Privacy — Agentic Storefront for Publishers

Last updated: 2026-06-07 · Plugin version: 0.3.3 · Plugin page

One-line summary. Your visitors are never identified. The plugin sends no cookies, no tracking pixels, and no visitor IDs to any third party. Only the public URL, title, categories and tags of the page being viewed are sent to xpay — the same data Google sees in your site's HTML.

What gets sent and when

1. Recommendation iframe loads (`widget.xpay.sh/embed/recs/*`)

When a reader views a page where the recommendation widget renders (auto-injected below post content, or via the [xpay_recs] shortcode / Recommendations block), an iframe is loaded from widget.xpay.sh with these URL parameters:

siteId — your random opaque site identifier (no link to any visitor).
api — the backend URL the iframe calls (publisher-api.xpay.sh).
Optional: amazonTag if you set an Amazon Associates tag in plugin settings.

The iframe then calls POST publisher-api.xpay.sh/storefront/decide with the page's public URL, title, public categories, and public tags. No visitor identifier is sent.

2. Load beacon (`publisher-api.xpay.sh/storefront/beacon`)

When the widget mounts, an anonymous "load" event is sent so you can see in your xpay dashboard which of your host pages are running the script. Data sent:

site_id, site_host, the page URL, and the browser user-agent string.
No visitor identifier — no cookie, no IP-derived ID, no device fingerprint.

3. Click beacon

When a reader clicks a recommended product card, a "click" event is sent with the click destination's merchant domain. Used for affiliate-attribution accounting only. No visitor identifier.

4. Settings iframe (`widget.xpay.sh/embed/admin/settings`)

Only loaded when a logged-in WordPress administrator visits Settings → Agentic Storefront. The iframe receives your site_id, plugin version, and connection status via URL parameters; it holds no credentials. User edits postMessage back to the WordPress admin shell, which saves them to your wp_options via the plugin's REST endpoint.

5. One-time connect flow

When a publisher clicks Connect site, a tab opens on app.xpay.sh. The publisher's email address is collected by Privy (the authentication provider) at this step and stored against the publisher's xpay account. The publisher email is not sent on any subsequent runtime call.

What is never sent

Visitor cookies, session IDs, fingerprints, or any persistent identifier.
IP addresses (the backend Lambda logs IPs for abuse prevention with a 30-day retention; they are never linked to visitor identifiers because no such identifiers exist on this rail).
Page content beyond title, public categories, and public tags. Article body text is not sent.
Form data, search queries, or any data from logged-in WordPress users on your site.

WP Consent API integration

When the WP Consent API plugin is installed and reports a hard "no" for marketing consent on the current request, the recommendation iframes are not rendered at all. If no Consent API plugin is installed, the iframes still render because they collect no visitor data (see above) — they are functionally equivalent to a contextual editorial widget.

Where data is stored

Your WordPress database (wp_options): asp_site_id, asp_account_id, asp_amazon_tag, asp_exclude_categories, asp_exclude_domains, asp_auto_inject, asp_consent_personalization, asp_emit_agent_storefront, asp_emit_llms_augment, and a few internal connection state keys. All deleted when the plugin is uninstalled.
xpay's backend (DynamoDB tables, us-east-1): the registered site row (site_id, site_url, classification metadata, account_id), per-fetch agent activity logs (90-day TTL), and click attribution rows.

How to remove all your data

From WordPress: Plugins → Agentic Storefront for Publishers → Deactivate → Delete. WordPress will call the plugin's uninstall.php which removes every wp_options row above.
From xpay: Log into app.xpay.sh/dashboard/earn/affiliate/sites and click "Remove site". Removes the site row + every associated agent activity log.
Account deletion: Email privacy@xpay.sh with the email address tied to your xpay account. We will delete the account and all associated data within 30 days.

Subprocessors

xpay's backend runs on Amazon Web Services (us-east-1). The recommendation widget uses Iconify CDN (api.iconify.design) at runtime to render UI icons; this CDN sees the iframe's user-agent and IP only — no site_id or any other plugin-managed identifier.

Contact

Privacy questions: privacy@xpay.sh. Full xpay privacy policy: xpay.sh/privacy. Terms of service: xpay.sh/terms.