Privacy Policy

1. Introduction

CMPly ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our cookie consent management platform (the "Service").

This Privacy Policy complies with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable data protection laws.

By using CMPly, you consent to the data practices described in this policy.

2. Data Controller

For the purposes of GDPR, the data controller is:

3. Information We Collect

3.1 Account Information

When you create an account, we collect:

• Email address
• Name (optional)
• Password (encrypted)
• Company/organization name (optional)
• Account creation date

3.2 Website Information

When you add a website to CMPly, we collect:

• Domain name and URL
• Website scan results (cookies, scripts, trackers found)
• Cookie categories and purposes
• Consent banner configuration
• API keys (encrypted)

3.3 Consent Records

When visitors interact with consent banners on your website, we collect:

• Consent choices (categories accepted/rejected)
• Timestamp of consent
• IP address (hashed with SHA-256 for anonymization)
• User agent string
• Consent ID (UUID)

Note: We do NOT store raw IP addresses. All IPs are immediately hashed using SHA-256 encryption to ensure anonymization and GDPR compliance.

3.4 Payment Information

Payment information is processed by Paddle. We do not store full credit card details. We receive:

• Last 4 digits of card
• Card brand (Visa, Mastercard, etc.)
• Billing address
• Transaction history
• Paddle customer ID

3.5 Usage Data

We automatically collect:

• IP address (for security and fraud prevention)
• Browser type and version
• Operating system
• Pages visited on our Service
• Time and date of visits
• Time spent on pages
• Referring website

3.6 Cookies and Tracking

We use cookies to:

• Maintain your login session (necessary)
• Remember your preferences (functional)
• Analyze usage patterns (analytics) - only with consent

You can control cookies through your browser settings. Disabling necessary cookies may affect Service functionality.

4. How We Use Your Information

We use collected information for the following purposes:

4.1 Service Provision

• Create and manage your account
• Provide cookie consent management tools
• Scan websites for cookies and trackers
• Store and retrieve consent records
• Generate compliance reports

4.2 Communication

• Send service-related notifications
• Respond to support requests
• Send important updates about the Service
• Send billing and payment confirmations

4.3 Service Improvement

• Analyze usage patterns to improve features
• Monitor and maintain Service performance
• Develop new features and functionality
• Conduct research and analytics

4.4 Security and Compliance

• Detect and prevent fraud
• Ensure Service security
• Comply with legal obligations
• Enforce our Terms of Service

4.5 Marketing (Optional)

• Send newsletters and product updates (only if you opt-in)
• Provide promotional offers

You can unsubscribe from marketing emails at any time using the unsubscribe link or by contacting us.

5. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

• Contract Performance: Processing necessary to provide the Service
• Legitimate Interest: Service improvement, security, fraud prevention
• Consent: Marketing communications, optional cookies
• Legal Obligation: Compliance with laws, court orders, regulations

6. Data Sharing and Disclosure

6.1 Third-Party Service Providers

We share data with trusted third parties who help us provide the Service:

• Paddle: Payment processing
• MongoDB Atlas: Database hosting
• Hosting Providers: Server infrastructure
• Email Service: Transactional emails

All third parties are contractually bound to protect your data and use it only for specified purposes.

6.2 Legal Requirements

We may disclose information if required by:

• Legal obligations or court orders
• Law enforcement requests
• Protection of our rights and safety
• Investigation of fraud or security issues

6.3 Business Transfers

If CMPly is involved in a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your data is transferred and becomes subject to a different Privacy Policy.

6.4 Public Information

Certain information may be publicly visible:

• Company name (if you choose to display it)
• Website domains you add (visible only to you)

6.5 We DO NOT:

• Sell your personal data to third parties
• Share data for advertising purposes
• Use your data for purposes unrelated to the Service

7. Data Retention

We retain your data for as long as necessary to provide the Service and comply with legal obligations:

• Account data: Until account deletion + 30 days
• Consent records: Minimum 3 years (GDPR compliance requirement)
• Payment records: 7 years (tax law requirements)
• Logs and analytics: Maximum 24 months
• Backups: Automatically deleted after 90 days

After retention periods expire, we securely delete or anonymize your data.

8. Your Rights (GDPR & CCPA)

You have the following rights regarding your personal data:

8.1 Right to Access

Request a copy of all personal data we hold about you.

8.2 Right to Rectification

Correct inaccurate or incomplete personal data.

8.3 Right to Erasure ("Right to be Forgotten")

Request deletion of your personal data, subject to legal retention requirements.

8.4 Right to Restrict Processing

Request that we limit how we use your data in certain circumstances.

8.5 Right to Data Portability

Receive your data in a structured, machine-readable format and transfer it to another service.

8.6 Right to Object

Object to processing based on legitimate interests or for direct marketing purposes.

8.7 Right to Withdraw Consent

Withdraw consent at any time for processing based on consent.

8.8 Right to Lodge a Complaint

File a complaint with your local data protection authority.

To exercise these rights, contact us at privacy@cmply.app. We will respond within 30 days.

9. Data Security

We implement industry-standard security measures to protect your data:

• Encryption in transit (TLS/SSL)
• Encryption at rest for sensitive data
• Regular security audits and updates
• Access controls and authentication
• Employee training on data protection
• Secure password hashing (bcrypt)
• IP address hashing (SHA-256)
• Regular backups with encryption

While we strive to protect your data, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.

10. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence. We ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) for EU data
• Adequacy decisions by the European Commission
• Data Processing Agreements with all processors

11. Children's Privacy

Our Service is not intended for children under 16 years of age. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us, and we will delete it.

12. California Privacy Rights (CCPA)

California residents have additional rights:

• Right to know what personal data is collected
• Right to know if personal data is sold or disclosed
• Right to say no to the sale of personal data (we don't sell data)
• Right to access personal data
• Right to delete personal data
• Right to equal service and price

To exercise these rights, email privacy@cmply.appwith "California Privacy Rights" in the subject line.

13. Changes to Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Email notification
• Notice on our website
• In-app notification

Changes take effect 30 days after notification. Your continued use of the Service constitutes acceptance of the updated Privacy Policy.

14. Contact Us

For questions, concerns, or to exercise your privacy rights, contact us: