Hi Elliot,
The GDPR (as far as I understand it) is to inform your users about the information you save about them, why you need this information, how long you’ll retain the information, and give them the option to view this information and let them delete it if necessary.
You also can’t use information gathered for one purpose for a different one (i.e. an e-mail address entered in a contact form can’t be used to send a newsletter to without the explicit agreement from the user).
If you save any information that can track back to an individual user, this falls under the GDPR. So you might want to let people know exactly which information is sent to ACF when entering the license key. For instance, you say ‘This information includes the versions of ACF and WP installed, website name, website URL, website language and timezone’. This is all information that can’t be tracked to an individual (multiple people can be working on that website). It’ll still be good form to let it be known that you’re saving the information and why, of course. However, is this all the information that is sent (the term ‘includes’ implies that there might be more)? Is there information sent which individually identifies the user who enters the license key (such as used IP-address)? In that case, that falls under GDPR and that means the user must consent to having this information saved.
As far as I can tell, there’s no information saved by ACF about the end-user (i.e. the regular visitor to the website that uses ACF). Is this correct? Because if there IS information saved by ACF, I then need to let my end-users know and you might need to set up a processor agreement as you’re then processing personal information about my visitors.
Again, this is my understanding about the GDPR. If anyone else can weigh in, that would be awesome 🙂
Kind regards,
Vivienne
