Short version: We collect only what we need to run BoltAudit. We never read your WordPress users' data, customer data, or post content. Your payment is handled entirely by Paddle, who are the merchant of record.
BoltAudit is operated by HalalBrains ("we", "us", "our"). Our platform provides AI-powered performance and health audits for WordPress websites. Our services are accessible at boltaudit.com, app.boltaudit.com, and via the BoltAudit WordPress plugin.
For data protection enquiries, contact us at privacy@boltaudit.com.
When you register for BoltAudit, we collect:
When you connect a WordPress site, the BoltAudit plugin sends aggregate, structural information about your site. This includes:
This data is used solely to generate your audit report and is never sold or shared with third parties for marketing purposes.
We store your subscription status, plan metadata, and references to Paddle transaction IDs. We do not store card numbers, CVVs, or any payment instrument details — all payment processing is handled by Paddle (see Section 7).
We log which audit types you run, timestamps, audit scores and grades, and model usage metrics. This powers your score history, trend charts, and weekly digest emails.
Our Cloudflare Workers infrastructure automatically records request logs including IP addresses, HTTP method, path, status code, and response time. These logs are retained for 30 days for security and debugging purposes.
The following data never leaves your WordPress site and is never transmitted to BoltAudit servers:
wp-config.php (only specific safe constants such as WP_DEBUG)
| Data | Purpose |
|---|---|
| Email address | Account login, audit completion notifications, weekly digest, security alerts |
| Site metadata | Generating AI audit reports and scores |
| Billing records | Subscription status, transaction history, invoicing |
| Usage data | Score history, trend charts, digest emails, platform improvements |
| Technical logs | Security monitoring, debugging, abuse prevention |
We do not use your data for advertising, do not sell it, and do not use it to train AI models.
If you are located in the European Economic Area (EEA) or the United Kingdom, our legal bases for processing personal data are:
We rely on the following third-party service providers to operate BoltAudit:
| Provider | Purpose | Location | Data Shared |
|---|---|---|---|
| Cloudflare, Inc. | Infrastructure — Workers, D1, R2, KV, Pages, CDN | United States (global edge) | All data transits and is stored on Cloudflare infrastructure |
| Anthropic, PBC | AI engine — Claude API for audit analysis | United States | Site metadata sent as prompt context; Anthropic does not train on API inputs by default per their usage policy |
| Paddle.com Market Ltd | Payment processing and Merchant of Record | United Kingdom | Email address, purchase amount, product details; card data handled entirely by Paddle |
We do not share your data with any other third parties without your explicit consent, except as required by law.
BoltAudit uses Paddle.com Market Ltd as its payment infrastructure provider. Paddle acts as the Merchant of Record for all BoltAudit purchases, which means:
You can review Paddle's Privacy Policy at paddle.com/legal/privacy. When you complete a purchase, you also agree to Paddle's Buyer Terms at paddle.com/legal/checkout-buyer-terms.
BoltAudit receives from Paddle only: confirmation that a payment succeeded, the transaction ID, the subscription plan purchased, and the email address you used at checkout.
The marketing website (boltaudit.com) sets no cookies. There is no analytics, advertising, or tracking on the marketing site.
The app (app.boltaudit.com) sets a single session cookie (ba_session) to maintain your logged-in state. This cookie:
HttpOnly and Secure
No consent banner is displayed on the marketing site because no cookies are set. The app session cookie is strictly necessary and does not require consent under ePrivacy regulations.
| Data Type | Retention Period |
|---|---|
| Account data | For the lifetime of your account, then 30 days after deletion request |
| Audit reports | 12 months from the date of the audit; older reports are purged automatically |
| Billing records | 7 years (required for tax compliance) |
| Request logs | 30 days |
| Session tokens | 7 days from last activity |
Depending on your location, you may have the following rights regarding your personal data:
To exercise any of these rights, email privacy@boltaudit.com. We will respond within 30 days. If you believe we have not handled your data lawfully, you have the right to lodge a complaint with your local data protection authority (UK: ICO; EU: your national DPA).
BoltAudit is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected such data, please contact us at privacy@boltaudit.com and we will delete it promptly.
BoltAudit's infrastructure runs on Cloudflare's global network. Data may be stored and processed in data centres outside your country, including in the United States. Where data is transferred from the EEA or UK to a third country, we rely on Cloudflare's and Anthropic's Standard Contractual Clauses (SCCs) as the transfer mechanism. You can request details of these safeguards by emailing privacy@boltaudit.com.
We may update this Privacy Policy from time to time. When we do, we will update the "last updated" date at the top of this page. For material changes, we will notify you by email at least 14 days before the change takes effect. Continued use of BoltAudit after notice of a material change constitutes your acceptance of the updated policy.
For any privacy-related questions, data requests, or complaints: