Privacy Policy

Last updated: 20 April 2026

1. Who we are

CookieOffice ("we", "us", "our") operates the consent management platform available at cookieoffice.com. We are the data controller for personal data you provide when creating an account or using our dashboard. For consent event data we collect on your behalf from your website visitors, we act as a data processor and you are the controller.

Contact: [email protected]

2. Data we collect and why

Category | Data | Lawful basis
Account | Email, name, hashed password | Contract (Art. 6(1)(b))
Billing | Payment method, invoices (handled by Stripe) | Contract · Legal obligation
Website config | Domain names, banner settings, API keys | Contract (Art. 6(1)(b))
Consent records | Hashed visitor ID, country, language, choice, timestamp | Legitimate interest (audit trail) · Your instructions
Usage analytics | Aggregated impression and session counts | Legitimate interest (Art. 6(1)(f))
Support | Messages you send us by email | Legitimate interest (Art. 6(1)(f))

We never store raw IP addresses. Visitor IPs are one-way hashed (SHA-256 + salt) at the point of ingestion and the original value is immediately discarded.

3. How we use your data

  • Providing and operating the CookieOffice dashboard and SDK
  • Processing payments and sending invoices
  • Sending transactional emails (account creation, password reset, billing alerts)
  • Storing consent audit logs on your behalf in accordance with your plan
  • Detecting abuse, fraud, or violations of our Terms of Service
  • Improving the platform through aggregated, anonymised usage data

We do not sell, rent, or share your personal data with third parties for marketing purposes.

4. Data processors and sub-processors

We use a limited number of trusted sub-processors to deliver the service:

Processor | Purpose | Location
Stripe | Payment processing | US (SCCs)
Cloudflare | CDN, DDoS protection, edge caching of SDK | Global (SCCs)
PostgreSQL host | Primary database | EU

SCCs = Standard Contractual Clauses (EU Commission Decision 2021/914).

5. Data retention

  • Consent event logs: retained for the period defined by your plan — 30 days (Free), 90 days (Basic), 365 days (Pro) — then automatically deleted.
  • Account data: retained while your account is active. After account deletion, data is removed within 30 days unless we are required to keep it for legal or tax purposes.
  • Billing records: retained for 7 years as required by applicable tax law.

6. Your rights (EEA and UK)

Under GDPR (and UK GDPR) you have the following rights regarding your personal data:

  • Access (Art. 15): request a copy of the data we hold about you.
  • Rectification (Art. 16): correct inaccurate data.
  • Erasure (Art. 17): request deletion, subject to legal retention obligations.
  • Restriction (Art. 18): restrict processing in certain circumstances.
  • Portability (Art. 20): receive your data in a structured, machine-readable format.
  • Object (Art. 21): object to processing based on legitimate interests.
  • Withdraw consent: where processing is based on consent, withdraw at any time.

To exercise any right, email [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.

7. Security

We implement appropriate technical and organisational measures including TLS encryption in transit, bcrypt-hashed passwords, hashed visitor identifiers, database access controls, and regular security reviews. No system is perfectly secure — if you discover a vulnerability, please disclose it responsibly to [email protected].

8. Cookies on this website

Our marketing website and dashboard use a small number of strictly necessary cookies for authentication and security. We do not place advertising or third-party tracking cookies on our own properties without your consent. See our Cookie Policy for the full list.

9. Data processing agreement

When you use CookieOffice to record consent decisions from your website visitors, you are the data controller and we act as your data processor under Art. 28 GDPR. Our data processing terms are incorporated into our Terms of Service and govern how we handle visitor data on your behalf.

10. Changes to this policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes by email at least 14 days before they take effect. The "last updated" date at the top of this page reflects the most recent revision.

11. Contact

Questions or concerns about this policy? Contact us at [email protected].