Legal
Privacy Policy
Last updated: June 12, 2026
Consent Validator (“we”, “us”) is a consent validation platform: you submit a publicly accessible URL, and we audit how that site behaves before consent, after rejection, and after acceptance. This policy explains what data we collect to do that, how we use and protect it, how long we keep it, and the rights you have over it. We act as the data controller for the account and usage data described here. Contact us any time at hello@consentvalidator.com.
1. Data we collect
Account data
When you create an account we store your email address and a salted hash of your password (we never store the password itself). Authentication is handled by Supabase Auth, and a session cookie keeps you signed in.
Validation data
For every validation you run we store the URL you submitted, your scan configuration (consent states, region, audit scope), and the results: detected consent banner and CMP, cookies and network requests observed on the scanned site, Consent Mode signals, findings, scores, and evidence screenshots of the rendered pages. Evidence describes how the scanned website behaved toward our automated browser — it is not data about identifiable individuals.
Monitoring data
If you enable monitoring we store your schedule (host, cadence, region), drift baselines, and the alerts the system raises for you.
Google Analytics data (optional integration)
If you connect a Google Analytics account, we store OAuth tokens, the connected Google email address, and read-only snapshots of your GA4 property configuration. This is covered in detail in section 4.
Technical logs
Our hosting providers keep standard server logs (IP address, user agent, request timestamps) for security, abuse prevention, and operations. We do not run analytics or advertising trackers on this site — see the cookie policy.
2. How we use your data
- To provide the service (legal basis: performance of a contract) — running validations, generating reports, scheduled monitoring, alerts, and the GA4 configuration audit.
- To keep the service secure (legitimate interest) — authentication, rate limiting, abuse and fraud prevention.
- To improve the product (legitimate interest) — understanding usage in aggregate. We do not build advertising profiles and we do not sell data.
- To comply with law (legal obligation) — when we are required to retain or disclose information.
We make no automated decisions about you that produce legal or similarly significant effects.
3. Storage and security
- Data is stored in Supabase (PostgreSQL database, authentication, and file storage for evidence screenshots), encrypted in transit (TLS) and at rest.
- Every workspace’s data is isolated with row-level security: your validations, reports, and tokens are queryable only by your authenticated account.
- Google OAuth tokens are stored server-side only and are never exposed to the browser; scan infrastructure secrets are likewise server-side.
- Access for support or debugging is restricted to what is necessary and is never used for any other purpose.
4. Google user data (GA4 integration)
The Google Analytics integration is optional — the core consent validation works without it. If you choose to connect Google, this section describes exactly what we access and how it is handled.
What we request
We request the read-only Google Analytics scope (https://www.googleapis.com/auth/analytics.readonly) plus your basic profile email (openid, email) so we can show which Google account is connected.
What we access and why
Using the Google Analytics Admin and Data APIs, we read your GA4 account and property list, data streams and measurement IDs, data-retention settings, Google-signals state, key events, and related configuration. We use this solely to generate your GA4 configuration audit — a report that checks those settings against GDPR and Consent Mode best practices. We read configuration and aggregate report data; we never write or change anything in your Google account.
What we store
We store the OAuth access and refresh tokens (server-side, row-level-secured, encrypted at rest), the connected Google email, and the audit reports generated for you. Audit reports contain configuration snapshots — not your website visitors’ analytics data.
What we never do with Google data
- Sell it, or transfer it to advertisers, data brokers, or any third party (we transfer it only to Google itself when calling Google APIs on your behalf).
- Use it for advertising, profiling, or training machine-learning models.
- Allow humans to read it, except with your explicit permission for support, where required for security or abuse investigation, or where required by law.
- Use it for any purpose other than producing the GA4 configuration audit you requested.
Limited Use disclosure
Consent Validator’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Revoking access
Disconnect at any time from Settings → Google Analytics → Disconnect, which immediately deletes the stored tokens, or revoke Consent Validator’s access from your Google Account permissions page. You can also request deletion of past audit reports — see section 6.
6. Retention and deletion
- Reports and scores are kept for as long as your account is active, so you have an audit history.
- Evidence screenshots are pruned automatically after 45 days when they are redundant — screenshots tied to a violation, a detected drift, or a current monitoring baseline are kept so your evidence trail stays intact.
- Google OAuth tokens are deleted immediately when you disconnect the integration.
- Account data is deleted when you ask us to close your account: email hello@consentvalidator.com from your account address and we will delete your account, validations, evidence, GA4 tokens, and audit reports within 30 days, except where the law requires us to keep specific records.
7. Your rights
Depending on where you live (and always under the GDPR if you are in the EU/EEA or UK), you have the right to:
- Access the personal data we hold about you and receive a copy (portability).
- Correct inaccurate data.
- Have your data erased (“right to be forgotten”).
- Restrict or object to processing based on legitimate interest.
- Withdraw consent at any time where processing is based on consent (e.g. the GA4 connection), without affecting prior processing.
- Complain to your supervisory authority if you believe we process your data unlawfully.
To exercise any of these, email hello@consentvalidator.com from your account address. We respond within 30 days.
8. International transfers
Our infrastructure providers may process data in the European Union and/or the United States depending on the region of their data centers. Where data leaves the EU/EEA, we rely on our providers’ standard contractual clauses and equivalent safeguards.
9. A note on scanned websites
Validations visit publicly accessible pages with an automated browser and record how the site behaves: which cookies it sets, which requests it makes, and how its consent banner responds. This is information about the website’s technical behavior, not about individuals. If an evidence screenshot inadvertently captures personal data that a scanned site displays publicly, contact us and we will delete it.
10. Children
Consent Validator is a business tool and is not directed at children under 16. We do not knowingly collect data from children; if you believe a child has created an account, contact us and we will delete it.
11. Changes to this policy
We will post any changes on this page and update the date at the top. For material changes we will notify you in the app or by email before they take effect. Continued use of the service after a change means you accept the updated policy.