Privacy

What Fenerly collects

Fenerly is a website health scanner for WordPress agencies. We collect three kinds of data, all of it minimal and all of it in service of the score we show you.

1. From the public scanner (fenerly.com/scan)

• The URL you submit.
• A salted SHA-256 hash of your IP, used to rate-limit abuse. We never store the raw IP.
• The pillar scores we compute for that URL.
• Your email, only if you explicitly enter it in the “email me when scores change” box. Used for that purpose only.

2. From the WordPress plugin (when you install + connect)

• The site URL the plugin runs on.
• WordPress version, PHP version, Fenerly plugin version.
• Internal pillar scores: PHP error log size, WP-Cron firing status, debug-mode flag, list of installed plugins + versions, etc. No post content, no comments, no user data, no admin actions.

The plugin only sends data after you click “Connect to Fenerly” in WP admin. Before that, no outbound HTTP. The plugin is GPL-licensed; you can read the source at github.com/timelfrink/fenerly-plugin.

3. From the agency dashboard (when you sign up)

• Your email address, for sign-in via magic link.
• Your agency name and your role (owner / member).
• The sites you've connected and their scan history.

Where the data lives

All data is stored in a Postgres database hosted by Hetzner Online GmbH in Falkenstein, Germany. Daily backups are encrypted at rest, also in Germany. We don't use Vercel, AWS, or any other cloud provider; everything runs on one EU-hosted server.

Third-party services

To make Fenerly work we send some data through three external services. Each is named here so you can audit them:

• Cloudflare (DNS + DDoS protection). Inbound HTTP requests transit Cloudflare before reaching our server.
• Google CrUX API. When we scan a URL we ask Google whether it has real-user performance data for that URL. Google sees the URL but no user information.
• Postmark. We use Postmark to send sign-in magic links. Postmark sees your email address and the contents of the email.

We do not use Google Analytics, Mixpanel, Segment, or any other behavioural analytics tool.

How long we keep data

• Public scan results: retained indefinitely so shareable links don't break. Email submitted for follow-up scans is deleted on request.
• Connected-site scan history: retained for as long as the site is connected. When you disconnect a site or delete it from the dashboard, the site row and all its scan history are hard-deleted immediately.
• Agency + user accounts: retained while active. Email hello@fenerly.com to delete your account; we'll respond within 30 days.

Your rights (GDPR)

If you're in the EU, EEA, or UK, you have the right to access, correct, delete, and port your personal data, and to object to processing. The fastest way to exercise any of these rights is to email hello@fenerly.com — we'll respond within 30 days.

Our legal basis for processing is legitimate interest for the scanner (you submitted a URL; we score it) and contractual necessity for the dashboard (you signed up; we need to give you the service).

Cookies

We use one session cookie for the dashboard sign-in. No tracking cookies, no third-party ad cookies, no consent banner because there's nothing to consent to.

Changes to this policy

When we change this page in a material way we'll update the “Last updated” date at the top. For breaking changes (new data we collect, new third-party processors) we'll email everyone with a dashboard account.

Contact

Privacy questions, data requests, or anything you want clarified: hello@fenerly.com.

This text is honest about today's implementation but hasn't been lawyer-reviewed. If you need a legally binding version for procurement, email us and we'll prioritise it.