Privacy Policy

Retegio LLC
cookiegap.com
[email protected]

For users in the European Union or United Kingdom, Retegio LLC acts as the data controller for the personal data described in this policy.

2.1 Account Information

When you create an account, we collect:

• Email address — used for authentication and transactional emails
• Password — stored as a salted hash managed by Supabase; we never see or store your plaintext password
• Name and company (optional) — provided by you on your profile page
• Google OAuth tokens — if you sign in with Google, we receive your name, email address, and profile picture from Google; we do not receive your Google password

2.2 Scan Data

When you submit a URL or domain for scanning, we collect and store:

• The URL or domain you submitted
• The full scan result, including cookies found, privacy violation scores, CMP detection results, and AI-generated recommendations
• The region you selected for the scan (e.g., EU, California)
• Scan status and timestamps

Scan results are stored in our database so you can access them later from your dashboard. Anonymous scans (not linked to an account) are also stored and can be claimed by creating an account.

2.3 Monitored Domain Configuration

If you set up recurring monitoring, we store the domains or URLs you add, your chosen scan frequency, region preference, and notification settings.

2.4 Billing Information

Payments are processed by Paddle. We do not collect or store your credit card number or full payment details. We receive from Paddle: your subscription tier, subscription status, and a Paddle customer ID.

2.5 Usage and Technical Data

We may collect standard web server logs including IP addresses, browser type, referring URLs, and pages visited. This data is used for security, abuse prevention, and service reliability. We do not currently use third-party web analytics (e.g., Google Analytics) on authenticated dashboard pages.

2.6 Communications

If you contact us at [email protected], we retain your messages to resolve your inquiry and improve support.

We use the information we collect to:

• Provide the Service — run website scans, store results, and power your compliance dashboard
• Send transactional emails — scan alerts, monitoring reports, weekly summaries, and account notifications. You can opt out of optional notification types in your account settings.
• Process billing — manage your subscription tier and enforce usage limits
• Improve and secure the Service — diagnose bugs, prevent abuse, and optimize scan accuracy
• Respond to support requests — answer questions and resolve account issues
• Comply with legal obligations — respond to lawful requests from authorities when required

We do not sell, rent, or trade your personal data to third parties for their own marketing purposes.

If you are located in the European Union or United Kingdom, we rely on the following legal bases under GDPR:

• Contract performance — processing necessary to provide the Service you signed up for
• Legitimate interests — security monitoring, fraud prevention, service improvement, and transactional emails related to your account
• Legal obligation — complying with applicable laws
• Consent — where we ask for it (e.g., optional marketing communications, if introduced in the future)

We share data with the following processors to operate the Service. Each has its own privacy policy.

We do not share your data with any other third parties except as required by law or with your explicit consent.

Somewhat ironically, we use a small number of strictly necessary cookies and browser local storage:

• Authentication session cookie — set by Supabase to keep you logged in. Necessary for the Service to function; cannot be opted out of while logged in.
• Local storage: scan claim token — if you run a scan without an account, a claim token is stored in your browser so you can associate the scan with your account when you sign up. It is cleared after the scan is claimed.

We do not use advertising cookies, cross-site tracking cookies, or analytics cookies.

When you delete your account via Dashboard → Settings → Delete Account, we delete your scan history, monitored domain configuration, and authentication record. Residual data in backups is overwritten in the normal backup rotation cycle.

Depending on where you are located, you may have the following rights:

• Access — request a copy of the personal data we hold about you
• Correction — update inaccurate or incomplete data (most profile data can be updated directly in Settings)
• Deletion — request that we delete your data. You can do this yourself via the account deletion feature, or by emailing [email protected]
• Portability — request your data in a machine-readable format
• Objection / restriction — object to or ask us to restrict certain processing
• Withdraw consent — where processing is based on consent, you may withdraw it at any time

EU/UK users: You have the right to lodge a complaint with your local data protection authority if you believe we have processed your data unlawfully.

California residents: Under the CCPA/CPRA, you have the right to know what personal information we collect, to delete it, to opt out of its sale (we do not sell personal information), and to non-discrimination for exercising your rights.

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

We use industry-standard security measures including:

• TLS encryption for all data in transit
• Encrypted storage via Supabase (hosted on AWS)
• Row-level security on our database so users can only access their own data
• Subscription tier and billing data stored in server-controlled fields not modifiable by users
• Non-root container deployment; minimal attack surface

No method of transmission or storage is 100% secure. If you believe your account has been compromised, contact us immediately at [email protected].

The Service is intended for users who are 18 years of age or older. We do not knowingly collect personal data from children under 13. If we learn we have collected data from a child under 13, we will delete it promptly. Contact us at [email protected] if you believe we have collected data from a minor.

Our servers are hosted in the United States. If you are located outside the US — including in the EU or UK — your data will be transferred to and processed in the United States. We rely on Standard Contractual Clauses or other approved transfer mechanisms where required by applicable law.

We may update this Privacy Policy from time to time. When we do, we will update the "Last reviewed" date at the top. For material changes, we will notify you by email or by a notice on the Service. Your continued use of the Service after any change constitutes your acceptance of the updated policy.

Questions, requests, or complaints about this Privacy Policy:

Email: [email protected]
Entity: Retegio LLC
State: North Carolina, United States