GDPR Compliance

The nice thing about Donation Platform for WooCommerce is that it does not process any data beyond what WooCommerce already processes. It will never send any personal information to a third-party server. It also only processes data required for generating leaderboards. The following two features require some processing of Personally Identifiable Information (PII):

However, please note that WooCommerce and other extensions do process personal data and therefore may require customization. More information on how to make WooCommerce GDPR ready can be found here: https://woocommerce.com/gdpr/

Please make sure to clear the cache via the plugin settings whenever you have made manual changes to orders/users and want to ensure that the leaderboard is updated immediately.

GDPR Checklist for Donation Platform for WooCommerce

  1. Does the plugin share personal data with third parties (e.g. to outside APIs/servers)? If so, what data does it share with which third parties and do they have a published privacy policy we can link to? No.
  2. Does the plugin collect personal data? If so, what data and where is it stored?
    1. User data/meta: No.
    2. Options: No.
    3. Order custom post type meta: Order details for the leaderboard will be cached in the database.
    4. Product custom post type meta: No.
    5. Post meta: No.
    6. Custom db tables: No.
    7. Files: No.
  3. Does the plugin access personal data (e.g. using the personal data WooCommerce stores in orders)? If so, what data?
    1. User data/meta: Yes, when using the leaderboard feature.
    2. Options: No.
    3. Order custom post type meta: Yes, order details (used to generate PDF documents).
    4. Product custom post type meta: No.
    5. Post meta: No.
    6. Custom database tables: No.
    7. Files: No.
  4. Does the plugin store personal data (including making copies of it)? If so, where? Yes, PDF documents are temporarily stored on the server; cached leaderboard data will be stored in the database.
  5. Does the plugin pass personal data to a SDK? What does that SDK do with the data? No.
  6. Does the plugin implement the core personal data exporter hook? No.
  7. Does the plugin implement the core personal erasure hook? No.
    1. For what reasons (if any) does the plugin refuse to erase personal data (e.g. order not yet completed, etc.)? Not applicable.
  8. Does the plugin enqueue JavaScript, tracking pixels or embed iframes from a third party (third-party JS, tracking pixels and iframes can collect visitor’s data/actions, leave cookies, etc.)? No.
  9. Does the plugin store things in the browser? If so, where and what?
    1. Cookies: No.
    2. Indexed DB: No.
    3. Local Storage: No.
    4. Session Storage: No.
  10. Does the plugin use error logging? Does it avoid logging personal data if possible? How long are log entries kept? Who has access to them? No.
  11. In wp-admin, what role/capabilities are required to access/see personal data? Are they appropriate? Not applicable.
  12. What personal data is exposed on the front end of the site by the plugin? Does it appear to logged-in and logged-out users?
  13. What personal data is exposed in REST API endpoints by the plugin? Does it appear to logged-in and logged-out users? What roles/capabilities are required to see it? Not applicable.
  14. Privacy documentation
    1. Does the plugin have documented anywhere what personal data it collects, accesses, and shares, why it collects that, and how long it is retained? Yes.
    2. Is browser storage (e.g. cookies) also covered? Yes.
    3. If the plugin shares personal data with a third party, does that third party have a documented privacy policy (e.g. a URL) that covers the API(s)? Not applicable.
    4. Are there separate things you need to declare for administrators and shop managers vs end-users? No.
  15. Does the plugin properly remove/clean up data, including especially personal data:
    1. during uninstall of the plugin? Not applicable.
    2. when an order is deleted (e.g. from the order meta or any order-referencing rows in another table)? Yes.
    3. when a user is deleted (e.g. from any user-referencing rows in a table)? Not applicable.
  16. Does the plugin provide controls to reduce the amount of personal data required? Not applicable.
  17. Does the plugin share personal data with SDKs or APIs only when the SDK or API requires it, or is the plugin also sharing personal data that is optional? Not applicable.
  18. Does the amount of personal data collected or shared by this plugin change when certain other plugins are also installed? No.