Privacy & Data Handling

Super Speedy Plugins

This plugin collects email addresses, stores them, shares them with a third-party email service, and sets cookies in visitors’ browsers. If you operate under GDPR, CCPA, or any similar regime, you need to know exactly what data moves where. This article lays it out so you can update your privacy policy and handle data requests.

This is practical guidance, not legal advice. Check your obligations with a qualified advisor for your jurisdiction.

What data is collected

When a customer signs up on a coming soon product, the plugin handles:

Data Source Stored where
Email address The signup form Local wp_sscs_signups table and your email provider
MailerLite subscriber ID Returned by MailerLite Local table + a browser cookie
Referrer ID The ?shared_by= link that brought them in Local table (referrer_id)
WordPress user ID The logged-in session, if any Local table (wp_user_id)
Signup timestamp The server Local table (created_at)
IP address The request Not stored — used transiently (see below)

Where the data goes

Your WordPress database

Every MailerLite-powered signup is written to the wp_sscs_signups table on your own server. This is your data, under your control. (Products using Super Speedy Emails instead store signups in the SSE plugin’s tables — still on your server.)

MailerLite (third-party processor)

For MailerLite-powered products, the email address is sent to MailerLite (connect.mailerlite.com) to create or update a subscriber and add them to your chosen group. MailerLite then becomes a data processor for that email address and typically sends its own confirmation/marketing emails. You should list MailerLite as a third-party processor in your privacy policy and link to their privacy terms.

Cloudflare (only if Turnstile is enabled)

If you turn on the Cloudflare Turnstile CAPTCHA, each form submission sends a challenge token and the visitor’s IP address to Cloudflare (challenges.cloudflare.com) for verification. If you enable Turnstile, add Cloudflare as a processor in your privacy policy. If Turnstile is off (the default), nothing is sent to Cloudflare.

How IP addresses are used

The plugin uses the visitor’s IP address in two narrow, transient ways — it is never written to the signups table:

  • Rate limiting: the IP is hashed into a short-lived counter key to limit repeated submissions. The counter expires automatically (default 10 minutes) and holds only a number, not the address itself.
  • Turnstile verification (only if enabled): the IP is forwarded to Cloudflare as part of the CAPTCHA check.

Cookies the plugin sets

Cookie Lifetime Purpose
sscs_mailerlite_user_id 1 year Remembers that this visitor has signed up (so they see share buttons, not the form again) and identifies them as a potential referrer.
sscs_shared_by_id Session Records that the visitor arrived via someone’s share link, so the referral can be credited if they sign up.

Both are first-party cookies used for signup state and referral tracking. Mention them in your cookie policy. Neither is used for cross-site advertising.

Consent

The built-in form is a single email field plus a submit button — it does not include a consent checkbox or privacy-policy link by default. If your jurisdiction requires explicit marketing consent, you can add the necessary wording (and a link to your policy) using the product’s Offer Description field, which accepts HTML and renders directly above the form. For a formal opt-in checkbox or double opt-in flow, consider using the Super Speedy Emails provider, which has its own confirmation pipeline.

Handling data requests (access / deletion)

To fulfil a “delete my data” or “what do you hold on me” request for a given email, remove them from each place the data lives:

  • Local table — delete their row from wp_sscs_signups (see Viewing & Exporting Your Signups).
  • Email provider — delete the subscriber in MailerLite (or SSE) separately. Removing the local row does not remove them from your provider.
  • Cookies — these live in the visitor’s own browser and expire on their own; there’s nothing to delete server-side.

The local-table deletion query is:

wp db query "DELETE FROM wp_sscs_signups WHERE email = 'person@example.com'"

WordPress’s core Tools → Export/Erase Personal Data screens do not currently include this plugin’s table, so handle the local table manually as above.

A note for administrators

Your MailerLite API key is stored in the WordPress options table. On the settings page it is masked and write-only — the saved key is never displayed back, so it can’t be read off the screen or out of the page source. Only Administrators (manage_options) can open the settings page at all. Still, treat a database export as sensitive: it contains both the API key and your collected email addresses.

Related

  • Spam & Abuse Protection — when IP/Cloudflare data is used.
  • Viewing & Exporting Your Signups — reading and deleting local records.
  • Email Providers — what MailerLite vs SSE store and where.

Leave a Reply

Your email address will not be published. Required fields are marked *

×
1/1