Privacy Policy

Last updated: December 23, 2025

1. Introduction

This Privacy Policy explains how Artatol ("we", "us", or "our") collects, uses, and protects your personal information when you use the ArtaConsent service - our Cookie Consent Management Platform (CMP) for GDPR, ePrivacy, and Google Consent Mode v2 compliance.

2. Information We Collect

2.1 Account Information (Dashboard Users)

When you create an ArtaConsent account, we collect:

  • Email address, username, password (encrypted), name
  • Organization name and member information
  • Domain information (URLs where you install ArtaConsent)
  • Banner configuration and customization settings
  • Cookie definitions and categorizations
  • Subscription tier (free, starter, growth, business) and usage limits

2.2 End-User Consent Data (Website Visitors)

When visitors interact with the ArtaConsent banner on your websites, we collect:

  • Visitor ID: Hashed identifier (not personally identifiable)
  • Consent choices: Which cookie categories were accepted/rejected (necessary, functional, analytics, marketing)
  • Google Consent Mode state: GCM v2 consent signals for Google services
  • TC String: IAB TCF 2.2 encoded consent string (if TCF is enabled)
  • IP country: Country derived from IP address for regulation detection (GDPR/CCPA)
  • User Agent: Browser and device information
  • Consent metadata: Timestamp, consent type (explicit/implicit), action (accept/reject/custom)

Note: We do NOT store full IP addresses for end-users, only the derived country code for regulation compliance.

2.3 Cookie Scanner Data

When you use our automatic cookie scanner:

  • Cookie names, domains, paths, and durations detected on your website
  • Scan metadata (pages scanned, timestamps, trigger type)
  • Cookie categorization (automatic + manual overrides)

2.4 Analytics and Usage Data

  • Banner view counts and interaction statistics
  • Consent rate analytics (accept all, reject all, custom selection)
  • Regional breakdown of consent choices
  • Dashboard usage and API access logs
  • Technical data: IP addresses (dashboard users), browser type, device information

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our consent management platform
  • Record and store consent choices for your website visitors
  • Generate Google Consent Mode v2 signals and IAB TCF 2.2 strings
  • Detect applicable regulations (GDPR, CCPA) based on visitor location
  • Scan websites for cookies and automatically categorize them
  • Generate analytics and insights about consent rates and user preferences
  • Provide dashboard access and API functionality
  • Enforce usage limits based on subscription tiers
  • Send important service notifications and updates
  • Provide customer support and respond to inquiries
  • Detect, prevent, and address security issues and abuse
  • Comply with legal obligations

4. Legal Basis for Processing (GDPR)

We process your data based on the following legal grounds:

  • Contract: Processing necessary to provide our services (Art. 6(1)(b) GDPR)
  • Legitimate Interest: Security, fraud prevention, service improvement (Art. 6(1)(f) GDPR)
  • Legal Obligation: Compliance with applicable laws (Art. 6(1)(c) GDPR)
  • Consent: Where explicitly provided for optional features (Art. 6(1)(a) GDPR)

5. Data Storage and Security

We store your data on secure servers located in the European Union and implement appropriate technical and organizational measures:

  • Database storage: PostgreSQL hosted on OVH Frankfurt, Germany (Kubernetes)
  • Queue management: Redis hosted on OVH Frankfurt, Germany (Kubernetes)
  • Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
  • Passwords: Bcrypt hashing (one-way, not reversible)
  • Consent records: Hashed visitor identifiers (SHA-256, not reversible)
  • Database security: Row-level security (RLS) on PostgreSQL
  • Monitoring: Regular security audits and access logs for all operations

6. Data Sharing

We do not sell your personal information. We may share your information with:

  • Artatol Account: Authentication and access management (shared infrastructure)
  • Service providers: OVH (database, queue, infrastructure), Cloudflare (security and performance)
  • Legal authorities: When required by law or to protect our rights
  • Your organization members: Dashboard users within your organization can access shared domain and consent data

Note: All application traffic is routed through Cloudflare's reverse proxy for DDoS protection, WAF security, and performance optimization. Cloudflare processes request metadata (IP addresses, User-Agent, cookies) as part of this service.

Important: End-user consent data collected via the ArtaConsent SDK is processed as a Data Processor on your behalf. You remain the Data Controller for your website visitors' consent data.

7. Data Retention

We retain your data according to the following schedule:

  • Account data: Retained while account is active
  • Consent records: Retained for 2 years from collection date (GDPR requirement for proof of consent)
  • Analytics data: Aggregated daily statistics retained indefinitely (anonymized)
  • Cookie scan results: Retained while domain is active, updated with each scan
  • Usage logs: Retained for 90 days
  • Deleted accounts: All data anonymized or permanently deleted within 30 days

You can request deletion of your data at any time by contacting us at [email protected].

8. Your Rights

Under GDPR and applicable data protection laws, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate personal data
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Restriction: Object to or restrict processing of your data
  • Portability: Receive your data in a structured, machine-readable format (JSON/CSV)
  • Withdrawal: Withdraw consent at any time
  • Objection: Object to automated decision-making
  • Complaint: Lodge a complaint with your local data protection authority

To exercise these rights, please contact us at [email protected].

9. Cookies Used by ArtaConsent

The ArtaConsent SDK sets the following cookies on your website visitors' browsers:

  • artaconsent_visitor_id: Hashed visitor identifier (1 year)
  • artaconsent_consent: Stores consent choices (1 year or until withdrawn)

ArtaConsent Dashboard uses essential authentication cookies (artatol_refresh_token, account_id) and preference cookies (locale, theme).

10. Third-Party Services

ArtaConsent integrates with third-party services that may process data independently:

  • Google Consent Mode v2: Consent signals are sent to Google's services on your behalf
  • IAB TCF 2.2: Consent strings may be shared with TCF-registered vendors you configure

Please review the privacy policies of these third parties. We are not responsible for their data practices.

11. International Data Transfers

Your data is primarily stored and processed in the European Union (AWS eu-west-1). If data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or adequacy decisions by the European Commission.

12. Children's Privacy

Our services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new policy on this page and updating the "Last updated" date. For material changes, we will provide prominent notice or obtain consent where required by law.

14. Contact Us

If you have any questions about this Privacy Policy or want to exercise your data protection rights, please contact our Data Protection Officer:

Data Protection Officer

Email: [email protected]

Mailing address: Artatol, Prague, Czech Republic