Built by Exceedity
Cookie Consent That Holds Up
Block trackers before consent. Honor regional rules automatically. Keep a tamper-evident audit log. Get insight into how many visitors your ad platforms can’t see — and what that costs you.
This platform is exclusively available to companies partnered with Exceedity. If you’re an existing partner, sign in below. Otherwise, apply to become a partner.
Works with your stack
Compliance by default
Region-specific rules (GDPR, UK-DUAA, CCPA, Quebec Law 25, LGPD, …) detected from the visitor's location and applied automatically. California's Global Privacy Control (GPC) signal is auto-honored — visitors with GPC enabled register a reject without the banner appearing. CCPA Section 1798.135 requires this; Tractor Supply was fined $1.3M in October 2025 partly for missing it.
Pre-consent script blocking
Most CMPs let trackers fire before consent and try to clean up after. We don't. A 2KB inline shim sits between every tracker and the page from the very first byte of HTML — Node.prototype insertion traps + type-rewriting + image/XHR/sendBeacon/fetch wraps. 11 known trackers (GA4, Meta Pixel, Clarity, Bing UET, etc.) are blocked at a hardcoded floor that can't be turned off.
Tamper-evident audit log
Every consent decision is recorded in an append-only log with SHA-256 hash-chaining per visitor. Any change to old records breaks the chain and is detectable. Four mutually-isolated event sinks (post-decision / pre-decision / malformed / operator-attested) keep the audit story complete. Signed JSONL export hands regulators a verifiable record.
How It Works
Embed once. Stay compliant. Surface insights.
Add your sites
Tell us your sites and the regions you serve. The jurisdiction rules engine handles the legal defaults; you customise the banner copy, theme, and category descriptions.
Embed our banner
A tiny inline shim (~2KB) installs the script-blocking traps before any tracker can fire. Async main bundle handles the banner UX, scanner, and consent capture. Total visitor budget: ≤16KB gz.
Get the audit + insights
Hash-chained consent log + cookie scanner findings + cross-product analytics. Export signed JSONL on demand for regulators or auditors.
Privacy-First by Construction
We don’t track non-consenting visitors for analytics. Visitor identifiers are per-site only — never cross-site fingerprinting. Pre-decision session IDs are not linked to post-decision identifiers. Aggregate counts above a k=20 floor are the only data that crosses to the BI dashboard.
11: Trackers blocked at a hardcoded floor that can’t be turned off
SHA-256: Hash-chained audit log with per-visitor verifier
≤16KB: Total banner gz budget. Core Web Vitals friendly.
Capabilities
Eight reasons partners pick the Exceedity CMP
Jurisdiction rules engine
Country and US-state detection drives banner copy + default category allow-lists + required UI elements. Versioned rule-set rows ship without code changes.
GPC auto-honor
12 US states require honoring Global Privacy Control. We do — automatically, before the banner mounts, with the audit log capturing every gpc_auto_honored decision.
Three-layer enforcement
Node.prototype insertion traps + script type-rewriting + img/XHR/sendBeacon/fetch wraps. Covers every primary tracker-injection path plus partner defensive re-wiring.
Symmetric, no dark patterns
Equal-prominence Accept / Reject / Customise. Closing the X is no-decision (banner returns). No pre-checked toggles. Persistent re-open trigger always visible.
Automatic cookie scanner
Playwright crawls every site weekly. Cookies are extracted via Chrome DevTools and classified against a curated catalog + community sources (Open Cookie Database, DDG Tracker Radar).
AI-assisted classification
Unknown vendors trigger a managed Claude agent that fetches the vendor's docs, classifies the cookie's purpose, and returns citations. Admin reviews and approves or overrides.
Signed JSONL export
4-section signed export with per-visitor hash chain verifier. Hand it to regulators or auditors as cryptographic evidence — no trust required.
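The per-visitor hash chain described under "Tamper-evident audit log" and "Signed JSONL export", as an added example (not Exceedity's code or export format). The record fields, the all-zero genesis value and the function names are assumptions made for illustration; the sample log is constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed "prev" value for a visitor's first record


def record_hash(body: dict) -> str:
    """SHA-256 of the record's canonical JSON (sorted keys, no whitespace)."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append(log: list, visitor: str, decision: str, ts: str) -> None:
    """Append a record whose "prev" is the hash of this visitor's last record."""
    prev = next((r["hash"] for r in reversed(log) if r["visitor"] == visitor), GENESIS)
    body = {"visitor": visitor, "decision": decision, "ts": ts, "prev": prev}
    log.append({**body, "hash": record_hash(body)})


def verify(jsonl: str) -> dict:
    """Map each visitor to the line index where its chain first breaks, or None."""
    last, broken = {}, {}
    for i, line in enumerate(filter(None, jsonl.splitlines())):
        rec = json.loads(line)
        visitor = rec["visitor"]
        if broken.setdefault(visitor, None) is not None:
            continue  # report only the first break per visitor
        body = {k: v for k, v in rec.items() if k != "hash"}
        # A record is valid only if it links to the previous hash for this
        # visitor and its own hash matches its contents.
        if rec["prev"] != last.get(visitor, GENESIS) or rec["hash"] != record_hash(body):
            broken[visitor] = i
        last[visitor] = rec["hash"]
    return broken


def demo():
    """Build a constructed two-visitor log, then edit an old record in place."""
    log = []
    append(log, "v1", "accept", "2025-01-01T10:00:00Z")
    append(log, "v2", "gpc_auto_honored", "2025-01-01T10:00:05Z")
    append(log, "v1", "reject", "2025-01-02T09:30:00Z")
    clean = "\n".join(json.dumps(r) for r in log)
    log[0]["decision"] = "reject"  # tamper without recomputing the hash
    tampered = "\n".join(json.dumps(r) for r in log)
    return verify(clean), verify(tampered)


if __name__ == "__main__":
    print(demo())
```

A chain on its own only catches edits by someone who does not recompute every later hash, and it cannot show that trailing records were dropped. The signature over the export, or a head hash held outside the log, is what covers those cases.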
Cross-product analytics
Daily aggregate visibility data feeds the Exceedity BI Marketing dashboard so partners can see how much revenue comes from invisible (non-consented) visitors per paid channel.
About Exceedity
The Exceedity CMP is built by Exceedity Ltd, a UK-based advisory firm working with ambitious ecommerce founders. We built this CMP because the off-the-shelf options either ship dark patterns by default, charge enterprise rates for compliance basics, or leak trackers pre-consent because they paper over the timing problem instead of solving it.
Our partner network gets a privacy-protective banner that holds up to legal scrutiny, costs nothing extra, and turns the consent funnel into actionable marketing insight via the BI dashboard.