Privacy Policy
Last updated: 4 April 2026
Conzentor is a cookie consent management platform operated by SOAK A/S, a company incorporated in Denmark (the “Company”, “we”, “us”, or “our”). This Privacy Policy explains how we collect, use, and protect personal data when you use our website and services.
1. Data Controller
SOAK A/S is the data controller for any personal data processed through the Conzentor platform. For questions about this policy, contact us at privacy@conzentor.com.
2. Data We Collect
2.1 Account Data
When you create a Conzentor account, we process your name, email address, and authentication credentials using Better Auth. Passwords are hashed before storage and are never stored in plaintext.
2.2 Billing Data
Subscription and payment information is processed by Lemon Squeezy as our merchant of record. We store your subscription plan, status, and Lemon Squeezy customer identifiers. We do not have access to your full credit card number.
2.3 Consent Logs
When a visitor interacts with a consent banner powered by Conzentor, we record the following data:
- Hashed IP address — a SHA-256 hash of the visitor’s IP address, combined with a daily rotating salt. We never store raw IP addresses.
- Country code — derived from the IP address at the time of the request (e.g., “DE”, “US”).
- Consent choices — which cookie categories the visitor accepted or rejected.
- Session identifier — a randomly generated ID used to group consent interactions within a single browser session.
- User agent hash — a hashed representation of the visitor’s browser user agent string.
- Timestamp — the date and time the consent decision was recorded.
2.4 What We Do Not Collect
We do not store raw IP addresses, full user agent strings, or any data that would directly identify a website visitor. All personally identifiable information derived from network requests is hashed before storage using SHA-256 with daily rotating salts, making re-identification computationally infeasible.
3. Legal Basis for Processing
We process personal data on the following legal bases:
- Performance of a contract (Art. 6(1)(b) GDPR) — to provide the Conzentor service to our customers.
- Legitimate interest (Art. 6(1)(f) GDPR) — to maintain GDPR-compliant audit trails of consent decisions on behalf of our customers. Our customers need verifiable consent records to demonstrate compliance with the ePrivacy Directive and GDPR.
- Legal obligation (Art. 6(1)(c) GDPR) — where we are required to retain certain records for tax, accounting, or regulatory purposes.
4. Data Retention
Consent log records are retained for a minimum of 12 months and a maximum of 36 months, in accordance with regulatory guidance on consent record-keeping. After the retention period, records are automatically purged from our systems.
Account data is retained for as long as your account is active. Upon account deletion, your data is removed within 30 days.
5. Sub-processors
We use the following sub-processors to deliver the Conzentor service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Neon | PostgreSQL database hosting | Frankfurt, Germany (EU) |
| Cloudflare | CDN, API hosting, and edge compute | Global |
| Lemon Squeezy | Billing and subscription management | United States |
| Resend | Transactional email delivery | United States |
6. EU Data Residency
All consent data (consent logs, hashed identifiers, and audit records) is stored in our Neon PostgreSQL database located in Frankfurt, Germany. This ensures that consent data remains within the European Union.
7. Data Security
We implement appropriate technical and organisational measures including:
- Encryption in transit via TLS for all API and dashboard traffic.
- Hashing of all personally identifiable information (IP addresses, user agents) using SHA-256 with daily rotating salts.
- Row-level security (RLS) on all database tables to ensure strict tenant isolation.
- Regular access reviews and principle of least privilege for all internal systems.
8. Your Rights
Under the GDPR, you have the following rights with respect to your personal data:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — request correction of inaccurate personal data.
- Right to erasure — request deletion of your personal data, subject to legal retention obligations.
- Right to data portability — receive your data in a structured, commonly used, and machine-readable format.
- Right to object — object to processing based on legitimate interest.
- Right to restriction — request restriction of processing in certain circumstances.
To exercise any of these rights, contact us at privacy@conzentor.com. We will respond within 30 days.
9. Supervisory Authority
You have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Danish Data Protection Agency (Datatilsynet).
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The “last updated” date at the top of this page indicates when the policy was last revised.
11. Contact
For any questions or concerns regarding this Privacy Policy or our data practices, contact us at:
SOAK A/S
Email: privacy@conzentor.com