Privacy Policy
Effective Date: 2026-03-01 Last Updated: 2026-03-01
This Privacy Policy describes how [ADD LEGAL NAME] ("we", "us", "Company"), operating the PureConsent platform at pureconsent.com, collects, uses, and protects personal data.
We act as a data controller for data collected from our Customers (users of our dashboard and API) and our website visitors. When processing End User data on behalf of our Customers, we act as a data processor — see our Data Processing Agreement for details.
1. Data Controller
Controller: [ADD LEGAL NAME] Tax ID: [ADD NIF/CIF] Address: [ADD REGISTERED ADDRESS], Spain Contact Email: legal@pureconsent.com
2. Categories of Personal Data We Collect
2.1 Customer Account Data
Data you provide when you create an account and use the Service:
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Account creation, login, communications | Contract performance |
| Name | Account profile, communications | Contract performance |
| Password (hashed) | Authentication | Contract performance |
| IP address, user agent | Session security, fraud prevention | Legitimate interest |
| Billing information (via Stripe) | Payment processing | Contract performance |
We do not store full credit card numbers. Payment data is processed directly by Stripe.
2.2 Website Visitor Data
Data collected when you visit our website (pureconsent.com):
| Data | Purpose | Legal Basis |
|---|---|---|
| Consent preferences (pc_consent cookie, 1 year) | Consent management | Legitimate interest in maintaining and demonstrating consent records in accordance with applicable privacy laws |
| Session token (pc_session cookie, 7 days) | Dashboard authentication | Contract performance |
| Email address (newsletter signup) | Email communications | Consent |
| Turnstile challenge data | Bot/spam prevention | Legitimate interest |
2.3 End User Data (Processed on Behalf of Customers)
When deployed on a Customer's website, the Widget processes:
| Data | Purpose | Legal Basis |
|---|---|---|
| Visitor ID (pseudonymous UUID) | Consent record identification | Legitimate interest of Customer |
| Consent choices (categories) | Record of consent | Legal obligation |
| Country (derived at edge from request metadata such as Cloudflare geo headers; full IP addresses are not stored as part of consent records) | Jurisdiction detection | Legitimate interest of Customer |
| Page URL | Consent event context | Legitimate interest of Customer |
| Browser family + major version | Consent event context | Legitimate interest of Customer |
| Interaction method | Consent event context | Legitimate interest of Customer |
| Consent timestamp | Record of consent | Legal obligation |
| Language preference | Localization | Contract performance |
This data is processed under the Customer's instructions as data controller. See our DPA for details.
We do not store full IP addresses as part of consent event records. IP addresses processed for session security (dashboard login) are stored in their original form for the duration indicated in Section 6 (Data Retention).
2.4 Usage and Analytics Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Session counts (pseudonymized via hashing) | Billing, plan enforcement | Contract performance |
| Domain/page aggregates | Usage dashboards | Contract performance |
| Country aggregates | Usage dashboards | Contract performance |
Session identifiers are computed using hashing techniques (combining IP address, User-Agent, Accept-Language header, organization identifier, and time window) to reduce identifiability. These identifiers are used solely for aggregate analytics and billing enforcement. Such identifiers may be considered pseudonymous data under GDPR. Raw IP addresses are not retained in our analytics datasets.
3. How We Use Your Data
We use personal data for:
- Service delivery — operating accounts, processing payments, delivering the Widget.
- Security — protecting against unauthorized access, fraud, abuse.
- Communications — transactional emails (password resets, billing), service announcements.
- Compliance — meeting legal obligations under GDPR, ePrivacy, and Spanish law.
- Improvement — analyzing aggregated usage patterns to improve the Service (no individual profiling).
We do not:
- Sell personal data to third parties.
- Use personal data for advertising or marketing profiling.
- Make automated decisions with legal effects based on personal data.
Where we rely on legitimate interests as a legal basis, we ensure that such interests are not overridden by your fundamental rights and freedoms.
4. Data Recipients and Processors
We share personal data with the following categories of recipients:
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Cloudflare, Inc. | Infrastructure hosting, CDN, edge compute, D1 database, Analytics Engine | All service data | Global (processing may occur at the nearest edge location, including within the EU) |
| Stripe, Inc. | Payment processing | Billing data, email | USA (EU SCCs in place) |
| Resend (via Resend, Inc.) | Transactional emails (password reset, newsletter welcome) | Email address | USA (EU SCCs in place) |
We do not share personal data with any other third parties except as required by law.
We may update our subprocessors from time to time and will provide notice of material changes where required by applicable law.
5. International Data Transfers
Your data may be processed outside the European Economic Area (EEA) by our processors:
- Cloudflare — operates a global network; processing may occur at the nearest edge location, which may be within or outside the EU. Subject to Cloudflare's DPA and SCCs.
- Stripe — USA-based. Transfers governed by Standard Contractual Clauses (SCCs).
- Resend — USA-based. Transfers governed by Standard Contractual Clauses (SCCs).
We ensure all international transfers have appropriate safeguards (SCCs, adequacy decisions, or equivalent measures) as required by GDPR Article 46.
6. Data Retention
| Data | Retention Period |
|---|---|
| Account data | Duration of account + 30 days after deletion |
| Billing records | 5 years (Spanish tax law) |
| Consent events (End User data) | Duration of Customer's account + 30 days |
| Session analytics | 90 days (rolling) |
| Session records (IP, user agent) | Deleted automatically after session expiry (7 days) |
| Password reset tokens | 1 hour |
| Newsletter subscribers (email only) | Until unsubscription. After unsubscription, we retain the email address and unsubscription status for suppression purposes. |
After the retention period, data is permanently deleted or anonymized.
7. Data Security
We implement appropriate technical and organizational measures to protect personal data:
- Data at rest encryption provided by Cloudflare D1.
- Data in transit encrypted (TLS/HTTPS).
- Access controls and authentication (session-based, rate-limited).
- Password hashing (industry-standard algorithms).
- Regular security updates and dependency monitoring.
- Edge-delivered architecture minimizing data exposure.
- Our infrastructure provider (Cloudflare) may process request metadata, including IP addresses, for network routing, security, and abuse prevention as part of normal platform operations.
In the event of a personal data breach affecting Customer data, we will notify the relevant Customer without undue delay after becoming aware of the breach, in accordance with applicable data protection laws and our Data Processing Agreement.
8. Your Rights (GDPR Articles 15-22)
As a data subject in the EU/EEA, you have the right to:
| Right | Description |
|---|---|
| Access (Art. 15) | Request a copy of your personal data. |
| Rectification (Art. 16) | Correct inaccurate or incomplete data. |
| Erasure (Art. 17) | Request deletion of your data ("right to be forgotten"). |
| Restriction (Art. 18) | Restrict processing in certain circumstances. |
| Portability (Art. 20) | Receive your data in a structured, machine-readable format. |
| Objection (Art. 21) | Object to processing based on legitimate interests. |
| Withdraw Consent (Art. 7) | Withdraw consent at any time (where consent is the legal basis). |
To exercise these rights, contact us at legal@pureconsent.com. We will respond within 30 days.
For End Users whose data is processed on behalf of our Customers: please contact the relevant Customer (data controller) directly. We will assist the Customer in responding to your request as required by our DPA.
9. Complaint to Supervisory Authority
If you believe your data protection rights have been infringed, you have the right to lodge a complaint with:
Agencia Española de Protección de Datos (AEPD) C/ Jorge Juan, 6 28001 Madrid, Spain Website: www.aepd.es
You may also contact the supervisory authority in your EU/EEA member state of residence.
10. Children's Privacy
The Service is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If we become aware that we have collected such data, we will take steps to delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 30 days before they take effect. The "Last Updated" date at the top reflects the most recent revision.
12. Contact
For privacy-related inquiries or to exercise your rights:
- Email: legal@pureconsent.com
- Address: [ADD REGISTERED ADDRESS], Spain