Avada › Forums › Community Forum › GDPR concern – encripted URL sent to Avada with Patch update? Why? › Reply To: GDPR concern – encripted URL sent to Avada with Patch update? Why?
Hey there @revans, I hope you’re well today!
Your website’s URL is not personal data since it’s publicly accessible, but even in the extreme cases where you might consider it “personal”, it actually never gets transmitted. It gets encrypted/hashed, and that hash is then sent to our server along with the request.
These hashes are stored on our server for 7 days and after that period they get deleted.
The purpose of that particular string it to allow us to get an average of the PHP versions used by Avada installations. This way we know that PHP 5.2 usage is around 0.2% and we know when it’s time to drop support for an old – and deprecated – PHP version so that the rest 99.8% of our customers can enjoy the benefits of the newer PHP versions they are using, including better performance.
We don’t collect site-URLs.
Even if we wanted to, reverse-engineering the hash to get your site’s URL would be almost impossible – especially if you take into account the volume of requests we get on our server for these patches, and the short lifetime these hashes have on our server.
See Recital 156 from the GDPR:
The further processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is to be carried out when the controller has assessed the feasibility to fulfil those purposes by processing data which do not permit or no longer permit the identification of data subjects, provided that appropriate safeguards exist (such as, for instance, pseudonymisation of the data).