Privacy Policy

1. Introduction

ClearConsent DataSec Pvt Ltd ("ClearConsent", "we", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect personal data when you use the ClearCookie Cookie Consent Manager ("Service").

This policy applies to all users of the Service, including website operators (our customers) and the end-users of websites that deploy our consent banner.

2. Data Controller & Grievance Officer

3. Data We Collect

3.1 Account Data (Website Operators)

• Full name, email address, company name
• Billing information (processed by Razorpay/PayU — we do not store card details)
• Domain names added for cookie scanning
• Banner and policy configuration settings

3.2 Consent Records (End-Users)

• Principal hash: A one-way SHA-256 cryptographic hash of the end-user identifier, computed client-side via the Web Crypto API. We never store raw identifiers, IP addresses, or emails of end-users.
• IP hash: One-way hash of the IP address for geo-detection purposes only.
• User agent hash: One-way SHA-256 hash used for consent verification.
• Geo country: Country-level location derived from IP for applying jurisdiction-specific rules (e.g., GDPR for EU, DPDPA for India).
• Consent choices: Which cookie categories were accepted or rejected.
• Consent method: How consent was given (banner, preference centre, API).
• Timestamps: When consent was collected and when it expires.

3.3 Cookie Scan Data

• Cookie names, domains, paths, expiry durations, and attributes found during automated scans of customer websites.
• Classification metadata (category, confidence score, classification method).
• No personal data of website visitors is collected during scanning.

3.4 Technical Data

• Server logs (request timestamps, HTTP status codes, response times).
• Error logs for debugging and service improvement.
• Logs contain only anonymised identifiers (user IDs, masked email addresses). Emails are masked (e.g., j***@domain.com) and passwords, tokens, or OTP codes are never logged.

4. How We Use Your Data

5. Data Storage & Security

• Encryption at rest: All sensitive configuration values (API keys, payment credentials, SMTP passwords) are encrypted using AES-256-GCM.
• Encryption in transit: All data is transmitted over TLS 1.2+.
• Password hashing: User passwords are hashed using bcrypt with random salts. Plain text passwords are never stored.
• Tenant isolation: All data is scoped by tenant ID. Cross-tenant access is architecturally impossible.
• Consent immutability: Consent records are append-only during normal operations, ensuring a tamper-proof audit trail. Records are only deleted when you exercise your right to erasure under GDPR Article 17 or DPDPA Section 12(3), upon explicit request.
• Infrastructure: Data is hosted on secured cloud infrastructure with regular backups.

6. Data Retention

7. Data Sharing & Sub-Processors

We do not sell personal data. We share data only with:

• Payment processors (Razorpay, PayU) — to process subscription payments.
• Email providers (Resend, SMTP) — to deliver transactional emails (OTP codes, password resets).
• Geolocation service (ip-api.com) — to detect visitor country for applying jurisdiction-specific consent rules. Only the visitor's IP address is sent; no other personal data is shared. IP addresses are not stored by us after lookup.
• Law enforcement — when required by valid legal process.

We do not use any third-party analytics, advertising, or tracking on the ClearCookie platform itself.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate data.
• Erasure: Request deletion of your account and associated data (subject to legal retention requirements).
• Data portability: Request an export of your data in a machine-readable format (JSON).
• Objection: Object to processing based on legitimate interest.
• Withdrawal of consent: Withdraw consent at any time where processing is based on consent.
• Restriction: Request restriction of processing in certain circumstances.

You can exercise data export and account deletion rights directly from your Settings → Account page using the "Export Data" and "Delete Account" buttons, or by contacting our DPO.

9. Right to Lodge a Complaint

If you are located in the EU/EEA or UK, you have the right to lodge a complaint with your local data protection supervisory authority if you believe that our processing of your personal data violates applicable data protection law (GDPR Article 77).

A list of EU/EEA supervisory authorities is available at edpb.europa.eu. For the UK, contact the Information Commissioner's Office (ICO).

If you are located in India, you may lodge a complaint with the Data Protection Board of India as established under the DPDPA 2023.

10. California Privacy Rights (CCPA/CPRA)

10.1 Do Not Sell or Share

ClearCookie does not sell and does not share your personal information with third parties for cross-context behavioural advertising purposes, as defined under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

10.2 Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. You will not receive different pricing, a different quality of service, or be denied access to the Service for exercising your data rights.

10.3 Categories of Personal Information

In the preceding 12 months, we have collected the following categories of personal information: identifiers (name, email), commercial information (billing data, plan selection), and internet activity (hashed consent records, cookie scan data). We have not sold or shared any of these categories.

11. India-Specific Rights (DPDPA 2023)

11.1 Consent at Collection (Section 5-6)

When you sign up for ClearCookie, we collect your name, email address, and company name for account management, service delivery, and communication. Your explicit consent for this collection is obtained during registration via a consent checkbox, as required by DPDPA Section 5 and 6.

11.2 Nominee Rights (Section 14)

Under DPDPA Section 14, you have the right to nominate another individual to exercise your data rights (access, correction, erasure) in the event of your death or incapacity. To register a nominee, contact our Grievance Officer at grievance@clearconsent.in with your nominee's name and contact details. The nominee will be required to verify their identity before exercising any rights.

11.3 Grievance Redressal

If you have any grievance regarding the processing of your personal data, you may contact our Grievance Officer (details in Section 2 above). If your grievance is not resolved within 30 days, you may escalate to the Data Protection Board of India.

12. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:

• Regulatory notification: We will notify the relevant supervisory authority (Data Protection Board of India under DPDPA Section 8, or EU supervisory authority under GDPR Article 33) within 72 hours of becoming aware of the breach.
• User notification: If the breach is likely to result in a high risk to your rights and freedoms, we will notify affected users without undue delay via email, with details of the breach, potential consequences, and measures taken.
• Record keeping: We maintain an internal breach register documenting all breaches, their effects, and remedial actions taken.

13. Automated Decision-Making

ClearCookie does not engage in automated decision-making or profiling that produces legal effects or similarly significant effects on you, as defined under GDPR Article 22. Cookie classification is automated but does not involve personal data and does not affect individuals.

14. Cookies on ClearCookie Platform

The ClearCookie platform itself uses only strictly necessary cookies for authentication (JWT token storage via localStorage) and session management. We do not use any analytics, marketing, or third-party tracking cookies on our own platform.

15. International Data Transfers

Our primary data processing occurs within India. If data is transferred outside India, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or equivalent mechanisms as required by applicable law.

16. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact our DPO immediately.

17. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to registered users via email at least 15 days before taking effect. The "Last updated" date at the top of this page reflects the most recent revision.

18. Contact Us

19. Regulatory Compliance

This Privacy Policy is designed to comply with:

• DPDPA 2023 — Digital Personal Data Protection Act (India) — Sections 5, 6, 8, 10, 12, 14
• GDPR — General Data Protection Regulation (EU/EEA) — Articles 13, 14, 17, 22, 33, 34, 77
• CCPA/CPRA — California Consumer Privacy Act (USA) — Sections 1798.100-1798.199
• LGPD — Lei Geral de Proteção de Dados (Brazil)
• PIPEDA — Personal Information Protection and Electronic Documents Act (Canada)
• PIPA — Personal Information Protection Act (South Korea)