Privacy
Privacy Policy
Last updated: 13 July 2026
This policy explains how Rosenheinrich Software Solutions (Phillip Rosenheinrich, Destouchesstr. 3, 80803 Munich, Germany — “we”, “us”) processes personal data when you use the multisitemigrate.com website, customer account, and license services for Multisite Migrate. Provider details are in our Legal Notice.
Not legal advice. This text reflects our current product behaviour. Have a qualified lawyer review it for your situation.
WordPress plugin (on your server)
The free Multisite Migrate WordPress plugin runs on infrastructure you control. Backup archives, database dumps, and stored credentials remain on your servers unless you configure remote destinations (for example cloud storage). We do not receive that site content through normal plugin use.
Licensed features may contact our license server with a license key and site URL to validate or activate your license. Optional cloud connectors (Google Drive, Dropbox) use an OAuth proxy on our license server; authorization codes and tokens are exchanged in transit and are not stored in our database.
Google user data
If you connect Google Drive as a backup destination in Multisite Migrate, the plugin requests access through Google OAuth using the drive.file scope. That scope limits access to backup files that Multisite Migrate creates or opens in your Google Drive account.
- What we access: backup archives that the plugin uploads, lists, downloads, or deletes in your Google Drive (typically in a dedicated folder).
- Why: to store, restore, import, or remove your WordPress backups when you request it. We do not read unrelated files in your Drive.
- How authorization works: you sign in with Google; our license server at multisitemigrate.rosenheinrich.com acts as an OAuth proxy so your site can receive tokens without embedding client secrets in the plugin.
- Where data is stored: backup files stay in your Google Drive. OAuth access and refresh tokens are stored in your WordPress database on your server. Our license server keeps tokens only in short-lived temporary storage during the authorization handshake and when proxying token refresh — not in our customer database.
- Sharing: we do not sell Google user data and do not use it for advertising.
- Limited use: our use of Google user data is limited to providing and improving the backup and restore features you enable, in line with the Google API Services User Data Policy (including the Limited Use requirements).
- Revoking access: disconnect Google Drive in the plugin settings, or remove Multisite Migrate under your Google Account permissions.
Data we process on this website
- Account & checkout: email address, name, phone number (optional), password (stored only as a secure hash), and Stripe customer ID after purchase.
- Licenses & activations: license key, plan tier, status, expiry, linked email, activated site URL, and plugin version.
- Authentication: session token in an HTTP-only cookie (
mm_web_auth), browser user agent, and last-used timestamp. Magic-link login uses a short-lived token sent by email. - Billing: payment and billing details are collected and processed by Stripe (card data, billing address, tax information). We receive limited billing metadata from Stripe (customer ID, subscription status, invoices).
- Server & security logs: IP address, request metadata, and timestamps in standard web-server logs and in our license audit log (failed validation attempts and activations; retained up to 90 days).
- Functional cookies: authentication session, optional billing-currency preference (
mm_billing_currency, 1 year), and language preference cookies if you use our multilingual setup. - Email: transactional messages (welcome, login links, license delivery, billing notices) via our mail infrastructure.
Cookies and consent
When you visit multisitemigrate.com, we use cookies and similar technologies. Some are strictly necessary for the site to work; others help us remember preferences or — with your consent — support marketing and conversion measurement.
Consent management
On your first visit, a WPConsent Pro consent banner lets you accept or reject non-essential cookies by category. You can reopen your choices at any time via the cookie settings control on the site.
- Essential: always active — required for login, checkout, security, language routing, and storing your consent decision.
- Functional: optional attribution cookie when you arrive from the WordPress plugin (
mm_plugin_utm). - Marketing: opt-in only — Google Tag Manager, Google Ads (remarketing and conversion measurement), and LinkedIn Insight Tag.
Marketing cookies and tags load only after you opt in. Legal basis: Art. 6(1)(a) GDPR (consent). In Germany, storing or accessing information on your device for marketing purposes also requires consent under TTDSG § 25(1).
First-party cookies
mm_web_auth— account session — session / auth TTL — Essentialmm_billing_currency— EUR/USD billing preference — 1 year — Essentialmm_plugin_utm— plugin-to-site marketing attribution — 7 days — Functional- Language / locale cookies — multilingual routing — varies — Essential
- WPConsent cookies — stores your consent choices — per WPConsent documentation — Essential
Marketing and third-party technologies (consent only)
These load only if you opt in to the Marketing category:
- Google Tag Manager — tag container that loads Google Ads remarketing and conversion tags after marketing consent.
- Google Ads — remarketing and conversion measurement. Google Privacy Policy · Google Ads Settings (opt-out)
- LinkedIn Insight Tag — B2B remarketing and conversion measurement. LinkedIn Privacy Policy
- Google Consent Mode v2 — marketing storage defaults to denied until you opt in; WPConsent sends consent updates to Google tags.
Third-party providers may set their own cookies (for example for ad identifiers). Retention is typically 30–90 days, depending on the provider and your browser settings.
Cookieless analytics
MM Metrics (mmTrack / mmq) is a first-party, cookieless funnel analytics tool on this site. It helps us understand how visitors move through pricing and checkout without setting marketing cookies and without requiring marketing consent.
Retention and withdrawal
You can withdraw marketing consent at any time via the WPConsent cookie settings control. Withdrawal does not affect processing that was lawful before withdrawal. Essential and functional cookies remain active where necessary for the site to function.
Purposes and legal bases (GDPR)
- Contract performance (Art. 6(1)(b)): account creation, license provisioning, checkout, subscription management, and support related to your purchase.
- Legitimate interests (Art. 6(1)(f)): fraud prevention, rate limiting, security logging, cookieless funnel analytics, and keeping our services reliable — balanced against your rights.
- Legal obligation (Art. 6(1)(c)): tax and accounting records where applicable.
- Consent (Art. 6(1)(a)): marketing/remarketing cookies and tags (Google Tag Manager, Google Ads, LinkedIn) — loaded only after you opt in via the WPConsent banner; essential and functional cookies do not require this consent.
Recipients and processors
- Stripe, Inc. — payment processing and customer billing portal. Stripe Privacy Policy
- Google Ireland Ltd. — Google Tag Manager, Google Ads, and Google Consent Mode (marketing, consent-based). Google Privacy Policy
- LinkedIn Ireland Unlimited Company — LinkedIn Insight Tag (marketing, consent-based). LinkedIn Privacy Policy
- Hosting provider — operation of this website and databases (EU/EEA or with appropriate safeguards).
- Cloud / CDN providers (if enabled) — may see IP addresses and request metadata (for example country detection for currency display).
- Email delivery — providers used to send transactional email.
We do not sell your personal data.
International transfers
Stripe, Google, LinkedIn, and some infrastructure providers may process data in the United States or other countries outside the EU/EEA. Where required, transfers rely on appropriate safeguards such as the EU Standard Contractual Clauses and the provider’s data-processing terms.
Retention
- Customer account and license records: for the life of your account or license, plus statutory retention periods for invoices.
- Checkout staging data (before payment completes): up to 24 hours.
- Magic-link tokens: up to 24 hours.
- License audit log entries: up to 90 days, then deleted automatically.
- Server logs: according to hosting configuration (typically weeks to months).
- Marketing cookies (when consented): typically 30–90 days, depending on the provider; you can clear them by withdrawing consent or deleting browser cookies.
Your rights
Under the GDPR you may have the right to:
- access, rectify, or erase your personal data;
- restrict or object to certain processing;
- data portability where applicable;
- withdraw consent at any time (without affecting prior lawful processing);
- lodge a complaint with a supervisory authority — in Germany, your local state data-protection authority (Landesdatenschutzbehörde).
To exercise your rights, email [email protected]. You can also manage billing details in the customer account or Stripe customer portal where available.
Security
Passwords are stored hashed. Sessions use HTTP-only cookies. Access to production systems is restricted. No method of transmission over the Internet is 100% secure; we work to protect your data with reasonable technical and organisational measures.
Children
Our services are aimed at businesses and site administrators. We do not knowingly collect data from children under 16.
Changes
We may update this policy when our services or legal requirements change. The “Last updated” date at the top indicates the current version.
Contact
Phillip Rosenheinrich · Rosenheinrich Software Solutions · Destouchesstr. 3 · 80803 Munich · Germany
Email: [email protected]