Webflow Privacy Policy

Privacy Policy — CookieScript Webflow App

1. PURPOSE AND SCOPE

Objectis, UAB (also referred to as we, us or the Company), company registration number 304037472, having its registered office at Laisvės str. 60, LT-05120 Vilnius, Lithuania, acts as the data controller and is committed to protecting and respecting your privacy.

This Privacy Policy (the Policy) explains what personal data we collect and for what purposes when you use:

  • the CookieScript Webflow App (the App) in Webflow, which enables you to add and manage the CookieScript code on your Webflow website (including a Cookie Banner and consent signaling, such as Google Consent Mode where enabled); and

  • our related website, support, billing, and account services.

All personal data collected by us are processed in accordance with the EU General Data Protection Regulation (GDPR) 2016/679 when processing activities relate to the European Union, and in accordance with the UK GDPR and the UK Data Protection Act 2018 when processing activities relate to the United Kingdom, as well as other applicable legal acts.

For questions regarding this Policy or requests regarding your personal data, contact our DPO at: dpo@cookie-script.com.


2. IMPORTANT ROLES (CONTROLLER / PROCESSOR)

App user / customer (you): When you install and use the App, we process personal data related to your account, billing, and support as a data controller.

End Users (visitors of your website): When your Webflow website uses CookieScript, you (the website owner/operator) typically act as the data controller for End User data collected on your site (e.g., consent choices). In that context, CookieScript typically acts as a data processor on your behalf for the consent logging functionality you enable.


3. WHAT INFORMATION WE COLLECT WHEN YOU USE THE WEBFLOW APP

When you install/connect/use the App, we may collect or receive (depending on the permissions you grant in Webflow) the following categories of data that are necessary to provide the integration:

A) Webflow integration data

  • Webflow site/workspace identifiers and installation status (technical identifiers)

  • your website domain(s) connected to CookieScript

  • integration configuration choices you set in the App (e.g., which site is connected, whether code is enabled, banner settings you select via CookieScript)

B) Authentication / security data (if applicable)

  • authorization data/tokens needed to keep the App connected to Webflow (stored securely)

  • technical logs related to authentication, installation, and error handling

C) Communications and support

  • your name, email address, and message content when you contact support or submit an inquiry

What we do not need (and do not intentionally request)

  • access to your Webflow design content, passwords, or payment card details

  • access to your End Users’ personal accounts in Webflow
    (If Webflow provides any data beyond what is required for the integration, we limit processing to what is necessary for the App to function.)


4. END USER DATA PROCESSED BY COOKIESCRIPT ON YOUR WEBSITE

Where you enable consent logging, the CookieScript code may automatically log the following data about End Users (website visitors):

a) an anonymous and random key (the “Key”);
b) End User’s choice (accept or reject and/or category choices);
c) anonymized End User’s IP address (last digits after “.” are set to 0);
d) date and time of End User’s agreement/rejection;
e) the page where consent was given/revoked;
f) End User’s browser agent.

The Key, together with the consent state, is stored in the End User’s browser as a First-party cookie called “CookieScriptConsent” in JSON encrypted form. This information is used to remember the End User’s choice. The Key can also be used as proof of the End User’s consent. The Key is not considered personal data.


5. PURPOSES, LEGAL BASES, AND RETENTION

We set out below how and why we use personal data, including for the App.

| Purpose | Legal basis | Data collected | Retention period |
|---|---|---|---|
| To answer your inquiry (when you use the contact form / support) | Consent (GDPR Art. 6(1)(a)) | Name, email address, message content | 2 years |
| To identify you as a contracting party, enable secure login, and provide the CookieScript Service (including App access) | Performance of a contract (GDPR Art. 6(1)(b)) | Email address (Account data) | 90 days after account closure |
| To issue invoices, process payments, and handle subscriptions | Performance of a contract / Legal obligation (GDPR Art. 6(1)(b), (1)(c)) | Full name, email, contact address, business name and activity, PayPal or Stripe transaction ID (credit card data not stored) | 5–10 years per applicable tax law |
| To provide and operate CookieScript Items (banner configuration) | Performance of a contract (GDPR Art. 6(1)(b)) | Website domain name, pop-up content and settings entered by the user | 30 days after account closure |
| To provide and operate the CookieScript Webflow App integration | Performance of a contract (GDPR Art. 6(1)(b)) | Webflow integration data (site/workspace identifiers as needed, installation status), connected domain(s), integration configuration, technical logs | 90 days after uninstall/account closure (unless required longer below) |
| To contact you regarding services, updates, or account matters | Performance of a contract (GDPR Art. 6(1)(b)) | Name, email, message content | Until closure of account |
| To comply with accounting, tax, or legal requirements | Legal obligation (GDPR Art. 6(1)(c)) | Membership and billing data | 3 years after account closure (and/or longer where required by tax law) |

Upon expiration of the retention period, we will delete and/or reliably and irrevocably depersonalize your data. We may retain personal data longer when:

  • necessary to defend against existing or threatened claims, exercise rights, or resolve a dispute/complaint/claim;

  • there is a suspicion of illegal activity; or

  • required by applicable laws.


6. GOOGLE CONSENT MODE (WHEN ENABLED)

If enabled by you, CookieScript can support passing consent signals to Google tags via Google Consent Mode. This helps ensure that Google tags behave according to the End User’s consent choices (e.g., consent for analytics/ad storage).
You are responsible for your Google services configuration and for ensuring your website disclosures and legal basis for cookies/trackers used on your Webflow site.


7. PROCESSING OF CHILDREN’S DATA

Our Services are not intended for children under 16 (or the lower age of digital consent, between 13 and 16, that applies in your EEA/UK jurisdiction). CookieScript is not designed to process children’s personal data and we will delete such data if we become aware of it.


8. HOW WE SHARE YOUR PERSONAL DATA

We may disclose your personal data to recipients in the following categories:

  • public authorities, institutions, courts and other third parties, but only when required by applicable laws or lawful procedures;

  • third parties providing services to the Company (infrastructure, security, user identification/authentication, payment processing, customer support). They may process personal data only in accordance with our instructions and may not use it for other purposes;

  • third parties for the performance of the contract concluded with you;

  • third parties in connection with a business sale transaction and/or due diligence.

Payment providers: PayPal Pte. Ltd. and Stripe Payments Europe Ltd. may act as independent data controllers for certain processing operations and handle personal data in accordance with their own privacy policies.

Webflow: When you use the App, Webflow processes data under its own terms/policies, and we process Webflow integration data necessary to provide the App.


9. INTERNATIONAL DATA TRANSFERS

If your personal data is transferred outside the EEA or UK, we take steps to ensure appropriate safeguards (e.g., adequacy decisions, Standard Contractual Clauses (SCCs), and for UK transfers the UK Addendum/UK transfer mechanism, or other lawful measures/derogations under GDPR).


10. YOUR RIGHTS

You have the right to be informed, access your data, rectify, request deletion, restrict processing, object, and (where applicable) data portability; and to withdraw consent where processing is based on consent.

You also have the right to lodge a complaint with a supervisory authority:

  • Lithuania: State Data Protection Inspectorate of the Republic of Lithuania (L. Sapiegos st. 17, LT-10312 Vilnius, phone +370 5 271 2804 / 279 1445, email ada@ada.lt).

  • UK: Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, phone +44 303 123 1113.

To exercise your rights, contact support@cookie-script.com. DPO contact: dpo@cookie-script.com. We respond within 30 calendar days, with possible extension as allowed by law.


11. HOW WE PROTECT YOUR PERSONAL DATA

We implement technical and organizational security measures to minimize the risk of unauthorized access or improper use of personal data. Our staff and relevant third-party service providers are contractually obligated to respect confidentiality.


12. COOKIES

If you access our information or Services through our website, we use cookies. Strictly necessary cookies are used to operate the site; other cookies require consent where applicable.
On websites using CookieScript, End Users can change their consent in the Cookie Banner, and can delete cookies manually or via browser settings.


13. LINKS TO OTHER WEBSITES

Our website or documentation may contain links to other websites not operated by the Company. We are not responsible for their content or privacy practices.


14. CHANGES TO THIS POLICY

We may update this Policy at any time in accordance with applicable laws. Changes take effect upon publication.


15. CONTACT US

Objectis, UAB
Laisvės st. 60, LT-05120 Vilnius, Lithuania
Support: support@cookie-script.com
DPO: dpo@cookie-script.com