Privacy & API keys
Settings → Privacy & API keys consolidates the most sensitive controls: the behavioural collector switch, data retention window, EU-only vendors mode, integration credentials, and chargeback webhook secrets.
![\"\"](\"https://shop.chadacreatives.com/wp-content/themes/chada-store/assets/img/docs/wfg-privacy-api-keys.png\")
Privacy section
- EU-only vendors mode — disables third-party integrations not headquartered in the EU. When on, MaxMind/OpenAI/Groq calls are skipped entirely.
- Enable behavioral signals collection — turns on the JS collector on the checkout page. Off by default for privacy compliance.
- Data retention (days) — how long score rows, rule hits, and behavioural payloads are kept before the daily cron purges them. Default 365.
- Delete plugin data on uninstall — when on, deactivating the plugin removes all WooFraudGuard tables and options. Off by default so accidental deactivations don\’t lose history.
API keys section
- MaxMind user id + MaxMind license key — enables the MaxMind rule. See MaxMind minFraud setup.
- Groq API key — enables LLM-powered chargeback-rebuttal prose, free tier.
- OpenAI API key — same use case, paid tier. Used as a fallback when Groq isn\’t configured.
- Stripe / PayPal webhook secrets — enables the chargeback feedback loop. See Setting up dispute webhooks.
How keys are stored
All API keys are stored in wfg_settings under WordPress options, AES-256 encrypted at rest using the WP AUTH_KEY as the encryption secret. Existing keys are never displayed in the UI — the input fields are always empty, and leaving them empty on save keeps the current value.
To keep keys entirely out of the database, define the corresponding constants in wp-config.php:
define( \'WOOFRAUDGUARD_MAXMIND_USER_ID\', \'12345\' );
define( \'WOOFRAUDGUARD_MAXMIND_LICENSE_KEY\', \'...\' );
define( \'WOOFRAUDGUARD_GROQ_API_KEY\', \'gsk_...\' );
define( \'WOOFRAUDGUARD_OPENAI_API_KEY\', \'sk-...\' );
define( \'WOOFRAUDGUARD_STRIPE_WEBHOOK_SECRET\', \'whsec_...\' );