Privacy Policy
Last updated 1 June 2026
Draft, pending counsel review. This document is a working draft and does not yet constitute final legal terms. It may change before publication.
This Privacy Policy explains how ConsentX collects, uses, discloses and protects personal data through this marketing website, and describes the privacy rights available to you under the laws that apply where you live. Please read it carefully. If you do not understand any part of it, contact our privacy team and we will be glad to help.
1. Who we are and the scope of this policy
ConsentX is a consent and preference management platform. This Privacy Policy applies to the ConsentX marketing website at consentx.io and its subpages (the “Website”). For the personal data described in this policy, ConsentX acts as the data controller, meaning we decide why and how that personal data is processed.
This policy does not cover personal data that our customers process through the ConsentX product at app.consentx.io. In the product, our customer is the controller and ConsentX acts as a processor (or service provider) on the customer’s documented instructions. Our processing of product data is governed by our customer agreement and our Data Processing Addendum. If you are an end user of a website that uses ConsentX and you want to exercise rights over data collected on that website, please contact the operator of that website, who is the controller.
2. Definitions
The following terms are used throughout this policy:
- Personal data means any information relating to an identified or identifiable natural person. It includes the equivalent concepts of “personal information” under United States laws and “personal data” under Indian law.
- Processing means any operation performed on personal data, such as collection, storage, use, disclosure or deletion.
- Controller means the party that determines the purposes and means of processing personal data.
- Processor means a party that processes personal data on behalf of, and on the instructions of, a controller.
- Data subject or you means the individual to whom personal data relates.
- GDPR means the EU General Data Protection Regulation, and UK GDPR means the UK version of that regulation as retained in United Kingdom law.
3. What personal data we collect
We aim to collect as little personal data as possible and only what we need for the purposes described in this policy. Depending on how you interact with the Website, we may collect the following categories of personal data.
Website visitors. When you browse the Website we may collect:
- Internet protocol (IP) address and approximate location derived from it.
- Device, browser and operating system information.
- Pages viewed, referring pages and the dates and times of your visits.
- Information collected through cookies and similar technologies (see section 5).
Leads, demo requests and enquiries. When you request a demo, contact us, sign up for updates or otherwise reach out, we collect the details you provide, which may include:
- Your name and job title.
- Your work email address and telephone number.
- Company name, size and country.
- The content of your message and any information you choose to include.
Account and billing data. If you create an account or purchase a paid plan through us, we (or our payment processor) collect account credentials, contact details, billing contact, company details and transaction records. We do not store full payment card numbers; these are handled by our payment processor.
Support data. When you contact support, we collect the messages, attachments and contact details you share, along with records of our correspondence so we can help you and keep accurate records.
Cookie and analytics data. We use privacy-friendly analytics to understand aggregate traffic and improve the Website. We also run the ConsentX consent banner on this Website, and when you make a cookie choice we keep a record of that choice so we can honour it and so we have evidence of consent. See section 5 and our Cookie Policy for details.
We do not intentionally collect special categories of personal data (such as health, biometric or political data) through the Website, and we ask that you do not send us such information.
4. How and why we use personal data, and our legal bases
We process personal data for the purposes set out below. Where the GDPR or UK GDPR applies, we rely on the legal basis stated for each purpose.
- To respond to enquiries, demo requests and sales conversations. Legal basis: our legitimate interests in responding to you and running our business, and taking steps at your request before entering into a contract.
- To create and administer accounts and provide paid services. Legal basis: performance of a contract with you or your organisation.
- To process payments and manage billing. Legal basis: performance of a contract and compliance with our legal obligations, including tax and accounting duties.
- To send marketing communications and product updates you have asked for. Legal basis: your consent, or our legitimate interests where permitted by law. You can withdraw consent or unsubscribe at any time.
- To operate, secure and improve the Website. Legal basis: our legitimate interests in maintaining a safe, reliable and useful website.
- To set non-essential cookies and similar technologies. Legal basis: your consent.
- To keep records and comply with the law. Legal basis: compliance with our legal obligations and our legitimate interests in keeping appropriate records, including evidence of consent.
- To establish, exercise or defend legal claims and prevent fraud or abuse. Legal basis: our legitimate interests and compliance with legal obligations.
Where we rely on legitimate interests, we balance those interests against your rights and freedoms, and you can object to that processing as described in section 10. We do not sell your personal data.
5. Cookies and similar technologies
We use cookies and similar technologies to operate the Website, remember your preferences and understand aggregate usage. Strictly necessary cookies are used to provide core functionality and do not require consent. Non-essential cookies, including analytics, are only set with your consent, which you give or refuse through the consent banner and can change at any time. For a full description of the cookies we use, their purposes and how to manage your choices, please see our Cookie Policy.
6. Who we share personal data with
We do not sell personal information and we do not share it with third parties for their own marketing. We disclose personal data only in the following circumstances:
- Service providers and subprocessors. We use a small set of trusted vendors who help us run the Website and communicate with you, such as our hosting, content delivery, email and analytics providers. Each is bound by contract to protect personal data and to process it only on our instructions. A current list is on our subprocessors page.
- Professional advisers. We may share data with our auditors, lawyers, insurers and accountants where reasonably necessary and subject to confidentiality.
- Authorities. We may disclose personal data where required by law, court order or a valid request from a public authority, or to protect our rights, users or the public.
- Business transfers. If we are involved in a merger, acquisition, financing or sale of assets, personal data may be transferred as part of that transaction, subject to this policy and applicable law.
7. International data transfers
We operate globally, so your personal data may be processed in countries other than your own. The ConsentX product is hosted on Amazon Web Services in the Asia Pacific (Mumbai) region, ap-south-1, in India. This marketing Website is hosted on Vercel, and we use Cloudflare for content delivery, domain name services and web application firewall protection. These providers may process data in other regions.
Where we transfer personal data outside the European Economic Area or the United Kingdom, we put in place appropriate safeguards, which include the European Commission Standard Contractual Clauses together with the UK International Data Transfer Addendum, and reliance on the EU-US Data Privacy Framework where the recipient is certified under it. You can request more information about the safeguards we use by contacting us at privacy@consentx.io.
8. How long we keep personal data
We keep personal data only for as long as necessary for the purposes for which it was collected, including to satisfy legal, accounting or reporting requirements. Our typical retention periods by category are:
- Leads and enquiry data. Kept while we handle your enquiry and for a reasonable period afterwards, then deleted or anonymised.
- Account and billing data. Kept for the life of the account and for the period required to meet tax, accounting and legal obligations after the account closes.
- Support correspondence. Kept for as long as needed to provide support and to maintain a reasonable service history.
- Consent records. Retained as evidence of consent for the period required by applicable privacy law.
- Aggregate analytics. Retained in aggregate form that does not identify you.
When personal data is no longer needed, we securely delete or anonymise it.
9. Security
We use appropriate technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse or alteration. These measures include access controls, encryption in transit, network protection and regular review of our practices. No method of transmission or storage is completely secure, so we cannot guarantee absolute security. For more information, please see our Security page.
10. Your rights
The rights available to you depend on the laws that apply where you live. We honour the rights described below and will not discriminate against you for exercising them.
European Economic Area and United Kingdom (GDPR and UK GDPR). If you are in the EEA or the UK, you have the right to:
- Access the personal data we hold about you.
- Have inaccurate personal data rectified.
- Have your personal data erased in certain circumstances.
- Restrict our processing of your personal data in certain circumstances.
- Receive your personal data in a portable format and have it transmitted to another controller.
- Object to processing based on our legitimate interests and to direct marketing.
- Withdraw consent at any time where we rely on consent, without affecting prior processing.
- Lodge a complaint with your local Data Protection Authority, which is the supervisory authority for your country.
California (CCPA and CPRA). If you are a California resident, you have the right to:
- Know what personal information we collect, use and disclose.
- Request deletion of your personal information.
- Request correction of inaccurate personal information.
- Opt out of the sale or sharing of personal information.
- Limit the use and disclosure of sensitive personal information.
- Not be discriminated against for exercising your rights.
- Use an authorized agent to submit requests on your behalf.
We do not sell or share personal information as those terms are defined under California law. We honour the Global Privacy Control (GPC) signal as a valid opt-out of sale and sharing.
India (Digital Personal Data Protection Act). If you are in India, you have the right to:
- Access a summary of the personal data we process about you.
- Request correction and updating of your personal data.
- Request erasure of your personal data where appropriate.
- Have your grievances addressed through our grievance redressal process.
- Nominate another individual to exercise your rights in the event of death or incapacity.
Brazil (LGPD) and other jurisdictions. If you are protected by Brazil’s Lei Geral de Proteção de Dados or by another comprehensive privacy law, you may have rights similar to those described above, such as confirmation of processing, access, correction, anonymisation or deletion, portability and information about sharing. We will honour the rights granted to you under the privacy law that applies in your jurisdiction. If you are unsure which rights apply to you, contact us and we will help.
11. How to exercise your rights
To exercise any of the rights described above, email us at privacy@consentx.io. To protect your privacy, we may need to verify your identity before acting on your request, and we may ask for additional information for that purpose. If an authorized agent submits a request on your behalf, we may ask for proof of authorisation.
We will respond within the time required by applicable law. Under the GDPR and UK GDPR we aim to respond within 30 days, and under California law within 45 days, with extensions where permitted. We provide our responses free of charge, except where the law allows a reasonable fee for excessive or repetitive requests.
12. Automated decision-making
We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing, including profiling. If this changes, we will update this policy and provide the information and safeguards required by law.
13. Children
The Website is intended for businesses and is not directed to children under 16 (or under 18 where that higher age applies). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will take appropriate steps to delete it.
14. EU and UK Representative
Where required under Article 27 of the GDPR and the UK GDPR, we have appointed IntelligenceX, a compliance representation firm (intelligencex.org), as our representative in the European Union and the United Kingdom. You can contact our representative on matters relating to the processing of your personal data. The registered address of the representative is available on request, and you can reach us at privacy@consentx.io to be put in contact.
15. Data Protection Officer and contact
You can contact our privacy team about any matter relating to this policy or your personal data at privacy@consentx.io. For legal matters, contact legal@consentx.io, and for security matters, contact security@consentx.io. Where a Data Protection Officer is appointed, their contact details will be published here and you can reach them through our privacy address.
16. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, our services or the law. When we make material changes, we will update the date at the top of this page and, where appropriate, provide additional notice. We encourage you to review this policy periodically.
17. Contact and complaints
If you have a concern about how we handle your personal data, please contact us first at privacy@consentx.io so we can try to resolve it. You also have the right to lodge a complaint with your local supervisory authority or Data Protection Authority. We would, however, appreciate the chance to address your concerns before you approach a regulator.