Last updated / Effective date: 16 June 2026
This Privacy Policy explains what personal data we collect, how we use it, and the rights you have. It is written in plain English. WP Media Locker is a subscription service consisting of a WordPress plugin and a cloud API that offloads (“offsets”) your WordPress site’s media files to Cloudflare R2 cloud storage and serves them over a content delivery network (CDN).
1. Who we are and how to contact us
WP Media Locker is operated by an individual sole proprietor:
- Legal name (data controller): WP Media Locker
- Trading as: WP Media Locker
- Based in: Japan
- Business address: Japan — full postal address available on request
- Website: https://wpmedialocker.com
- API: https://api.wpmedialocker.com
We are the data controller for the personal data described in this policy.
Privacy contact: [email protected]
EU / UK representative (GDPR Art. 27): Not currently appointed.
In this policy, “we”, “us”, “our” means the controller named above. “Customer”, “you”, “your” means the subscriber to the Service. “Content” means the media files we store on your behalf.
2. Data we collect
(a) Account data
- Your email address
- Your name
- The WordPress site domain(s) you connect to the Service
(b) Billing data
Billing and payments are handled by our payment provider, Creem (Armitage Labs OÜ), acting as Merchant of Record.
- We do NOT collect or store your card or payment details. Creem does.
- We store only a Creem customer/subscription reference, your subscription tier, and your subscription status (e.g. active, past due, cancelled).
- Creem’s handling of your payment data is governed by Creem’s own privacy policy and terms.
(c) Technical and usage data
- IP addresses — logged when files are uploaded, for security, abuse prevention, and legal/DMCA compliance.
- API request logs — such as the endpoint called and a timestamp.
- Storage usage metadata — e.g. how much storage you are using against your tier limit.
- File metadata — filenames, file sizes, and storage paths.
(d) Customer Content
- The media files you store with us, which we hold in Cloudflare R2 storage on your behalf. We process this Content to provide the Service (storage and CDN delivery). We do not access the contents of your files except as needed to operate the Service, prevent abuse, or comply with the law.
3. How we use your data
We use the data above to:
- Provide and operate the Service — store your Content, serve it over the CDN, manage your account and storage limits.
- Handle billing — via Creem, to manage your subscription, tier, and status.
- Security and abuse prevention — detect, investigate, and prevent fraud, abuse, and unauthorised use.
- Legal compliance — respond to lawful requests and to DMCA / abuse complaints.
- Support — respond to your questions and troubleshoot issues.
- Service emails — send you transactional and service-related messages (e.g. account, billing, security, and important Service notices).
4. Legal bases for processing (GDPR)
Where the GDPR applies, we rely on the following legal bases:
| Purpose | Legal basis |
|---|---|
| Providing and operating the Service; managing your account; storing and delivering Content | Performance of a contract (Art. 6(1)(b)) |
| Billing and subscription management via Creem | Performance of a contract (Art. 6(1)(b)) |
| Security, abuse prevention, and fraud detection | Legitimate interests (Art. 6(1)(f)) — keeping the Service and our users safe |
| Logging IP addresses for security and abuse | Legitimate interests (Art. 6(1)(f)) and, where applicable, legal obligation (Art. 6(1)(c)) |
| Responding to DMCA / abuse complaints and lawful requests | Legal obligation (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f)) |
| Any processing that requires it (e.g. certain marketing or cookies) | Consent (Art. 6(1)(a)), which you can withdraw at any time |
5. Sub-processors
We use the following third parties (“sub-processors”) to provide the Service. Each processes personal data only as needed for the purpose shown.
| Sub-processor | Purpose | Notes |
|---|---|---|
| Cloudflare | Object storage (R2) and CDN delivery of your Content | Storage is held in regional R2 buckets — see below |
| Creem / Armitage Labs OÜ | Payments and billing; Merchant of Record | Handles all card/payment data; we do not |
| Brevo | Transactional / service email delivery | |
| Oracle Cloud | API server hosting | |
| Oracle Cloud | Hosting of the marketing site / dashboard | Same VPS as the API server |
Storage regions (Cloudflare R2)
Your Content is stored in one of five regional buckets. You can choose your storage region, including an Europe (EU jurisdiction) option for EU/GDPR data residency:
| Region | Notes |
|---|---|
| North America East | |
| North America West | |
| Europe (EU jurisdiction) | Available for GDPR data residency |
| Asia Pacific | |
| Oceania |
A Data Processing Agreement (DPA) is available on request at [email protected].
6. International data transfers and data residency
- The Service is operated by a controller based in Japan, so your data may be processed in or accessed from Japan.
- You can choose where your Content is stored, including an Europe (EU jurisdiction) storage region, to support EU/GDPR data residency.
- Some sub-processors (see Section 5) may process data in other countries.
Where personal data is transferred out of the EEA/UK, we intend to rely on an appropriate transfer mechanism (such as the EU Standard Contractual Clauses).
Standard Contractual Clauses (SCCs) or another lawful transfer mechanism where required, supported by Japan’s status under the EU adequacy decision Confirm the exact transfer mechanism(s), any UK addendum, and whether a transfer impact assessment is needed.
7. Data retention
- Account data and Content are kept while your subscription is active, plus a grace period of 14 days after cancellation or expiry, after which they are deleted.
- Logs (including IP address and API request logs) are retained for 12 months for security and legal purposes. 90 days
- When you delete your account, we hard-delete your Content and associated data (subject to any data we are legally required to keep, and to standard backup rotation).
8. Security
We take reasonable technical and organisational measures to protect your data, including:
- Encryption in transit (HTTPS/TLS) between the plugin, the API, and storage/CDN.
- Access controls limiting who and what can access systems and data.
- Presigned URLs for uploads, so upload access is scoped and time-limited.
- API-key authentication for all API requests.
No system can be guaranteed 100% secure, but we work to protect your data and to keep our security measures up to date.
9. Your rights
Depending on where you live, you have rights over your personal data.
Under the GDPR (EEA / UK), you have the right to:
- Access the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure (“right to be forgotten”).
- Data portability / export — receive your data in a portable format.
- Restriction of processing.
- Objection to processing based on legitimate interests.
- Withdraw consent at any time, where we rely on consent.
- Complain to a supervisory authority in your country.
Under the CCPA/CPRA (California), you have the right to:
- Know what personal information we collect and how we use it.
- Access / delete your personal information.
- Opt out of any “sale” or “sharing” of personal information (we do not sell your personal information).
- Non-discrimination for exercising your rights.
How to exercise your rights
- Self-service data export — you can export your data from your account dashboard.
- Self-service account deletion (hard delete) — you can delete your account and Content from your account dashboard.
- For any other request, or if you need help, email [email protected].
We will respond within the timeframes required by applicable law.
10. Cookies
Our marketing site and dashboard may use cookies and similar technologies, for example to keep you logged in and to understand site usage.
We use only essential cookies needed to operate the website and dashboard (such as session, login, and security cookies). We do not use third-party advertising cookies. — list the cookies/categories used (strictly necessary, preferences, analytics, etc.), their purposes and lifetimes, whether a consent banner is shown, and how to manage preferences.
11. Children
The Service is not directed to children and is not intended for anyone under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact [email protected] and we will take appropriate steps to delete it.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will update the “Last updated / Effective date” at the top of this document and, where appropriate, notify you. The current version is effective as of 16 June 2026.