Privacy Policy
Last updated: April 14, 2026
1. Who we are
CookieFlag ("we", "us", "our") provides a cookie consent banner service for websites. This privacy policy explains how we collect, use, and protect the personal information of our customers — the site owners who sign up for CookieFlag.
2. What we collect
We collect the following information when you create an account:
- Email address — used for authentication (magic link login) and account communications.
- Billing information — processed and stored by Stripe. We do not store credit card numbers or payment details on our servers.
- Banner configuration — the colors, text, and settings you choose for your consent banner.
3. What we do not collect
CookieFlag does not collect, store, or process any data about your website's visitors. The cookie banner widget runs entirely in the visitor's browser. No visitor data — IP addresses, cookie choices, device information, or browsing behavior — is sent to or stored on CookieFlag servers.
4. How we use your information
- To authenticate you and provide access to your dashboard.
- To serve your customized banner script to your website.
- To process your subscription payments via Stripe.
- To send transactional emails (login links, billing receipts). We do not send marketing emails.
5. Third-party services
We use the following third-party services to operate CookieFlag:
- Stripe (San Francisco, USA) — payment processing.
- Resend (San Francisco, USA) — transactional email delivery.
- Neon (USA) — database hosting.
- Vercel (San Francisco, USA) — application hosting and CDN.
Each of these services has its own privacy policy. We only share the minimum data necessary for each service to function.
6. Data retention
We retain your account data for as long as your account is active. If you cancel your subscription or delete your account, we will delete your personal data within 90 days, except where we are required to retain it for legal or billing purposes.
7. Your rights
You can:
- Access your data at any time via your dashboard.
- Delete your account and all associated data by contacting us.
- Export your banner configuration from the dashboard.
If you are located in the EU, you have additional rights under GDPR including the right to rectification, restriction of processing, and the right to lodge a complaint with a supervisory authority.
8. Security
We use HTTPS everywhere, authenticate via secure magic links (no passwords stored), and follow security best practices for our infrastructure. Access to customer data is limited to what is necessary to operate the service.
9. Changes to this policy
We may update this policy from time to time. We will notify you of material changes via the email address associated with your account. Continued use of CookieFlag after changes constitutes acceptance.
10. Contact
For privacy-related questions, email us at privacy@cookieflag.com.