--- title: "Privacy Policy" url: "https://consenttheater.org/privacy" description: "How ConsentTheater handles your data. Short version: we collect nothing. No analytics, no telemetry, no cookies, no consent banner — because there's nothing to consent to." --- Privacy # Privacy Policy Last updated 2026-04-29 ## Short version We run a tracker lookup. You type a cookie name or a domain, we tell you who's behind it. We collect **nothing** about you in the process — no analytics, no telemetry, no advertising trackers, no cookies set by us for marketing or measurement. There is no consent banner on this site because there is nothing to consent to. ## What we store in your browser One `ct_settings` entry in localStorage — your theme, contrast and language preferences, set when you change them in the settings panel. This qualifies as _strictly necessary_ under [ePrivacy Directive Art. 5(3)](/law/eprivacy/art-5/) (it remembers a choice you explicitly made on this site) and never leaves your browser. That's the entire list. No cookies, no session storage, no IndexedDB, no fingerprinting probes, no third-party scripts. ## No analytics ConsentTheater runs **no analytics**. No Plausible, no Cloudflare Analytics Engine, no Google Analytics, no first-party visit counter, nothing. Visitors are not counted, not classified by country, not bucketed by device class. We don't know who reads this page and neither does anyone else. A privacy-tool site that catalogues trackers should not, in our view, be running trackers — even privacy-respecting ones. The integrity of the project comes first. ## What happens when you search Every search issues a `GET /api/search?q=…` request to our edge endpoint. The endpoint runs on Cloudflare Workers. Your query is matched in memory against the Playbill — our tracker knowledge base — and the match (or an empty result) is returned. Queries are not persisted by us. Cloudflare, our infrastructure provider, operates the edge network and may process standard request metadata (IP address, timestamp, user-agent, requested path) to route traffic and defend against abuse. Cloudflare's processing is governed by their [privacy policy](https://www.cloudflare.com/privacypolicy/). We do not access or retain those logs for analytics or marketing. ## Legal basis & your rights Under the EU General Data Protection Regulation, the limited request metadata processed by our infrastructure provider is processed on the basis of legitimate interest (GDPR Art. 6(1)(f)) — specifically, keeping the service reachable and protecting it from abuse. You have the right to access, rectify, or erase data about you, to restrict or object to processing, to data portability, and to lodge a complaint with a supervisory authority. Since we don't keep identifiable records of individual users, most of these rights are satisfied by default — but if you have a concrete request, email us (below) and we'll answer. ## Browser extension The ConsentTheater browser extension (Chrome / Firefox) is a separate piece of software from this website and has its own, more detailed privacy policy. The short version is the same: **nothing leaves your browser**. The extension has no server, no accounts, no telemetry, no analytics, and performs zero outbound requests to us during normal use. Scans only run when you click _Scan this page_. It never observes your regular browsing. Full text and per-permission breakdown: [extension privacy policy](https://github.com/ConsentTheater/extension/blob/main/PRIVACY.md). Overview and install links: see the [browser extension page](/extension/). ## Sub-processors * **Cloudflare, Inc.** (101 Townsend Street, San Francisco, CA 94107, USA) — CDN edge network and Workers runtime that serves this site and the `/api/search` lookup endpoint. * Acts as our **data processor** under a signed [Cloudflare Data Processing Addendum (DPA)](https://www.cloudflare.com/cloudflare-customer-dpa/) . * International transfers from the EU/UK to Cloudflare's US entities are covered by the [EU-US Data Privacy Framework](https://www.dataprivacyframework.gov/list) (Cloudflare is a self-certified active participant) and, as a fallback, by [Standard Contractual Clauses (SCCs)](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en) where DPF does not apply. * [Cloudflare's privacy policy](https://www.cloudflare.com/privacypolicy/) · [GDPR resource hub](https://www.cloudflare.com/trust-hub/gdpr/) That's the whole list — one infrastructure provider for static content and the lookup endpoint, and nothing else. If it ever grows, we'll update this page and note the change date at the top. ## International data transfers ConsentTheater is operated from the European Union. There are no analytics flows, no telemetry, no event-collection backend — so there is nothing about visitors that crosses borders. The only network layer that carries any visitor data at all is Cloudflare's CDN: * **Static page requests** are served from the nearest Cloudflare PoP to the visitor — for EU/UK visitors that's an EU/UK Point of Presence (Frankfurt, Amsterdam, London, Paris, etc.). The visitor's IP terminates at Cloudflare's edge, where the country code is derived. Our worker code receives the country code only — it never sees, logs, or stores the IP. * **Cloudflare's processing of the IP itself** at the network layer (TLS termination, routing, DDoS / abuse defence) is carried out under **Cloudflare's own legitimate-interest basis** as a network operator (GDPR Art. 6(1)(f)), independent of any instruction from us. Cloudflare publishes a [network-abuse policy](https://www.cloudflare.com/trust-hub/abuse-approach/) and a [transparency report](https://www.cloudflare.com/transparency/) covering this layer. If the EU-US Data Privacy Framework is ever invalidated by the CJEU (as Privacy Shield was in _Schrems II_), the SCCs fallback continues to apply for the Cloudflare static-content path. We will publish a notice on this page within 14 days of any material change. ## Changes When we change this policy, the date at the top of the page changes. Material changes (new sub-processors, new categories of data collected) will be reflected in that date and summarised at the top of this section. ## Contact Data controller: **ConsentTheater**. Email: [developer@consenttheater.org](mailto:developer@consenttheater.org)