Summary of Key Points
- ConsentStack LLC is a consent management platform based in Laguna Hills, California.
- This Privacy Policy covers data we collect as a controller — when you visit our website, use our dashboard, subscribe to our newsletter, or contact us.
- Data we process on behalf of our customers through the ConsentStack platform (such as SDK consent logs and end-user data) is governed by our Data Processing Agreement (DPA), not this policy.
- We do not sell your personal information.
- We do not use your data to train AI or machine learning models.
- You can manage your cookie preferences at any time using the consent banner on our website.
- You have rights over your personal data — see Section 8 and the Regional Disclosures in Section 11.
1. Introduction and Scope
This Privacy Policy explains how ConsentStack LLC ("ConsentStack," "we," "us," or "our") collects, uses, shares, and protects personal information when you:
- Visit our website at consentstack.io
- Use the ConsentStack dashboard
- Subscribe to our newsletter
- Submit a contact form
- Otherwise interact with us
What this policy does not cover: Data processed through the ConsentStack platform on behalf of our customers — including consent decisions collected by our SDK on customer websites — is handled in our capacity as a data processor. That processing is governed by our Data Processing Agreement (DPA), available upon request or as part of your service agreement. This Privacy Policy applies only to data we collect and control directly.
ConsentStack LLC is the data controller for the personal information described in this policy.
ConsentStack LLC
23046 Avenida De La Carlota Suite #600
Laguna Hills, California, USA
2. Information We Collect
Information You Provide Directly
- Account registration: Your name, email address, and company or team name when you create an account.
- Billing information: Payment processing is handled by Stripe. We do not store your credit card details directly. Stripe provides us with subscription status and billing metadata.
- Contact form: Your name, email address, and message when you submit our contact form.
- Newsletter: Your email address when you subscribe to our newsletter.
- Site configuration: Domain names and consent banner settings you configure in the dashboard.
Information Collected Automatically
- Device and browser information: Browser type and version, operating system, screen resolution, and device type.
- IP address: Used for security, rate limiting, and to determine your approximate geographic location (country and region/state) for regulatory compliance purposes.
- Usage data: Pages visited, time spent on pages, referrer URLs, and click paths.
- Cookies: We use a theme preference cookie (named "theme", stored for 1 year, containing your light/dark/system choice) and Supabase session cookies for authentication. See Section 5 for details.
- Analytics: Page views and performance metrics collected via Vercel Analytics and Vercel Speed Insights.
- Consent interaction data: When you interact with the ConsentStack consent banner on our own website, we collect a pseudonymized visitor identifier (SHA-256 hashed, not personally identifiable), your consent choices by category, interaction type, time to respond, banner position, page URL, browser/OS/device type, and language.
- Future tracking tools (managed by our consent banner): Google Analytics, Microsoft Clarity, and marketing pixels from providers such as Meta and TikTok. These will only be activated with your consent.
Information from Third Parties
- Google OAuth: If you sign in with Google, we receive your name, email address, and profile picture from Google.
- Stripe: We receive payment status information (subscription state, plan details) from Stripe. We do not receive your credit card number.
3. How We Use Your Information
We use your personal information for the following purposes:
- Provide and maintain our services — Account management, dashboard access, and consent configuration. Legal basis (GDPR): Contract performance.
- Process payments — Billing, invoices, and subscription management via Stripe. Legal basis: Contract performance.
- Communicate with you — Responding to support requests, sending service notifications, usage alerts, and payment notifications. Legal basis: Contract performance and Legitimate interest.
- Send marketing communications — Product updates and newsletters. You can unsubscribe at any time. Legal basis: Consent.
- Improve our services — Usage analytics and performance monitoring to understand how our products are used. Legal basis: Legitimate interest.
- Translate content — Automatically translating consent banner content into multiple languages via DeepL on behalf of dashboard users. Legal basis: Contract performance.
- Determine applicable privacy regulations — Using your approximate geographic location (derived from IP address) to apply the correct consent model for your jurisdiction. Legal basis: Legal obligation and Legitimate interest.
- Ensure security — Fraud prevention, rate limiting, and abuse detection to protect our services and users. Legal basis: Legitimate interest.
- Comply with legal obligations — Maintaining tax records, responding to legal proceedings, and fulfilling regulatory requirements. Legal basis: Legal obligation.
What We Do Not Do
- We do not sell your personal information for monetary consideration.
- We do not use your data to train AI or machine learning models.
- We do not build advertising profiles from your data.
- Marketing pixels on our website may constitute "sharing" of personal information under California law (CCPA/CPRA). You can opt out of this sharing at any time via our consent banner.
4. How We Share Your Information
Service Providers
We share personal information with the following service providers who help us operate our business:
- Supabase — Database hosting and authentication.
- Stripe — Payment processing and subscription billing.
- Resend — Transactional email delivery (support responses, notifications, invitations).
- Cloudflare — Content delivery network, SDK delivery, DDoS protection, and rate limiting.
- Vercel — Website and dashboard hosting.
- Sanity — Content management for our marketing site. Sanity serves content only and does not receive user personal data.
- DeepL — Content translation for multi-language consent banners.
- Google Analytics — Website analytics (planned).
- Microsoft Clarity — Session recording and heatmaps (planned).
Planned services are noted as such and will be added when activated. Additional pixel providers (such as Meta and TikTok) will be added to this list when implemented.
Other Disclosures
- Legal requirements: We may disclose your information in response to court orders, subpoenas, or law enforcement requests. We will notify you before disclosing your information unless we are legally prohibited from doing so.
- Business transfers: In the event of a merger, acquisition, or sale of assets, your personal information may be transferred to the acquiring entity. We will notify you before any such transfer takes effect.
- With your consent: We may share your information in ways not described above with your explicit consent.
We never sell personal information for monetary consideration and we do not share data with data brokers.
5. Cookies and Tracking Technologies
We use cookies and similar technologies on our website.
Essential cookies are required for our website to function. These include Supabase session cookies for authentication and a theme preference cookie ("theme") that stores your light/dark/system display choice for one year.
Analytics and performance tools including Vercel Analytics and Vercel Speed Insights help us understand page performance and usage patterns. Google Analytics and Microsoft Clarity are planned additions.
Marketing pixels from providers such as Meta and TikTok are planned. These will only be activated with your consent.
We use ConsentStack's own consent management tool on this website. You can manage your cookie preferences at any time by clicking the cookie preferences link in our website footer.
For a detailed list of cookies used on our website, please see our Cookie Declaration page.
6. Data Retention
We retain your personal information only as long as necessary for the purposes described in this policy.
- Account and billing data — Retained for 5 years after account closure to comply with tax and legal requirements.
- Site configuration data — Deleted when you delete your site or close your account.
- Newsletter subscriptions — Retained in our database until you unsubscribe.
- Contact form submissions — Forwarded to our support team via email (Resend). We do not maintain a separate database of contact form submissions. Resend may retain delivery logs in accordance with their own privacy policy.
- Analytics data — Retained according to the default retention periods of each analytics tool (Vercel Analytics, Google Analytics, Microsoft Clarity).
- Cookies — Session cookies expire when you log out. The theme preference cookie expires after one year.
When data is no longer needed, it is deleted or anonymized.
7. Data Security
We take the security of your personal information seriously and implement industry-standard measures to protect it:
- Encryption in transit (HTTPS/TLS) and at rest
- Authentication via secure session tokens with automatic refresh
- Row-level security policies on database tables
- Rate limiting at the CDN edge to prevent abuse
- Payment card data handled entirely by Stripe — we never see or store card numbers
- Access to production systems restricted to authorized personnel
No method of transmission or electronic storage is 100% secure. While we cannot guarantee absolute security, we are committed to protecting your data using commercially reasonable measures.
As we grow, we will pursue relevant security certifications and update this section accordingly.
8. Your Privacy Rights
Regardless of where you are located, you can:
- Access the personal data we hold about you
- Correct inaccurate personal data
- Delete your account and associated data (available in the dashboard under account settings)
- Export your data
- Opt out of marketing emails using the unsubscribe link included in every email
- Manage cookie preferences via the consent banner on our website
How to Exercise Your Rights
- Email: [email protected]
- In-app: Account deletion and data management are available in dashboard settings
We will respond to your request within 30 days (for requests under GDPR) or 45 days (for requests under CCPA/CPRA). If we need additional time, we will notify you.
We may need to verify your identity before processing your request. If you have an account, we will ask you to authenticate via your existing login. If you do not have an account, we may ask for information to match against our records.
Additional rights specific to your jurisdiction are described in Section 11 below.
9. International Data Transfers
ConsentStack is based in the United States. Your personal information is processed and stored in the United States through our service providers, including Supabase, Vercel, Cloudflare, and Stripe.
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your data is transferred to the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission as our primary transfer mechanism to ensure adequate protection of your data.
We intend to pursue EU-US Data Privacy Framework (DPF) certification and will update this section when that certification is obtained.
10. Children's Privacy
ConsentStack is a business-to-business service and is not directed at children under the age of 16 (in the EU) or 13 (in the US). We do not knowingly collect personal information from children. If we discover that we have inadvertently collected personal information from a child, we will delete it promptly. Parents or guardians who believe their child may have provided us with personal information can contact us at [email protected].
11. Regional Disclosures
The following sections provide additional information required by specific privacy laws. Please refer to the section that applies to your jurisdiction.
11.1 European Economic Area (EEA) and European Union
Data controller: ConsentStack LLC, 23046 Avenida De La Carlota Suite #600, Laguna Hills, California, USA.
Legal bases for processing: We process your personal data based on the legal bases described in Section 3 of this policy, including contract performance, legitimate interest, consent, and legal obligation.
Your additional rights under GDPR: In addition to the rights described in Section 8, you have the right to:
- Restrict processing of your personal data in certain circumstances
- Data portability — receive your personal data in a structured, commonly used, machine-readable format
- Object to processing based on legitimate interests
- Withdraw consent at any time for processing based on consent, without affecting the lawfulness of prior processing
- Lodge a complaint with your local data protection supervisory authority
EU representative: We are in the process of appointing a formal EU representative under Article 27 of the GDPR and will update this section when complete. For EU/EEA inquiries, contact [email protected].
Data transfers: We rely on Standard Contractual Clauses (SCCs) for transfers of personal data from the EEA to the United States. EU-US Data Privacy Framework certification is planned.
11.2 United Kingdom
Your rights under the UK General Data Protection Regulation (UK GDPR) mirror those described in Section 11.1 for the EEA, adapted to UK law.
UK representative: We are in the process of appointing a formal UK representative and will update this section when complete. For UK inquiries, contact [email protected].
Supervisory authority: You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
Data transfers: We rely on the UK International Data Transfer Agreement (UK IDTA) and Standard Contractual Clauses for transfers from the UK to the United States.
11.3 Switzerland
We comply with the Swiss Federal Act on Data Protection (FADP). Your rights under Swiss law are similar to those described in Section 11.1 for the EEA. We rely on Standard Contractual Clauses for data transfers from Switzerland to the United States.
For inquiries, contact [email protected].
11.4 United States — California (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with specific rights regarding your personal information.
Categories of personal information we collect:
- Identifiers (name, email address, IP address, account ID)
- Commercial information (subscription and billing records)
- Internet or electronic network activity (browsing history, usage data, interactions with our website)
- Geolocation data (approximate location derived from IP address)
- Professional or employment-related information (company name)
We do not sell personal information for monetary consideration. Marketing pixels on our website may constitute "sharing" of personal information as defined under the CCPA. You can opt out of this sharing at any time using our consent banner.
Your California rights:
- Right to know what personal information we collect, use, and disclose
- Right to delete your personal information
- Right to correct inaccurate personal information
- Right to opt out of sharing for cross-context behavioral advertising
- Right to non-discrimination for exercising your privacy rights
Authorized agents: You may designate an authorized agent to make a request on your behalf. We may require verification that you authorized the agent to act for you.
Response time: We will respond to verifiable requests within 45 days. If we need more time, we will notify you and may take up to 90 days total.
To exercise your rights, contact us at [email protected].
11.5 United States — Other State Privacy Laws
Residents of states with comprehensive privacy laws — including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Delaware, Florida, Nebraska, New Hampshire, New Jersey, Kentucky, Minnesota, Maryland, and Rhode Island — have similar rights to access, correct, delete, and opt out of the processing of their personal data.
To exercise your rights under any of these laws, contact us at [email protected].
11.6 Brazil (LGPD)
If you are located in Brazil, the Lei Geral de Proteção de Dados (LGPD) provides you with specific rights regarding your personal data.
Legal bases for processing: We process your personal data based on contract performance, legitimate interest, consent, and legal obligation, as described in Section 3.
Your rights under the LGPD:
- Confirmation of the existence of processing
- Access to your data
- Correction of incomplete, inaccurate, or outdated data
- Anonymization, blocking, or deletion of unnecessary or excessive data
- Data portability
- Deletion of data processed with your consent
- Information about public and private entities with which we share your data
- Information about the possibility of denying consent and the consequences
- Withdrawal of consent
To exercise your rights, contact us at [email protected].
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements.
- Material changes: We will notify you via email (if you have an account) and post a prominent notice on our website before the changes take effect.
- Non-material changes: We will update this page with a new "Last updated" date.
Your continued use of our services after any changes take effect constitutes your acceptance of the updated policy. Previous versions of this policy are available upon request.
13. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us:
ConsentStack LLC
23046 Avenida De La Carlota Suite #600
Laguna Hills, California, USA
Privacy contact: [email protected]
Data Protection Officer: [email protected]
EU representative: Details to be announced. For EU/EEA inquiries, contact [email protected].
UK representative: Details to be announced. For UK inquiries, contact [email protected].
If you are located in the EEA or UK, you have the right to lodge a complaint with your local data protection supervisory authority.