ConsentPixel – Privacy · Verified

Founding document · Version 1.0 · May 2026

We sell trust.
We must earn it first.

This is ConsentPixel — Privacy · Verified's Trust Charter. It is not a marketing document. It is not aspirational language. It is a set of binding principles that govern every product decision, every data handling choice, and every business relationship we enter into.

Document: Trust Charter
Version: 1.0
Published: May 2026
Next review: May 2027
Status: ● Active

Preamble

ConsentPixel — Privacy · Verified exists because the web has a trust problem. Millions of websites collect, share, and monetise visitor data without meaningful consent. Visitors have no idea what is happening. Website owners often do not know either.

We built ConsentPixel — Privacy · Verified to fix this — for website owners who want to do the right thing, for visitors who deserve to be treated with respect, and for a web that works better when people trust the platforms they use.

But a product that claims to protect privacy and consent must itself be held to the highest standard. It would be deeply hypocritical — and commercially fatal — for ConsentPixel — Privacy · Verified to violate the same principles it helps others uphold. This document is the written record of our commitments.

Who this document is for
Website owners considering ConsentPixel — Privacy · Verified
Agency partners who will white-label this product
Privacy attorneys considering a partnership
Enterprise clients conducting vendor due diligence
Future team members and contractors
Any investor, acquirer, or partner
Part I

Product Constitution

The Product Constitution defines the non-negotiable principles that govern what ConsentPixel — Privacy · Verified builds, how it behaves, and what it will never do. Each principle is stated as an absolute. There are no exceptions, no carve-outs, and no circumstances under which these principles can be suspended.

01
Privacy First
"ConsentPixel will always make the privacy-protective choice when any product decision involves a trade-off between user privacy and commercial benefit."
Every feature we build, every default we set, every configuration option we offer must default to the most protective position. Clients can choose to be less protective — that is their right and their responsibility. But ConsentPixel — Privacy · Verified will never design a product that nudges, pressures, or defaults towards privacy-invasive outcomes.
02
No Dark Patterns
"ConsentPixel will never implement, enable, or encourage dark patterns in consent UI — in our own product or in the tools we provide to clients."
Dark patterns in consent management include: pre-ticked consent boxes, accept buttons larger or more prominent than reject buttons, reject options buried in sub-menus, confusing language designed to obscure what is being consented to, and consent fatigue tactics. We will not build any of these. We will not offer them as configuration options. If a client attempts to configure their banner in a way that creates a dark pattern, the product will warn them and refuse to allow it.
03
Consent Data Is Sacred
"Visitor consent data collected through ConsentPixel belongs to the website owner and the visitor. ConsentPixel will never use, analyse, sell, or monetise this data for any purpose other than delivering the service."
The consent logs stored in ConsentPixel — Privacy · Verified contain records of real people making real decisions about their privacy. These records exist for one purpose: to give website owners a legally defensible audit trail. We will never sell consent data. We will never share it with third parties. We will never use aggregate consent data to make money in any form other than the subscription the client is already paying. This is an absolute commitment and it will never change.
04
Honest Compliance
"ConsentPixel will only claim a site is compliant when it actually is. We will never inflate compliance scores, soften risk ratings, or present a site as more compliant than it genuinely is."
The temptation will exist — from clients who want a clean report, from the desire to reduce support volume, from competitive pressure — to soften findings. We will resist this in every form. If a site has a Critical CIPA risk, the report will say Critical. If a regulation changes and a previously compliant site is no longer compliant, the client will be told immediately.
05
Radical Transparency
"ConsentPixel will be transparent about what it does, what it cannot do, and what clients need to know — even when that transparency is commercially inconvenient."
This means: we will always clearly state that our tool provides compliance infrastructure but not legal advice. We will clearly disclose all sub-processors who handle client data. We will publish our own privacy practices openly. When we make mistakes — and we will — we will disclose them promptly and completely. Our privacy policy will be written in plain English, not designed to be unreadable.
06
Tool, Not Advisor
"ConsentPixel is a compliance tool, not a legal advisor. We will never present our outputs as legal advice or allow clients to believe that using ConsentPixel is a substitute for qualified legal counsel."
Every scan report, every compliance certificate, every generated privacy policy will carry a clear statement that it is produced by automated software and does not constitute legal advice. We will actively encourage clients to work with qualified privacy attorneys for their specific legal situations. The moment we allow a client to believe that our $8.99/month tool is all the legal protection they need, we have failed them.
07
No Competitor Manipulation
"ConsentPixel will never use its position as a consent layer to disadvantage competitor products, inflate consent rates for preferred vendors, or manipulate the data collection of any specific third party."
Our script blocker must be genuinely neutral. It blocks trackers based on objective categorisation against our tracker database — not based on whether the tracker company is a competitor, partner, or preferred vendor. Google Analytics, Meta Pixel, HubSpot, and every other tracker will be treated identically according to category rules. Any partner arrangement will be disclosed publicly.
08
Client Data Ownership
"Clients own their data. ConsentPixel is a custodian, not an owner. Clients can access, export, and delete their data at any time."
Every piece of data a client generates through ConsentPixel — Privacy · Verified belongs to the client. On cancellation, clients have 60 days to export everything before it is permanently deleted. We will never hold data hostage to prevent cancellation. We will never make data export technically difficult to reduce churn. One-click full data export in standard formats (CSV, JSON) from day one of the product.
09
Security Is Not Optional
"Visitor consent data is sensitive personal information. ConsentPixel will maintain security standards that are appropriate for the sensitivity of the data it holds, without exception."
We commit to: encrypting all data in transit and at rest, never storing raw IP addresses, using SHA-256 hashing with salt for all visitor identifiers, maintaining access controls that follow least-privilege principles, conducting regular security reviews, disclosing security incidents to affected clients within 72 hours of discovery, and co-operating fully with any regulatory investigation.
10
Mission Over Growth
"ConsentPixel will not pursue growth strategies that compromise the privacy mission of the product."
Potential growth strategies that are prohibited under this principle include: partnering with ad tech companies in ways that create conflicts of interest in our blocking logic; accepting investment from data brokers or surveillance technology companies; building features whose primary purpose is to increase ad revenue for clients at the expense of visitor privacy. Growth that undermines the mission is not growth worth having.
Part II

The Never / Always List

These commitments are stated as absolute rules rather than principles because absolute rules are harder to rationalise away under pressure. Every person who works on ConsentPixel — Privacy · Verified in any capacity is bound by these commitments.

ConsentPixel will NEVER
🚫 Sell, share, rent, license, or otherwise transfer visitor consent data to any third party for any commercial purpose.
🚫 Use aggregate consent data to generate revenue beyond the client subscription fee — no data products, no behavioural analytics sold to marketers.
🚫 Implement a dark pattern in the banner builder — no pre-ticked boxes, no buried reject options, no manipulative visual hierarchies, no consent fatigue mechanics.
🚫 Store raw IP addresses, device fingerprints, or any unmasked personally identifiable information about website visitors.
🚫 Soften, inflate, or misrepresent a compliance assessment to make a client site appear more compliant than it actually is.
🚫 Allow any partner, investor, or commercial relationship to influence the objective categorisation of trackers in the blocking database.
🚫 Present ConsentPixel outputs as legal advice or allow clients to reasonably believe our tool substitutes for qualified legal counsel.
🚫 Make client data export technically difficult, restricted, or conditional on anything other than authentication. Data export is always free and unrestricted.
🚫 Accept investment from or enter into commercial partnerships with data brokers, surveillance technology companies, or ad tech companies whose business model conflicts with visitor privacy.
🚫 Delay disclosure of a security incident to affected clients beyond 72 hours of confirmed discovery.
🚫 Scan more than 5 pages of any prospect or client site without explicit permission, and never scan login-protected, staging, or private pages.
🚫 Continue scanning a domain after its owner has requested removal via the opt-out page.
ConsentPixel will ALWAYS
Default all consent banner configurations to the most privacy-protective settings. Clients must actively choose to be less protective — the default is never permissive.
Disclose the full list of sub-processors who handle client data, updated within 30 days of any change, on a publicly accessible page.
Provide clients with a full export of their data in machine-readable format within 48 hours of request.
Delete all client data permanently within 60 days of subscription cancellation, following a 30-day warning period during which export remains available.
Honour Global Privacy Control (GPC) signals for visitors to consentpixel.com itself — we practise what we preach.
Display a compliant ConsentPixel — Privacy · Verified consent banner on consentpixel.com — we are our own first client and most visible example.
Write our own privacy policy, cookie policy, and terms of service in plain English — accessible to a non-lawyer without requiring legal training to understand.
Label every scan report, compliance assessment, and generated document with a clear statement that it is produced by automated software and does not constitute legal advice.
Maintain an incident response plan and test it annually. Clients will be notified of any breach affecting their data within 72 hours of discovery.
Respond to data subject access requests (DSARs) received about ConsentPixel's own data processing within the legally required timeframes.
Make this Trust Charter publicly accessible on the ConsentPixel website. It is not a confidential document. We stand behind it publicly.
Part III

Compliance Charter

The Compliance Charter defines how ConsentPixel — Privacy · Verified itself complies with privacy regulations in its own operations. ConsentPixel operates simultaneously as a data processor (on behalf of clients) and as a data controller (for its own users and website visitors).

Data Controller
ConsentPixel's own users
ConsentPixel makes its own decisions about how it handles the data of its portal users, website visitors, and prospects.
Data Processor
Visitor consent log data
ConsentPixel processes visitor consent log data strictly on behalf of its clients, following their instructions and for no other purpose.

3.1 — Data ConsentPixel collects about its own users

| Data category | Specific data | Purpose | Legal basis | Retention |
|---|---|---|---|---|
| Account data | Name, email, organisation name, billing address | Account creation, billing, service delivery | Contract performance | Subscription + 7 years |
| Authentication data | Hashed password, session tokens, MFA status | Secure account access | Contract performance | Duration of subscription |
| Usage data | Portal page views, feature usage, scan triggers | Product improvement, support | Legitimate interest | 12 months rolling |
| Billing data | Stripe customer ID, last 4 digits of card, billing history | Payment processing | Contract performance | 7 years (tax) |
| Support data | Support tickets, email correspondence | Customer support | Contract performance | 3 years after closure |
| Communication preferences | Email opt-in/out status, notification preferences | Sending agreed communications | Consent | Until opt-out |

3.2 — Data ConsentPixel processes on behalf of clients

| Data type | How stored | Default retention | Client can change? |
|---|---|---|---|
| Visitor consent decisions | Hashed visitor ID + decision JSON + timestamp + regulation + geo code | 3 years | No — minimum for legal audit |
| Passive scan telemetry | Tracker domains, category, firing status — no visitor PII | 12 months | Yes — can be reduced |
| Banner interaction data | Banner version shown, time to decision, category selections | 3 years | No — required for audit trail |
| Active scan results | Page URLs scanned, tracker inventory, cookie list, risk score | 24 months | Yes — can be reduced |
| Generated documents | Privacy policy HTML, T&C content, cookie policy | Indefinite while subscribed | Yes — client can delete any time |

✅ What ConsentPixel — Privacy · Verified never stores about visitors
🚫 Raw IP addresses in any form
🚫 Full device fingerprints
🚫 Names, emails, phone numbers, or directly identifying information
🚫 Browsing history outside the visited page
🚫 The actual content of form submissions
🚫 Any data not necessary for recording the consent decision

3.3 — Sub-Processors

All sub-processors are bound by data processing agreements. This list is updated within 30 days of any change. Clients are notified of material changes at privacy@consentpixel.com.

| Sub-processor | Purpose | Processes | Country | Client data? |
|---|---|---|---|---|
| Cloudflare (Workers, KV, R2) | Pixel CDN, edge config serving, file storage | Configs, reports, edge routing | USA (global) | Yes |
| Railway | Backend API compute, scanner workers | All app data in transit | USA | Yes |
| Vercel | Portal and admin panel hosting | Session data only | USA | Limited |
| Supabase (PostgreSQL) | Primary database — consent logs, configs, scan results | All consent logs and configs | USA (EU available) | Yes |
| Upstash | Redis cache and BullMQ job queue | Cached configs and job state | USA (global) | Limited |
| Resend | Transactional email delivery | Client email addresses | USA | Limited |
| Twilio | SMS alert delivery | Client phone numbers | USA | Limited |
| Stripe | Payment processing | Billing data only | USA | Limited |

3.4 — Data Subject Rights

| Right | Applies to | How to exercise | Response timeframe |
|---|---|---|---|
| Right of access (GDPR Art. 15 / CCPA) | Portal users, prospects | Email privacy@consentpixel.com or portal settings | 30 days (GDPR) / 45 days (CCPA) |
| Right to erasure / deletion | Portal users, prospects | Portal settings or privacy@consentpixel.com | 30 days confirm, deleted within 60 days |
| Right to data portability | Portal users | One-click export in portal settings — CSV and JSON | Immediate (automated) |
| Right to rectification | Portal users | Edit in portal settings or contact support | 5 business days |
| Right to object | Prospects in outbound database | Unsubscribe link in any email or privacy@consentpixel.com | Immediate suppression |
| Opt-out of sale/sharing (CCPA) | All California residents | GPC signal honoured automatically; manual opt-out at /privacy | Immediate |

3.7 — Security Standards

Encryption
TLS 1.3 enforced at Cloudflare edge. AES-256 for database and file storage at rest. SHA-256 with per-site salt for all visitor identifiers. Raw IPs never stored.
Access control
Least-privilege RBAC across all internal systems. Cloudflare Zero Trust for internal tooling. No secrets stored in source control — 1Password Teams for secrets management.
Incident response
72-hour client notification SLA from confirmed discovery. Written incident response plan, tested annually. All data access events logged to immutable audit log retained 12 months.
Penetration testing
Annual third-party penetration test required before IAB TCF CMP certification. GitHub Dependabot for automated dependency vulnerability alerts.

3.8 — Our Own Tracking Practices

Our commitment on our own tracking

ConsentPixel — Privacy · Verified does not use Google Analytics, Meta Pixel, any session replay tool, any ad retargeting pixel, or any cross-site tracking technology on consentpixel.com. We use Plausible Analytics — a privacy-first tool that processes no personal data and sets no cookies. We are our own most visible demonstration of the practices we advocate.

| Cookie / tracker | Category | Purpose | Retention | Consent required? |
|---|---|---|---|---|
| __cp_session | Functional | Portal authentication session | 24 hours | No — strictly necessary |
| __cp_consent | Functional | Stores visitor consent decision | 12 months | No — strictly necessary |
| Plausible Analytics | Analytics | Privacy-first cookieless analytics — no PII, no cross-site tracking, IP anonymised | No cookie set | No — no personal data collected |
| Stripe.js | Functional | Payment form security and fraud prevention | Session | No — strictly necessary for payment |
| Intercom (if enabled) | Support | Customer support chat widget | 9 months | Yes — consent required |

Part IV

Partnership & Relationship Standards

Every partner, agency, investor, and advisor who works with ConsentPixel — Privacy · Verified enters into a relationship governed by the principles in this charter.

4.1 — Agency Partners
May not represent automated assessments as legal advice to their clients.
May not configure client banners in ways that use dark patterns, even if a client requests it.
Must ensure clients understand ConsentPixel holds their visitor consent data and must be disclosed in the client's own privacy policy.
Must not suppress compliance alert notifications from their clients.
May not imply the product was built in-house if directly asked by a client.
4.2 — Attorney Partners
Must maintain their own independent professional judgement at all times.
Legal reviews must clearly identify the attorney's involvement and credentials.
Must disclose the partnership to clients when recommending ConsentPixel.
May not use scan data to approach non-client site owners for legal solicitation without prior consent.
Attorney-client privilege remains entirely in the attorney's domain — ConsentPixel has no access to privileged communications.
4.3 — Investors & Acquirers
! The ten principles of the Product Constitution survive any investment, acquisition, or change of control.
! No investor may require ConsentPixel to violate the Never / Always commitments in Part II.
! In an acquisition, this Trust Charter must be publicly maintained for a minimum of five years post-acquisition.
! Client data may not be used as an acquisition asset if transferred to a data broker or ad tech company.
! Material changes require 90 days advance notice to clients, with the option to export and delete before changes take effect.
4.4 — Outbound Prospecting Standards
Only publicly accessible pages are scanned — never login-protected, staging, beta, or private pages.
No more than five pages per domain scanned in any prospecting context.
All outbound emails include a clear and functional one-click unsubscribe mechanism.
Any domain whose owner has submitted an opt-out via consentpixel.com/no-scan is permanently suppressed from future scanning and outreach.
CAN-SPAM, CASL, and GDPR requirements for commercial email are followed in all jurisdictions.
Part V

Governance, Review & Enforcement

This Trust Charter is a founding document. It takes precedence over any commercial agreement, investor request, partner pressure, or internal decision that conflicts with its principles. No person — including the founder — has the authority to suspend or override this Charter unilaterally.

5.2 — Decision Evaluation Framework

When any product decision, partnership, feature request, or business opportunity is being evaluated, the following questions must be answered before proceeding:

Does this decision comply with all ten principles of the Product Constitution?
If NO → The decision cannot proceed. Find an alternative approach.
Does this decision avoid all items on the Never list?
If NO → The decision cannot proceed under any circumstances.
Does this decision maintain or strengthen the Always commitments?
If it weakens an Always commitment → it requires the full Charter amendment process.
Would we be comfortable disclosing this decision publicly on our website?
If NO → Treat as a signal of conflict with the transparency principle. Re-evaluate.
Would our clients trust us more or less if they knew about this decision?
If less → Stop. The trust cost is always higher than the short-term commercial benefit.

5.3 — Annual Charter Review

This Charter is reviewed every May, aligned with the founding date. The review considers whether regulatory changes require updating compliance commitments, whether the sub-processor list is current, whether security controls remain adequate, whether any product developments have created tension with any principle, and whether new risks require additions to the Never / Always list.

May 2026
Version 1.0 — Founding document published
Initial Trust Charter published as a founding document. All 10 principles, Never/Always list, Compliance Charter, and Governance framework active.
May 2027
Version 2.0 — First annual review
Scheduled review. Any changes will be published with 90 days advance notice and full public rationale.
⚠ Charter amendment process

Changes to this document require: a written rationale explaining why the change is necessary; a 90-day notice period before the change takes effect; public disclosure of the change and rationale on the ConsentPixel website; and advance notification to all existing clients. No change can be made unilaterally by any individual.

5.5 — Relationship to Legal Obligations

This Charter supplements — and in many areas exceeds — ConsentPixel's legal obligations under applicable privacy law. Where applicable law requires less than this Charter commits to, this Charter governs. Where applicable law requires more, the law governs and this Charter will be updated at the next review to reflect the higher standard.

Report a concern

Any concern — reported in good faith — will be investigated.

Any client, partner, employee, contractor, or member of the public who believes ConsentPixel — Privacy · Verified is acting in violation of this Charter may report it to the channels below. Reports made in good faith will be investigated and responded to.

🛡
General Trust Concerns
trust@consentpixel.com
Reviewed by founder within 5 business days
🔒
GDPR / Privacy Concerns
privacy@consentpixel.com
Response within 30 days (GDPR)
🚨
Security Incidents
security@consentpixel.com
Reviewed within 24 hours — always
Founding Commitment
"ConsentPixel was built on a simple belief:
the web is better when people trust the tools they use."

This Charter is how we earn that trust — and keep it.

Public document · consentpixel.com/trust-charter

Frequently asked questions

Common questions answered

What is the Trust Charter and is it legally binding?
The Trust Charter is ConsentPixel's founding document — a public, binding set of commitments that governs every product decision, data handling choice, and business relationship. It is not aspirational marketing language. It takes precedence over any commercial agreement, investor request, or partner pressure. The 10 Product Constitution principles, the Never/Always list, and the Compliance Charter are all operative commitments that cannot be suspended or overridden unilaterally — including by the founder.
Does ConsentPixel sell or share visitor consent data?
Never — this is Principle 3 of the Product Constitution ('Consent Data Is Sacred') and item 1 of the Never list. Visitor consent logs belong to the website owner and the visitor. ConsentPixel holds them as a processor on the client's behalf and will never use, analyse, sell, monetise, or share that data for any purpose other than delivering the service. This commitment survives any acquisition, investment, or change of control.
Does ConsentPixel use session replay or Google Analytics on its own website?
No. We practise what we preach. ConsentPixel.com uses Plausible Analytics — a privacy-first, cookieless tool that collects no personal data. We do not run Google Analytics, Meta Pixel, any session replay tool (Hotjar, FullStory, Clarity), or any advertising tracking pixel on our own website. We run our own ConsentPixel pixel with a fully compliant consent banner. This is documented in our own Cookie Policy and verified by our own scanner.
What sub-processors does ConsentPixel use?
Our sub-processors are: Cloudflare (CDN, edge config, file storage), Railway (backend API, scanner workers), Vercel (portal hosting), Supabase (primary database — all consent logs and configurations), Upstash (Redis cache and job queue), Resend (email delivery), Twilio (SMS alerts), Stripe (payment processing), Sentry (error monitoring — PII scrubbed), Axiom (audit logging), Checkly (uptime monitoring), and Smartproxy/Oxylabs (scanner proxy rotation). All are bound by data processing agreements. The full list is on our Sub-processors page and updated within 30 days of any change.
What happens to my data if I cancel my subscription?
When you cancel, your data is retained for 60 days to allow export — you can download everything in CSV and JSON format from your portal settings at any time during that period. After 60 days, all data is permanently and irreversibly deleted. We will never hold data hostage to prevent cancellation, and data export is always free and unrestricted. If you request immediate deletion before the 60-day period, we will action it promptly.
Can ConsentPixel change this Trust Charter?
Changes require a written rationale, 90 days' advance notice to all existing clients, public disclosure on the ConsentPixel website, and cannot be made unilaterally by any individual. Material changes give clients the opportunity to export their data and cancel before the changes take effect. The Never list and core Product Constitution principles have the highest protection — any change to these triggers the full amendment process with maximum notice.
Is ConsentPixel compliant with GDPR as a data processor?
Yes. ConsentPixel acts as a data processor for client visitor consent data and a data controller for its own portal users. We have a pre-signed, GDPR Article 28 compliant Data Processing Agreement (DPA) available for all plans — no negotiation required for Starter, Agency Lite, and Agency Pro. Enterprise clients can request custom DPA terms. EU-US data transfers are covered by EU-US Data Privacy Framework certification and Standard Contractual Clauses (SCCs) where applicable. EU data residency is available on Agency and Enterprise plans.
How does ConsentPixel handle security incidents?
We maintain a written incident response plan tested annually. If a personal data breach is confirmed that affects client data, we notify affected clients within 72 hours of confirmed discovery — not 72 hours after we think we might have a problem, but from confirmed discovery. We co-operate fully with any regulatory investigation. All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Visitor identifiers are SHA-256 hashed with a per-site salt — raw IP addresses are never stored.
Put our principles to work

Privacy compliance built on
principles you can read and verify.

14-day free trial. No credit card. Our commitments apply from day one — trial or paid.
