Yes, the plugin is designed in a GDPR-compatible way. Here's how data flows.
Where your files are stored
All file content stays in your linked cloud account (Google Drive, OneDrive/SharePoint, Dropbox, or Box). The plugin doesn't copy or store file content on your WordPress server.
What WordPress stores locally
The plugin keeps some metadata on your server so it can function:
- OAuth tokens for your linked cloud accounts, stored in the WordPress options table.
- A cache of folder and file metadata (file IDs, names, modification times) in
wp-content/[plugin]-cache, to reduce API calls and speed up modules. - Generated thumbnails for the Gallery module, but only for Box and Dropbox; Google Drive and OneDrive deliver thumbnails via API.
No file content is permanently stored on your server.
What gets logged
Logging is opt-in. If you enable the Statistics feature, the plugin records user actions (downloads, uploads, views) with the WordPress user (if logged in) or IP address. You control what's logged and for how long.
Honoring data subject rights
To handle access or deletion requests:
- File content: handle in the cloud provider's account, that's where it lives.
- Activity logs: clear them from the plugin's Statistics dashboard.
- OAuth tokens: revoke as described in How do I revoke the plugin's access to my cloud account?
Sub-processors
The plugin doesn't introduce additional sub-processors. The third parties involved are the cloud provider you linked (Google, Microsoft, Dropbox, or Box) and Freemius for license validation. CodeCanyon customers go through Envato instead of Freemius.