theConsent
Get started

Legal

Privacy Policy

Last updated: May 26, 2026

1. Who we are

theConsent is operated by theCSS Agency. This Privacy Policy explains what data we collect when you use the theConsent service ("Service"), how we use it, and your rights regarding that data.

2. Data we collect

From you (account holders)

  • Email address and name (via Clerk authentication)
  • Billing information (handled by Razorpay — we never see your card details)
  • Webflow workspace data (site names, IDs) via OAuth — only if you connect Webflow
  • Encrypted Webflow access tokens (AES-256-GCM) for script injection

From your site visitors (when they use your banner)

  • Consent choices (which categories accepted/rejected)
  • Anonymous visitor identifier (hashed, no PII)
  • Country code (from request headers — no IP stored)
  • GPC signal status (true/false)
  • Timestamp of consent

We do not store IP addresses, user agents, or any personally identifiable information about your site visitors. The visitor hash is a random opaque string used only to de-duplicate events.

3. How we use your data

  • Provide the Service (banner config, analytics, compliance reporting)
  • Process payments and manage subscriptions
  • Send transactional emails (sign-in, billing receipts, security alerts)
  • Improve the Service (aggregate analytics, never tied to individuals)

4. Data retention

  • Account data: retained until you delete your account
  • Banner configs: retained until you delete the site
  • Consent logs: 7 days (Starter), 90 days (Pro), 1 year (Agency). Automatically deleted after retention period.
  • Audit logs: 1 year

5. Data sharing

We share data only with these processors:

  • Clerk — authentication
  • Neon — database (PostgreSQL, EU region)
  • Upstash — caching (Redis, EU region)
  • Vercel — hosting (US/EU multi-region)
  • Cloudflare — CDN for banner script
  • Razorpay — payment processing
  • Resend — transactional email

We never sell or share data for advertising or marketing purposes.

6. Your rights (GDPR / CCPA)

  • Access: Request a copy of your data — email privacy@gettheconsent.com
  • Deletion: Delete your account from Settings → Account (or email us)
  • Portability: Export your data as JSON
  • Correction: Update your profile from Settings
  • Withdraw consent: Disconnect Webflow OAuth from Settings

7. Security

  • All data in transit encrypted via TLS 1.3
  • Webflow OAuth tokens encrypted at rest with AES-256-GCM
  • Passwords hashed via Clerk (industry standard)
  • Database access logged and audited

8. Contact

For privacy questions, contact privacy@gettheconsent.com.