Privacy Policy
Last updated: January 22, 2026
Important Notice: This Privacy Policy was last reviewed on January 22, 2026. While we have taken care to ensure compliance with GDPR and applicable data protection laws, we recommend consulting your own legal counsel regarding your specific data processing activities. For legal inquiries, contact: legal@easyconsent.com
Language: This Privacy Policy is provided in English as the authoritative version. Translations are provided for convenience only. In case of conflicts, the English version shall prevail.
1. Introduction
EasyConsent ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our cookie consent management platform.
We comply with the General Data Protection Regulation (GDPR) and other applicable privacy laws in the European Union and European Economic Area.
By using our Service, you consent to the data practices described in this policy.
2. Data Controller
For the purposes of GDPR, the data controller is:
- Company: EasyConsent (by Guillermo Eduardo Gallego Pagella)
- Address: Helsingborg, Sweden
- Email: privacy@easyconsent.com
- DPO Email: dpo@easyconsent.com
3. Information We Collect
3.1 Account Information
When you register for an account, we collect:
- Company name
- Full name
- Email address
- Password (stored only as a bcrypt hash with cost factor 12; the plaintext password is never retained)
3.2 Payment Information
When you subscribe to a paid plan, we collect payment information through our payment processor, Stripe. We do not store full credit card numbers on our servers. Stripe processes and stores your payment information securely in compliance with PCI DSS requirements.
3.3 Consent Data
Through our widget, we collect and process consent logs on behalf of our customers, including:
- Consent action (accept/decline/customize)
- Selected cookie categories
- Timestamp of consent
- Page URL where consent was given
- Language preference
- Device type (mobile/tablet/desktop)
- Browser information
- Anonymized IP address (SHA-256 hash)
- Country code (derived from IP, then IP is discarded)
3.4 Usage Data
We automatically collect certain information when you use our Service:
- Log data (IP address, browser type, pages visited)
- Device information (device type, operating system)
- Usage statistics and analytics (feature usage, performance metrics)
- Error logs and diagnostic data
3.5 Cookies and Tracking
We use essential cookies to operate our Service. See Section 12.1 for detailed information about cookies we use.
4. How We Use Your Information
We use the collected information for the following purposes:
- Service Provision: To create and manage your account, provide the cookie consent management platform, and deliver our services
- Billing: To process payments and manage subscriptions
- Communication: To send service-related emails, respond to inquiries, and provide customer support
- Compliance: To maintain audit logs as required by GDPR and demonstrate compliance
- Analytics: To understand how our Service is used and improve functionality
- Security: To detect, prevent, and address technical issues, fraud, and abuse
- Legal Obligations: To comply with applicable laws and regulations
5. Legal Basis for Processing (GDPR)
Under GDPR, we process your personal data based on the following legal grounds:
- Contract Performance (GDPR Art. 6(1)(b)): Processing necessary to perform our contract with you (account creation, service delivery, billing)
- Consent (GDPR Art. 6(1)(a)): Where you have given explicit consent for specific processing activities (e.g., marketing communications)
- Legitimate Interests (GDPR Art. 6(1)(f)): For analytics, security, and service improvement, where our interests do not override your rights. We have conducted balancing tests to ensure this processing is appropriate.
- Legal Obligation (GDPR Art. 6(1)(c)): To comply with legal requirements, such as maintaining audit logs for 3 years as required by data protection regulations
6. Data Sharing and Disclosure
We do not sell or rent your personal information. We may share your information in the following circumstances:
6.1 Subprocessors (Service Providers)
We engage the following third-party service providers ("Subprocessors") who process personal data on our behalf under Data Processing Agreements compliant with GDPR Article 28:
Payment Processing:
- Provider: Stripe, Inc.
- Service: Payment and subscription management
- Location: United States
- Safeguards: Standard Contractual Clauses (SCCs) approved by European Commission
- Privacy Policy: https://stripe.com/privacy
- Data Processed: Payment information, billing details, transaction records
Infrastructure and Hosting:
- Provider: Hetzner Online GmbH
- Service: Cloud infrastructure and data hosting
- Location: European Union (Falkenstein, Germany)
- Safeguards: EU-based, GDPR compliant, ISO 27001 certified
- Data Processed: All application data, user information, consent logs
Transactional Emails:
- Provider: Amazon Web Services (AWS SES)
- Service: Email delivery service
- Location: European Union (Ireland)
- Safeguards: EU-based, GDPR compliant, AWS DPA
- Data Processed: Email addresses, email content, delivery logs
Complete Subprocessor List: A complete and updated list of all subprocessors, including their data processing activities, is available upon request by contacting privacy@easyconsent.com. We will notify customers of any changes to our subprocessor list with at least 30 days' notice.
Subprocessor Obligations: All subprocessors are contractually obligated to:
- Process data only according to our documented instructions
- Implement appropriate technical and organizational measures
- Maintain confidentiality of personal data
- Assist with data subject requests and security incidents
- Delete or return data upon termination of services
6.2 Legal Requirements
We may disclose your information if required by law, court order, or governmental request, or to:
- Comply with legal obligations
- Protect our rights and property
- Prevent fraud or abuse
- Protect the safety of our users or the public
7. Data Retention
We retain your personal information for as long as necessary to provide the Service and fulfill the purposes described in this policy:
- Account Data: Retained while your account is active and for 30 days after deletion (to allow for account recovery)
- Consent Logs: Retained for 3 years as required by GDPR compliance and audit requirements
- Billing Records: Retained for 7 years for tax and accounting purposes as required by law
- Analytics Data: Aggregated and anonymized after 12 months
- Security Logs: Retained for 12 months for security monitoring and incident response
After the retention period, we securely delete or anonymize your personal data using industry-standard data destruction methods.
8. Your Rights Under GDPR
Under GDPR, you have the following rights regarding your personal data:
- Right of Access (Art. 15): You can request a copy of your personal data
- Right to Rectification (Art. 16): You can request correction of inaccurate data
- Right to Erasure (Art. 17): You can request deletion of your data ("right to be forgotten"), subject to legal retention requirements
- Right to Restrict Processing (Art. 18): You can request limitation of how we use your data
- Right to Data Portability (Art. 20): You can receive your data in a structured, machine-readable format (JSON or CSV)
- Right to Object (Art. 21): You can object to processing based on legitimate interests
- Right to Withdraw Consent (Art. 7(3)): You can withdraw consent at any time (where processing is based on consent)
- Right to Lodge a Complaint (Art. 77): You can file a complaint with your local data protection authority
To exercise any of these rights, please contact us at privacy@easyconsent.com. We will respond within 30 days (or 60 days for complex requests, with notification of the extension).
We may request additional information to verify your identity before processing rights requests.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.
9.1 Technical and Organizational Measures
Technical Measures:
- Encryption in Transit: TLS 1.3 for all data transmission
- Encryption at Rest: AES-256 encryption for sensitive data at rest
- Password Security: bcrypt password hashing with cost factor 12
- Backups: Regular automated backups with encryption
- Web Application Firewall (WAF): Protection against common web attacks
- Rate Limiting: DDoS protection and abuse prevention
- Security Updates: Regular security patches and updates
- Penetration Testing: Annual security assessments by third parties
Organizational Measures:
- Access Control: Role-based access control (RBAC) to personal data
- Principle of Least Privilege: Minimal necessary access for all personnel
- Training: Mandatory data protection training for all employees
- Confidentiality: Confidentiality agreements with all personnel
- Vendor Assessment: Security reviews of all subprocessors
- Incident Response: Documented procedures for security incidents
- Policy Review: Regular review and update of security policies
- Impact Assessments: Data protection impact assessments (DPIAs) for high-risk processing
Access Logging and Monitoring:
All access to personal data is logged and monitored. We maintain audit logs for at least 12 months for security and compliance purposes. Logs include: user actions, system changes, data access, and authentication events.
While we strive to protect your data using industry-standard security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.
10. International Data Transfers
Your data is primarily stored and processed within the European Economic Area (EEA). If we transfer data outside the EEA, we ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses (SCCs): Approved by the European Commission for data transfers to third countries
- Adequacy Decisions: Transfers to countries recognized by the EU as providing adequate data protection
- Binding Corporate Rules: For transfers within multinational organizations
For transfers to the United States (e.g., Stripe), we rely on Standard Contractual Clauses and additional safeguards as required by the Schrems II decision.
11. Children's Privacy
Our Service is intended for businesses and organizations. We do not knowingly collect personal information from children.
11.1 Age Requirements by Jurisdiction
Different age requirements apply across jurisdictions:
- General Requirement: 18 years or age of majority in your country
- EU Member States: 16 years (or lower if local law permits, minimum 13 years)
- Sweden, Denmark, Norway, Finland: 13 years with parental consent for ages 13-17
- Germany: 16 years (parental consent required for under 16)
If you are under the applicable age requirement, you must have parental or guardian consent to use our Service. We do not knowingly collect data from children without appropriate consent.
If we become aware that we have collected personal data from a child without proper consent, we will delete that information within 30 days.
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR Art. 33)
- Notify affected individuals without undue delay (as required by GDPR Art. 34)
- Provide information about the nature of the breach, likely consequences, and measures being taken to address the breach and mitigate harm
- Document all data breaches, including facts, effects, and remedial actions taken
Our incident response team is trained to handle security incidents and will coordinate the response, investigation, and notification process.
12.1 Cookies and Tracking Technologies
We use cookies and similar technologies to operate and secure our Service. Below is detailed information about the cookies we use:
Cookies We Use:
| Cookie Name | Purpose | Type | Expiry | Category |
|---|---|---|---|---|
| laravel_session | Maintain logged-in state | HTTP | 2 hours | Strictly Necessary |
| XSRF-TOKEN | CSRF protection | HTTP | 2 hours | Strictly Necessary |
| cookie_consent_{uuid} | Store consent preferences | HTTP | 365 days | Strictly Necessary |
| remember_token | Remember login (if opted-in) | HTTP | 2 weeks | Functional |
Cookie Categories:
Strictly Necessary Cookies:
These cookies are essential for the website to function and cannot be disabled. They are usually set in response to actions you take such as logging in or filling in forms. They enable core functionality like security, authentication, and accessibility.
Functional Cookies:
These cookies remember choices you make (such as language preference or "remember me" option) to provide enhanced, personalized features. They may be set by us or by third-party providers whose services we use.
Managing Cookies:
You can control cookies through your browser settings. However, disabling strictly necessary cookies may affect your ability to use the Service.
Browser Controls:
- Chrome: Settings → Privacy and Security → Cookies
- Firefox: Settings → Privacy & Security → Cookies and Site Data
- Safari: Preferences → Privacy → Cookies and website data
- Edge: Settings → Privacy, search, and services → Cookies
Third-Party Cookies:
We do not use any third-party cookies for advertising or tracking purposes. The only third-party services that may set cookies are:
- Stripe (payment processing, strictly necessary for checkout)
Consent Management:
For our customers' websites, consent for cookies is managed through our EasyConsent widget in accordance with ePrivacy Directive and GDPR requirements. Users can accept, reject, or customize their cookie preferences at any time.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:
- Posting the new Privacy Policy on this page with an updated "Last updated" date
- Sending an email notification to registered users at least 30 days before the changes take effect
- Displaying a prominent notice in the application dashboard
For material changes that require your consent (e.g., processing data for new purposes), we will obtain your consent before the changes take effect.
Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy. If you do not agree to the updated policy, you must stop using the Service and may request deletion of your account.
14. Contact
If you have any questions about this Privacy Policy or our data practices, please contact us:
- General Inquiries: privacy@easyconsent.com
- Legal Inquiries: legal@easyconsent.com
- Data Protection Officer: dpo@easyconsent.com
- Address: EasyConsent, Helsingborg, Sweden
You also have the right to lodge a complaint with your local data protection authority if you believe we have not complied with applicable data protection laws.
15. EU Data Protection Authority
For users in Sweden, the relevant supervisory authority is:
- Integritetsskyddsmyndigheten (IMY)
- Website: www.imy.se
- Email: imy@imy.se
For users in other jurisdictions, please refer to Section 16 for your local supervisory authority.
16. Specific Jurisdictional Requirements
16.1 California Residents (CCPA/CPRA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to know what personal information is collected, used, shared, or sold
- Right to delete personal information (subject to exceptions)
- Right to opt-out of sale of personal information (Note: We do not sell personal information)
- Right to correct inaccurate personal information
- Right to limit use of sensitive personal information
- Right to non-discrimination for exercising CCPA/CPRA rights
To exercise these rights, contact privacy@easyconsent.com
16.2 UK Residents (UK GDPR)
Following Brexit, UK GDPR applies to UK residents. You have the same rights as under EU GDPR. The UK supervisory authority is:
- Information Commissioner's Office (ICO)
- Website: https://ico.org.uk
- Helpline: 0303 123 1113
16.3 Swiss Residents (FADP)
For Swiss residents, the revised Federal Act on Data Protection (FADP) applies. The supervisory authority is:
- Federal Data Protection and Information Commissioner (FDPIC)
- Website: https://www.edoeb.admin.ch
16.4 Nordic-Specific Requirements
For residents of Nordic countries, local data protection acts supplement GDPR requirements:
Sweden
- Authority: Integritetsskyddsmyndigheten (IMY)
- Website: www.imy.se
- Law: Dataskyddslagen (2018:218)
Denmark
- Authority: Datatilsynet
- Website: www.datatilsynet.dk
- Law: Databeskyttelsesloven
Norway
- Authority: Datatilsynet
- Website: www.datatilsynet.no
- Law: Personopplysningsloven
Finland
- Authority: Tietosuojavaltuutetun toimisto
- Website: www.tietosuoja.fi
- Law: Tietosuojalaki (1050/2018)
Contact your local supervisory authority for jurisdiction-specific guidance.
Legal Disclaimer
This Privacy Policy is provided as a general guide and does not constitute legal advice. Data protection laws vary by jurisdiction and may change over time. We recommend consulting qualified legal counsel for advice specific to your situation.
For questions about this Privacy Policy or our data practices, contact:
- General inquiries: privacy@easyconsent.com
- Legal inquiries: legal@easyconsent.com
- Data Protection Officer: dpo@easyconsent.com