Privacy Policy

This Privacy Policy explains how Algorismus LLC (“Algorismus,” “we,” “us,” or “our”), the company that operates the WPOS.ai product family (the “Service”), collects, uses, shares, and protects information about you. WPOS.ai is the renamed successor to the product previously known as “WPCursor”; certain legacy hostnames (wpcursor.com, api.wpcursor.com, app.wpcursor.com) and the WordPress plugin slug (wpcursor-ewb) remain in use for backward compatibility and are covered by this Policy.

If you do not agree with this Policy, do not use the Service.

1. Who we are

Legal entity: Algorismus LLC, a Texas limited liability company (intent to convert to a Delaware C-Corporation; this Policy will be updated upon conversion).
Product: WPOS.ai — an AI-powered WordPress management, build, and maintenance platform consisting of:
- A WordPress plugin (wpcursor-ewb) installed on customer WordPress sites.
- A web application at app.wpos.ai (currently served from app.wpcursor.com).
- A REST + WebSocket backend API at api.wpos.ai (currently api.wpcursor.com).
- An administrative dashboard at admin.wpos.ai (currently admin.wpcursor.com).
- A managed WordPress hosting offering and an MCP (“Model Context Protocol”) agent marketplace.
Operations team base: Abbottabad, Pakistan (engineering, support).
Privacy contact: privacy@wpos.ai (3801 Hulen Street, STE 201, Fort Worth, TX 76107)
Legal / DPO contact: legal@wpos.ai (3801 Hulen Street, STE 201, Fort Worth, TX 76107)
Postal address: 3801 Hulen Street, STE 201, Fort Worth, TX 76107

For the purposes of the EU/UK General Data Protection Regulation (GDPR / UK GDPR), Algorismus is the data controller for account and billing data, and a data processor for content you process through the Service (your prompts, your WordPress site data, and the content the AI generates on your behalf).

2. Scope

This Policy applies to:

The WPOS.ai web applications (app.wpos.ai, admin.wpos.ai, marketing sites at wpos.ai).
The WPOS.ai REST + WebSocket API (api.wpos.ai).
The WPOS.ai WordPress plugin (wpcursor-ewb) when installed on your WordPress site and configured against the Service.
Email, in-product, and support communications sent by Algorismus.

This Policy does not apply to (a) third-party WordPress sites you visit or own that happen to have the plugin installed but are not interacting with our backend, (b) third-party services we link to, or (c) data you process locally on your own infrastructure without transmitting it to our backend.

3. Information we collect

3.1 Information you provide directly

Category	Examples	Purpose
Account identifiers	Name, email address, password hash, OAuth subject (Google), profile photo URL	Authentication, account recovery, support
Billing data	Plan, credit balance, Stripe customer ID, last-4 of payment instrument, billing address, VAT/Tax ID	Payment processing, invoicing, tax compliance
Site registration data	WordPress site URL, site name, WordPress admin user, license key, domain-lock fingerprint	License validation, anti-abuse, support
Prompts and instructions	The natural-language instructions you send to the AI assistant	Generating responses and performing the tasks you request
Uploaded content	Files, images, design references, screenshots, scraped pages you upload to your workspace	Performing the requested task
Support communications	Messages to support@wpos.ai, in-app chat, bug reports	Responding to and resolving your inquiry

3.2 Information we collect from your WordPress site (via the plugin)

When the wpcursor-ewb plugin is installed and authenticated against our backend, it transmits the following on your behalf:

WordPress version, active theme, active plugins, PHP version, site language and timezone.
The contents of pages, posts, widgets, ACF fields, and other content you instruct the AI to read, create, or modify.
Domain name (used for license domain-locking; see §7).
Plugin version and update channel (test, beta, public).
Diagnostic logs you explicitly submit (e.g., via the in-plugin “send debug logs” action).

We do not routinely transmit your WordPress users’ personal data, customer orders, or database tables that are not directly involved in a task you requested. You — the WordPress site administrator — are the controller of your site’s data and choose what the AI may access by selecting it in the plugin UI.

3.3 Information generated by the Service

AI-generated content (text, code, widget JSON, page layouts, images) produced in response to your prompts.
Conversation transcripts between you and the AI, retained in your workspace.
Credit transactions, usage statistics, and audit logs (who did what, when, on which site).

3.4 Information collected automatically

Category	Examples	Source
Device / connection	IP address, browser, OS, device type, language, referrer	Web server logs, browser headers
Cookies & local storage	Session cookie (`claude.sid`), CSRF token, UI preferences (e.g., `wpcAdminEnv`), Stripe + PostHog cookies	Browser
Telemetry	Page views, feature usage, error events, performance metrics	PostHog product analytics
Operational logs	Backend request logs, MCP tool invocations, container lifecycle events	Application servers

3.5 Information from third parties

Google OAuth — when you sign in with Google, we receive your email, name, profile photo URL, and Google subject ID.
Stripe — we receive payment, subscription, and dispute events through Stripe webhooks. We do not receive or store full card numbers.
Anthropic — when you use the AI assistant, Anthropic processes your prompt on our behalf and returns the model output. We do not receive Anthropic’s internal account data about you.

4. How we use information

We use the information described above to:

Provide the Service — authenticate you, route AI requests, render the app, store workspaces, deliver plugin updates.
Bill you — process payments via Stripe, deduct credits, send receipts, handle refunds and disputes.
Communicate with you — send transactional emails (welcome, password reset, low-credit warnings, plan upgrades, site activation), respond to support tickets, send service announcements you cannot opt out of, and (if you’ve consented) marketing emails you can unsubscribe from at any time.
Secure the Service — detect and prevent abuse, fraud, license sharing across non-licensed domains, credit-system gaming, and attacks against our infrastructure.
Improve the Service — analyze aggregated usage to fix bugs, prioritize features, and measure performance. Where we use individual-level analytics, we limit it to product telemetry (PostHog) and do not sell that data.
Comply with law — meet our tax, accounting, anti-money-laundering, sanctions, and other legal obligations.
Model training — We do NOT use your prompts, AI conversations, or WordPress site content to train any AI models, ours or Anthropic’s. See §5.1.

Legal bases (EEA/UK users)

Purpose	Legal basis (GDPR Art. 6)
Account, billing, plugin operation	Contract (Art. 6(1)(b))
Security, anti-abuse, telemetry	Legitimate interests (Art. 6(1)(f))
Marketing email	Consent (Art. 6(1)(a)) — withdrawable
Tax, accounting	Legal obligation (Art. 6(1)(c))

5. AI processing and model training

5.1 Your content is not used to train models

Algorismus does not train its own AI models. AI capabilities are provided by Anthropic, PBC (the maker of Claude) under a commercial API agreement. Anthropic’s commercial API terms prohibit using your inputs and outputs to train Anthropic’s models by default, and we do not opt in to any program that would change that. We also do not sell or license your content to any other AI vendor for training.

5.2 What we send to Anthropic

When you send a prompt, we forward to Anthropic:

The prompt text.
Relevant context the AI needs (e.g., page contents, widget definitions, file you uploaded) as you’ve authorized via the plugin or app UI.
A system prompt and tool definitions controlled by Algorismus.
A pseudonymous session identifier — not your email or account ID.

Anthropic processes the request, returns a response, and (per its commercial API terms) retains the data only as long as needed for trust-and-safety review and abuse detection. See Anthropic’s privacy policy at https://www.anthropic.com/legal/privacy.

5.3 AI output is not legal/medical/financial advice

AI-generated content is provided “as is.” It may be inaccurate, incomplete, or unsuitable for your use case. You are responsible for reviewing it before publishing to your site, sending to customers, or relying on it for any decision.

5.4 Intellectual property in AI output

As between you and us, you own the AI-generated output produced for your account, subject to the Terms of Service. Note that under current U.S. copyright law, purely AI-generated content may not be eligible for copyright protection regardless of who paid for it. We make no representation about copyrightability of AI output.

6. Headless browser and screenshot capture

The Service includes a headless-browser feature (“Steel Browser”) that lets the AI navigate to URLs you specify, take screenshots, and extract content for design reference. When you invoke this feature:

We connect to the URL you provided from our server-side browser, not from your computer.
The page is rendered, and we store screenshots and extracted text in your workspace.
The browser session is isolated per user, time-limited (2 hours in the upstream Steel session, 30 minutes idle cleanup), and torn down after use.
We do not retain login cookies or credentials for sites you visit through this feature.

You must not use this feature to access content you are not authorized to access.

8. Workspace isolation and content storage

For each WordPress site you connect, we create an isolated workspace on our servers containing your .mcp.json configuration, uploaded files, scraped pages, and AI conversation history. Workspaces are:

Bind-mounted into per-user runtime containers (resource-limited, no access to other users’ workspaces).
Not browseable across accounts.
Stored in the United States (AWS).

Conversation history is retained for the lifetime of your account or until you delete it (see §13).

9. Cookies and similar technologies

Cookie / storage	Purpose	Type	Duration
`claude.sid`, `claude.sid_dev`	Authenticated session	Strictly necessary	Session / 30 days
CSRF token	Anti-CSRF protection	Strictly necessary	Session
`wpcAdminEnv` (localStorage)	Live/Dev API toggle in admin dashboard	Strictly necessary	Until cleared
Stripe cookies	Payment processing, fraud detection	Strictly necessary	Per Stripe
PostHog cookies (`ph_*`)	Product analytics	Analytics	Up to 1 year

You can disable non-essential cookies in your browser. Disabling strictly necessary cookies will prevent the Service from working.

10. Sharing and subprocessors

We share information only with the categories of recipients below, under written agreements that require confidentiality and appropriate safeguards.

10.1 Subprocessors

Subprocessor	Purpose	Data	Region
Anthropic, PBC	AI model inference (Claude API)	Prompts, conversation context, tool outputs	United States
Stripe, Inc.	Payments, subscriptions, invoicing, tax	Billing data, payment instrument tokens	United States, EEA
Amazon Web Services, Inc. (AWS)	Compute, storage, networking	All categories at rest	United States (`3801 Hulen Street, STE 201, Fort Worth, TX 76107` — us-east-1 / us-west-2)
Steel Browser (steel-dev)	Headless browser for AI navigation	URLs you specify, rendered screenshots	Self-hosted on AWS
PostHog, Inc.	Product analytics, telemetry	Pseudonymous event data	United States / EU (per project config)
Google LLC	OAuth sign-in (optional)	Email, name, profile photo	United States
Email provider	Transactional email delivery	Email address, message body	(`3801 Hulen Street, STE 201, Fort Worth, TX 76107` — Resend / Postmark / SES)
GitHub, Inc.	Plugin update distribution (release CI)	Plugin ZIPs, version metadata	United States

We will update this list when subprocessors change and, where required by contract, provide advance notice.

10.2 Other sharing

Service providers — auditors, legal counsel, accountants, contractors, under confidentiality.
Business transfers — in the event of a merger, acquisition, financing, or asset sale, your information may be transferred subject to this Policy.
Legal compliance — when required by law, court order, or to protect rights, property, or safety.
With your consent — for any other purpose disclosed at the time of collection.

We do not sell your personal information, and we do not “share” it for cross-context behavioral advertising as those terms are defined by the California Consumer Privacy Act.

11. International data transfers

Algorismus is based in the United States; engineering operations are in Pakistan; subprocessors are primarily in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States and other jurisdictions whose data-protection laws may differ from your own.

Where required, we rely on:

Standard Contractual Clauses (EU Commission Decision 2021/914) with subprocessors handling EEA/UK personal data.
UK International Data Transfer Addendum for UK transfers.
Adequacy decisions where applicable.

A copy of the SCCs is available on request at privacy@wpos.ai.

12. Security

We employ technical and organizational measures designed to protect your information, including:

TLS 1.2+ for data in transit.
Encrypted database storage (AWS managed encryption).
Per-user runtime container isolation (no shared filesystem between users’ AI sessions).
Domain-locked licenses and signed plugin updates (SHA-256 verified by the plugin’s UpdateChecker).
Role-based access controls within Algorismus; access to production data is restricted to engineers who require it.
Audit logging for credit transactions, releases, and admin actions.

No system is perfectly secure. If you discover a vulnerability, please email security@wpos.ai (3801 Hulen Street, STE 201, Fort Worth, TX 76107) — we operate a coordinated-disclosure program.

13. Retention and deletion

Data	Retention
Account and billing records	Lifetime of account + 7 years (tax, accounting)
Conversation history & workspaces	Lifetime of account, or until you delete in-app
Credit transactions, usage stats	7 years
Operational logs (web, app, container)	90 days rolling
Email logs (transactional)	12 months
Marketing opt-outs / suppression list	Indefinitely (to honor your opt-out)

You can delete individual conversations and uploaded files in-app at any time. To delete your account, email privacy@wpos.ai or use the “Delete account” action in Settings (where available). We will delete or anonymize your personal data within 30 days, except where retention is required by law (e.g., invoices), in which case we will isolate it from production use.

14. Your rights

Depending on where you live, you may have the following rights:

Access — request a copy of the personal data we hold about you.
Correction — ask us to fix inaccurate or incomplete data.
Deletion / erasure — ask us to delete your personal data, subject to legal-retention exceptions.
Portability — receive your data in a structured, machine-readable format.
Objection / restriction — object to or restrict certain processing (e.g., legitimate-interest based processing).
Withdraw consent — withdraw any consent you previously gave (e.g., marketing).
Lodge a complaint — with your local supervisory authority (EEA/UK) or attorney general (US).

To exercise any right, email privacy@wpos.ai. We will respond within 30 days (extendable by 60 days for complex requests) and may need to verify your identity.

14.1 California (CCPA / CPRA) — additional disclosures

In the preceding 12 months, we have collected the categories of personal information listed in §3 for the business purposes listed in §4. We have disclosed identifiers, commercial information, internet activity, and inferences to the subprocessors listed in §10.1 for those business purposes. We have not sold or shared personal information for cross-context behavioral advertising. California residents have the right to know, delete, correct, opt out of sale/sharing (not applicable to us), and limit use of sensitive personal information, and we will not discriminate against you for exercising these rights.

14.2 Other US state privacy laws

If you reside in Virginia, Colorado, Connecticut, Utah, Texas, or another state with a comprehensive privacy law, you have rights substantially similar to those in §14 and §14.1. Texas residents specifically: you may exercise these rights under the Texas Data Privacy and Security Act.