Plain English: This agreement explains how we handle your end-users' consent data on your behalf. It's required by GDPR (Article 28) when someone processes personal data for you.
1. Who's Who
You (the customer) = Data Controller
You decide what happens with the consent data from your website visitors.
Consentify = Data Processor
We follow your instructions and only process data to provide you the service.
2. What Data We Process For You
When someone visits your website and interacts with your cookie banner, we store:
- Their consent choices - which cookie categories they accepted or rejected
- When they consented - timestamp of their choice
- A hashed IP address - SHA-256 hash (one-way, cannot be reversed to original IP)
- An anonymous ID - a random identifier (not their IP, email, or name)
- Which banner - which of your cookie banners they saw
- User agent - (optional) browser/device info for analytics
Why hash the IP? To recognize returning users without storing their actual IP address. The hash is one-way - WE cannot reverse it to get the original IP.
We do NOT collect IP addresses, emails, names, or other directly identifiable personal information from your end-users.
3. Why We Process This Data
We process consent data to:
- Store user consent choices so you can comply with GDPR
- Remember if someone already saw the banner (so it doesn't show again)
- Show you consent statistics in your dashboard
- Let you export consent records if needed
That's it. We don't use this data for anything else.
4. Where We Store Data
All personal data is stored in the EU
We use Supabase with servers in London. This means GDPR protection and no data leaving the EU.
Sub-processors We Use:
These are the services we rely on to run Consentify:
| Service | Purpose | Location |
|---|---|---|
| Supabase | Database & auth | EU (London) |
| Stripe | Payments | EU/US (with SCCs) |
| Vercel/AWS | Hosting | Global CDN |
| Sentry | Error & Performance Monitoring | US (with SCCs/DPF) or EU |
SCCs = Standard Contractual Clauses (EU-approved contracts for data transfers outside EU)
5. How Long We Keep Data
- Consent logs: 12 months by default (you can configure this per plan)
- After you delete your account: We delete everything within 30 days
You can also manually delete consent records anytime via the dashboard or API.
6. Security Measures
Here's how we protect data:
What We Control:
- HTTPS/TLS 1.3 everywhere - encrypted connections
- Secure password hashing (bcrypt)
- Regular security updates for code and dependencies
- Access logs to track who accessed what
What Supabase Handles:
- Data encryption at rest (AES-256)
- Daily automated backups
- Database access control and authentication
- Infrastructure security and monitoring
7. Data Breach Notification
If something goes wrong and there's a security breach affecting your end-users' data:
We will notify you within 72 hours of becoming aware.
We'll tell you what happened, what data was affected, and what we're doing about it.
Your responsibility:
You decide if the breach needs to be reported to authorities (like Datatilsynet in Norway) or to your end-users. We'll give you all the information you need to make that decision and fulfill your obligations.
8. Helping You With Data Subject Rights
If one of your end-users wants to exercise their GDPR rights (access, delete, etc.), here's how we help:
- Access their data: You can export consent records via dashboard
- Delete their data: You can delete specific consent records via dashboard or API
- Correct their data: You can update consent records if needed
If someone contacts us directly: We'll forward their request to you immediately. We won't respond to them without your instructions (since you're the controller, not us).
9. Your Instructions to Us
We only process data according to your instructions:
- What you configure in the Consentify dashboard
- These terms and this DPA
- Written instructions you send us via email
If we think your instruction would violate GDPR: we'll let you know immediately so we can figure it out together.
10. When You Delete Your Account
Here's what happens to the data:
1. You can export everything first - Download all consent data as JSON
2. We delete all data within 30 days - Including all consent records
3. Exception: Payment records we're legally required to keep for accounting (7 years in Norway)
11. Audit Rights
You have the right to verify we're following this agreement. You can:
- Ask us questions about how we protect data (we'll answer honestly)
- Request documentation about security measures
- Ask about Supabase's security certifications
For physical on-site audits: This isn't practical for a small SaaS, but we can discuss alternative ways to verify compliance if you have serious concerns.
12. International Transfers
Main rule: All your end-users' consent data stays in the EU (London via Supabase).
Exception: Payment data processed by Stripe may be transferred to the US, but they use EU Standard Contractual Clauses (SCCs) for protection.
13. Liability
Under GDPR, both you and we can be held liable to end-users for data protection violations.
Our liability is limited as described in the Terms of Service (basically limited to what you've paid us in the last 12 months).
14. How Long This Agreement Lasts
This DPA is effective from when you create your Consentify account and continues as long as we process any personal data on your behalf.
It automatically ends 30 days after you delete your account (once all data is deleted).
15. Contact Us
Questions about data processing? Need help with a data subject request?
Email us: support@consentify.app
We care about doing this right. Don't hesitate to reach out!
TL;DR - What This Means
- We only process consent data as you instruct us
- Everything stored safely in EU (London)
- We'll notify you within 72 hours if there's a breach
- You can export/delete data anytime
- We help you respond to your users' GDPR requests
- Data deleted within 30 days after you close your account
This DPA works together with the Terms of Service and Privacy Policy to protect your end-users' data.
How This Agreement Works
By using Consentify, you automatically accept this DPA as part of the Terms of Service. You don't need to sign anything separately.
Need a signed copy? Some companies require signed DPAs for their records. If you need this, email us at support@consentify.app and we'll send you one.