UK GDPR Compliant

Privacy Policy

Last updated: 2026

Summary (Plain English)

📦

What we store

Your account email, store URL, and product purchase patterns (no personal customer data).

📅

How long we keep it

Order data is automatically deleted after 24 months. Account data until you delete your account.

🗑️

Your control

Delete your store (and all its data) from the Dashboard, or disconnect via the WordPress plugin, at any time.

1. Who We Are
2. What Data We Collect
3. What We Do Not Collect
4. Legal Basis for Processing
5. How We Use Your Data
6. Data Retention
7. Data Deletion & Your Right to Erasure
8. Third Parties & Data Sharing
9. Security
10. Your Rights Under UK GDPR
11. Cookies & Sessions
12. Changes to This Policy
13. Contact Us

1. Who We Are

FBT SaaS ("we", "us", or "our") is the data controller for data processed through this service. We provide an AI-powered Frequently Bought Together recommendation engine for WooCommerce stores, based on the FP-Growth machine learning algorithm.

For questions about this policy or your data, see Section 13 — Contact Us.

2. What Data We Collect

2a. Account Data

Email address — used to identify your account and send service communications.
Password — stored as a one-way bcrypt hash. We cannot recover your original password.

2b. Store Configuration Data

Store name and URL — identifies your WooCommerce store.
WooCommerce API credentials (consumer key & secret) — auto-generated by the WordPress plugin and stored to enable order syncing. These are used solely to read your order history via the WooCommerce REST API.
Algorithm settings — your configured parameters (minimum support, confidence, lift, sync frequency).

2c. Order Transaction Data (from your WooCommerce store)

When you trigger a sync, we fetch and temporarily cache the following fields from your WooCommerce orders:

WooCommerce Order ID — a numeric reference used to group line items into baskets for the FP-Growth algorithm.
Product ID and product name — identifies which products appear together in orders.
Order date — used to limit data to your configured time window (up to 24 months).

Important: We do not store customer names, addresses, email addresses, payment information, or any other personal data belonging to your customers. We only process product co-purchase patterns.

2d. Generated Recommendation Data

Product recommendation pairs (Product A → recommend Product B), with association metrics (support, confidence, lift).
These are derived outputs — they contain no personal data and are pushed to your WordPress store for display.

3. What We Do Not Collect

We are explicit about data we do not collect or process:

Your customers' personal data (names, email addresses, phone numbers, billing/shipping addresses)
Payment card details or financial information of any kind
IP addresses or browsing behaviour of your store's visitors
Your customers' account credentials
Special category data (health, ethnicity, religion, etc.)

4. Legal Basis for Processing

Under UK GDPR Article 6, we rely on the following legal bases:

6(b)

Contractual necessity

Processing your account data and store configuration to provide the service you signed up for.

6(f)

Legitimate interests

Processing order transaction data (product IDs and co-purchase patterns) to generate recommendations — this is the core purpose of the service you have actively configured.

5. How We Use Your Data

Provide the service: Run the FP-Growth algorithm against your order history to identify products frequently purchased together.
Deliver recommendations: Push generated recommendations back to your WordPress store via the secure REST API endpoint.
Authenticate your plugin: Use stored WooCommerce API credentials to fetch orders during scheduled and manual syncs.
Service communications: Send account-related emails (password resets, service notices). We do not send marketing emails without your explicit consent.
We do not: sell, rent, or share your data with any third party for commercial purposes.

6. Data Retention

We apply a strict retention schedule in line with the UK GDPR Storage Limitation principle (Article 5(1)(e)):

Data Category	Retention Period	Mechanism
Account data (email, password hash)	Until account deletion	Manual via account settings or request to us
Store configuration & API credentials	Until store is deleted	Dashboard → Delete Store, or plugin Disconnect
Order transaction data (product co-purchase patterns)	Maximum 24 months	Automatically purged after each sync; also deleted when store is removed
Generated recommendations	Until next sync or store deletion	Overwritten on each sync; deleted with store

The 24-month limit is enforced automatically: after every sync, any order records older than 24 months are permanently deleted from our database.

7. Data Deletion & Your Right to Erasure

You have full control and multiple ways to delete your data immediately:

Delete a store via the SaaS Dashboard

Dashboard → Store card → Delete button. This permanently deletes the store record, all cached order data, all generated recommendations, and all associated configuration. This action is instant and irreversible.

Disconnect via the WordPress Plugin

WordPress Admin → FBT SaaS → Disconnect button. This calls our server to delete all store data, revokes the WooCommerce API keys, clears the sync schedule, and removes all plugin settings from your WordPress database.

Request full account deletion

Email us at the address in Section 13 to request deletion of your entire account, including all stores and all associated data. We will action this within 30 days (typically much sooner).

8. Third Parties & Data Sharing

We do not sell or share your data with third parties for marketing or any commercial purpose.

The only external data flow is:

Your WooCommerce store (outbound) — we call the WooCommerce REST API on your store using the API keys generated during setup. We read order data; we write recommendation data. This is a direct server-to-server connection with your own website.
Hosting infrastructure — our application runs on a server hosted by a third-party provider. Any hosting provider we use is bound by a Data Processing Agreement (DPA) and processes data only on our documented instructions.

We may disclose data if required by law or to comply with a legal obligation, court order, or regulatory requirement in the UK.

9. Security

We implement technical and organisational measures to protect your data:

All communication between your browser, WordPress plugin, and our servers uses HTTPS/TLS encryption.
Passwords are hashed using bcrypt — they are never stored in plaintext.
WooCommerce API credentials are stored with encryption at rest.
The connection between your WordPress site and our service is authenticated by a unique, randomly-generated connection token.
Access to store data is scoped to your user account — other users cannot access your store data.

No system is 100% secure. If you believe you have found a security vulnerability, please contact us privately before public disclosure.

10. Your Rights Under UK GDPR

As a data subject under UK GDPR, you have the following rights. To exercise any of them, contact us at the address in Section 13.

Right of Access (Article 15)

Request a copy of all personal data we hold about you.

Right to Rectification (Article 16)

Request correction of inaccurate or incomplete personal data.

Right to Erasure (Article 17)

Request deletion of your personal data. For store & order data, you can exercise this instantly via the Dashboard or Plugin (Section 7).

Right to Restriction (Article 18)

Request that we restrict processing of your data in certain circumstances.

Right to Portability (Article 20)

Request your data in a structured, machine-readable format.

Right to Object (Article 21)

Object to processing based on legitimate interests. If you object, we will stop unless we have compelling grounds.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe we have mishandled your data.

11. Cookies & Sessions

We use minimal, strictly necessary cookies:

Session cookie — used to keep you logged into the dashboard. This cookie is deleted when you log out or close your browser. It contains only a session identifier, not your personal data.

We do not use tracking, analytics, or advertising cookies. No third-party cookies are set by our service.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will update the "Last updated" date at the top of this page. Continued use of the service after changes are posted constitutes acceptance of the updated policy.

We encourage you to review this page periodically.

13. Contact Us

For any questions, data requests, or concerns about this Privacy Policy:

FBT SaaS

Data Controller

privacy@fbt.sidocode.com

fbt.sidocode.com

We aim to respond to all data-related requests within 30 days, in compliance with UK GDPR timescales.