Documentation · Privacy, Security and Compliance

Data Storage Overview

This document gives an overview of the data the ADP Car Market Hub plugin stores in a WordPress site, where it is stored, and how it is removed when the plugin is uninstalled. It is intended as a reference for site operators, administrators and the people they work with on privacy and compliance.

This document is not legal advice. Site operators should review their specific data handling, retention and disclosure obligations with their own legal advisor.

When to use this document

Use this document when you need to:

Understand which data categories the plugin creates or processes.
Prepare a privacy notice or a record of processing activities for the site.
Plan backups, exports or deletion of plugin data.
Answer internal questions about what is removed if the plugin is deactivated or uninstalled.

Overview

The plugin stores data in three layers of WordPress:

WordPress posts and post meta — used for imported vehicle listings and for inquiry leads.
WordPress options — used for plugin settings such as API connection parameters, design options, scheduler configuration, lead form configuration, the CMH Team / dealership contact details and the licensing state.
Custom database tables — used for analytics events, for the search alert subscriptions, for the cached vehicle field data and for the Content Studio jobs and generated marketing assets.

In addition, the plugin uses standard WordPress mechanisms for transient caching, attachment storage for vehicle images, and WordPress users (no new user accounts are created by the plugin itself).

Data categories stored by the plugin

The categories below reflect what the plugin code creates and writes. Some items only appear when the corresponding feature is configured and used.

Vehicle listings (imported content)

Custom post type: as24ci_car.
Vehicle attributes are stored as post meta (for example make, model, price, mileage and condition).
Vehicle images imported from the source feed are stored as standard WordPress attachments and referenced from post meta.
This data describes vehicles for sale and is not personal data of website visitors.

Inquiry leads

Custom post type: as24ci_lead (registered as non-public; managed from the plugin's Leads admin tab).
Each lead stores the data submitted through the contact or test-drive form, including the contact name, email address, phone number (optional), message, the related vehicle, the source URL, the submission timestamp, an internal status (New, Contacted, Closed, Spam) and, for test-drive requests, the requested appointment date and time.
See Lead Data and Consent for the detailed list of fields and operational guidance.

Analytics events

Custom database table: {prefix}as24ci_analytics.
Records page-view and (optionally) business-intelligence events such as filter searches, contact form opens and lead submissions.
The table stores an event type, the related post ID, an optional minimized extra-data payload and a timestamp. It does not store IP addresses, user identifiers or cookies on the server side.
Tracking is off by default and only activates when analytics are enabled in the plugin settings. See Analytics Retention.

Search alert subscriptions

Custom database table: {prefix}as24ci_search_agents.
Records subscribers to the "search agent" feature: name (optional), email, search criteria, a confirmation token, a status value (pending, active, inactive, paused), the creation timestamp and the confirmation timestamp.
Subscriptions follow a double opt-in workflow. See Search Alerts Double Opt-In.

Content Studio jobs and generated assets

Custom database tables: {prefix}as24ci_content_studio_jobs and {prefix}as24ci_content_studio_assets.
The jobs table records AI content-generation requests for a vehicle (the related vehicle post ID, a vehicle snapshot hash, the content type and platform preset, the prompt payload, provider/model, language, tone, status and the WordPress user ID that created the job).
The assets table records the generated marketing output (captions, hashtags, alt text, an optional JSON payload, file references for generated images and internal scheduling fields).
This data describes dealership marketing content derived from vehicle listings. It does not store website-visitor personal data, but the created_by column links a job to the WordPress user who generated it.

CMH Team / dealership contact details

Stored as WordPress options (as24ci_team_members, as24ci_team_location_defaults, as24ci_team_standards, as24ci_team_rules).
The team-member records hold dealership staff contact data entered by the operator: name, position, phone, mobile and email address. The team standards hold a general dealership name, email and phone.
This is contact data of dealership employees/representatives, not of website visitors. It is used to resolve the recipient address for contact form inquiries and to display contact details on the frontend. A vehicle post can also reference an assigned team member via post meta (_as24ci_team_member, _as24ci_team_mode).

Licensing state

The plugin's license key, status, plan, installation UID, feature rights and related metadata are stored as WordPress options (the as24ci_license_* keys). The license key itself is contained in these options; the other values are derived validation results returned by the licensing service.

Plugin settings (WordPress options)

All plugin settings are stored as WordPress options (the wp_options table).
This includes API connection parameters, scheduler configuration, design and template settings, lead form configuration, the analytics retention setting and the privacy-jurisdiction selector.
Sensitive credentials such as the AutoScout24 API client secret are stored as WordPress options but are protected at rest by the plugin's centralised secrets helper: the client secret is encrypted with authenticated AES-256-GCM and the cron-import token is stored as a one-way HMAC-SHA256 hash. Site operators should still apply normal WordPress security hardening for the database and wp-config.php.

Transients and caches

The plugin uses WordPress transients for short-lived data such as cached access tokens, run locks for the import process and rate-limit counters for the contact form. These are removed automatically by WordPress and are cleared on uninstall where applicable.

Client-side storage (browser)

The favorites / wishlist feature stores the list of favorite vehicle IDs in the visitor's browser using localStorage. This data does not leave the browser and is not persisted on the server.
The plugin does not set its own tracking cookies. Standard WordPress cookies (for example for logged-in users) are unaffected by the plugin.

Where to find each data store

Category	Location
Vehicle anchor posts	`wp_posts` and `wp_postmeta` (post type `as24ci_car`)
Vehicle field data	Custom table `{prefix}as24_vehicles` (linked to the `as24ci_car` post by `post_id`)
Vehicle images	WordPress media library (attachments)
Inquiry leads	`wp_posts` and `wp_postmeta` (post type `as24ci_lead`)
Analytics events	Custom table `{prefix}as24ci_analytics`
Search alert subscriptions	Custom table `{prefix}as24ci_search_agents`
Content Studio jobs	Custom table `{prefix}as24ci_content_studio_jobs`
Content Studio generated assets	Custom table `{prefix}as24ci_content_studio_assets`
CMH Team / dealership contact details	`wp_options` (`as24ci_team_*`) and `wp_postmeta` (assigned member)
Licensing state	`wp_options` (`as24ci_license_*`)
Plugin settings	`wp_options`
Caches and locks	WordPress transients
Favorites	Visitor's browser `localStorage` only

The exact table prefix depends on the WordPress installation ($wpdb->prefix).

Data lifecycle and deletion

The plugin removes data in the following ways:

Lead deletion — leads can be deleted individually from the Leads admin tab. Deletion removes the lead post and its meta values.
Analytics retention — analytics events older than the configured retention window are deleted automatically by a daily WP-Cron task. A one-click "purge all analytics data" action is also available in the admin. See Analytics Retention.
Search alert unsubscribe — recipients can unsubscribe from search alerts using the link included in every notification email. Administrators can also delete or pause subscriptions from the Search Alerts admin tab.

What happens on uninstall

When the plugin is deleted from the WordPress admin, the uninstall routine runs and:

Drops the analytics table ({prefix}as24ci_analytics) so that visitor tracking data does not persist after removal.
Drops the search agents table ({prefix}as24ci_search_agents) so that subscriber email addresses and search criteria do not persist after removal.
Drops the vehicle field data table ({prefix}as24_vehicles) and related schema version options.
Drops the Content Studio tables ({prefix}as24ci_content_studio_jobs and {prefix}as24ci_content_studio_assets) and their schema version option, so generated marketing content and job records do not persist after removal.
Deletes the plugin's WordPress options (settings, scheduler state, design options, CMH Team contact details, licensing state and similar).
Clears scheduled WP-Cron events and short-lived transients used by the plugin.

If the option Delete data on uninstall is enabled before removal, the uninstall routine additionally deletes:

All imported vehicle posts and their imported image attachments.
All inquiry lead posts.
The plugin's activation-created pages (archive page, compare page and favorites page).

If that option is not enabled, vehicle posts, lead posts and pages are preserved so they can be reused after a reinstall. Manually uploaded gallery images are never deleted by the uninstall routine.

Operational notes

The plugin does not transmit lead data to any third party. Lead notifications are sent using the standard WordPress mail function (wp_mail), which uses the site's configured mail transport.
The plugin connects to the AutoScout24 Hub API to import vehicle data using credentials configured by the site operator. It does not send personal visitor data to that API.
Backups taken at the WordPress database level will include lead posts, analytics events and search alert subscriptions. Site operators should consider this when defining backup retention policies.
Multisite installations: on uninstall, the cleanup routine iterates over all sites in the network and removes the plugin's tables and options for each site.

Troubleshooting

Plugin tables still present after uninstall — verify that the plugin was deleted (not only deactivated). Deactivation does not run the uninstall routine.
Lead posts not visible in the standard WordPress posts list — this is expected. The lead post type is registered as non-public and is managed from the plugin's Leads admin tab.
Old analytics rows are not being removed — confirm that WP-Cron is running on the site and that the daily cleanup event (as24ci_daily_cleanup) is scheduled. See Analytics Retention.