Privacy Policy

Effective Date: December 30, 2025
Last Updated: December 30, 2025
Version: 2.0 (Updated with Actual Plugin Stack)

Table Of Contents
  1. INTRODUCTION
  2. SCOPE AND APPLICABILITY
  3. INFORMATION WE COLLECT
    3.1 Automatically Collected Information
      A. Google Site Kit & Google Analytics Tracking
      B. Device Information
      C. Behavioral Data
      D. Traffic Source Information
    3.2 Information You Voluntarily Provide
    3.3 Information NOT Collected
  4. THIRD-PARTY PLUGINS AND DATA COLLECTION
    4.1 Google Site Kit (Analytics, Search Console, AdSense Integration)
    4.2 All in One SEO (AIOSEO) – SEO Plugin
    4.3 SureForms – Form Builder & Submissions
    4.4 Jetpack – Security & Site Management
    4.5 LiteSpeed Cache – Performance & Caching
  5. COOKIES AND TRACKING TECHNOLOGIES
    5.1 Types of Cookies Used
    5.2 Tracking Technologies
  6. GOOGLE SITE KIT AND CONSENT MODE V2
    6.1 Google Consent Mode V2 Implementation
    6.2 How Consent Mode V2 Works
    6.3 Cookie Consent Banner
    6.4 GDPR/EEA-Specific Requirements
  7. HOW WE USE YOUR INFORMATION
    7.1 Primary Uses
    7.2 Uses NOT Permitted Without Consent
  8. DATA SHARING AND THIRD-PARTY DISCLOSURE
    8.1 Required Third-Party Sharing
    8.2 Data Controllers vs. Processors
    8.3 NO Sale of Personal Data
  9. DATA RETENTION AND DELETION
    9.1 How Long We Keep Your Data
    9.2 Your Right to Deletion
  10. YOUR PRIVACY RIGHTS
    10.1 GDPR Rights (EU/EEA Residents)
    10.2 CCPA/CPRA Rights (California Residents)
    10.3 Other Jurisdictions
  11. SECURITY AND PROTECTION
    11.1 Data Protection Measures
    11.2 Data Breach Notification
    11.3 Limitations on Security
  12. CHILDREN'S PRIVACY
    12.1 Age Restrictions
    12.2 If We Learn of Underage Users
  13. THIRD-PARTY LINKS AND EXTERNAL WEBSITES
  14. CHANGES TO THIS PRIVACY POLICY
    14.1 Policy Updates
    14.2 Notification of Changes
    14.3 Version History
  15. LEGAL COMPLIANCE STATEMENTS
    15.1 GDPR Compliance Statement
    15.2 CCPA/CPRA Compliance Statement
    15.3 ePrivacy Directive Compliance
  16. PLUGIN-SPECIFIC PRIVACY COMMITMENTS
    16.1 All in One SEO
    16.2 Google Site Kit
    16.3 SureForms
    16.4 Jetpack
    16.5 LiteSpeed Cache
  17. CONTACT INFORMATION
    17.1 Privacy-Related Questions
    17.2 Privacy Requests (GDPR/CCPA)
    17.3 Security Issues
    17.4 Data Protection Authority Contacts
  18. ACKNOWLEDGMENT AND AGREEMENT
  19. FINAL NOTES
    19.1 Policy Effective Date
    19.2 Entire Agreement
    19.3 Severability

1. INTRODUCTION

This Privacy Policy (“Policy”) governs how Explain Like I’m 5 (“Website,” “we,” “us,” “our,” or “the Company”) collects, uses, processes, discloses, and protects your personal information and data when you visit our website at explainitlikeim5.com, including any subdomains and related pages (collectively, the “Service”).

Website Owner Contact Information:
Explain Like I’m 5
Website: explainitlikeim5.com
Email: privacy@explainitlikeim5.com
Location: Bengaluru, India

We are committed to maintaining the highest standards of data privacy and transparency. This Policy applies to all visitors, users, and individuals who access our Website, regardless of location. Please read this Policy carefully to understand our privacy practices.


2. SCOPE AND APPLICABILITY

This Privacy Policy applies to:

  • All users accessing explainitlikeim5.com via web browsers
  • Visitors from all jurisdictions, including but not limited to the European Union (GDPR), California (CCPA/CPRA), Canada (PIPEDA), and other regions
  • All data collection methods employed by our Website, including cookies, tracking pixels, and analytics tools
  • Third-party services and plugins integrated with our Website

Jurisdictional Compliance: Our Policy complies with applicable data protection laws including:

  • General Data Protection Regulation (GDPR) for EU/EEA residents
  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) for California residents
  • ePrivacy Directive for EU/EEA residents
  • UK Data Protection Act 2018
  • Personal Information Protection and Electronic Documents Act (PIPEDA) for Canadian users
  • Quebec Law 25

3. INFORMATION WE COLLECT

3.1 Automatically Collected Information

When you visit our Website, we automatically collect certain information about your device and browsing activity through various technologies:

A. Google Site Kit & Google Analytics Tracking

  • IP address (anonymized by default through Site Kit settings)
  • Browser type and version
  • Operating system
  • Device type (desktop, mobile, tablet)
  • Pages viewed and content accessed
  • Time spent on pages
  • Click patterns and navigation flow
  • Referral sources and search queries
  • Session duration and user IDs

B. Device Information

  • Device type and screen resolution
  • Browser language preferences
  • Operating system details
  • User agent information

C. Behavioral Data

  • Pages visited and content engagement
  • Time spent on pages and scroll depth
  • Click tracking and interaction patterns
  • Video engagement (if applicable)
  • Search queries within our site
  • Download activity

D. Traffic Source Information

  • Referring website or search engine
  • Search terms used to find our site
  • Campaign identifiers (utm parameters)
  • Date and time of visit

3.2 Information You Voluntarily Provide

If you interact with our Website through forms or contact features, you may voluntarily provide:

  • Name and email address (when submitting contact/support forms via SureForms)
  • Phone number (if provided in forms)
  • Comments and feedback
  • Survey responses
  • Any other information you choose to include in form submissions
  • Content preferences and saved settings

3.3 Information NOT Collected

  • We do NOT collect credit card or payment information directly (payments handled by third-party processors)
  • We do NOT collect health information or biometric data
  • We do NOT intentionally collect information from minors under 13 years old
  • We do NOT require account registration for basic Website access
  • SureForms does NOT store form submission data on external servers (stored locally only)

4. THIRD-PARTY PLUGINS AND DATA COLLECTION

Our Website uses the following WordPress plugins and services, each with specific data collection practices detailed below:

4.1 Google Site Kit (Analytics, Search Console, AdSense Integration)

Purpose: Unified integration with Google services including Google Analytics, Google Search Console, and Google AdSense management.

Data Collected:

  • User activity data: email, role, login name, display name
  • Local and WordPress.com user IDs
  • All site management activities and timestamps
  • Site’s Jetpack version and site ID
  • IP addresses (for login attempts and security logging)
  • User agent information
  • Google Analytics data: pageviews, sessions, unique visitors, user flow, conversion tracking
  • Google Search Console data: search queries, click-through rates, keyword performance

IP Anonymization:

  • Enabled by default – Site Kit automatically anonymizes IP addresses in Google Analytics
  • Setting location: Site Kit > Settings > Analytics > Anonymize IP addresses
  • Can be disabled if needed

Data Processing:

  • Google processes and stores analytics data on their servers
  • IP anonymization helps protect user privacy
  • Analytics data retention: 14 months (default, user configurable)

GDPR/CCPA Compliance:

  • Google Site Kit requires manual configuration for GDPR compliance
  • We have enabled Google Consent Mode to communicate user consent preferences to Google
  • Consent Mode categories managed: analytics_storage, ad_storage, ad_user_data, ad_personalization
  • For EEA/Switzerland/UK users: Data is NOT tracked until explicit consent is provided via our cookie banner

Cookie Usage:

  • Google Analytics cookies (e.g., _ga, _gat, _gid)
  • Google AdSense cookies (if AdSense connected)
  • Site Kit may set additional tracking cookies

Third-Party Data Sharing:

  • Data is shared with Google LLC for analytics and advertising purposes
  • Data may be shared with Google partners for campaign optimization

User Opt-Out:

  • Users can opt out of Google Analytics tracking via the Google Analytics Opt-Out Add-on
  • Users can adjust Google Ad Settings: https://adssettings.google.com
  • Users can reject tracking via our cookie consent banner

Privacy Policy: https://policies.google.com/privacy
Site Kit Documentation: https://sitekit.withgoogle.com/


4.2 All in One SEO (AIOSEO) – SEO Plugin

Purpose: Website search engine optimization, on-page SEO analysis, XML sitemap generation, schema markup, and SEO guidance.

Data Collected:

  • License key and activation dates (used for plugin management)
  • Guided Setup tracking: completion status, duration to complete
  • Active integrations and enabled features
  • Plugin settings (sensitive settings like API keys are automatically excluded)
  • Non-personally-identifying information: browser type, language preference, referring site, access dates/times
  • Site health information and WordPress environment details

Data Processing:

  • Primarily local processing on your WordPress site
  • Minimal external data transmission
  • API keys are never sent to AIOSEO servers

External Data Sharing:

  • Limited to non-personal analytics about plugin usage
  • Does NOT share personal information about your website visitors
  • Does NOT share sensitive settings or API credentials

Data Security:

  • API keys and sensitive credentials automatically excluded from any reporting
  • Data stored securely on your WordPress installation

GDPR/CCPA Compliance:

  • GDPR compliant with minimal data collection from visitors
  • No visitor data shared with AIOSEO
  • Local processing ensures visitor privacy

Privacy Stance:

  • “We don’t share your personal information with anyone except to comply with the law”
  • Data NOT sold to third parties
  • Data NOT used for marketing purposes outside your site

Privacy Policy: https://aioseo.com/privacy-policy/


4.3 SureForms – Form Builder & Submissions

Purpose: Creating, displaying, and collecting form submissions with spam protection and GDPR compliance options.

Data Collection:
When someone submits a form on our Website:

  • Name, email, and any information you provide in form fields
  • Timestamp of form submission
  • IP address (can be disabled via GDPR mode)
  • Browser name (can be disabled via GDPR mode)
  • Device name (can be disabled via GDPR mode)
  • Optional: reCAPTCHA, hCaptcha, or Cloudflare Turnstile verification data

Data Storage:

  • CRITICAL: ALL form submission data is stored ONLY in your WordPress database
  • NO data is stored on SureForms servers or any external server
  • Data is stored locally on your website’s database
  • Only you have direct access to form submissions
  • SureForms only reads and displays data from your database (acts as interface only)

GDPR Compliance Mode:

  • SureForms includes optional GDPR mode for enhanced privacy
  • When GDPR mode is enabled:
    • IP address is NOT stored
    • Browser name is NOT stored
    • Device name is NOT stored
    • Only form field data and timestamp are collected
  • Enable GDPR mode: Forms > Settings > GDPR Compliance > Enable GDPR Mode

Spam Protection Options:

  • Google reCAPTCHA: Tracks interaction; Google processes verification data
  • hCaptcha: Privacy-focused alternative to reCAPTCHA; does not track user behavior
  • Cloudflare Turnstile: Lightweight, privacy-first CAPTCHA alternative

Data Security:

  • Form submissions transmitted via encrypted SSL/TLS connection
  • Stored in your secure WordPress database
  • Protected by your site’s security measures and access controls

Data Retention:

  • Form submissions retained in your database indefinitely (unless you delete them)
  • You have full control over retention and deletion
  • No automatic deletion by SureForms

Data Access:

  • You can view all form submissions in WordPress dashboard
  • Only site administrators have access
  • SureForms does NOT access, view, or analyze your submission data
  • SureForms does NOT track or log user submissions

Third-Party Integration:

  • If using Google reCAPTCHA: Google processes CAPTCHA verification (see Google Privacy Policy)
  • If using hCaptcha: hCaptcha processes verification with minimal data collection
  • If using Cloudflare Turnstile: Cloudflare processes verification

User Rights:

  • Users can request data deletion from forms they submitted
  • Submit deletion requests to: privacy@explainitlikeim5.com
  • We will delete form submissions upon user request

Privacy Policy: https://sureforms.com/privacy-policy/
GDPR Compliance Guide: https://sureforms.com/docs/gdpr-compliant-forms/


4.4 Jetpack – Security & Site Management

Purpose: Website security, brute force attack protection, activity logging, site backup, and security monitoring.

Data Collected:

User Activity Data:

  • User email address and WordPress.com account email
  • User role (administrator, editor, author, etc.)
  • User login name
  • User display name
  • Local WordPress user ID and WordPress.com user ID
  • All site management activities (who did what, when)
  • Site ID and Jetpack version
  • Timestamps of all activities
  • IP addresses associated with activities
  • User agent information

Security & Login Monitoring:

  • Failed login attempts: IP address, attempted username/email, user agent
  • Successful login attempts: IP address, timestamp, user agent
  • Brute force attack attempts: blocked IP addresses and attack patterns
  • Cookie: jpp_math_pass (1 day duration) – used to remember if user completed CAPTCHA verification

Data Syncing:

  • Security-related data is synced to Jetpack/Automattic servers
  • Failed login attempts are logged on Jetpack servers (includes IP, username, user agent)
  • This data helps protect your site from hacking attempts
  • Data is encrypted during transmission (TLS 1.2+)

Akismet Integration (Optional):

  • If Akismet spam protection is enabled on your site:
    • Contact form submissions sent to Akismet: IP address, user agent, name, email, website, message
    • Data analyzed for spam detection
    • Legitimate submissions not stored by Akismet
    • Actual submission data remains on your site’s database

Data Processing:

  • Activity data processed on Jetpack/Automattic servers
  • Security data encrypted in transit (TLS 1.2+)
  • Data at rest encrypted using AES-256
  • Encryption keys managed through AWS Key Management Service

Data Retention:

  • Activity logs retained on your site
  • Security event logs retained for 1+ year
  • Jetpack retains data according to their retention policies
  • You can purge logs manually if needed

GDPR/CCPA Compliance:

  • Data processing complies with GDPR requirements
  • Jetpack has executed Data Processing Agreements (DPA)
  • Activity data may include IP addresses (data controller for your site)

Data Security Measures:

  • TLS 1.2+ encryption for all data in transit
  • AES-256 encryption for data at rest
  • Regular security assessments and code reviews
  • Incident response plan with breach notification within applicable timeframes
  • Penetration testing conducted periodically

User Rights:

  • Users can request information about their activities logged
  • Users can request deletion of security events
  • Jetpack maintains audit logs for security purposes

Privacy Policy: https://jetpack.com/support/for-your-privacy-policy/
Security Practices: https://jetpackworkflow.com/security/


4.5 LiteSpeed Cache – Performance & Caching

Purpose: Website caching and performance optimization to improve page load speed and server efficiency.

Data Collection:

  • LiteSpeed Cache does NOT collect personal data about visitors
  • Cache stores temporary copies of website pages on your server
  • Cache may include cookies: session IDs, authentication tokens, user preferences
  • Cache management uses temporary files in RAM for quick access

Data Storage:

  • ALL cache data stored locally on your server
  • Cache files are temporary and automatically expire
  • Cache not transferred to LiteSpeed Tech employees
  • Cache can be manually purged at any time
  • No external cloud storage of cache files

Cookie Usage:

  • Cache may set cookies for performance tracking
  • Public cache: same for all visitors (static content)
  • Private cache: individual user-specific cached versions (based on session ID/IP)

Data Processing:

  • All caching operations performed locally on your server
  • No data transmission to LiteSpeed Tech
  • LiteSpeed Tech only accesses data if you request technical support

GDPR/CCPA Compliance:

  • GDPR compliant: caches are temporary and local-only
  • Cache files can be purged to comply with deletion requests
  • No permanent storage of personal data in cache
  • Does NOT interfere with GDPR/CCPA compliance

Data Security:

  • Cache stored on your secure server
  • Protected by your server’s security measures
  • Keep LiteSpeed Cache plugin updated (security patches released regularly)
  • Note: Update to version 6.5.0.1+ to address CVE-2024-44000

Important Note:
“LSCache software has access to whatever personally-identifiable data is already visible on your site, but it has no need to actually look at that data. LiteSpeed stores a copy on your server for fast access, and you may delete that copy whenever you like.”

Privacy Policy: https://www.litespeedtech.com/
GDPR Compliance: https://blog.litespeedtech.com/2018/05/23/litespeed-cache-wordpress-gdpr/


5. COOKIES AND TRACKING TECHNOLOGIES

5.1 Types of Cookies Used

Essential/Necessary Cookies (Set automatically, no consent required)

  • WordPress session cookies: user authentication, admin access
  • WordPress security cookies: CSRF protection, security tokens
  • Jetpack security cookie: jpp_math_pass (1 day) – CAPTCHA verification
  • LiteSpeed cache cookies: performance optimization
  • Basic functionality cookies: site preferences
  • Retention: Session duration to 1 year

Analytics Cookies (Requires consent via cookie banner)

  • Google Analytics cookies: _ga, _gat, _gid (user behavior tracking)
  • Google Site Kit cookies: analytics and site performance
  • Retention: 14 months to 2 years

Advertising Cookies (Requires consent if Google AdSense enabled)

  • Google AdSense cookies: personalized ad delivery
  • Third-party advertising cookies: conversion tracking
  • Retention: 13 months

Preference/Functional Cookies (Requires consent)

  • Language and theme preferences
  • Display format choices
  • Saved user preferences
  • Retention: 1-2 years

5.2 Tracking Technologies

Google Analytics 4 (via Site Kit)

  • Tracks user behavior across our Website
  • Uses cookies and JavaScript tracking code
  • Collects: pageviews, sessions, user flow, events, conversions
  • IP anonymized by default
  • Data shared with Google for analytics purposes

Site Kit Activity Tracking

  • Logs all WordPress site management activities
  • Stores IP addresses for admin actions
  • Used for security and audit purposes
  • Data retained for accountability

CAPTCHA Verification (Optional)

  • If Google reCAPTCHA used: Google processes verification
  • If hCaptcha used: hCaptcha processes verification with minimal data
  • If Cloudflare Turnstile used: Cloudflare processes verification

6. GOOGLE SITE KIT AND CONSENT MODE V2

6.1 Google Consent Mode V2 Implementation

Our Website implements Google Consent Mode V2, a mechanism that adapts Google services based on your consent choices. This is required for GDPR compliance in the EU/EEA.

Consent Categories:

  1. analytics_storage – Permission for Google Analytics data collection
  2. ad_storage – Permission for Google AdSense cookie placement
  3. ad_user_data – Permission to use data for remarketing and audience creation
  4. ad_personalization – Permission for personalized ad targeting

6.2 How Consent Mode V2 Works

  1. Initial State: Until you make a choice, Google services operate in limited mode (no personalization)
  2. Your Choice: When you interact with our cookie banner, your preferences are communicated to Google
  3. Ongoing Compliance: Google tags adjust behavior based on your selections
  4. Conversion Modeling: Google may estimate conversions during non-consent periods

6.3 Cookie Consent Banner

Our Website displays a cookie consent banner that:

  • Appears on your first visit
  • Explains what cookies we use and why
  • Provides options: “Accept All,” “Reject All,” “Customize”
  • Allows granular control over consent categories
  • Links to this Privacy Policy
  • Can be accessed/modified at any time via cookie settings

Banner Functionality:

  • Accept All: Enables all tracking cookies and analytics
  • Reject All: Disables all non-essential cookies; site continues to function
  • Customize: Choose which categories to accept/reject
  • Users can change choices at any time via footer cookie settings

6.4 GDPR/EEA-Specific Requirements

For users in the European Union, European Economic Area, Switzerland, and UK:

  • Explicit opt-in consent required before non-essential cookies are placed
  • Consent Mode V2 communicates your preferences to Google
  • Without consent, Google Analytics does NOT track personal data
  • Without consent, Google AdSense does NOT place behavioral tracking cookies
  • You MUST provide consent choice before we can collect analytics data
  • You can withdraw consent at any time via cookie banner

7. HOW WE USE YOUR INFORMATION

7.1 Primary Uses

Website Operation & Improvement:

  • Monitoring Website functionality and performance
  • Debugging and troubleshooting technical issues
  • Improving user experience and interface design
  • Understanding user preferences and behavior
  • Content optimization based on popularity metrics

Analytics & Performance Measurement:

  • Measuring Website traffic and visitor patterns
  • Analyzing content performance and engagement
  • Identifying trends and popular topics
  • A/B testing page variations
  • Generating performance reports
  • Optimizing page load speed

Security & Protection:

  • Detecting and preventing brute force attacks on login
  • Protecting against fraud and malicious activity
  • Maintaining Website security and integrity
  • Logging admin activities for audit trail
  • Spam detection and prevention in forms
  • Compliance with legal obligations

Communication:

  • Responding to form submissions and inquiries
  • Sending responses to contact requests
  • Notifying you of Website updates or policy changes
  • Addressing privacy or support requests

7.2 Uses NOT Permitted Without Consent

We do NOT use your data for:

  • Selling or sharing personal information without consent
  • Creating health, financial, or sensitive profiles
  • Targeting minors with personalized advertising
  • Discriminatory profiling or automated decision-making
  • Location tracking beyond IP-based geolocation
  • Any purpose not disclosed in this Privacy Policy

8. DATA SHARING AND THIRD-PARTY DISCLOSURE

8.1 Required Third-Party Sharing

The following data is shared with third parties as necessary for Website operation:

Google LLC (Google Site Kit, Google Analytics, AdSense if connected):

  • Analytics data: pageviews, sessions, user flow, conversions
  • User IP address (anonymized by default)
  • Browser and device information
  • Referral source and search terms
  • Data retention: 14 months

Jetpack/Automattic (Security & Site Management):

  • Activity logs: admin actions, timestamps
  • Failed login attempts: IP, username, user agent
  • Security event data
  • Data retention: Per Jetpack policy

Optional: Google reCAPTCHA (if CAPTCHA enabled):

  • CAPTCHA interaction data
  • User verification information
  • Timestamp and interaction details
  • Processed by Google per their Privacy Policy

Optional: hCaptcha (if privacy CAPTCHA selected):

  • Minimal CAPTCHA verification data
  • Privacy-focused processing
  • Processed by hCaptcha per their Privacy Policy

Optional: Cloudflare Turnstile (if Turnstile selected):

  • CAPTCHA verification data
  • Processed by Cloudflare per their Privacy Policy

8.2 Data Controllers vs. Processors

Data Controllers (determine how data is used):

  • Explain Like I’m 5 (our Website)
  • Google LLC (analytics and advertising)

Data Processors (process data on behalf of controllers):

  • Jetpack/Automattic (security and activity logging)
  • Website hosting provider (server operations)

8.3 NO Sale of Personal Data

  • We do NOT sell personal information about Website visitors
  • We do NOT share personal information with marketers or advertisers
  • We do NOT allow third parties to collect personal data from our Website for their own purposes
  • Data shared only when necessary for Website operation and security

9. DATA RETENTION AND DELETION

9.1 How Long We Keep Your Data

Google Analytics Data (via Site Kit):

  • Default retention: 14 months
  • Can be configured in Site Kit settings
  • Aggregated data may be retained longer

Jetpack Activity Logs:

  • Security logs: 1+ year
  • Activity logs: retained per Jetpack policy
  • You can manually purge logs if needed

SureForms Submissions:

  • Stored indefinitely in your WordPress database (unless deleted)
  • You have full control over retention and deletion
  • Can be deleted manually or via bulk delete feature
  • Deletions are permanent

LiteSpeed Cache:

  • Temporary (expires automatically)
  • Can be manually purged at any time
  • Typically 1-30 day expiration depending on configuration

Server/Security Logs:

  • IP access logs: 30-90 days
  • Security event logs: 1 year

Browser Cache & Cookies:

  • Functional cookies: 1-2 years
  • Session cookies: until browser closes
  • Analytics cookies: 14 months to 2 years

9.2 Your Right to Deletion

GDPR Users (EU/EEA):
Have the right to request deletion of personal data, subject to exceptions (legal obligations, fraud prevention).

CCPA Users (California):
Have the right to request deletion of personal information collected, with limited exceptions.

How to Request Data Deletion:

  • Email: privacy@explainitlikeim5.com
  • Specify what data to delete
  • Provide identification verification
  • Response timeframe: 30 days (GDPR) or 45 days (CCPA)
  • May request extensions for complex deletions

Limitations on Deletion:

  • Some data cannot be deleted due to legal compliance
  • Security and fraud prevention data may be retained
  • Aggregated/anonymized data retention
  • Website functionality requirements

10. YOUR PRIVACY RIGHTS

10.1 GDPR Rights (EU/EEA Residents)

Right to Access (Data Subject Access Request – DSAR)

  • Request what personal data we hold about you
  • Receive data in a structured, commonly-used format
  • Applies to data processed via our Website

Right to Rectification

  • Correct inaccurate or incomplete data
  • Submit updated information

Right to Erasure (“Right to be Forgotten”)

  • Request deletion of your personal data
  • Applies when data no longer necessary for stated purposes
  • Exceptions: legal obligations, fraud prevention, security

Right to Restrict Processing

  • Request limitation on data processing
  • Data retained but not actively used

Right to Data Portability

  • Receive your data in machine-readable format
  • Transfer data to another service provider

Right to Object

  • Object to processing for direct marketing
  • Object to processing based on legitimate interests

Right to Lodge a Complaint

10.2 CCPA/CPRA Rights (California Residents)

Right to Know

  • Know what personal information is collected and used
  • Request disclosure of data sources, purposes, and recipients

Right to Delete

  • Request deletion of personal information (with exceptions)
  • Timeframe: 45 days (may extend 45 days)

Right to Correct

  • Request correction of inaccurate information

Right to Opt-Out of Sale/Sharing

  • We do NOT sell your personal information
  • We do NOT share data for behavioral advertising without consent
  • Opt-outs made by rejecting cookies in the cookie banner are respected

Right to Opt-Out of Targeted Advertising

  • Select “Reject All” in cookie banner
  • Opt out of Google AdSense personalization via Google Ad Settings
  • Adjust browser cookie settings

Right to Non-Discrimination

  • No denial of service for exercising privacy rights
  • No price differences or reduced service quality

Right to Appeal

  • Appeal our decision if we deny your request
  • Submit appeal within 45 days of denial

How to Exercise Rights:

  • Email: privacy@explainitlikeim5.com
  • Specify request type (access, deletion, correction, opt-out)
  • Provide identification verification
  • Timeframe: 45 days for response (may extend 45 days if complex)

10.3 Other Jurisdictions

Canada (PIPEDA):

  • Right of access to personal information
  • Right to request correction
  • Right to withdraw consent

UK Data Protection Act 2018:

  • Similar rights to GDPR
  • Contact: Information Commissioner’s Office (ICO)

11. SECURITY AND PROTECTION

11.1 Data Protection Measures

Technical Safeguards:

  • SSL/TLS encryption (HTTPS) for all data in transit
  • Firewall protection against unauthorized access
  • Regular security audits and vulnerability assessments
  • Malware scanning and intrusion detection
  • Automatic security patches and plugin updates
  • Web server logs for monitoring suspicious activity

Jetpack Security Features:

  • Brute force attack protection (blocks malicious login attempts)
  • Two-factor authentication support
  • Malware scanning and threat detection
  • Automatic security updates
  • Backup and restore capabilities
  • Activity logging and audit trails

Organizational Safeguards:

  • Limited admin access to sensitive data
  • Strong password policies for all accounts
  • Security training for administrators
  • Incident response procedures
  • Vendor compliance requirements

Data Retention Policies:

  • Server logs: 30-90 days
  • Security logs: 1+ year
  • Analytics: 14 months
  • Form submissions: Indefinite (user-controlled deletion)

11.2 Data Breach Notification

In the event of a confirmed data breach:

  • GDPR Users: Notified within 72 hours
  • CCPA Users: Notified without unreasonable delay
  • Canadian Users: Notified as required by law
  • Notification will include: nature of breach, data affected, steps taken

Report Security Issues:
Email: security@explainitlikeim5.com

11.3 Limitations on Security

While we implement industry-standard security, no system is 100% secure. We recommend:

  • Using secure, updated browsers
  • Maintaining strong passwords
  • Being cautious with email attachments
  • Reporting suspicious activity immediately

12. CHILDREN’S PRIVACY

12.1 Age Restrictions

Our Website is NOT intended for children under 13 years old. We do not knowingly collect personal information from children under 13.

COPPA Compliance (US): We comply with the Children’s Online Privacy Protection Act and do not collect data from children under 13 without verifiable parental consent.

GDPR Compliance: Children under 16 are limited in their ability to consent. Parental consent is required for children under this age in most EU countries.

CCPA/CPRA Compliance: Children under 16 cannot opt out of personalized advertising; parental consent is required for children under 13.

12.2 If We Learn of Underage Users

If we become aware that a child under 13 has provided personal information, we will immediately delete such information and notify the parent/guardian.

Report Child Data: Contact info@explainitlikeim5.com


13. THIRD-PARTY LINKS AND EXTERNAL WEBSITES

Our Website may contain links to third-party websites and external content. We are NOT responsible for:

  • Third-party privacy practices and policies
  • Third-party data collection practices
  • Third-party content accuracy or authenticity
  • Third-party security practices and data protection

When you click external links, you leave our Website and are subject to the third party’s terms and privacy policy. We recommend reviewing their policies before providing information.


14. CHANGES TO THIS PRIVACY POLICY

14.1 Policy Updates

We may update this Privacy Policy periodically to reflect:

  • Changes in data collection practices
  • New plugins or services
  • Legal requirement changes
  • Privacy best practices
  • User feedback and requests

14.2 Notification of Changes

When we make material changes:

  • We will update the “Last Updated” date at the top
  • We will maintain a version history (see below)
  • For significant changes affecting EU users, we may provide additional notice
  • Continued use after updates constitutes acceptance of changes

14.3 Version History

Version | Date | Summary of Changes
2.0 | December 30, 2025 | Updated with actual plugin stack: All in One SEO, Google Site Kit, LiteSpeed Cache, SureForms, Jetpack
1.0 | December 30, 2025 | Initial Privacy Policy

15.1 GDPR Compliance Statement

We comply with GDPR (General Data Protection Regulation) by:

  • Obtaining explicit consent before non-essential cookies via cookie banner
  • Providing transparent data collection disclosures
  • Implementing Google Consent Mode V2 for EU/EEA users
  • Enabling user rights: access, rectification, erasure, portability, objection
  • Maintaining records of processing activities and consent
  • Executing Data Processing Agreements with vendors (Jetpack, Google)
  • Promptly reporting data breaches (within 72 hours)
  • Conducting Data Protection Impact Assessments (DPIA) for high-risk processing
  • IP anonymization enabled by default in Google Analytics

15.2 CCPA/CPRA Compliance Statement

Our Website complies with California privacy laws by:

  • Disclosing all personal information collection methods
  • Providing clear opt-out mechanisms
  • Honoring privacy requests within 45 days
  • Non-discrimination for exercising privacy rights
  • Transparent disclosure of rights and data practices
  • Providing appeal process for denied requests
  • Metrics disclosure upon request

15.3 ePrivacy Directive Compliance

We comply with the ePrivacy Directive (2002/58/EC) by:

  • Obtaining prior consent for cookies (except strictly necessary)
  • Providing clear cookie notices
  • Including links to privacy policies
  • Honoring opt-in/opt-out preferences
  • Consent Mode V2 implementation for preference communication

16. PLUGIN-SPECIFIC PRIVACY COMMITMENTS

16.1 All in One SEO

  • Your visitor data is NOT shared with AIOSEO
  • API keys never sent to external servers
  • Local processing only for SEO analysis
  • No personal data collection from website visitors

16.2 Google Site Kit

  • IP addresses anonymized by default in Analytics
  • Consent required before tracking (except essential)
  • Consent Mode V2 implements your cookie banner preferences
  • Data shared with Google per their Privacy Policy

16.3 SureForms

  • Form submissions stored ONLY in your database
  • ZERO server-side storage on SureForms
  • GDPR mode available to exclude IP/browser/device
  • Complete ownership and control of form data

16.4 Jetpack

  • Activity logs provide security audit trail
  • Failed login attempts tracked to prevent hacking
  • Data encrypted in transit (TLS 1.2+)
  • Privacy Policy available for full details

16.5 LiteSpeed Cache

  • Local-only caching (no external storage)
  • Temporary cache files auto-expire
  • Can be manually purged anytime
  • GDPR compliant (local processing)

17. CONTACT INFORMATION

17.1 Privacy-Related Questions

Email: privacy@explainitlikeim5.com
Response Time: 7-10 business days

17.2 Privacy Requests (GDPR/CCPA)

To submit a formal privacy request:

  1. Email privacy@explainitlikeim5.com with:
    • Request type (access, deletion, rectification, opt-out, etc.)
    • Specific details about what you’re requesting
    • Your contact information
    • Proof of identity (may be required)
  2. We will confirm receipt within 3 business days
  3. We will respond within:
    • 30 days (GDPR) – may extend 60 days for complex requests
    • 45 days (CCPA) – may extend 45 days for complex requests

17.3 Security Issues

Email: security@explainitlikeim5.com

Report any security vulnerabilities or breaches immediately.

17.4 Data Protection Authority Contacts

If you believe your rights are violated:


18. ACKNOWLEDGMENT AND AGREEMENT

By accessing and using explainitlikeim5.com, you acknowledge that:

  1. You have read and understood this Privacy Policy
  2. You consent to data collection and processing as described
  3. You understand Google’s use of cookies for analytics and advertising
  4. You accept that data is shared with third parties as outlined
  5. You agree to the data retention terms
  6. You will exercise your rights in accordance with applicable laws
  7. You accept the risks of internet-based data transmission

19. FINAL NOTES

19.1 Policy Effective Date

This Privacy Policy is effective as of December 30, 2025 and applies to all data collected from that date forward.

19.2 Entire Agreement

This Privacy Policy, together with our Terms of Service, constitutes the entire agreement regarding our privacy practices.

19.3 Severability

If any provision is deemed unenforceable, that provision will be modified to the minimum extent necessary to make it enforceable, and the remainder will continue in full effect.

Last Reviewed: December 30, 2025