Privacy Policy

Version: 1.0 · Effective: May 1, 2026 · Last reviewed: May 2026 · Next review: May 2027
This policy explains how ConsentPixel — Privacy · Verified ("ConsentPixel", "we", "us") collects, uses, and protects the personal data of people who visit consentpixel.com, create accounts, and use our service. We've written it in plain English — no legal obfuscation. If you have questions, email privacy@consentpixel.com.
⚠ Important distinction

This policy covers ConsentPixel's processing of our own users' data — people who visit our website, sign up for accounts, and contact us. It does not cover how our clients' websites process their visitors' data. For that, see our Data Processing Agreement.

1. Who we are

ConsentPixel is a consent management platform operated as an independent software company. We are incorporated in the United States. Our registered address and data controller contact is: privacy@consentpixel.com.

For EU/EEA users, ConsentPixel acts as a data controller for the personal data we collect about our own users and website visitors. We act as a data processor for personal data our clients instruct us to process on their behalf — that relationship is covered by our Data Processing Agreement.

2. Data we collect and why

We only collect what we genuinely need to deliver our service. Here is exactly what we collect, why, and the legal basis we rely on:

Data category | Specific data | Purpose | Legal basis | Retention
Account data | Name, email address, organisation name, billing address | Account creation, billing, service delivery | Contract performance | Subscription duration + 7 years
Authentication data | Hashed password, session tokens, MFA status | Secure account access | Contract performance | Duration of subscription
Usage data | Portal page views, feature usage events, scan triggers | Product improvement, support | Legitimate interest | 12 months rolling
Billing data | Stripe customer ID, last 4 digits of card, billing history. Full card data handled exclusively by Stripe — we never see it. | Payment processing | Contract performance | 7 years (tax records)
Support data | Support tickets, email correspondence | Customer support | Contract performance | 3 years after account closure
Communication preferences | Email opt-in/out status, notification preferences | Sending agreed communications only | Consent | Until opt-out or account closure

✅ What we never collect

We do not use Google Analytics, Meta Pixel, any session replay tool, or any advertising tracking pixel on consentpixel.com. We use Plausible Analytics — a privacy-first, cookieless analytics tool that collects no personal data and sets no cookies. We practise what we preach.

3. Website visitors (non-account users)

If you visit consentpixel.com without creating an account, we collect minimal data:

  • Plausible analytics — anonymised page view counts, referrer sources, browser type, country-level location. No cookies. No cross-site tracking. No personal data collected.
  • Contact form submissions — if you contact us, we store your name, email, and message to respond to your enquiry. We do not add you to any mailing list without your explicit consent.
  • Free scanner usage — if you use the free public scanner, we record the scanned domain and the timestamp. We do not record your IP address in identifiable form.

4. How we use your data

We use personal data only for the purposes stated at the point of collection. Specifically:

  • To deliver the service — managing your account, running scans, generating reports, sending alerts, processing payments.
  • To communicate with you — responding to support requests, sending invoices, notifying you of CIPA risks on your sites, and sending product updates if you've opted in.
  • To improve the product — aggregated, anonymised usage data (e.g. "how many users trigger a manual scan per week") helps us prioritise features. We do not use personal data for this.
  • To comply with legal obligations — retaining billing records for tax purposes, responding to lawful data access requests.

We do not use your data for advertising. We do not sell your data. We do not share your data with third parties for their own marketing purposes.

5. Who we share data with

We share data with the following categories of third parties — only to the extent necessary to deliver the service:

  • Sub-processors — the infrastructure providers listed on our Sub-processors page. All are bound by data processing agreements.
  • Stripe — payment processing only. We pass your billing address and email. We never see your full card number.
  • Legal obligations — if required by law, court order, or to protect the rights, property, or safety of ConsentPixel, our users, or the public. We will notify you of any such requirement unless legally prohibited from doing so.

We do not sell personal data. We do not share personal data with advertising networks. We do not share personal data with data brokers.

6. International data transfers

ConsentPixel's primary infrastructure is located in the United States. If you are in the EU/EEA or UK, your personal data is transferred to and processed in the US under the following safeguards:

  • EU-US Data Privacy Framework (DPF) — where our sub-processors are DPF-certified.
  • Standard Contractual Clauses (SCCs) — for transfers to non-DPF-certified processors, we use EU Commission-approved SCCs as a supplementary transfer mechanism.

Agency and Enterprise plan clients who require EU data residency can enable this in their portal settings. When enabled, all consent log data is stored exclusively on EU-region infrastructure.

7. Your rights

Depending on where you are located, you have the following rights over your personal data:

Right | What it means | How to exercise | Response time
Access | See all personal data we hold about you | Portal settings → Export data, or email privacy@consentpixel.com | 30 days (GDPR) / 45 days (CCPA)
Deletion / erasure | Delete your account and all personal data | Portal settings → Delete account, or email privacy@consentpixel.com | Confirmed in 30 days, deleted within 60 days
Portability | Download your data in a machine-readable format | Portal settings → Export — CSV and JSON available immediately | Immediate (automated)
Rectification | Correct inaccurate personal data | Edit in portal settings, or contact support | 5 business days
Object to processing | Stop processing based on legitimate interest | Email privacy@consentpixel.com | Reviewed within 30 days
Opt out of sale/sharing (CCPA) | California residents — opt out of data sale or sharing | GPC signal honoured automatically; manual opt-out at consentpixel.com/privacy-choices | Immediate
Lodge a complaint | Complain to a data protection authority | EU: your national DPA. UK: ICO (ico.org.uk). US: FTC. | Per authority SLA

8. Data security

We take security seriously. Our measures include:

  • All data in transit encrypted with TLS 1.3 (enforced at Cloudflare edge)
  • All data at rest encrypted with AES-256
  • Visitor identifiers SHA-256 hashed with a per-site salt — raw IP addresses are never stored
  • Least-privilege access controls on all internal systems
  • Annual third-party penetration testing
  • 72-hour breach notification to affected users from confirmed discovery

No system is perfectly secure. If you discover a security vulnerability, please report it to security@consentpixel.com — we respond within 24 hours.

9. Cookies

We use minimal cookies on consentpixel.com. For a full breakdown, see our Cookie Policy. The short version: we use two strictly necessary cookies for authentication and consent storage, and Plausible Analytics which sets no cookies at all.

10. Children's privacy

ConsentPixel — Privacy · Verified is a B2B service designed for businesses and professionals. We do not knowingly collect personal data from anyone under 16 years of age. If you believe a person under 16 has provided us with personal data, please contact privacy@consentpixel.com and we will delete it promptly.

11. Changes to this policy

If we make material changes to this policy, we will notify active account holders by email at least 30 days before the change takes effect, and update the "Last reviewed" date at the top of this page. We will never reduce your rights under this policy without explicit notification and the opportunity to object.

12. Contact

For any privacy questions, data access requests, or concerns:

Privacy enquiries: privacy@consentpixel.com — response within 30 days (GDPR) / 45 days (CCPA)
Security reports: security@consentpixel.com — reviewed within 24 hours
General contact: hello@consentpixel.com — 1 business day response
DSAR requests: Use the form at consentpixel.com/contact and select "Privacy / DSAR"


Terms of Service

Version: 1.0 · Effective: May 1, 2026 · Governing law: State of Delaware, USA
These Terms of Service ("Terms") form the contract between you and ConsentPixel when you use our service. By creating an account or using consentpixel.com, you agree to these Terms. If you don't agree, don't use the service.
⚠ Not legal advice

ConsentPixel provides compliance infrastructure — not legal counsel. Nothing in our service, documentation, scan reports, or generated documents constitutes legal advice. You remain responsible for your own compliance. Consult a qualified attorney for your specific legal situation.

1. The service

ConsentPixel — Privacy · Verified provides a consent management platform ("Service") including: a JavaScript pixel for blocking and managing third-party trackers, a consent banner builder, a site scanner and risk scoring engine, a compliance document generator, a trust badge system, an alert engine, and an agency portal. The Service is provided via consentpixel.com and the client portal.

The Service is designed for businesses and professionals. You must be at least 18 years old and have authority to enter into this agreement on behalf of any organisation you represent.

2. Account registration

  • You must provide accurate information when creating an account.
  • You are responsible for maintaining the security of your account credentials.
  • You must notify us immediately at support@consentpixel.com if you suspect unauthorised access to your account.
  • One account may manage multiple domains under your organisation. Agency plans allow managing client domains under one account.
  • You may not share account credentials or create accounts on behalf of others without their knowledge.

3. Permitted use

You may use ConsentPixel — Privacy · Verified to manage privacy compliance for websites you own, operate, or are authorised to manage. Specifically permitted:

  • Installing the ConsentPixel pixel on your own website(s)
  • Installing the pixel on client websites if you are an authorised agency or contractor for those clients
  • Generating privacy documents for your own or clients' websites
  • Reselling the service under your own brand (Agency plan required)

4. Prohibited use

You must not:

  • Use the Service to gain unauthorised access to third-party websites, systems, or data
  • Install the pixel on websites you do not own or are not authorised to manage
  • Use scan results to build competitive intelligence products, data broking services, or surveillance tools
  • Attempt to reverse-engineer, decompile, or extract the source code of the Service
  • Use the Service in any way that violates applicable law
  • Resell, sublicense, or white-label the Service without an Agency plan
  • Use automated tools to scrape or extract data from the portal beyond normal use
  • Misrepresent scan results or compliance assessments to your clients or regulators

5. Compliance responsibility

Critical — please read

ConsentPixel provides compliance infrastructure. It does not guarantee compliance. You remain solely responsible for ensuring your websites comply with all applicable laws, including GDPR, CCPA, CIPA, and any other regulation applicable to your business and your users. Our scan reports, risk grades, and compliance certificates are produced by automated software and do not constitute legal advice. If you need legal advice about your compliance obligations, consult a qualified attorney.

6. Billing and payment

  • Billing cycle — monthly or annual, as selected at signup. Annual plans are billed in full upfront.
  • Payment method — credit or debit card via Stripe. We do not accept invoiced payment on Starter or Agency Lite plans.
  • Failed payments — if a payment fails, we will retry 3 times over 7 days and notify you by email. After 7 days of failed payment, your account will be suspended (not deleted). Data is retained for 30 days before deletion.
  • Price changes — we will give at least 30 days' notice of any price increase. Your rate is locked for the current billing period.
  • No automatic upgrades — we will never upgrade your plan or increase your charges without your explicit approval. If your domain count approaches your plan limit, we notify you and you decide whether to upgrade.
  • Taxes — prices shown exclude applicable taxes. Tax is calculated at checkout based on your billing address.

7. Cancellation and refunds

  • Cancel any time — you can cancel at any time from your portal billing settings. No cancellation fees.
  • Monthly plans — cancellation takes effect at the end of the current billing period. No partial-month refunds.
  • Annual plans — if you cancel within 14 days of the annual renewal date, we offer a full refund. After 14 days, no refund is available for the remaining period, but you can continue using the service until the annual period ends.
  • 14-day free trial — no charge during the trial period. You can cancel at any time during the trial without charge.
  • Data on cancellation — your data is retained for 60 days after cancellation to allow export. You can request immediate deletion at any time during this period. After 60 days, all data is permanently deleted.

8. Intellectual property

Our IP: The ConsentPixel platform, pixel code, scanner engine, brand, and all associated intellectual property belong to ConsentPixel. These Terms grant you a limited, non-exclusive, non-transferable licence to use the Service during your subscription. Nothing in these Terms transfers ownership of our IP to you.

Your IP: Content you upload (logos, brand assets, domain information) remains yours. We use it only to deliver the Service.

Generated documents: Privacy policies, terms, and cookie policies generated by the Service for your website are yours to use on your site. You may not resell them as standalone products.

Consent log data: Visitor consent logs collected through your implementation of the Service belong to you (the website operator). We hold this data as a processor on your behalf. See our DPA for details.

9. Availability and support

  • Uptime target — we target 99.9% monthly uptime for the pixel delivery CDN (Cloudflare). Portal and scanner uptime target: 99.5%. These are targets, not guarantees.
  • Maintenance — planned maintenance windows will be announced at least 24 hours in advance via the portal status page at status.consentpixel.com.
  • Support — email support is included on all plans. Support channels: support@consentpixel.com. Response SLA: 4 hours during business hours (Mon–Fri 9am–6pm EST). Enterprise plans include priority support SLAs.
  • No phone support — support is provided by email only. This creates a documented record of all support interactions.

10. Limitation of liability

To the maximum extent permitted by applicable law:

  • ConsentPixel's total liability to you for any claim arising from these Terms or the Service is limited to the amount you paid us in the 12 months preceding the claim.
  • We are not liable for indirect, incidental, special, consequential, or punitive damages, including loss of profits, data loss, or business interruption, even if we were advised of the possibility of such damages.
  • We are not liable for any regulatory fines, legal costs, or damages arising from your own compliance failures, including any CIPA, GDPR, or CCPA penalties.
  • We are not liable for the accuracy of scan results — scans represent a point-in-time snapshot and may not reflect real-time changes to your site.

Some jurisdictions do not allow the exclusion of certain warranties or limitation of certain damages. In those jurisdictions, our liability is limited to the fullest extent permitted by law.

11. Indemnification

You agree to indemnify and hold ConsentPixel harmless from any claims, damages, costs, or expenses (including reasonable legal fees) arising from: your use of the Service in violation of these Terms; your violation of any applicable law or regulation; or your infringement of any third party's rights.

12. Termination

By you: You may terminate at any time as described in Section 7.

By us: We may suspend or terminate your account immediately if: you materially breach these Terms and fail to remedy the breach within 7 days of notice; you engage in prohibited use (Section 4); or you fail to pay charges after the grace period. We will notify you by email before termination except in cases of serious breach where immediate action is warranted.

On termination, your licence to use the Service ends immediately. Data handling on termination follows Section 7 (data retained 60 days, then permanently deleted).

13. Governing law and disputes

These Terms are governed by the laws of the State of Delaware, USA, without regard to conflict of law principles. Any dispute arising from these Terms will be resolved through binding arbitration under the rules of the American Arbitration Association (AAA), except that either party may seek injunctive relief in any court of competent jurisdiction to prevent irreparable harm.

For users in the EU or UK, mandatory consumer protection laws in your jurisdiction apply to the extent they cannot be excluded by contract. Nothing in these Terms removes rights you have under applicable EU or UK law.

14. Changes to these Terms

We may update these Terms from time to time. For material changes, we will notify you by email at least 30 days before the change takes effect. Continued use of the Service after the effective date constitutes acceptance. If you do not accept the changes, you may cancel your account before the effective date.

15. Entire agreement

These Terms, together with our Privacy Policy, DPA (if executed), and any order form or plan agreement, constitute the entire agreement between you and ConsentPixel regarding the Service and supersede all prior agreements.

Data Processing Agreement

Version: 1.0 · Effective: May 1, 2026 · Regulation: GDPR Art. 28 compliant
This DPA governs how ConsentPixel processes personal data on behalf of clients (the "Controller"). It is pre-signed by ConsentPixel. To execute it, download and countersign. Enterprise clients requiring custom DPA terms should contact enterprise@consentpixel.com.
✓ Pre-signed — no negotiation required for standard plans

This DPA is pre-signed on behalf of ConsentPixel for all Starter, Agency Lite, and Agency Pro clients. You do not need to request a countersigned copy — this page constitutes your DPA when you accept our Terms of Service. Download a PDF copy from your portal settings for your records.

1. Definitions

Controller: The client — the website owner or agency who has a ConsentPixel subscription and instructs ConsentPixel to process personal data on their behalf.
Processor: ConsentPixel — Privacy · Verified, acting on the Controller's instructions.
Personal data: Any information relating to an identified or identifiable natural person processed through the Service — primarily hashed visitor identifiers and consent decision records.
Processing: Any operation performed on personal data — including collection, storage, retrieval, transmission, and deletion.
Sub-processor: Any third party engaged by ConsentPixel to process personal data in the delivery of the Service.
GDPR: EU General Data Protection Regulation 2016/679 and its UK equivalent (UK GDPR).

2. Subject matter and nature of processing

ConsentPixel processes personal data on the Controller's behalf to deliver the consent management service described in the Terms of Service. The nature of processing includes: collection of visitor consent decisions via the ConsentPixel pixel, storage of consent logs, scanning of the Controller's website for compliance assessment, and delivery of compliance alerts and reports.

Processing activity | Data types | Data subjects | Retention (default)
Consent log ingestion | Hashed visitor ID, consent decision JSON, timestamp, regulation, geo code | Website visitors of the Controller's site(s) | 3 years (minimum for legal audit)
Banner interaction data | Banner version shown, time to decision, category selections | Website visitors | 3 years
Passive scan telemetry | Tracker domains contacted, category, firing status — no visitor PII | None — aggregate technical data only | 12 months
Active scan results | Page URLs scanned, tracker inventory, cookie list, risk score | None — technical data about the site | 24 months
Generated documents | Policy content referencing Controller's site configuration | None — documents about the site | Indefinite while subscribed

3. Controller's obligations

The Controller agrees to:

  • Ensure that any processing of personal data instructed to ConsentPixel has a lawful basis under applicable data protection law.
  • Provide all required notices to data subjects about data processing conducted through the ConsentPixel pixel, including disclosure of ConsentPixel as a sub-processor in the Controller's own privacy policy.
  • Not instruct ConsentPixel to process personal data in a way that would violate applicable law or the rights of data subjects.
  • Respond to data subject requests in accordance with applicable law — ConsentPixel will provide the Controller with the technical means to locate and delete specific visitor records upon request.

4. Processor's obligations

ConsentPixel agrees to:

  • Process only on instruction — process personal data only on the Controller's documented instructions, except where required by applicable law.
  • Confidentiality — ensure that all personnel with access to personal data are bound by confidentiality obligations.
  • Security — implement and maintain the technical and organisational security measures described in Section 6 below.
  • Sub-processors — engage sub-processors only as listed in our Sub-processors page, with equivalent data protection obligations. Notify the Controller at least 30 days before adding or replacing any sub-processor.
  • Data subject rights — provide reasonable technical assistance to the Controller in responding to data subject access, deletion, and portability requests.
  • Data protection impact assessments — provide reasonable assistance to the Controller where required for DPIA.
  • Deletion on termination — on termination of the service relationship, delete or return all personal data within 60 days unless required by law to retain it.
  • Audit rights — provide the Controller with reasonable information necessary to demonstrate compliance with this DPA, and contribute to audits where required by applicable law.

5. Sub-processors

ConsentPixel uses sub-processors to deliver the Service. The current list is published and maintained at consentpixel.com/legal/#subprocessors. By accepting this DPA, the Controller provides general authorisation for ConsentPixel to use the sub-processors listed there, subject to 30 days' advance notice of any change.

If the Controller objects to a sub-processor change, they may notify ConsentPixel within 30 days of the notice. ConsentPixel will use reasonable efforts to accommodate the objection. If it cannot, the Controller may terminate the service with a prorated refund of any prepaid fees.

6. Security measures

Category | Measure
Encryption in transit | TLS 1.3 enforced at Cloudflare edge for all public network transmission
Encryption at rest | AES-256 for all database storage and file storage
Pseudonymisation | All visitor identifiers SHA-256 hashed with a per-site salt before storage — raw IPs never stored
Access control | Least-privilege RBAC, MFA enforced for all internal system access, Cloudflare Zero Trust for admin tooling
Incident response | Written incident response plan, tested annually. 72-hour notification SLA to Controllers on confirmed breach affecting their data.
Penetration testing | Annual third-party penetration test. Results available to Enterprise clients on request under NDA.
Vulnerability management | GitHub Dependabot for automated dependency scanning. Critical vulnerabilities patched within 72 hours.
Audit logging | All data access events logged to Axiom, retained 12 months, immutable

7. International transfers

ConsentPixel's primary infrastructure is in the United States. Transfers of personal data from the EU/EEA to the US are made under:

  • EU-US Data Privacy Framework (DPF) — for sub-processors that are DPF-certified.
  • Standard Contractual Clauses (SCCs) — EU Commission Decision (EU) 2021/914, Module 2 (Controller to Processor) and Module 3 (Processor to Processor), incorporated by reference into this DPA for relevant transfers.

EU data residency is available on Agency and Enterprise plans. When enabled, consent log data is stored exclusively on EU-region Supabase instances and is not transferred to the US.

8. Breach notification

In the event ConsentPixel becomes aware of a personal data breach affecting data processed on the Controller's behalf, ConsentPixel will:

  • Notify the Controller by email within 72 hours of confirming the breach, without undue delay.
  • Provide the following information in the notification: nature of the breach, categories and approximate number of data subjects affected, likely consequences, measures taken or proposed to address the breach.
  • Co-operate with the Controller's incident response and regulatory notification process.

9. Duration and termination

This DPA is effective for the duration of the ConsentPixel service subscription. On termination of the subscription, ConsentPixel will delete all personal data within 60 days unless the Controller requests earlier deletion or applicable law requires longer retention. The Controller may request a certificate of deletion.

10. Governing law

This DPA is governed by the laws of the State of Delaware, USA, except to the extent that EU/UK data protection law applies, in which case those provisions of the DPA are governed by the law of the relevant EU member state or England and Wales.

Sub-processors

Version: 1.0 · Last updated: May 2026 · Update notice: 30 days advance
ConsentPixel uses the following third-party sub-processors to deliver its service. All are bound by data processing agreements with equivalent protections to our DPA. We provide 30 days' advance notice before adding or replacing any sub-processor. Subscribe to change notifications at privacy@consentpixel.com.
✓ Trust Charter commitment

Under our Trust Charter (Part II, Always list), we commit to disclosing the full list of sub-processors who handle client data, updated within 30 days of any change. This page fulfils that commitment.

Infrastructure & hosting

Sub-processor | Country | Client data? | DPA / SCCs
Cloudflare (Workers, KV, R2, Zero Trust): Pixel CDN, edge config serving, file storage, Zero Trust access control | USA (global CDN) | Yes | DPF certified · SCCs
Railway: Backend API compute, Playwright scanner workers, BullMQ job processing | USA | Yes | DPA · SCCs
Vercel: Client portal and super admin panel hosting (Next.js app) | USA (global edge) | Limited | DPA · SCCs

Database & storage

Sub-processor | Country | Client data? | DPA / SCCs
Supabase (PostgreSQL, Auth, Storage, Realtime, Edge Functions): Primary database for all consent logs, configurations, scan results, and generated documents. Auth for portal users. Realtime for notifications. | USA (EU region available) | Yes — primary | DPA · SCCs
Upstash (Redis): Redis cache for banner configurations and BullMQ job queue state | USA (global) | Limited | DPA · SCCs

Communications

Sub-processor | Country | Client data? | DPA / SCCs
Resend: Transactional email delivery — account notifications, alert emails, compliance reports, billing receipts | USA | Limited — email addresses | DPA · SCCs
Twilio: SMS alert delivery for critical CIPA and compliance alerts (Agency Lite and Pro plans) | USA | Limited — phone numbers | DPA · SCCs

Payments

Sub-processor | Country | Client data? | DPA / SCCs
Stripe: Payment processing, subscription management, invoicing. Full card data handled exclusively by Stripe — ConsentPixel never sees or stores card numbers. | USA | Limited — billing data only | DPF · DPA · SCCs

Monitoring & observability

Sub-processor | Country | Client data? | DPA / SCCs
Sentry: Application error monitoring. PII is scrubbed from error payloads before transmission — error logs contain no personal data in identifiable form. | USA | Limited — scrubbed error logs | DPA · SCCs
Axiom: Log management and audit logging. All data access and modification events logged for security and compliance audit purposes. | USA | Limited — access logs | DPA · SCCs
Checkly: Uptime monitoring and synthetic testing of pixel delivery and portal availability | USA / EU | None — availability data only | DPA

Scanner infrastructure

Sub-processor | Country | Client data? | DPA / SCCs
Smartproxy / Oxylabs (residential proxies): Residential proxy rotation for the active Playwright scanner, to simulate real visitor browsing patterns during site scans | USA (global) | None — scan routing only | Service agreement

Subscribe to sub-processor change notifications

Email privacy@consentpixel.com with the subject "Subscribe to sub-processor updates" and we'll notify you at least 30 days before any sub-processor is added, replaced, or removed. Automated notifications are also available via webhook for Enterprise clients — contact enterprise@consentpixel.com.

Cookie Policy

Version: 1.0 · Effective: May 1, 2026 · Applies to: consentpixel.com only
This policy describes the cookies and tracking technologies used on consentpixel.com — our own marketing and product website. This policy does not cover the cookies on your website — those are managed through your ConsentPixel — Privacy · Verified console and described in the cookie policy we generate for your site.
✅ Our cookie commitment — we practise what we preach

consentpixel.com uses two strictly necessary cookies and one cookieless analytics tool. No advertising cookies. No session replay. No Meta Pixel. No Google Analytics. No cross-site tracking of any kind. We are our own most visible example of the practices we advocate.

1. What is a cookie?

A cookie is a small text file stored in your browser by a website you visit. Cookies serve different purposes — some are essential for the website to function, others track behaviour for analytics or advertising. Not all tracking is done via cookies — pixels, fingerprinting, and cookieless analytics also exist.

2. Cookies we use on consentpixel.com

Cookie name | Category | Purpose | Set by | Expiry | Consent required?
__cp_session | Strictly necessary | Maintains your authenticated session in the ConsentPixel portal. Without this cookie, you cannot stay logged in. | ConsentPixel (first party) | 24 hours | No — required for core function
__cp_consent | Strictly necessary | Stores your consent decision for the ConsentPixel consent banner on this site. Required for our own compliance — we run our own product. | ConsentPixel (first party) | 12 months | No — required to record consent
__stripe_mid, __stripe_sid | Strictly necessary | Stripe payment security cookies — fraud prevention on checkout pages only. Not set on non-checkout pages. | Stripe (third party) | 1 year / session | No — required for payment security

3. Analytics — Plausible (cookieless)

We use Plausible Analytics to understand how people use our website. Plausible is a privacy-first analytics tool that:

  • Sets no cookies — no cookie is stored in your browser
  • Collects no personal data — your IP address is never stored. Plausible uses a daily rotating hash of your IP + browser + domain to generate a unique visitor count without tracking individuals across days or sites.
  • Does no cross-site tracking — data cannot be used to track you across different websites
  • Is hosted in the EU — Plausible is a European company (Estonia) and processes data under GDPR
  • Does not require consent under GDPR or PECR because it processes no personal data

Plausible gives us anonymous aggregate data: page views, referrer sources, country (from IP, not stored), device type, browser. That's it. View their privacy policy at plausible.io/privacy.

4. What we do NOT use

The following tracking technologies are explicitly not used on consentpixel.com:

  • Google Analytics — not installed. We do not share data with Google for analytics purposes.
  • Meta Pixel — not installed. We do not track visitors for Facebook/Instagram advertising.
  • Any session replay tool — no Hotjar, FullStory, Clarity, Lucky Orange, or equivalent. We do not record your keystrokes, mouse movements, or screen.
  • Advertising cookies — no third-party advertising cookies of any kind.
  • Retargeting pixels — we do not build retargeting audiences from visitors to this site.
  • Cross-site tracking — no tracking technology that follows you across websites.
  • Device fingerprinting — we do not fingerprint browsers or devices.

5. Third-party cookies from embedded content

If you watch an embedded video (e.g. a product demo on YouTube), YouTube may set their own cookies. We use YouTube's privacy-enhanced embed mode (youtube-nocookie.com) where possible. We recommend checking YouTube's cookie policy for details.

The live chat widget (Intercom, if enabled) sets a session cookie for chat continuity. Intercom is only loaded after you click to open the chat widget — it does not load on page load and does not set cookies until you engage with it.

6. Managing cookies

Because we use only strictly necessary cookies and one cookieless analytics tool, there is no cookie banner required for consentpixel.com under GDPR's legitimate interest or strictly necessary exemptions. However, you have the following options:

  • Browser settings — all major browsers allow you to view, block, or delete cookies. This will not affect Plausible analytics (no cookies). Blocking the __cp_session cookie will log you out of the portal.
  • Opt out of Plausible — Plausible respects the navigator.doNotTrack browser setting. Enable "Do Not Track" in your browser to opt out of Plausible entirely.
  • Global Privacy Control — consentpixel.com reads the GPC signal (navigator.globalPrivacyControl). California visitors with GPC enabled receive automatic opt-out treatment in line with CCPA 2026 requirements.

7. Cookies on your ConsentPixel-powered website

The ConsentPixel pixel places the following cookies on your website visitors' browsers:

Cookie | Purpose | Expiry | Category
cp_consent_{site_id} | Stores the visitor's consent decision for your site. Records which categories were accepted/declined and the timestamp. Required for the consent system to function. | 12 months | Strictly necessary
cp_banner_v | Stores the version of the consent banner that was shown to this visitor. Used for legal audit trail purposes. | 12 months | Strictly necessary

These cookies are set by the ConsentPixel pixel on your domain (first-party cookies). They are described in the cookie policy we auto-generate for your site and are classified as "strictly necessary" under ICO and CNIL guidance because they are required to fulfil the user's explicit request (recording their privacy choice).

8. Changes to this policy

If we change the cookies or tracking technologies used on consentpixel.com, we will update this policy and the "Last updated" date. Material changes will be notified to account holders by email.

9. Contact

Questions about cookies or our tracking practices: privacy@consentpixel.com.