Privacy Policy

1. Who We Are

ClearConsent ("we", "us", "our") operates the website clearconsent.app. We provide an automated privacy compliance scanning tool for small e-commerce businesses. You can reach us at [email protected].

2. Data We Collect

We collect the minimum data necessary to provide the Service:

Account Data

• Email address — used for account login and service communications.
• Password — stored as a one-way bcrypt hash. We never store or see your plain-text password.

Scan Data

• URLs you submit — the website addresses you ask us to scan.
• Scan results — trackers, cookies, and privacy signals detected on those URLs.

Payment Data

• Stripe handles all payment processing. We never see or store your credit card number. We receive only your Stripe customer ID and subscription status.

Contact Form

• Email and message content — stored to respond to your inquiry.

Automatically Collected

• Essential cookies only — session authentication and scan tracking. We do not use analytics, advertising, or third-party tracking cookies.
• IP address — used for rate limiting. Not stored long-term.

3. How We Use Your Data

• To provide and operate the scanning service.
• To authenticate your account and manage your subscription.
• To respond to support requests.
• To prevent abuse (rate limiting).

We do not use your data for advertising, profiling, or any purpose beyond delivering the Service.

4. Data Sharing

We do not sell, rent, or share your personal data with third parties, except:

• Stripe — processes payments on our behalf. See Stripe's Privacy Policy.
• Railway — hosts our application infrastructure. See Railway's Privacy Policy.
• Cloudflare — provides DNS and email routing. See Cloudflare's Privacy Policy.
• Law enforcement — if required by law or valid legal process.

5. Data Retention

• Scan results — visible in your dashboard for 30 days (Free) or 90 days (Pro). Stored in our database for up to 2 years, then permanently deleted.
• Account data — retained while your account is active. Deleted upon request.
• Contact messages — retained for up to 1 year.

6. Cookies

We use essential cookies only:

• Session cookie — keeps you logged in. HttpOnly, secure, expires when you close your browser or after 30 days.
• Scan session cookie — links anonymous scans to your browser. Expires after 24 hours.
• Cookie consent preference — remembers your banner dismissal. Stored in localStorage.

We do not use analytics cookies, advertising cookies, or any third-party tracking.

7. Your Rights

Depending on your location, you may have the right to:

• Access — request a copy of the personal data we hold about you.
• Delete — request deletion of your account and associated data.
• Correct — update inaccurate personal data.
• Opt out of sale — we do not sell your data, so there is nothing to opt out of.
• Data portability — receive your data in a structured format.

To exercise any of these rights, email [email protected]. We will respond within 30 days.

8. Security

We protect your data with:

• HTTPS encryption for all traffic.
• Bcrypt password hashing.
• Signed session cookies (HMAC).
• SSRF protection on scan submissions.
• Rate limiting on all endpoints.

9. Children's Privacy

The Service is not directed to children under 13. We do not knowingly collect data from children. If you believe we have, contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will note the "Last updated" date at the top. Continued use of the Service after changes constitutes acceptance.

11. Contact

Questions about this Privacy Policy? Contact us at [email protected] or use our contact form.