first time you enable cloud scanning. The IID is not derived from any personal identifier. Together with the IID we record: your Site URL, the Site’s name as set in WordPress, the WordPress version, and the Plugin version. This is what lets the Service associate requests with your Site.

3.4 Scan, cleanup, and settings events

Operational telemetry needed to keep cloud and Site state in sync: scan start and finish events, per-file actions (cleaned, ignored, restored), and snapshots of Plugin settings (for example, which protection modules are on, the cleanup policy). These events include the IID and timestamps.

3.5 Firewall events

Records of network requests blocked by the Plugin’s firewall: the source IP address, the attack pattern that triggered the rule, and a timestamp. We use these events in aggregate to adapt protection across all Sites running Segurium. The blocked IP and attack pattern are personal data of the third party that originated the request, not of you.

3.6 Account, billing, and support data

If you buy a Pro license, Freemius collects the data needed to process the payment (name, email address, billing address as required for tax) and shares with us a license record (license key, plan, validity period, the email address you registered with) so we can grant Pro entitlements to your IID. If you write to support@segurium.com we receive your email address and the content of your message.

3.7 Marketing site (segurium.com)

The marketing site uses session cookies only on /pricing for CSRF protection of the quote form (a server-side token, no third-party tracking). The quote form sends what you type in it — site count, contact name, email address, message — to support@segurium.com via SMTP. The site does not use third-party analytics or advertising trackers.

4. Data we do not collect

The Plugin does not transmit any of the following to cti.segurium.com:

5. Purposes and lawful bases

We process the data above for the following purposes, on the legal bases shown. The lawful bases are those of the EU General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”).

Purpose: Detecting malware on your Site by comparing file hashes against our verdict database, and producing scan results.
Lawful basis: Performance of the contract between you and us (Art. 6(1)(b) GDPR) and our legitimate interest in operating the Service (Art. 6(1)(f)).

Purpose: Uploading and analysing file contents when a hash is not enough, and generating clean replacements during cleanup.
Lawful basis: Your explicit consent given when you enable cloud scanning (Art. 6(1)(a)). You can withdraw consent at any time; see §9.

Purpose: Aggregating firewall events across all Sites to refine threat intelligence and adapt protection rules.
Lawful basis: Our legitimate interest in keeping the Service effective for all customers (Art. 6(1)(f)). The originating IP belongs to the attacker, not to you.

Purpose: Billing and license management for Pro purchases.
Lawful basis: Performance of the contract (Art. 6(1)(b)) and compliance with our legal accounting obligations (Art. 6(1)(c)).

Purpose: Responding to support, abuse, or privacy requests.
Lawful basis: Our legitimate interest in supporting the Service (Art. 6(1)(f)) and, for privacy requests, compliance with our legal obligations (Art. 6(1)(c)).

Purpose: Sending the optional daily security digest (only if you enabled it in Plugin settings).
Lawful basis: Your explicit consent (Art. 6(1)(a)). You can disable it from the Plugin’s alert settings at any time.

We do not use this data for advertising or for automated decision-making with legal effect.

6. Retention

We keep data only as long as needed for the purpose it was collected for, and then delete it or fully anonymise it. The current periods are:

If you ask us to delete the IID and operational data tied to it, we will do so within 30 days, except where we are required to retain specific records (for example, a paid invoice for tax purposes) or where the data has already been irreversibly aggregated into threat statistics.

7. Recipients and subprocessors

We do not sell or rent personal data. We share it only with the providers we rely on to run the Offering:

We may also disclose data when required by law, to protect our rights, or in connection with a merger, acquisition, or asset sale, in which case we will inform affected users in advance where practicable.

8. International transfers

The Service’s servers are located within the European Economic Area (EEA). Some of our subprocessors are headquartered or operate outside the EEA — in particular Freemius (United States) and Zoho (United States and India). When personal data is transferred to those countries we rely on the safeguards permitted under Chapter V GDPR, including, where applicable, the European Commission’s Standard Contractual Clauses, and we limit transfers to what is strictly necessary.

9. Your rights

If you are a natural person whose personal data we process, the GDPR gives you the following rights, which you can exercise free of charge:

To exercise any of these rights, write to privacy@segurium.com. We will respond within one month and may ask you to confirm your identity if the request is unclear.

10. Children

The Offering is intended for adults administering WordPress sites. It is not directed at children under 16 and we do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact privacy@segurium.com and we will delete it.

11. Cookies on segurium.com

The marketing site does not use third-party analytics, advertising, or tracking cookies. The only cookie set is a session cookie on /pricing that holds a CSRF token used by the quote form. The cookie is strictly necessary, expires when you close the browser, and is not shared with third parties; under Article 5(3) of the ePrivacy Directive (and its national implementations), strictly necessary cookies do not require consent.

12. Security

We protect data in transit with TLS, isolate the Service’s database on a dedicated server, restrict administrative access to the production environment, log administrative changes to the verdict database, and keep operational logs only as long as needed. Files submitted for analysis are stored in a content-addressed, access-controlled directory and purged on schedule. No system is impenetrable; we encourage you to keep your WordPress installation up to date and to use strong administrator credentials.

13. Data breach notification

If a personal-data breach is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority within 72 hours of becoming aware of it, in line with Article 33 GDPR. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay (Article 34 GDPR).

14. Changes to this Policy

The current version of this Policy is always at segurium.com/privacy with a “Last revised” date. For changes that materially affect your rights or the categories of data we process, we will notify you in the Plugin’s admin UI or by email at least 30 days before the change takes effect.

15. Contact

For privacy questions, GDPR data-subject requests, or to withdraw consent, write to: privacy@segurium.com.
For all other questions about Segurium: support@segurium.com.