Last Updated: October 10, 2025
Our Privacy Promise
Zero External Communication
AlertFlow operates entirely on your server. No data is sent to external services, tracking platforms, or analytics tools.
We built AlertFlow with privacy as a foundational principle, not an afterthought. This means:
- No phone-home functionality
- No usage tracking or analytics without consent
- No third-party integrations that collect data without consent
- No cookies for tracking purposes without consent
- No fingerprinting or device identification beyond security needs
What Data We Store Locally
All data remains in your AlertFlow database. Here's exactly what we store and why:
Login Security Data
- Login Attempts: IP address, timestamp, username (hashed), success/failure status
- Purpose: Brute force protection and security monitoring
- Retention: 30 days (configurable), then automatically deleted
- Control: Can be disabled entirely in settings
Two-Factor Authentication (2FA)
- Data Stored: TOTP secrets (encrypted), backup codes (hashed), device trust tokens
- Encryption: All 2FA secrets encrypted using AlertFlow salts
- User Control: Users can disable 2FA and delete all associated data
Plugin Settings
- Configuration Data: Your customization preferences (colors, logos, security settings)
- Storage: AlertFlow options table
- Privacy: No personally identifiable information
What We DON'T Collect
Transparency means being explicit about what we don't do:
- Personal Information: No names, emails, or phone numbers beyond what AlertFlow already stores
- Behavioral Data: No tracking of how you use the plugin interface
- Browser Data: No localStorage, sessionStorage, or IndexedDB usage
- Device Information: No fingerprinting, no hardware profiling
- Location Data: IP addresses used only for security, not geolocation tracking
- Usage Analytics: We don't know how many sites use AlertFlow unless you tell us
Security Logging & IP Addresses
IP addresses are the only potentially identifying data we process, and only for legitimate security purposes:
Why We Log IP Addresses
- Detect and prevent brute force attacks
- Identify suspicious login patterns
- Enforce rate limiting to protect your site
- Generate security alerts for administrators
IP Address Protection
- Hashing: IPs can be hashed instead of stored in plaintext (optional setting)
- Retention: Automatic deletion after 30 days (default, configurable)
- Access Control: Only site administrators can view security logs
- No Sharing: Never shared with third parties
GDPR Compliance
IP address logging is necessary for legitimate security interests under GDPR Article 6(1)(f). Users can request deletion of their security logs by contacting site administrators.
User Rights & Data Control
You have complete control over your data:
Access & Export
- View all your 2FA settings and backup codes
- Export security logs via CSV (administrators)
- Access plugin settings through AlertFlow admin
Deletion & Erasure
- Personal 2FA Data: Delete from your profile at any time
- Security Logs: Request deletion from site administrator
- Complete Removal: Uninstalling the plugin deletes all associated data
Data Portability
- Export plugin settings as JSON
- Transfer configurations between sites
- Backup codes downloadable as a text file
Third-Party Services
AlertFlow does not integrate with any third-party services by default. Optional features that may involve external services:
Dashboard Replacement (Optional)
- Feature: Redirect to AlertFlow dashboard after login
- Data Shared: AlertFlow authentication cookies only
- Control: Completely optional, disabled by default
- Your Choice: You configure the redirect URL
Email Notifications (Optional)
- Feature: Security alerts via email
- Data Shared: Uses your AlertFlow email system
- No External Service: Emails sent through your existing mail server
Children's Privacy
AlertFlow is a security tool for website administrators. We do not knowingly collect data from children under 13. The plugin does not have features directed at children.
Changes to This Policy
We may update this privacy policy to reflect changes in our practices or for legal compliance. Updates will be posted on this page with a new "Last Updated" date.
Notification of Changes: Material changes will be announced via our changelog and AlertFlow.org plugin page.
Contact & Questions
Privacy questions or concerns? We're here to help:
Data Protection Officer
For GDPR-related inquiries, contact our Data Protection Officer at [email protected]