Privacy Policy
Last updated: September 15, 2025
1. Introduction
CookieFrame ("we," "us," or "our") operates a cookie consent management platform that helps website owners comply with privacy regulations worldwide. This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use our services.
This policy applies to:
- Account Holders: Individuals and organizations who register for CookieFrame to manage cookie consent on their websites
- Website Visitors: Individuals who interact with CookieFrame consent widgets deployed on our customers' websites
We operate as both a data controller (for account holder information) and a data processor (for visitor consent data collected on behalf of our customers).
2. Information We Collect
2.1 Account Holder Information
When you create and maintain a CookieFrame account, we collect:
Account Registration Data
- Email address (required)
- Name (optional)
- Profile image (if using Google sign-in)
- Password (hashed, if using password authentication)
Authentication Data
- OAuth tokens and identifiers from Google (if using social sign-in)
- Session tokens
- WebAuthn credentials (if using passkeys)
- IP address and user agent (for security purposes)
Domain and Configuration Data
- Domain names you register
- Widget customization settings (colors, text, positioning)
- Compliance framework preferences (GDPR, CCPA, TCF)
- Scan configuration options
Usage and Analytics Data
- Features accessed within the platform
- Scan history and results
- Administrative actions performed
2.2 Payment Information
We do not store credit card numbers or full payment details. Payment processing is handled by Stripe.
We store only:
- Customer identifiers from payment providers
- Subscription identifiers
- Plan associations
2.3 Website Visitor Information
When visitors interact with CookieFrame consent widgets on our customers' websites, we collect on behalf of the website owner:
- Hashed visitor identifier
- Consent preferences (categories accepted or rejected)
- TCF consent string (if TCF is enabled)
- Consent action type (accept all, reject all, customize)
- Browser user agent
- Country and region derived from IP address
- Page URL where consent was given
- Timestamp of consent
We do not use this visitor data for our own purposes. It is collected solely on behalf of and for the benefit of the website owner.
2.4 Cookie Scanning Data
When scanning customer websites, we detect and catalog:
- Cookie names, types, and providers
- Storage mechanisms (cookies, localStorage, sessionStorage)
- Cookie attributes (expiration, flags, domains)
- Third-party services and technologies
2.5 Communications Data
When you contact us, we collect:
- Name and email address
- Company name (if provided)
- Message content
- Submission timestamp
3. How We Use Your Information
3.1 Account Holder Data
We use account holder information to:
- Create and manage your account
- Authenticate your identity and secure your account
- Provide, maintain, and improve our services
- Process payments and manage subscriptions
- Send service-related communications (account verification, password resets, scan notifications)
- Provide customer support
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations
3.2 Website Visitor Data
Visitor consent data is processed exclusively to:
- Record and demonstrate consent for website owner compliance
- Enable website owners to respect visitor preferences
- Generate compliance reports and analytics for website owners
We do not sell, share, or use visitor data for advertising, profiling, or any purpose beyond providing the consent management service to our customers.
4. Legal Bases for Processing (GDPR)
For individuals in the European Economic Area, United Kingdom, and Switzerland, we process personal data based on the following legal grounds:
Performance of Contract (Article 6(1)(b))
- Account creation and management
- Service delivery and feature access
- Payment processing
- Customer support
Legitimate Interests (Article 6(1)(f))
- Security monitoring and fraud prevention
- Service improvement and analytics
- Maintaining audit logs
Legal Obligation (Article 6(1)(c))
- Tax and accounting requirements
- Responding to lawful requests from authorities
- Maintaining consent records for compliance
Consent (Article 6(1)(a))
- Marketing communications (where applicable)
- Optional data processing beyond core service delivery
For visitor consent data, we act as a data processor under Article 28 GDPR, processing data on behalf of website owners who serve as the data controller.
5. Your Rights Under GDPR
If you are located in the EEA, UK, or Switzerland, you have the following rights:
Right of Access (Article 15)
You may request a copy of the personal data we hold about you.
Right to Rectification (Article 16)
You may request correction of inaccurate or incomplete personal data.
Right to Erasure (Article 17)
You may request deletion of your personal data, subject to legal retention requirements.
Right to Restriction of Processing (Article 18)
You may request that we limit how we use your data in certain circumstances.
Right to Data Portability (Article 20)
You may request your data in a structured, commonly used, machine-readable format.
Right to Object (Article 21)
You may object to processing based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent (Article 7(3))
Where processing is based on consent, you may withdraw that consent at any time.
Right to Lodge a Complaint
You may file a complaint with your local supervisory authority.
To exercise these rights, contact us at privacy@cookieframe.com.
6. Your Rights Under CCPA and CPRA (California)
If you are a California resident, the California Consumer Privacy Act and California Privacy Rights Act provide you with specific rights:
Right to Know
You may request disclosure of the categories and specific pieces of personal information we have collected, the sources of collection, our business purposes, and categories of third parties with whom we share data.
Right to Delete
You may request deletion of personal information we have collected from you, subject to exceptions permitted by law.
Right to Correct
You may request correction of inaccurate personal information.
Right to Opt-Out of Sale or Sharing
We do not sell personal information as defined under CCPA/CPRA. We do not share personal information for cross-context behavioral advertising.
Right to Limit Use of Sensitive Personal Information
We do not collect sensitive personal information beyond what is necessary to provide our services.
Right to Non-Discrimination
We will not discriminate against you for exercising your privacy rights.
Categories of Personal Information Collected
- Identifiers (email address, name, account IDs)
- Internet activity (usage data, IP address, device information)
- Commercial information (subscription and payment records)
- Geolocation data (country and region for compliance determination)
How We Collect Personal Information
- Directly from you during registration and use
- Automatically through cookies and similar technologies
- From third-party authentication providers (Google)
Business Purposes for Collection
- Providing and improving our services
- Processing transactions
- Security and fraud prevention
- Legal compliance
To submit a request, email privacy@cookieframe.com or use the account settings in your dashboard. We will verify your identity before processing requests.
7. CalOPPA Disclosures (California Online Privacy Protection Act)
Do Not Track Signals
CookieFrame's consent widget supports the Do Not Track browser signal when enabled by website owners. When a visitor's browser sends a Do Not Track signal and this feature is enabled, the widget respects that preference.
Our main platform does not currently respond to Do Not Track signals for analytics purposes, as we do not engage in cross-site tracking.
Third-Party Tracking
We do not allow third parties to collect personal information about your online activities over time and across different websites when you use our services for their own advertising purposes.
8. Your Rights Under PIPEDA (Canada)
If you are a Canadian resident, the Personal Information Protection and Electronic Documents Act provides you with the following rights:
Access
You may request access to your personal information held by us and information about how it has been used and disclosed.
Correction
You may challenge the accuracy and completeness of your personal information and have it amended as appropriate.
Consent
We collect, use, and disclose personal information only with your knowledge and consent, except where permitted or required by law.
Limiting Collection
We limit the collection of personal information to what is necessary for the identified purposes.
Accountability
CookieFrame is responsible for personal information under our control. Contact our privacy officer at privacy@cookieframe.com.
9. Australian Privacy Principles
If you are an Australian resident, the Privacy Act 1988 and Australian Privacy Principles provide you with the following protections:
Collection (APP 3)
We collect personal information only when reasonably necessary for our functions and activities, and we do so by lawful and fair means.
Use and Disclosure (APP 6)
We use and disclose personal information only for the primary purpose for which it was collected, or a related secondary purpose you would reasonably expect.
Access and Correction (APP 12, 13)
You may request access to your personal information and request correction of any inaccurate, out-of-date, incomplete, irrelevant, or misleading information.
Overseas Disclosure (APP 8)
Your personal information may be transferred to countries outside Australia, including the United States and European Union, where our service providers operate. We take reasonable steps to ensure overseas recipients handle your information in accordance with Australian privacy law.
Complaints
You may complain to us about how we handle your personal information. If unsatisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC).
10. Cookies and Tracking Technologies
10.1 Cookies We Use
Essential Cookies
- Session authentication cookies
- Security tokens (CSRF protection)
- User preference cookies
Functional Cookies
- Theme preferences (light/dark mode)
- Language settings
Analytics Cookies
We use PostHog for analytics to understand how users interact with our platform. This helps us improve our services.
10.2 How to Manage Cookies
You can control cookies through your browser settings. Note that disabling essential cookies may affect your ability to use our services.
11. Data Sharing and Third Parties
11.1 Service Providers
We share personal information with service providers who assist in operating our business:
Hosting and Infrastructure
- Vercel (application hosting)
- Neon (database services)
- Hetzner (background processing)
- Cloudflare (content delivery and security)
Payment Processing
- Stripe
Email Services
- Resend (transactional email delivery)
Analytics
- PostHog (usage analytics)
Authentication
- Google (OAuth sign-in)
11.2 Legal Requirements
We may disclose personal information when required to:
- Comply with applicable laws or legal process
- Respond to lawful requests from government authorities
- Protect our rights, privacy, safety, or property
- Enforce our terms of service
11.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, personal information may be transferred to the acquiring entity.
12. International Data Transfers
CookieFrame operates globally. Your personal information may be transferred to and processed in countries other than your country of residence, including the United States.
For transfers from the EEA, UK, or Switzerland, we rely on:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions where applicable
- Other lawful transfer mechanisms
We ensure appropriate safeguards are in place to protect your personal information in accordance with this Privacy Policy and applicable law.
13. Data Retention
We retain personal information for as long as necessary to fulfill the purposes for which it was collected:
Account Data
Retained while your account is active and for a reasonable period thereafter to comply with legal obligations and resolve disputes.
Consent Logs (Visitor Data)
Retained according to the website owner's subscription plan:
- Free Plan: 30 days
- Starter Plan: 90 days
- Professional Plan: 365 days
- Enterprise Plan: 730 days
After the retention period, consent logs are automatically purged.
Audit Logs
Retained as required for security and compliance purposes.
Payment Records
Retained as required for tax, accounting, and legal purposes.
14. Data Security
We implement appropriate technical and organizational measures to protect personal information, including:
- Encryption of data in transit using TLS
- Secure database connections
- Password hashing using bcrypt
- Access controls and authentication
- Regular security assessments
- Incident response procedures
No method of transmission or storage is completely secure. While we strive to protect your personal information, we cannot guarantee absolute security.
15. Children's Privacy
CookieFrame is not directed at children under 16 years of age (or 13 in jurisdictions where that applies). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at privacy@cookieframe.com, and we will delete such information.
16. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms:
GDPR Jurisdictions
We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach and will notify affected individuals without undue delay where the breach is likely to result in high risk.
CCPA/CPRA
We will notify affected California residents in accordance with California Civil Code Section 1798.82.
Australian Privacy Act
We will notify the OAIC and affected individuals of eligible data breaches as required under the Notifiable Data Breaches scheme.
PIPEDA
We will report breaches to the Privacy Commissioner of Canada and notify affected individuals where the breach creates a real risk of significant harm.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes:
- We will update the "Last updated" date at the top of this policy
- We will notify you by email or through a notice on our website
- Continued use of our services after the effective date constitutes acceptance of the updated policy
We encourage you to review this Privacy Policy periodically.
18. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
CookieFrame
Email: privacy@cookieframe.com
Website: https://cookieframe.com/contact
We will respond to your inquiry within 30 days, or sooner where required by law.
19. Supplemental Notice for Specific Jurisdictions
19.1 Brazil (LGPD)
If you are a Brazilian resident, you have rights under the Lei Geral de Proteção de Dados, including the right to confirmation of processing, access, correction, anonymization, portability, deletion, and information about sharing. Contact us at privacy@cookieframe.com.
19.2 South Africa (POPIA)
If you are a South African resident, the Protection of Personal Information Act provides you with rights including access, correction, and deletion. You may lodge complaints with the Information Regulator.
19.3 Other Jurisdictions
We respect and comply with applicable privacy laws in jurisdictions where we operate. If your jurisdiction provides additional rights not explicitly covered above, please contact us to exercise those rights.
This Privacy Policy is provided in English. In the event of any conflict between translated versions and the English version, the English version shall prevail.