
Privacy and Data Usage

This page explains what data Guard Dog collects, how it’s used, and privacy considerations for site administrators.

Overview

Guard Dog is privacy-focused:

  • ✅ No data sent to external servers, except to the CAPTCHA and email providers you explicitly enable (see Data Sent to Third Parties below)
  • ✅ All data stored locally on your WordPress database
  • ✅ No tracking or analytics of your site
  • ✅ No phone-home functionality
  • ✅ Open source and auditable

Data Collected by Guard Dog

Data Stored Locally

Guard Dog stores the following data in your WordPress database:

User Settings

What: User-specific 2FA settings, recovery codes, temporary user metadata

Where: WordPress user meta table (wp_usermeta)

Examples:

  • 2FA enabled status
  • TOTP secret key (encrypted)
  • Recovery codes (hashed)
  • Email 2FA preferences
  • Temporary user expiration date

Purpose: Provide security features per user

Retention: Until user deletes account or disables feature

Activity Logs

What: Records of security events and user actions

Where: Custom table (wp_guard_dog_activity_log)

Examples:

  • Login attempts (success and failure)
  • IP addresses
  • Usernames attempted
  • Action timestamps
  • Event details (what changed, who did it)

Purpose: Security monitoring, troubleshooting, compliance

Retention: Configurable (30-365 days or indefinite)

Failed Login Attempts

What: IP addresses with failed login attempts and lockout status

Where: Custom table (wp_guard_dog_login_attempts)

Examples:

  • IP address
  • Number of failed attempts
  • Last attempt timestamp
  • Lockout expiry time

Purpose: Prevent brute-force attacks

Retention: Until lockout expires or successful login

Plugin Settings

What: Configuration settings for Guard Dog features

Where: WordPress options table (wp_options)

Examples:

  • Custom login URL
  • CAPTCHA provider and keys
  • Access control rules
  • Email provider configuration

Purpose: Store plugin configuration

Retention: Until plugin is deleted

Data Sent to Third Parties

Guard Dog only sends data to third parties when specific features are enabled:

CAPTCHA Providers (When CAPTCHA Enabled)

What providers:

  • Google reCAPTCHA (v2 and v3)
  • hCaptcha
  • Cloudflare Turnstile

Data sent:

  • User’s IP address
  • Browser/device information
  • Mouse movements and timing (reCAPTCHA v3)
  • CAPTCHA response token
  • Your site domain

When: When user accesses login/registration page or submits form

Why: Verify user is human, not bot

Privacy policies: Review the chosen provider’s published privacy policy before enabling it; it governs what the provider does with the data listed above.

Your control: Choose privacy-focused providers (Turnstile, hCaptcha) or disable CAPTCHA
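The list above describes what the provider receives; the server-side half of a CAPTCHA check is the one part of that exchange you control. The following is an added example written for this page, not Guard Dog’s own code: it performs the siteverify call for each of the three providers and returns, alongside the verdict, the exact field names that left your server. The endpoints are the providers’ published siteverify URLs; the `remoteip` field is optional with all three, so the example omits it by default. The `gd_example_` function names and the `$send_ip` switch are assumptions for this illustration, and the browser-side widget still contacts the provider directly regardless of this setting.

```php
<?php
// Added example, not Guard Dog code. Requires WordPress (wp_remote_post, is_wp_error).

function gd_example_siteverify_url( string $provider ): string {
    $urls = [
        'turnstile' => 'https://challenges.cloudflare.com/turnstile/v0/siteverify',
        'hcaptcha'  => 'https://api.hcaptcha.com/siteverify',
        'recaptcha' => 'https://www.google.com/recaptcha/api/siteverify',
    ];
    if ( ! isset( $urls[ $provider ] ) ) {
        throw new InvalidArgumentException( "Unknown CAPTCHA provider: {$provider}" );
    }
    return $urls[ $provider ];
}

/**
 * Verify a CAPTCHA response token with the provider.
 *
 * $send_ip controls the optional `remoteip` field. All three providers accept it
 * and none require it, so leaving it out (the default here) keeps the visitor's
 * IP out of the server-to-provider call. The provider already saw that IP when
 * the widget loaded in the browser; this only minimises what *your server* sends.
 *
 * Returns [ 'ok' => bool, 'error' => ?string, 'sent' => string[] ] where 'sent'
 * lists the field names transmitted, for your Record of Processing Activities.
 */
function gd_example_verify_captcha( string $provider, string $secret, string $token, ?string $visitor_ip, bool $send_ip = false ): array {
    if ( $token === '' ) {
        // Nothing to verify: fail closed without contacting the provider at all.
        return [ 'ok' => false, 'error' => 'missing-token', 'sent' => [] ];
    }
    $body = [ 'secret' => $secret, 'response' => $token ];
    if ( $send_ip && $visitor_ip !== null ) {
        $body['remoteip'] = $visitor_ip;
    }
    $resp = wp_remote_post( gd_example_siteverify_url( $provider ), [
        'timeout' => 5,
        'body'    => $body,
    ] );
    if ( is_wp_error( $resp ) ) {
        // Fail closed: an unreachable provider must not let a bot through.
        return [ 'ok' => false, 'error' => $resp->get_error_message(), 'sent' => array_keys( $body ) ];
    }
    $json = json_decode( wp_remote_retrieve_body( $resp ), true );
    $ok   = is_array( $json ) && ! empty( $json['success'] );
    // reCAPTCHA v3 returns a 0.0-1.0 score rather than a plain pass; treat low scores as failure
    // (0.5 is the assumed threshold here; tune it against your own traffic).
    if ( $ok && isset( $json['score'] ) && (float) $json['score'] < 0.5 ) {
        $ok = false;
    }
    return [
        'ok'    => $ok,
        'error' => $ok ? null : implode( ',', $json['error-codes'] ?? [ 'verification-failed' ] ),
        'sent'  => array_keys( $body ),
    ];
}

// Usage at login. The hidden form field is named by the widget:
// cf-turnstile-response, h-captcha-response or g-recaptcha-response.
// $result = gd_example_verify_captcha( 'turnstile', $turnstile_secret,
//     $_POST['cf-turnstile-response'] ?? '', $_SERVER['REMOTE_ADDR'] ?? null );
```

Note that the secret key itself is one of the fields sent, which is expected: it authenticates your site to the provider. What you can keep out of the call is the visitor’s IP, and the `sent` list lets you state in your privacy policy exactly which fields your server transmits.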

Email Providers (When Email 2FA Enabled)

What providers:

  • Amazon SES
  • Resend
  • SendGrid

Data sent:

  • Recipient email address
  • 2FA verification code
  • Your site name (from address)

When: User triggers email 2FA

Why: Deliver 2FA codes via email

Privacy policies: Review the chosen provider’s published privacy policy before enabling it; the provider handles the recipient address and the code in transit.

Your control: Use app-based 2FA instead or choose different provider

Data NOT Collected

Guard Dog explicitly does not collect:

  • ❌ Passwords (even hashed passwords aren’t logged)
  • ❌ Actual 2FA codes (not stored after verification)
  • ❌ User browsing behavior
  • ❌ Analytics or usage statistics
  • ❌ Personal content of posts/pages
  • ❌ Email addresses (except for logging user creation/changes)
  • ❌ Payment information

Privacy by Feature

Custom Login URL

Data collected: None beyond standard WordPress login

Privacy impact: Low – collects nothing beyond the standard login. Note that hiding the login URL is obscurity, not a substitute for login limiting or 2FA.

CAPTCHA Protection

Data collected: See CAPTCHA Providers above

Privacy impact:

  • High with Google reCAPTCHA (tracking, cookies)
  • Low with hCaptcha or Cloudflare Turnstile (privacy-focused)

Mitigation: Choose privacy-focused CAPTCHA providers

Two-Factor Authentication (App-Based)

Data collected:

  • 2FA secret key (stored encrypted locally)
  • Recovery codes (stored hashed locally)
  • No external data transmission

Privacy impact: None – All operations happen locally

Two-Factor Authentication (Email-Based)

Data collected:

  • Email address
  • Sent to your configured email provider

Privacy impact: Medium – Email provider sees addresses

Mitigation: Use reputable email provider with privacy policy

Login Attempt Limiting

Data collected:

  • IP addresses
  • Failed attempt timestamps

Privacy impact: Low – IP addresses stored temporarily

Data retention: Until lockout expires

Access Control

Data collected:

  • IP addresses (in whitelist/blacklist)
  • Usernames (in whitelist/blacklist)

Privacy impact: Low – Stored as configuration, not tracking

Activity Log

Data collected:

  • User actions and events
  • IP addresses
  • Timestamps
  • Event details

Privacy impact: Medium – Comprehensive activity tracking

Mitigation:

  • Configure auto-cleanup
  • Limit events logged
  • Inform users about logging

Temporary User Access

Data collected:

  • Username
  • Display email (not used for sending)
  • Creation date
  • Expiry date
  • Access token

Privacy impact: Low – Data auto-deleted at expiry


GDPR Compliance

Guard Dog can be used in a GDPR-compliant manner, but you have responsibilities as the site administrator.

Your GDPR Obligations

1. Update Privacy Policy

Your site’s privacy policy must disclose what Guard Dog collects, why, for how long, and which third parties are involved.

Example text:

Security Monitoring

This site uses Guard Dog security plugin to protect against unauthorized access. We collect and process the following data for security purposes:

  • IP addresses of login attempts (retained for 90 days)
  • Username and email address when creating accounts
  • Activity logs of user actions (retained for 90 days)
  • Two-factor authentication settings

CAPTCHA

This site uses [Provider Name] to verify that login and registration attempts are made by humans. [Provider Name] may collect information including your IP address and browser data. See Provider’s Privacy Policy for details.

Legal Basis: Legitimate interest in protecting our website and user data from security threats.

Your Rights: You may request access to, correction of, or deletion of your personal data. Contact [your email] for such requests.

2. Provide Data Access

Users have the right to access their data. You must provide:

  • Their activity log entries
  • Their 2FA settings
  • Their access control status
  • Any temporary access created for them

How: Export from Activity Log, filter by user

3. Honor Deletion Requests

When user requests data deletion:

  1. Delete their WordPress account (standard WordPress)
  2. Clear activity log entries for that user
  3. Remove from any access control lists
  4. Delete temporary access records

Retention exceptions: Some records may be kept where a legitimate interest outweighs the request, for example security logs of attacks (GDPR Art. 17(3) lists the exemptions). Document what you keep and why, and tell the requester.

4. Document Your Processing

Maintain a “Record of Processing Activities”:

  • What data you collect (IP addresses, activity logs)
  • Why you collect it (security, fraud prevention)
  • How long you retain it (90 days, 1 year, etc.)
  • Who has access (administrators only)
  • Any third parties (CAPTCHA providers)

GDPR-Compliant Configuration

Recommended settings:

  1. CAPTCHA: Use hCaptcha or Cloudflare Turnstile (privacy-focused)
  2. Activity Log:
     • Enable auto-cleanup (90 days)
     • Limit to necessary events
     • Document purpose in privacy policy
  3. IP Addresses:
     • Necessary for security
     • Auto-delete old data (login attempts, expired lockouts)
     • Document as legitimate interest
  4. Data Export:
     • Ability to export activity logs
     • Provide user-specific data on request
  5. Consent:
     • For CAPTCHA: Cookie consent banner (if using Google reCAPTCHA)
     • For security logging: Legitimate interest, inform in privacy policy

Data Protection Impact Assessment (DPIA)

For high-risk processing, conduct a DPIA:

When needed:

  • Large-scale systematic monitoring of a publicly accessible area
  • Large-scale processing of special-category data (health, biometrics, etc.)
  • Systematic profiling or automated decisions with legal or similarly significant effects

Guard Dog alone rarely triggers DPIA, but consider if:

  • Combined with other extensive monitoring
  • Site handles sensitive data (health, financial)
  • Very large scale (millions of users)

Data Subject Rights

Users have rights under GDPR:

Right                 How Guard Dog Complies
Access                Export activity logs for the user
Rectification         Edit user data in WordPress
Erasure               Delete user account, clear logs (security records may be retained; see above)
Restrict processing   Disable 2FA, stop logging for the user
Data portability      Export logs in CSV/JSON (portability strictly covers data the user supplied under consent or contract, so providing log data this way is a courtesy rather than an obligation)
Object                Document the legitimate interest in security and assess each objection
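The access, deletion and rights passages above all come down to the same operation: find one user’s rows in wp_guard_dog_activity_log and either export them or delete them, keeping any records you retain under legitimate interest. As an added example that is not Guard Dog’s own code, the snippet below registers that table with WordPress core’s own privacy tooling (Tools → Export Personal Data and Tools → Erase Personal Data, present since WordPress 4.9.6), so requests are verified, fulfilled and recorded by core rather than by hand. The column names (user_id, ip, action, details, created_at), the action names kept as security records (login_failed, lockout) and all `gd_example_` identifiers are assumptions for this illustration; the plugin’s real schema is not documented on this page.

```php
<?php
// Added example, not Guard Dog code. Assumed columns: id, user_id, ip, action, details, created_at.

add_filter( 'wp_privacy_personal_data_exporters', 'gd_example_register_exporter' );
add_filter( 'wp_privacy_personal_data_erasers', 'gd_example_register_eraser' );

function gd_example_register_exporter( array $exporters ): array {
    $exporters['gd-example-activity-log'] = [
        'exporter_friendly_name' => 'Guard Dog activity log',
        'callback'               => 'gd_example_export_activity',
    ];
    return $exporters;
}

function gd_example_register_eraser( array $erasers ): array {
    $erasers['gd-example-activity-log'] = [
        'eraser_friendly_name' => 'Guard Dog activity log',
        'callback'             => 'gd_example_erase_activity',
    ];
    return $erasers;
}

/** Export one page of the user's log rows; core keeps calling until 'done' is true. */
function gd_example_export_activity( string $email_address, int $page = 1 ): array {
    global $wpdb;
    $user = get_user_by( 'email', $email_address );
    if ( ! $user ) {
        return [ 'data' => [], 'done' => true ];
    }
    $per_page = 100;
    $table    = $wpdb->prefix . 'guard_dog_activity_log';   // assumed schema, see lead-in
    $rows     = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, ip, action, details, created_at FROM {$table} WHERE user_id = %d ORDER BY id LIMIT %d OFFSET %d",
        $user->ID, $per_page, ( $page - 1 ) * $per_page
    ) ) ?: [];

    $items = [];
    foreach ( $rows as $row ) {
        $items[] = [
            'group_id'    => 'guard-dog-activity',
            'group_label' => 'Security activity log',
            'item_id'     => 'gd-activity-' . $row->id,
            'data'        => [
                [ 'name' => 'Time',       'value' => $row->created_at ],
                [ 'name' => 'Action',     'value' => $row->action ],
                [ 'name' => 'IP address', 'value' => $row->ip ],
                [ 'name' => 'Details',    'value' => $row->details ],
            ],
        ];
    }
    return [ 'data' => $items, 'done' => count( $rows ) < $per_page ];
}

/**
 * Erase the user's rows but keep attack/lockout records retained under
 * legitimate interest, and report them as retained so the request record
 * shows exactly what was kept and why.
 */
function gd_example_erase_activity( string $email_address, int $page = 1 ): array {
    global $wpdb;
    $user = get_user_by( 'email', $email_address );
    if ( ! $user ) {
        return [ 'items_removed' => false, 'items_retained' => false, 'messages' => [], 'done' => true ];
    }
    $table = $wpdb->prefix . 'guard_dog_activity_log';
    $keep  = [ 'login_failed', 'lockout' ];                           // assumed action names
    $in    = implode( ',', array_fill( 0, count( $keep ), '%s' ) );
    $removed = $wpdb->query( $wpdb->prepare(
        "DELETE FROM {$table} WHERE user_id = %d AND action NOT IN ({$in})",
        array_merge( [ $user->ID ], $keep )
    ) );
    $retained = (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$table} WHERE user_id = %d", $user->ID
    ) );
    $messages = [];
    if ( $retained > 0 ) {
        $messages[] = sprintf( '%d security events retained for the configured retention period (legitimate interest).', $retained );
    }
    return [
        'items_removed'  => (int) $removed > 0,
        'items_retained' => $retained > 0,
        'messages'       => $messages,
        'done'           => true,
    ];
}
```

Once registered, the core screens handle request verification by email, pagination and the final report, and the `messages` entry surfaces the retained-records caveat to whoever processes the request instead of leaving it implicit.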

CCPA Compliance (California)

California Consumer Privacy Act has similar requirements:

Your CCPA Obligations

  1. Disclose data collection in privacy policy
  2. Provide opt-out for data selling (Guard Dog doesn’t sell data)
  3. Honor access requests (provide user data)
  4. Honor deletion requests (delete user data)

Guard Dog doesn’t “sell” data, simplifying CCPA compliance.

CCPA-Compliant Privacy Policy Text

California Residents

Under the California Consumer Privacy Act (CCPA), you have the right to:

  • Know what personal information we collect
  • Access your personal information
  • Delete your personal information
  • Opt-out of sale of personal information (we don’t sell data)

To exercise these rights, contact [your email].


Other Privacy Regulations

PIPEDA (Canada)

Similar to GDPR:

  • Consent required for collection, use and disclosure, subject to limited statutory exceptions
  • Right to access and correct
  • Security safeguards required

Guard Dog helps with security safeguards requirement.

LGPD (Brazil)

Brazilian data protection law:

  • Similar to GDPR
  • Requires lawful basis for processing
  • Data subject rights

Compliance approach similar to GDPR.

Other Jurisdictions

Check your local data protection laws for:

  • Consent requirements
  • Data retention limits
  • Cross-border transfer restrictions
  • Notification requirements for breaches

Privacy Best Practices

1. Minimize Data Collection

Only enable activity log events you actually need:

  • ✅ Security events
  • ✅ User management
  • ❌ Every post update (too granular)

2. Implement Data Retention

Don’t keep data forever:

  • Activity logs: 90-180 days
  • Failed logins: Until lockout expires
  • Temporary users: Auto-delete at expiry

3. Secure Data Storage

  • ✅ Use HTTPS for all connections
  • ✅ Regular database backups (encrypted)
  • ✅ Limit admin access to logs
  • ✅ Keep WordPress/PHP updated

4. Anonymize When Possible

For statistics, anonymize:

  • Truncate IP addresses: drop the last octet of an IPv4 address (203.0.113.x instead of 203.0.113.50) and at least the last 80 bits of an IPv6 address
  • Use hashed identifiers instead of emails
  • Aggregate data for reporting
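The three anonymisation steps above are easy to get subtly wrong: a bare hash of an email address can be reversed by hashing a list of known addresses, and truncating only the last group of an IPv6 address leaves a single subscriber identifiable. As an added example that is not Guard Dog’s own code, the plain PHP below implements all three steps with those pitfalls handled, and goes beyond the text in treating IPv6 as well as IPv4, rejecting unparsable addresses rather than storing them, and using a keyed HMAC for pseudonyms. The `gd_example_` names and the sample rows are constructed for this illustration; `$stats_key` is assumed to be loaded from somewhere outside the database, such as wp-config.php. WordPress core ships a comparable `wp_privacy_anonymize_ip()` if you prefer to use it.

```php
<?php
// Added example, not Guard Dog code. Plain PHP 7.1+, no WordPress dependency.

/**
 * Zero the host part of an IP address before it is stored for statistics.
 *   IPv4: drop the last octet   -> 203.0.113.50 becomes 203.0.113.0 (the page's "203.0.113.x")
 *   IPv6: drop the last 80 bits -> 2001:db8:85a3:8d3:1319:8a2e:370:7348 becomes 2001:db8:85a3::
 * Returns null for anything that does not parse, so callers never store garbage.
 */
function gd_example_anonymize_ip( string $ip ): ?string {
    $packed = @inet_pton( trim( $ip ) );   // @: invalid input emits a warning and returns false
    if ( $packed === false ) {
        return null;
    }
    if ( strlen( $packed ) === 4 ) {
        $packed[3] = "\0";                                          // keep the /24
    } else {
        $packed = substr( $packed, 0, 6 ) . str_repeat( "\0", 10 ); // keep the /48
    }
    return inet_ntop( $packed );
}

/**
 * Keyed pseudonym for an identifier such as an e-mail address.
 * sha256(email) alone is reversible by hashing a dictionary of addresses; an
 * HMAC under a secret that is not stored in the database is not. Rotating
 * $key breaks linkability between reporting periods.
 */
function gd_example_pseudonymize( string $identifier, string $key ): string {
    $normalized = strtolower( trim( $identifier ) );   // Alice@ and alice@ are the same account
    return substr( hash_hmac( 'sha256', $normalized, $key ), 0, 32 );
}

/**
 * Aggregate raw log rows into per-network counts plus a distinct-account
 * count, keeping no IP, e-mail or pseudonym in the result.
 * Each row: [ 'ip' => string, 'email' => string, 'result' => 'fail' | 'success' ].
 */
function gd_example_aggregate( array $rows, string $key ): array {
    $seen   = [];   // network => [ pseudonym => true ]; discarded before returning
    $report = [];
    foreach ( $rows as $row ) {
        $net = gd_example_anonymize_ip( $row['ip'] );
        if ( $net === null ) {
            continue;                                   // unparsable: drop, do not store
        }
        $result = $row['result'] === 'success' ? 'success' : 'fail';
        $report[ $net ][ $result ] = ( $report[ $net ][ $result ] ?? 0 ) + 1;
        $seen[ $net ][ gd_example_pseudonymize( $row['email'], $key ) ] = true;
    }
    foreach ( $seen as $net => $pseudonyms ) {
        $report[ $net ]['accounts'] = count( $pseudonyms );
    }
    return $report;
}

// Constructed sample input for the demonstration (not real log data).
$sample_rows = [
    [ 'ip' => '203.0.113.50', 'email' => 'Alice@Example.org', 'result' => 'fail' ],
    [ 'ip' => '203.0.113.77', 'email' => 'alice@example.org', 'result' => 'success' ],
    [ 'ip' => '2001:db8:85a3:8d3:1319:8a2e:370:7348', 'email' => 'bob@example.org', 'result' => 'fail' ],
    [ 'ip' => 'not-an-ip',    'email' => 'eve@example.org',   'result' => 'fail' ],
];
$stats_key = 'assumed-secret-loaded-from-wp-config-not-the-database';   // assumption
print_r( gd_example_aggregate( $sample_rows, $stats_key ) );
```

The two 203.0.113.* rows collapse into one 203.0.113.0 bucket and, thanks to the case normalisation, count as a single account; the IPv6 row is reduced to its /48; the malformed row is dropped. Dropping 80 bits of IPv6 rather than the last group matters because a /64 is routinely a single household or server, so an address with only 16 bits removed still identifies the subscriber.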

5. Inform Users

Be transparent:

  • Update privacy policy
  • Inform about CAPTCHA usage
  • Document purpose of logging
  • Provide contact for questions

6. Regular Audits

Periodically review:

  • What data is being collected
  • How long it’s retained
  • Who has access
  • Whether it’s still necessary
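The retention periods in practice 2 and the audit questions in practice 6 are worth checking against the database rather than against the settings screen, since a misconfigured or stalled cleanup only shows up in the data. As an added example that is not Guard Dog’s own code, the script below reports, for each of the plugin’s two custom tables, the oldest row and the number of rows older than the retention you documented, and purges them only when run with `$dry_run = false`. The table names are the ones this page gives; the timestamp columns (created_at, lockout_expires), the assumption that they hold UTC, and the `gd_example_` identifiers are guesses for this illustration.

```php
<?php
// Added example, not Guard Dog code. Run from WP-CLI (`wp eval-file retention-audit.php`)
// or hook it into WP-Cron as shown at the bottom. Assumes WordPress is loaded.

/** Documented retention per table: [ timestamp column, max age in days ]. Assumed columns. */
function gd_example_retention_policy(): array {
    return [
        'guard_dog_activity_log'   => [ 'created_at',      90 ],   // matches the example privacy policy
        'guard_dog_login_attempts' => [ 'lockout_expires',  0 ],   // 0 = remove as soon as the lockout has expired
    ];
}

/**
 * Audit (and optionally purge) rows that exceed the documented retention.
 * Returns table => [ oldest, cutoff, stale, deleted ] for your audit record.
 */
function gd_example_retention_audit( bool $dry_run = true ): array {
    global $wpdb;
    $report = [];
    foreach ( gd_example_retention_policy() as $suffix => [ $column, $days ] ) {
        $table  = $wpdb->prefix . $suffix;
        $cutoff = gmdate( 'Y-m-d H:i:s', time() - $days * DAY_IN_SECONDS );   // assumes UTC timestamps
        $stale  = (int) $wpdb->get_var( $wpdb->prepare(
            "SELECT COUNT(*) FROM {$table} WHERE {$column} < %s", $cutoff
        ) );
        $oldest  = $wpdb->get_var( "SELECT MIN({$column}) FROM {$table}" );
        $deleted = 0;
        if ( ! $dry_run && $stale > 0 ) {
            $deleted = (int) $wpdb->query( $wpdb->prepare(
                "DELETE FROM {$table} WHERE {$column} < %s", $cutoff
            ) );
        }
        $report[ $table ] = [
            'oldest'  => $oldest,    // null when the table is empty
            'cutoff'  => $cutoff,
            'stale'   => $stale,     // rows past retention at audit time
            'deleted' => $deleted,   // 0 on a dry run
        ];
    }
    return $report;
}

/** Schedule a daily purge; call once, for example from your activation hook. */
function gd_example_schedule_retention_purge(): void {
    add_action( 'gd_example_retention_purge', function () {
        gd_example_retention_audit( false );
    } );
    if ( ! wp_next_scheduled( 'gd_example_retention_purge' ) ) {
        wp_schedule_event( time(), 'daily', 'gd_example_retention_purge' );
    }
}

// Dry run: report only, nothing deleted.
print_r( gd_example_retention_audit( true ) );
```

Keep the dry-run output with your Record of Processing Activities: `oldest` is direct evidence of the retention period you actually achieve, and a non-zero `stale` count on a table the plugin is supposed to clean up is the signal to check the auto-cleanup setting.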

Data Breach Procedures

If your site is compromised:

1. Immediate Response

  • Secure the site (enable site-wide blocking)
  • Change all passwords
  • Review activity logs for breach scope

2. Assessment

  • Determine what data was accessed
  • Identify affected users
  • Document the incident

3. Notification

  • GDPR: Notify the supervisory authority within 72 hours of becoming aware of the breach unless it is unlikely to result in a risk to individuals (Art. 33); notify affected individuals without undue delay when the risk to them is high (Art. 34)
  • California: State breach-notification law (Civil Code §1798.82) requires notifying affected residents in the most expedient time possible and without unreasonable delay; CCPA adds a private right of action for breaches caused by inadequate security
  • Your users: Inform affected individuals, whatever the legal minimum

4. Remediation

  • Fix vulnerability
  • Enhance security measures
  • Update incident response procedures

Subprocessors (Third Parties)

When you use Guard Dog features that involve third parties, those third parties are processors under GDPR (or subprocessors, if you yourself process the data on behalf of clients), and you need a data processing agreement with each:

CAPTCHA Providers:

  • Google LLC (reCAPTCHA)
  • Intuition Machines, Inc. (hCaptcha)
  • Cloudflare, Inc. (Turnstile)

Email Providers:

  • Amazon Web Services (SES)
  • Resend (if you configure it)
  • SendGrid (owned by Twilio)

Your responsibility:

  • Document these subprocessors
  • Verify their data protection terms: accept their data processing agreement, confirm the transfer mechanism for data leaving the EU/EEA (for example standard contractual clauses), and review their privacy policies
  • Include in your privacy policy

Children’s Privacy (COPPA)

Guard Dog doesn’t specifically target children, but if your site is directed at children under 13 (US), you must comply with COPPA:

  • Obtain verifiable parental consent before collecting data
  • Provide parental access to the child’s data

Guard Dog security features don’t prevent COPPA compliance but don’t automatically ensure it either.


Privacy-Focused Configuration

For maximum privacy:

CAPTCHA: Cloudflare Turnstile (most privacy-friendly)
Activity Log: Security events only
Auto-cleanup: 30-60 days
Email Provider: Choose privacy-focused option or use app-based 2FA
Access Control: Where practical, restrict login to a whitelist of trusted IPs, so far fewer failed attempts are ever recorded

This minimizes data collection while maintaining security.


Conclusion

Guard Dog is designed with privacy in mind:

  • Local data storage
  • Minimal third-party dependencies
  • User control over features
  • Configurable data retention

Your responsibility:

  • Update privacy policy
  • Configure appropriately
  • Honor data subject rights
  • Maintain security

When configured properly, Guard Dog enhances both security and user privacy.