Privacy Policy
Last updated: March 2026
1. Who We Are
ClearConsent ("we", "us", "our") operates the website clearconsent.app. We provide an automated privacy compliance scanning tool for small e-commerce businesses. You can reach us at [email protected].
2. Data We Collect
We collect the minimum data necessary to provide the Service:
Account Data
- Email address — used for account login and service communications.
- Password — stored as a one-way bcrypt hash. We never store or see your plain-text password.
- Google account info (if using Google Sign-In) — your Google ID, name, and email address, received via Google OAuth. We do not access any other Google data.
Scan Data
- URLs you submit — the website addresses you ask us to scan.
- Scan results — trackers, cookies, and privacy signals detected on those URLs.
Payment Data
- Stripe handles all payment processing. We never see or store your credit card number. We receive only your Stripe customer ID and subscription status.
Shopify Integration Data
- Shop domain and access token — stored (encrypted at rest) to manage your Shopify store integration. We access only the Shopify API scopes you authorize during installation.
- Billing status — subscription plan and billing state managed through Shopify's Billing API.
Contact Form
- Email and message content — stored to respond to your inquiry.
Automatically Collected
- Essential cookies — session authentication and scan tracking. Always active.
- Analytics (optional, consent-required) — if you accept analytics cookies, we use PostHog to collect anonymized usage data (page views, feature usage). We send only a pseudonymous user identifier to PostHog — no email, name, or other personal information. You can accept or decline analytics from the cookie banner, and change your preference at any time.
- IP address — used for rate limiting. Not stored long-term.
3. How We Use Your Data
- To provide and operate the scanning service.
- To authenticate your account and manage your subscription.
- To respond to support requests.
- To prevent abuse (rate limiting).
We do not use your data for advertising, profiling, or any purpose beyond delivering the Service.
4. Data Sharing
We do not sell, rent, or share your personal data with third parties, except the following service providers who process data on our behalf:
- Stripe — payment processing. See Stripe's Privacy Policy.
- Shopify — app integration and billing for Shopify merchants. See Shopify's Privacy Policy.
- Google — OAuth authentication (Sign in with Google). See Google's Privacy Policy.
- PostHog — anonymized product analytics (only with your consent). See PostHog's Privacy Policy.
- Sentry — error monitoring and application stability. See Sentry's Privacy Policy.
- Railway — application hosting infrastructure. See Railway's Privacy Policy.
- Cloudflare — DNS, email routing, and encrypted backup storage. See Cloudflare's Privacy Policy.
- Resend — transactional email delivery. See Resend's Privacy Policy.
- Law enforcement — if required by law or valid legal process.
5. Data Retention
- Scan results — stored in our database for up to 1 year, then permanently deleted.
- Account data — retained while your account is active. Deleted upon request.
- Contact messages — retained for up to 1 year.
- Audit & security logs — administrative activity logs retained for up to 2 years. Failed login records purged after 90 days.
6. Cookies
We use the following cookies:
Essential (always active)
- Session cookie — keeps you logged in. HttpOnly, secure, expires after 14 days.
- Scan session cookie — links anonymous scans to your browser. Expires after 24 hours.
- CSRF token — protects against cross-site request forgery.
Analytics (consent required)
- PostHog analytics — only loaded if you click "Accept Analytics" on the cookie banner. Tracks anonymized page views and feature usage. No personal information is sent. You can change your preference at any time using the "Cookie Preferences" link in the site footer.
We do not use advertising cookies or any third-party tracking for ad purposes.
7. Your Rights
Depending on your location, you may have the right to:
- Access — request a copy of the personal data we hold about you.
- Delete — request deletion of your account and associated data.
- Correct — update inaccurate personal data.
- Opt out of sale — we do not sell your data, so there is nothing to opt out of.
- Data portability — receive your data in a structured format.
To exercise any of these rights, email [email protected]. We will respond within 30 days. You can also manage your email notification preferences at any time.
8. Security
We protect your data with:
- HTTPS encryption for all traffic.
- Bcrypt password hashing.
- Signed session cookies (HMAC).
- SSRF protection on scan submissions.
- Rate limiting on all endpoints.
9. Children's Privacy
The Service is not directed to children under 13. We do not knowingly collect data from children. If you believe we have, contact us and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top. Continued use of the Service after changes constitutes acceptance.
11. Contact
Questions about this Privacy Policy? Contact us at [email protected] or use our contact form.