Privacy Policy
Last Updated: November 11, 2025
1. Introduction
This Privacy Policy explains how ValKev ("we," "our," or "us"), operating as CookieFast, collects, uses, discloses, and protects personal data when you use our cookie consent management platform.
We are committed to protecting your privacy and complying with the:
- UK General Data Protection Regulation (UK GDPR)
- EU General Data Protection Regulation (EU GDPR)
- Data Protection Act 2018 (UK)
- Privacy and Electronic Communications Regulations (PECR)
This Privacy Policy applies to all CookieFast services, domains and subdomains.
2. Data Controller Information
For the purposes of UK GDPR and EU GDPR, the data controller is:
ValKev
Website: https://valkev.tech
Email: legal@valkev.tech
If you have any questions about how we process your personal data, please contact our Data Protection Officer at the email address above.
3. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Customer" means individuals or entities who register for a CookieFast account.
- "End User" means visitors to our Customers' websites who interact with the CookieFast widget.
- "Processing" means any operation performed on personal data, including collection, storage, use, and deletion.
- "Service" means the CookieFast platform, including website, dashboard, API, and widget.
4. What Personal Data We Collect
4.1 Data We Collect from Customers (You)
Account Registration Data
- Full name - to identify you in our system
- Email address - for authentication, account verification, and communications
- Password - stored as a cryptographic hash using bcrypt (we never see your actual password)
- Account creation date - for record-keeping
Property Configuration Data
- Property URLs or app identifiers - websites/apps where you deploy our widget
- Property names and descriptions - for organization in your dashboard
- API keys - unique identifiers generated for each property
- Banner customization settings - colors, text, positioning preferences
- Cookie policy text - custom text you provide for your banner
- Privacy policy URLs - links you provide
- Script configurations - URLs and code for analytics/marketing scripts
Payment Data
- Email address - shared with Stripe for payment processing
- Stripe Customer ID - for linking payments to your account
- Payment Intent ID and Checkout Session ID - for tracking transactions
- Purchase history - plan type, quantity, amount, currency, timestamps
Note: We do NOT collect or store payment card information. All card data is processed and stored by Stripe in compliance with PCI DSS standards.
Technical and Usage Data
- Authentication tokens - Laravel Sanctum tokens for API access
- Login timestamps - when you access your account
- IP addresses - for security and fraud prevention
- Browser user agent - for compatibility and troubleshooting
4.2 Data We Collect from End Users (On Behalf of Customers)
When End Users interact with our Customers' cookie banners, we collect and process the following data on behalf of our Customers as a Data Processor:
Consent Interaction Data
- Event type - view, accept, reject, customize, category_toggle
- Timestamp - when the interaction occurred
- Consent choices - which cookie categories were accepted/rejected
Analytics and Geolocation Data
- Country - ISO 3166-1 country code (e.g., "GB", "IT")
- Region - state or province
- City - city name
- IP address - IPv4 or IPv6 address (optional, can be disabled)
- User agent string - browser and device information
Cookie Data Stored in End User's Browser
- Cookie name: cookiefast_consent
- Purpose: Store End User's consent preferences
- Data stored: JSON object containing timestamp and accepted cookie categories
- Expiry: 365 days
- Type: Strictly necessary cookie (exempt from consent requirements under PECR)
5. Legal Basis for Processing
Under UK GDPR and EU GDPR, we must have a lawful basis to process personal data. Our legal bases are:
5.1 For Customer Data
| Data Type | Legal Basis | Explanation |
|---|---|---|
| Account registration data | Contract (GDPR Art. 6(1)(b)) | Necessary to provide the Service you signed up for |
| Payment data | Contract (GDPR Art. 6(1)(b)) | Necessary to process payments |
| Property configurations | Contract (GDPR Art. 6(1)(b)) | Necessary to deliver the Service |
| Marketing communications | Consent (GDPR Art. 6(1)(a)) | Only if you opt-in (currently not implemented) |
| Security logs (IP, user agent) | Legitimate interests (GDPR Art. 6(1)(f)) | Fraud prevention and security |
| Purchase history | Legal obligation (GDPR Art. 6(1)(c)) | Tax and accounting compliance |
5.2 For End User Data (Processed on Behalf of Customers)
We process End User data as a Data Processor under the instructions of our Customers (the Data Controllers). The legal basis is determined by our Customers, typically:
- Consent (GDPR Art. 6(1)(a)) - for tracking analytics and consent choices
- Legitimate interests (GDPR Art. 6(1)(f)) - for understanding consent banner performance
6. How We Use Personal Data
6.1 Customer Data
We use your personal data to:
- Provide the Service - create and manage your account, properties, and banner configurations
- Process payments - handle purchases via Stripe
- Communicate with you - send transactional emails (account verification, password resets)
- Improve the Service - analyze usage patterns to enhance features
- Ensure security - detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations - respond to legal requests, enforce Terms of Service
- Provide customer support - respond to inquiries and troubleshoot issues
6.2 End User Data
We process End User data on behalf of our Customers to:
- Store consent preferences - remember End Users' cookie choices
- Generate analytics - provide Customers with insights on banner performance
- Display geographic data - show Customers where consent is being given/denied
7. Data Sharing and Third-Party Services
We do not sell, rent, or trade personal data. We share data only in the following circumstances:
7.1 Third-Party Service Providers
Stripe (Payment Processing)
- Data shared: Email address, Customer ID, transaction amounts
- Purpose: Process payments securely
- Location: USA (with EU data residency options)
- Privacy Policy: https://stripe.com/privacy
- Legal basis: Standard Contractual Clauses (SCCs) for international transfers
hCaptcha (Bot Protection)
- Data shared: IP address, browser user agent, captcha response token
- Purpose: Prevent automated abuse during registration and login
- Location: USA
- Privacy Policy: https://www.hcaptcha.com/privacy
Email Service Provider
- Data shared: Email address, name, verification tokens
- Purpose: Send transactional emails (account verification, notifications)
- Providers: Postmark, Amazon SES, or Resend (depending on configuration)
Slack (Internal Notifications)
- Data shared: Email, name, payment events, error logs (internal use only)
- Purpose: Team notifications for registrations, payments, and errors
- Privacy Policy: https://slack.com/privacy-policy
7.2 Hosting and Infrastructure
- Web hosting: Vercel (website and CDN) - Privacy Policy
- API hosting: Amezmo or similar providers
- Database: MySQL/MariaDB hosted on secure servers
- Location: EU/UK data centers where possible
7.3 Legal Requirements
We may disclose personal data if required by law, including to:
- Comply with legal obligations (court orders, subpoenas)
- Protect our rights and property
- Prevent fraud or security threats
- Respond to government or regulatory requests
7.4 Business Transfers
If we undergo a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity. We will notify you of any such change via email and/or dashboard notice.
8. International Data Transfers
CookieFast operates globally, and some of our third-party service providers are located outside the UK and European Economic Area (EEA), particularly in the United States.
8.1 Transfer Mechanisms
When we transfer personal data internationally, we ensure appropriate safeguards:
- Standard Contractual Clauses (SCCs) - approved by the European Commission
- Adequacy decisions - transfers to countries deemed adequate by the EU/UK
- Binding Corporate Rules - where applicable
8.2 Specific Transfers
- Stripe: EU-US Data Privacy Framework and SCCs
- hCaptcha: SCCs for international transfers
- Vercel: Data residency options and SCCs
9. Data Retention
9.1 Customer Account Data
- Active accounts: Retained indefinitely while your account is active
- Deleted accounts: Soft-deleted with data retention for 30 days (for recovery), then permanently deleted
- Purchase history: Retained for 7 years for tax and accounting compliance (legal obligation)
- Authentication tokens: Valid until logout or expiry (30 days)
9.2 End User Analytics Data
- Analytics events: Retained for 90 days by default
- Consent cookies: Stored in End User's browser for 365 days
9.3 Retention Rationale
We retain data only as long as necessary for:
- Providing the Service
- Complying with legal obligations (e.g., tax records)
- Resolving disputes and enforcing agreements
10. Your Rights Under UK GDPR and EU GDPR
You have the following rights regarding your personal data:
10.1 Right of Access (Article 15)
You have the right to obtain confirmation of whether we process your personal data and to request a copy of that data.
10.2 Right to Rectification (Article 16)
You can update inaccurate or incomplete personal data through your Account settings or by contacting us.
10.3 Right to Erasure / "Right to be Forgotten" (Article 17)
You can request deletion of your personal data by:
- Deleting your Account through the dashboard (Settings → Profile → Delete Account)
- Contacting us at legal@valkev.tech
Limitations: We may retain certain data where we have a legal obligation (e.g., purchase history for tax compliance).
10.4 Right to Restriction of Processing (Article 18)
You can request that we restrict processing of your personal data in certain circumstances.
10.5 Right to Data Portability (Article 20)
You can request a copy of your personal data in a structured, commonly used, machine-readable format (JSON/CSV). Contact us to request a data export.
10.6 Right to Object (Article 21)
You can object to processing based on legitimate interests or for direct marketing purposes.
10.7 Right to Withdraw Consent (Article 7(3))
Where processing is based on consent, you can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
10.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority:
- UK: Information Commissioner's Office (ICO) - https://ico.org.uk
- EU: Your local Data Protection Authority - List of EU DPAs
10.9 How to Exercise Your Rights
To exercise any of these rights, contact us at:
- Email: legal@valkev.tech
- Subject line: "Data Subject Rights Request - [Your Right]"
We will respond to your request within 30 days (or 60 days for complex requests) as required by law.
11. Data Security
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction:
11.1 Technical Measures
- Encryption in transit: All data transmitted via HTTPS/TLS 1.3
- Encryption at rest: Database encryption for sensitive data
- Password security: Bcrypt hashing with configurable cost factor (default: 12 rounds)
- API authentication: Laravel Sanctum tokens with automatic expiry
- Access controls: Role-based access and principle of least privilege
- Security monitoring: Logging of authentication attempts and suspicious activity
11.2 Organizational Measures
- Regular security assessments and penetration testing
- Employee training on data protection and security best practices
- Incident response procedures for data breaches
- Data minimization and privacy by design principles
11.3 Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours (as required by GDPR)
- Notify affected individuals without undue delay
- Provide information about the nature of the breach, potential consequences, and mitigation measures
12. Children's Privacy
Our Service is not intended for children under the age of 18. We do not knowingly collect personal data from children.
If you are a parent or guardian and believe your child has provided us with personal data, please contact us at legal@valkev.tech, and we will delete such data promptly.
13. Automated Decision-Making and Profiling
We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you.
We use hCaptcha for bot detection during registration and login, but this does not result in automated decisions with legal or significant effects.
14. Cookies and Tracking Technologies
14.1 Cookies We Use
Essential Cookies (Strictly Necessary)
| Cookie Name | Purpose | Duration | Type |
|---|---|---|---|
| next-auth.session-token | Maintain authenticated session in dashboard | 30 days | HTTP-only, Secure |
| next-auth.csrf-token | CSRF protection | Session | HTTP-only, Secure |
| cookiefast_consent | Store End User consent preferences (on Customer sites) | 365 days | First-party, SameSite=Lax |
14.2 Analytics Cookies
We currently do not use analytics cookies on our website or dashboard (cookiefa.st, dashboard.cookiefa.st).
14.3 Marketing Cookies
We do not use marketing or advertising cookies.
14.4 Managing Cookies
You can control cookies through your browser settings. However, disabling essential cookies may prevent you from using certain features of the Service.
Browser cookie management guides:
15. Data Processing Addendum for Customers
When you use CookieFast, you (the Customer) act as a Data Controller for your End Users' data, and we act as a Data Processor.
15.1 Our Obligations as Data Processor
We commit to:
- Process personal data only on your documented instructions (via Service configuration)
- Ensure persons authorized to process data are subject to confidentiality obligations
- Implement appropriate technical and organizational security measures
- Engage sub-processors only with your general authorization (listed in Section 7)
- Assist you in responding to data subject rights requests
- Assist you in ensuring compliance with GDPR security and breach notification requirements
- Delete or return personal data at the end of the provision of services (when you delete your Account)
- Make available information necessary to demonstrate compliance with GDPR Article 28 obligations
15.2 Your Obligations as Data Controller
You must:
- Have a valid legal basis for processing End User data
- Provide appropriate privacy notices to your End Users
- Ensure End User data is collected lawfully
- Handle data subject rights requests from your End Users
- Maintain your own privacy policy
15.3 Sub-Processors
We use the sub-processors listed in Section 7.1. By using the Service, you provide general authorization for these sub-processors. We will notify you of any changes to sub-processors with 30 days' notice.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, regulatory, or operational reasons.
When we make material changes, we will:
- Update the "Last Updated" date at the top of this policy
- Notify you via email to the address associated with your Account
- Display a notification in your dashboard
- Post a notice on our website
We encourage you to review this Privacy Policy periodically. Continued use of the Service after changes constitutes acceptance of the updated policy.
17. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Data Protection Officer: legal@valkev.tech
- General inquiries: support@valkev.tech
- Website: https://cookiefa.st
Company: ValKev
Website: https://valkev.tech
This Privacy Policy is effective as of November 11, 2025. By using CookieFast, you acknowledge that you have read and understood this Privacy Policy.
