Privacy & Data Handling
This plugin collects email addresses, stores them, shares them with a third-party email service, and sets cookies in visitors’ browsers. If you operate under GDPR, CCPA, or any similar regime, you need to know exactly what data moves where. This article lays it out so you can update your privacy policy and handle data requests.
This is practical guidance, not legal advice. Check your obligations with a qualified advisor for your jurisdiction.
Table of Contents
What data is collected
When a customer signs up on a coming soon product, the plugin handles:
| Data | Source | Stored where |
|---|---|---|
| Email address | The signup form | Local wp_sscs_signups table and your email provider |
| MailerLite subscriber ID | Returned by MailerLite | Local table + a browser cookie |
| Referrer ID | The ?shared_by= link that brought them in |
Local table (referrer_id) |
| WordPress user ID | The logged-in session, if any | Local table (wp_user_id) |
| Signup timestamp | The server | Local table (created_at) |
| IP address | The request | Not stored — used transiently (see below) |
Where the data goes
Your WordPress database
Every MailerLite-powered signup is written to the wp_sscs_signups table on your
own server. This is your data, under your control. (Products using Super Speedy
Emails instead store signups in the SSE plugin’s tables — still on your server.)
MailerLite (third-party processor)
For MailerLite-powered products, the email address is sent to MailerLite
(connect.mailerlite.com) to create or update a subscriber and add them to your
chosen group. MailerLite then becomes a data processor for that email address and
typically sends its own confirmation/marketing emails. You should list MailerLite
as a third-party processor in your privacy policy and link to their privacy terms.
Cloudflare (only if Turnstile is enabled)
If you turn on the Cloudflare Turnstile CAPTCHA, each form submission sends a
challenge token and the visitor’s IP address to Cloudflare
(challenges.cloudflare.com) for verification. If you enable Turnstile, add
Cloudflare as a processor in your privacy policy. If Turnstile is off (the
default), nothing is sent to Cloudflare.
How IP addresses are used
The plugin uses the visitor’s IP address in two narrow, transient ways — it is never written to the signups table:
- Rate limiting: the IP is hashed into a short-lived counter key to limit repeated submissions. The counter expires automatically (default 10 minutes) and holds only a number, not the address itself.
- Turnstile verification (only if enabled): the IP is forwarded to Cloudflare as part of the CAPTCHA check.
| Cookie | Lifetime | Purpose |
|---|---|---|
sscs_mailerlite_user_id |
1 year | Remembers that this visitor has signed up (so they see share buttons, not the form again) and identifies them as a potential referrer. |
sscs_shared_by_id |
Session | Records that the visitor arrived via someone’s share link, so the referral can be credited if they sign up. |
Both are first-party cookies used for signup state and referral tracking. Mention them in your cookie policy. Neither is used for cross-site advertising.
Consent
The built-in form is a single email field plus a submit button — it does not include a consent checkbox or privacy-policy link by default. If your jurisdiction requires explicit marketing consent, you can add the necessary wording (and a link to your policy) using the product’s Offer Description field, which accepts HTML and renders directly above the form. For a formal opt-in checkbox or double opt-in flow, consider using the Super Speedy Emails provider, which has its own confirmation pipeline.
Handling data requests (access / deletion)
To fulfil a “delete my data” or “what do you hold on me” request for a given email, remove them from each place the data lives:
- Local table — delete their row from
wp_sscs_signups(see Viewing & Exporting Your Signups). - Email provider — delete the subscriber in MailerLite (or SSE) separately. Removing the local row does not remove them from your provider.
- Cookies — these live in the visitor’s own browser and expire on their own; there’s nothing to delete server-side.
The local-table deletion query is:
wp db query "DELETE FROM wp_sscs_signups WHERE email = 'person@example.com'"
WordPress’s core Tools → Export/Erase Personal Data screens do not currently include this plugin’s table, so handle the local table manually as above.
A note for administrators
Your MailerLite API key is stored in the WordPress options table. On the settings
page it is masked and write-only — the saved key is never displayed back, so it
can’t be read off the screen or out of the page source. Only Administrators
(manage_options) can open the settings page at all. Still, treat a database export
as sensitive: it contains both the API key and your collected email addresses.
- Spam & Abuse Protection — when IP/Cloudflare data is used.
- Viewing & Exporting Your Signups — reading and deleting local records.
- Email Providers — what MailerLite vs SSE store and where.