Privacy Policy
Last updated: May 25, 2026
This Privacy Policy describes how Brand on Fire LLC, d/b/a Gaucho Plugins ("we", "us"), handles personal data in connection with the Login for Stripe Customer Portal plugin (the "Plugin") and the website at customerportalplugin.com.
1. What the website collects
This marketing website is a static HTML site. It does not set first-party tracking cookies. No personal data is required to browse it. Third-party scripts loaded for functionality:
- Tailwind CSS CDN (cdn.tailwindcss.com) — serves CSS framework JavaScript.
- Google Fonts (fonts.googleapis.com, fonts.gstatic.com) — serves the Inter typeface.
- Freemius Checkout (checkout.freemius.com) — loaded only on the pricing page to power the "Get PRO" button. The script is inactive until you click the button; on click, the data you enter into the checkout overlay (name, email, payment info) is processed by Freemius under Freemius’s privacy policy.
2. What the Plugin collects (on your WordPress site)
When installed on a WordPress site, the Plugin stores the following data on your own server:
- Your Stripe Secret API key (in wp_options).
- Configured options: login URL slug, post-logout redirect URL, "restrict to existing customers" toggle.
- For each magic-link request: a SHA-256 hash of the issued token, the requesting email address, the request IP (for rate limiting), and the expiry timestamp.
A daily WP-Cron sweep removes expired tokens and rate-limit counters. Tokens are deleted on redemption. On plugin uninstall, every plugin option and transient is removed (including the Stripe Secret Key).
3. Data sent to Stripe
When a customer requests or redeems a magic link, the Plugin calls the Stripe API using your Secret Key. Customer email addresses are sent to Stripe to look up or create a Stripe customer and to generate a Customer Portal session. Once redirected, the customer interacts with Stripe directly under Stripe’s Privacy Policy.
4. Data sent to Freemius
The Plugin uses the Freemius SDK for license validation and update delivery. The SDK only contacts Freemius if you opt in via the connect screen or if you purchase PRO. Data Freemius receives is governed by Freemius’s Privacy Policy.
5. GDPR personal-data exporter & eraser
The Plugin registers a personal-data exporter and eraser with WordPress Privacy Tools. Site owners can fulfill subject-access and deletion requests for an email address through Tools → Export Personal Data and Tools → Erase Personal Data. Both surfaces include data the Plugin holds (issued/used token records and rate-limit counters keyed to that email).
6. Anti-enumeration design
The magic-link form deliberately returns the same response for valid, invalid, and unknown email addresses, and the wording is mode-aware. This prevents the login page from being used to confirm whether a given email belongs to a Stripe customer. A per-email + per-IP rate limit (5 requests per 10 minutes) further deters scraping.
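The design in sections 2 and 6, sketched as a small Python model. This is an added illustration, not the Plugin's own code (the Plugin runs in WordPress): the class and function names, the 15-minute token lifetime, the response wording, the in-memory stores, and the choice to give throttled requests the same response are all assumptions. It models the "restrict to existing customers" mode only.

```python
import hashlib, secrets, time

WINDOW, LIMIT = 600, 5      # 5 requests per 10 minutes, as stated in the policy
TTL = 900                   # assumed token lifetime (not stated on the page)
GENERIC = "If that address can sign in, a link is on its way."  # constructed wording

def token_digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

class MagicLinkService:
    def __init__(self, customers, now=time.time):
        self.customers = set(customers)  # stand-in for the Stripe customer lookup
        self.now = now
        self.hits = {}      # rate-limit key -> timestamps of accepted requests
        self.tokens = {}    # SHA-256(token) -> (email, ip, expiry); raw token never stored
        self.outbox = []    # (email, raw token) pairs that would be emailed

    def _allow(self, key):
        t = self.now()
        recent = [x for x in self.hits.get(key, []) if t - x < WINDOW]
        allowed = len(recent) < LIMIT
        if allowed:
            recent.append(t)
        self.hits[key] = recent
        return allowed

    def request_link(self, email, ip):
        email = email.strip().lower()
        # Evaluate both counters every time so neither short-circuits the other.
        ok_email = self._allow("email:" + email)
        ok_ip = self._allow("ip:" + ip)
        if ok_email and ok_ip and email in self.customers:
            token = secrets.token_urlsafe(32)
            self.tokens[token_digest(token)] = (email, ip, self.now() + TTL)
            self.outbox.append((email, token))
        return GENERIC      # identical body for known, unknown and throttled requests

    def redeem(self, token):
        record = self.tokens.pop(token_digest(token), None)  # deleted on redemption
        if record is None or record[2] < self.now():
            return None
        return record[0]
```

Because only the digest is stored, a copy of the token table does not yield usable links, and the caller cannot tell from the response which branch was taken.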
7. Cookies
This marketing site sets no first-party cookies. The Stripe-hosted Customer Portal that customers reach after redeeming a magic link sets its own session cookies under Stripe’s privacy policy.
8. Contact
For privacy questions or data-subject requests related to this site or the Plugin, contact info@brandonfire.com. We’ll respond within 30 days.