Last updated: 8 June 2026
This privacy policy describes how fair-event-plugins.com (“the site”, “we”) processes personal data. The site exists to host documentation and to operate a small OAuth proxy service used by the open-source Fair Payment WordPress plugin.
1. Data controller
The site and the OAuth proxy are operated by:
Marcin Wosinek
Spain
Contact: marcin.wosinek@gmail.com
For all questions about this policy or your personal data, please use the email above.
2. What the OAuth proxy does
The Fair Payment plugin connects WordPress sites to the Mollie payment gateway. Mollie’s OAuth integration requires a registered client secret that cannot be safely shipped inside an open-source plugin distributed via WordPress.org. To work around this, fair-event-plugins.com runs a small proxy that holds the client secret and performs the OAuth handshake with Mollie on behalf of the plugin.
The proxy exposes three endpoints used during the connection flow:
/oauth/authorize— starts the Mollie OAuth flow./oauth/callback— receives Mollie’s authorization code and exchanges it for tokens./oauth/refresh— exchanges a refresh token for a new access token when the old one expires.
The proxy is not involved in processing payments. Payments flow directly from your WordPress site to Mollie’s API at api.mollie.com. No payment data, customer data, or order data ever reaches fair-event-plugins.com.
3. Data processed by the OAuth proxy
3.1 Data that passes through but is not stored
The following data is held only in temporary cache entries (transients) for up to 10 minutes while the OAuth handshake is in progress, then deleted automatically:
- The Mollie OAuth authorization code returned by Mollie.
- The Mollie access token and refresh token issued for your Mollie account.
- The OAuth scope granted.
- The Mollie organization id and profile id needed for profile selection.
During a token refresh (/oauth/refresh), the plugin sends us your Mollie refresh token. We forward it to Mollie, return the new access token to your site, and do not store the refresh token.
3.2 Data stored permanently in our connection log
For every connection attempt — successful or failed — we record one row in our database containing:
- The requesting WordPress site’s site id, site name, and site URL (as provided by the plugin).
- The Mollie organization id and Mollie profile id that were connected.
- The OAuth scope granted by Mollie.
- Whether a Mollie profile was created automatically as part of the connection.
- Connection status (success / failed) and, on failure, the error code and message returned by Mollie.
This log does not contain access tokens, refresh tokens, customer data, or any payment data. It is used to debug failed connections, monitor abuse, and understand how the proxy is being used.
3.3 Standard web server logs
The web server hosting fair-event-plugins.com (provided by Hostinger) records standard request logs for every visit, including documentation pageviews and OAuth requests:
- IP address
- Date and time
- Requested URL and HTTP method
- HTTP response status
- User-agent string
Retention is controlled by Hostinger’s standard log-retention policy.
3.4 Analytics (Plausible)
The documentation pages of fair-event-plugins.com use Plausible Analytics to count visits and understand which docs are useful. Plausible is a privacy-focused, cookieless analytics service hosted in the European Union.
Plausible does not use cookies, does not track visitors across sites, and does not collect personal data or device fingerprints. It records aggregated, anonymous metrics such as page URL, referrer, country (derived from IP and then discarded), browser, and operating system. IP addresses are processed only transiently to derive country and a daily anonymous visitor hash, and are not stored.
Plausible is not loaded on the OAuth proxy endpoints (/oauth/*).
See Plausible’s data policy for full details.
4. Legal basis (GDPR Article 6)
For visitors to the documentation pages, processing of server-log data is based on our legitimate interest (Art. 6(1)(f) GDPR) in operating and securing the site.
For OAuth proxy use, processing is based on performance of a service you requested (Art. 6(1)(b) GDPR) — you initiate the proxy call by clicking “Connect Mollie” inside the Fair Payment plugin, and the data is processed solely to deliver that connection. Logging of connection attempts is additionally covered by our legitimate interest (Art. 6(1)(f) GDPR) in diagnosing failures and preventing abuse.
5. Recipients and third parties
- Mollie B.V. (Netherlands) — The OAuth proxy exchanges tokens with
api.mollie.com. See Mollie’s user agreement and privacy policy. - Hostinger International Ltd. (Lithuania) — provides the hosting on which the site and OAuth proxy run. Hostinger processes server-log data on our behalf as a data processor. See Hostinger’s privacy policy.
- Plausible Insights OÜ (Estonia) — provides anonymous, cookieless analytics for the documentation pages only. See Plausible’s data policy and privacy policy.
We do not sell or share your data with any other third parties. We do not use advertising or tracking cookies on fair-event-plugins.com.
6. International transfers
Mollie (Netherlands), Hostinger (Lithuania), and Plausible (Estonia) are all established in the European Union. No transfers outside the EEA occur as part of the proxy service or the documentation site.
7. Retention
| Data | Retention |
|---|---|
| OAuth handshake transients (tokens, codes) | Up to 10 minutes, then auto-deleted |
Refresh tokens passed to /oauth/refresh | Not stored — forwarded to Mollie and discarded |
| Connection log rows | Kept for the operational lifetime of the proxy, for debugging and abuse prevention |
| Server access logs | Per Hostinger’s standard log-retention policy |
| Plausible analytics data | Aggregated, anonymous — no personal data retained |
8. Your rights under GDPR
As an EU/EEA data subject you have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request erasure of your data (right to be forgotten).
- Restrict or object to processing.
- Data portability.
- Lodge a complaint with the Spanish data protection authority, the Agencia Española de Protección de Datos (AEPD).
To exercise these rights, email marcin.wosinek@gmail.com. Because the proxy stores so little identifiable data (site URL + Mollie organization id), we will normally ask for the relevant site_id or site URL to locate your records.
You can revoke the plugin’s access to your Mollie account at any time from your Mollie dashboard under Settings → Authorized applications. Doing so invalidates the tokens issued through the proxy.
9. Security
The OAuth proxy runs over HTTPS only. The Mollie client secret is stored in server configuration and is never exposed to client sites. Transient cache entries are deleted automatically after at most 10 minutes.
10. Changes to this policy
We may update this policy when the proxy’s behavior changes or when required by law. The “Last updated” date at the top reflects the most recent change. Material changes will be announced on the site’s homepage.
11. Contact
For any privacy-related questions, write to marcin.wosinek@gmail.com.