Main menu

Plugin privacy notice

Privacy and security information for WordPress administrators

This page provides information for WordPress administrators that have the Loco Translate plugin installed. If you're looking for this website's privacy notice, you're in the wrong place. Try this.


Loco Translate does not process any data from your website visitors at all. For that reason, you don't really need to mention it in your own privacy notice, but of course that's up to you.

The plugin only processes data during administrator operation and we (the company) never see any data held in your database or in your files. Everything happens on your server and stays on your server, with the exception of some API integrations.

Is Loco Translate GDPR compliant?

  • We're confident that simply installing our plugin on your website doesn't put you in breach of the regulation.
  • We're confident that providing our software to run on your own servers doesn't put us in breach of the regulation.

That said, please read the rest of this notice as it explains specifically how data is processed via the WordPress admin area and provides some suggestions for better privacy and security.

Personal data in PO files

We're not responsible for what you type into our editing software, but regardless - we never send this data anywhere or do anything to record it for our own use. The files live on your server and we don't see them.

Loco Translate is a PO file editor and WordPress (by default) exposes all PO files to the public Internet. This means any data in your translation files is potentially public.

Important: PO files have an attribution field called Last-Translator. Depending on your settings, this field may be populated with your user name and email address. This is standard practice for translators working with Gettext files, but you can change this behaviour in the plugin settings, at: Loco Translate > Settings > User options.

Suggestion: There is no technical reason why PO or MO files should ever be exposed to the Internet, but WordPress won't protect them for you. We recommend you secure your web server appropriately by blocking web access to these file types. If you don't have the necessary knowledge then ask your hosting provider or development team for assistance.

Data in the WordPress database

Loco Translate uses the WordPress database for caching metadata and storing settings and preferences. Your translation files are not held in the database.

Any data you enter into Loco Translate's settings screens will be stored in the database, which means if the settings you enter contain personal data, so does your database. As above, we don't see any of this data and it's your responsibility to secure it.

Remote APIs

Loco Translate makes use of various remote APIs depending on your settings:

  • The WordPress API is used for fetching translation and locale data from
  • Any third party translation APIs for which you enter API keys in your settings.
  • The Loco API is currently not used, but is planned for integration in future.

In the case of the WordPress API, our software uses WordPress core functions to fetch data from As we aren't responsible for their services, you should check their privacy notice. Use of this API can't be disabled, but we don't use it in any way to deliberately expose your personal data to

Any third party APIs you enable will be subject to their own privacy policy. As above, we don't deliberately expose any personal data to any third parties. As with any remote API, the service provider will see your IP address and will be able to cross-reference this with any credentials you use to authenticate with their service.

In the case of the Loco API (once implemented). This is subject to our own privacy notice as we process all traffic to our servers during the provision of our service. Our API end points will see either your browser's IP address or that of your server, but we don't in any way use this traffic to track, analyse or identify individuals.

Note that none of these APIs are used outside of WordPress admin screens, so your public website visitors are not visible in any way to these service providers.

Clicking external links

If you click an external link from a WordPress admin page to our website (like to this page for example) we may add Google Analytics campaign identifiers into the URL. This does not leak any personal data, or indeed any sensitive data about your system. All it tells us is that traffic is coming from our plugin and from which screen. This lets us analyse which functions our users need the most help with. From this we can make usability improvements or write better documentation, but we will never profile individuals.

Once on this website your privacy is subject to our own privacy notice. See the section on Google Analytics, which explains more about why we analyse web traffic, the limits we place on it, and how you can block it.

Please note your activity within your WordPress admin area is not being tracked. We do not record any actions or admin page hits that occur on your own site.


The Loco Translate plugin does not set any cookies, but WordPress does. You are responsible for the cookies that your website sets.

Last updated by