Privacy Policy

Last updated: 7 May 2026

1. Introduction

Exceedity Cookies (“we”, “our”, or “the Service”) is a Consent Management Platform (CMP) operated by Exceedity Ltd. This Privacy Policy explains how we collect, use, store, and protect data when you use our Service at cookies.exceedity.com, and when our consent banner runs on partner websites.

This policy covers two categories of people:

  • Platform Users — partners and team members who log in to cookies.exceedity.com to manage banner config, sites, and audit logs
  • Site Visitors — visitors of partner websites where our consent banner is embedded; the banner records the visitor’s consent decision and prevents non-essential trackers from running before consent

Privacy is the product. We treat the consent record as legally protective evidence, not as marketing data. The principles in this policy reflect that.

2. Data We Collect from Platform Users

2.1 Account Information

Authentication is handled via Exceedity SSO (shared with bi.exceedity.com, ab.exceedity.com, and other Exceedity partner apps). We access:

  • Email address (for authentication)
  • Organisation membership (which partner orgs you belong to)
  • Role within the organisation (admin, member)

2.2 Activity Logging

Admin actions are logged for audit purposes — who published a policy version, who added or modified an origin override, who triggered a cookie scanner run, etc. These logs are retained for the lifetime of the organisation account.

2.3 Cookies on cookies.exceedity.com

We use only essential cookies required for authentication and session management (the SSO session cookie shared across the .exceedity.com subdomain family). We do not use advertising cookies, analytics trackers, or cross-site tracking technologies on the platform itself.

3. Data We Collect from Site Visitors

When a partner site embeds our consent banner, a small JavaScript shim and main bundle run in the visitor’s browser. The partner organisation (not Exceedity) is the data controller for the consent records collected; Exceedity acts as a data processor on their behalf.

3.1 Visitor Identifiers

The CMP uses two distinct, non-linked identifiers, plus a first-party cookie that holds the decision itself:

  • _excvid — a randomly generated UUID minted only after the visitor takes a consent decision (Accept / Reject / Customise / GPC auto-honored). Stored as a first-party cookie, 365-day expiry, SameSite=Lax. Per-site only — never shared across partner organisations or sites. NOT linked to any personal identity.
  • _excses — a session identifier used before the visitor takes a decision (so we can count banner views vs decisions vs dismissals to produce drop-off analytics). Stored in localStorage with a 30-minute idle timeout. NOT linked to _excvid or any post-decision data. Defends against the “identifying you to log that we asked if we can identify you” circular-defence critique under GDPR Article 5(3).
  • _excons — a first-party cookie holding the visitor’s decision payload (which categories they accepted, when, against which policy version). Used by the banner to skip re-prompting on subsequent visits.

3.2 Consent Records

When a visitor takes a decision, the following is recorded in an append-only, cryptographically hash-chained log:

  • Decision type (accept_all / reject_all / customise / gpc_auto_honored)
  • Categories accepted (necessary, preferences, analytics, marketing)
  • Policy version the decision was taken against
  • Jurisdiction detected from Cloudflare’s country signal
  • Timestamp
  • The visitor’s _excvid
  • SHA-256 hash of the previous record for the same visitor (chain integrity)
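As an added illustration (not Exceedity’s code), the following Python reconstructs the per-visitor chain described above: each record carries the Section 3.2 fields and the SHA-256 of that visitor’s previous record, and verify_chain recomputes the chain so that an edited or removed historical record is detected. The field names, the all-zero genesis sentinel and the canonical JSON encoding are assumptions.

```python
import hashlib
import json

# Assumed sentinel for a visitor's first record (not specified by the policy).
GENESIS = "0" * 64


def canonical(record: dict) -> bytes:
    # Fixed key order and separators so the hash is independent of how the
    # record dict was assembled.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_hash(record: dict) -> str:
    return hashlib.sha256(canonical(record)).hexdigest()


def visitor_records(log: list, excvid: str) -> list:
    return [r for r in log if r["excvid"] == excvid]


def append_decision(log: list, excvid: str, decision: str, categories: list,
                    policy_version: str, jurisdiction: str, ts: str) -> dict:
    """Append a decision for excvid, chained to that visitor's latest record."""
    prev = visitor_records(log, excvid)
    rec = {
        "decision": decision,          # accept_all / reject_all / customise / gpc_auto_honored
        "categories": sorted(categories),
        "policy_version": policy_version,
        "jurisdiction": jurisdiction,  # country-level only, per Section 3.6
        "ts": ts,
        "excvid": excvid,
        "prev_hash": record_hash(prev[-1]) if prev else GENESIS,
    }
    log.append(rec)
    return rec


def verify_chain(log: list, excvid: str) -> bool:
    """Recompute one visitor's chain; False if any stored record was edited or
    an interior record removed. Truncating the newest record is NOT visible to
    the chain alone; detecting that needs an external anchor of the head hash."""
    expected = GENESIS
    for rec in visitor_records(log, excvid):
        if rec["prev_hash"] != expected:
            return False
        expected = record_hash(rec)
    return True
```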

3.3 Pre-Decision Banner Events

To measure how visitors interact with the banner (banner shown, banner dismissed, returning visitor with stored decision, etc.) we record session-scoped events keyed on _excses. Retention 90 days. These events do not contain personal data and are not linked to consent records.

3.4 Bot Detection Signals

To filter automated traffic from the audit log and analytics, we collect:

  • User-Agent string
  • Cloudflare-derived signals (country, IP family) at request time only — not stored on the event row
  • Whether HMAC signature on the event batch was valid
  • Whether the browser flagged WebDriver / headless mode

These signals contribute to a per-visitor bot score (0–100). Visitors with score ≥100 are excluded from analytics aggregates but retained in the audit log for completeness. Bad-signature batches are NEVER rejected — they land in a separate malformed_events sink for audit completeness.

3.5 Cookie Scanner Data

The cookie scanner crawls partner sites on a schedule (default weekly) using a Playwright-driven headless browser. It records the cookies set during the visit, the URLs that set them, and a classification (known tracker / first-party / necessary / unclassified). The scanner does not collect data about real visitors — it visits the site as itself, not as anyone’s session.

3.6 What We Do NOT Collect from Site Visitors

  • Names, email addresses, or phone numbers
  • IP addresses (used only at request time for jurisdiction detection; not persisted on event rows)
  • Payment card details
  • Behavioural profiles or browsing histories beyond the consent record
  • Cross-site identifiers (each partner site has its own _excvid namespace)
  • Precise geographic location (country only, never city or coordinates)

4. Legal Basis for Processing

For platform users, we process data based on contractual necessity (providing the Service you signed up for) and legitimate interest (audit logging, security).

For site visitor consent records, the legal basis is compliance with a legal obligation (UK-DUAA, GDPR, CCPA, etc. require operators to record consent decisions to demonstrate compliance). The partner organisation is the data controller for these records.

For pre-consent banner events and bot signals, the legal basis is legitimate interest in measuring the consent funnel and protecting the integrity of the audit log. No PII is involved.

5. How We Use Site Visitor Data

We use site visitor data solely to provide consent management services:

  • Record and prove the visitor’s consent decision to satisfy regulators
  • Apply jurisdiction-specific defaults (GDPR opt-in for EU/UK, CCPA opt-out for California, GPC auto-honor for US privacy-control jurisdictions, etc.)
  • Block non-essential trackers from firing before consent
  • Activate consented trackers post-decision
  • Provide partners with audit-log exports for compliance reviews
  • Provide partners with the cookie inventory their site sets (scanner output)
  • Provide partners with aggregate visibility metrics (e.g., “X% of visitors consented to analytics this week”) via the BI dashboard. Aggregate counts only — never per-visitor data crosses to BI.

5.1 What We Do NOT Do With Site Visitor Data

We explicitly do not:

  • Sell, rent, or transfer visitor data to third parties
  • Use visitor data for advertising, retargeting, or profiling
  • Share data between different partner organisations
  • Use visitor data to train AI or machine-learning models (the AI cookie classifier described in Section 8 operates on the cookies’ metadata published by vendors, not on visitor traffic)
  • Track visitors across different websites or partner organisations
  • Attempt to identify individual visitors by name, email, or contact details
  • Behaviourally profile visitors who have declined consent

6. Data Storage and Security

6.1 Where We Store Data

Data is stored using Supabase (PostgreSQL) with infrastructure hosted in the European Union. The application server is hosted by Vultr in London. All traffic is encrypted in transit (HTTPS / TLS).

6.2 Security Measures

  • Row-level security (RLS) with deny-all anonymous policies on every table — anonymous database keys cannot read or write directly. All ingest goes through SECURITY DEFINER stored procedures.
  • Append-only audit log — database triggers refuse UPDATE on hash-chained consent records. Even our own engineers cannot edit historical consent decisions.
  • HMAC signature verification on every consent batch posted from the banner
  • Service role keys stored as environment variables, never exposed to browsers
  • k≥20 anonymity floor on aggregate metrics shared cross-product with the BI dashboard
  • Bot detection processed server-side via Supabase Edge Functions

7. Data Retention and Deletion

7.1 Consent Records

Consent records are retained for the legal-evidence period (typically 3–5 years depending on jurisdiction). Records are append-only and hash-chained — deletion of historical records would break the integrity chain and is technically blocked by database triggers. Partner organisations may request full account deletion (which removes all of their data); see Section 7.5.

7.2 Pre-Decision Banner Events

Pre-consent events (banner shown, banner dismissed, returning visitor with stored decision) are retained for 90 days, then automatically deleted.

7.3 Cookie Scanner Data

The most recent scan result is retained per site. Historical scans are retained for 90 days for trend analysis, then automatically deleted.

7.4 Visitor Cookies

_excvid: 365 days, then automatic deletion. _excses: 30-minute idle timeout (renews on activity). _excons: tied to the policy version that was active when the decision was taken; persists until the partner publishes a new policy version with material changes (which prompts re-consent).

7.5 Account Deletion

Partner organisations may request complete deletion of their account and all associated data (banner config, scanner data, pre-consent events) by contacting us. Consent records subject to legal-retention obligations may be retained for the minimum legal period before deletion.

8. Data Sharing

We do not share data with third parties except in the following limited circumstances:

  • Service Providers: Supabase (database hosting), Cloudflare (edge network for the banner CDN), Vultr (application server hosting). These providers process data on our behalf under strict contractual obligations and do not retain access beyond the operational scope.
  • AI cookie classification (Anthropic): When the cookie scanner encounters an unknown cookie or vendor, we send the cookie’s name and publicly available vendor URLs to Anthropic’s Claude API for classification with citations. No visitor data is sent — only metadata already published by the vendor. Anthropic’s data-handling terms apply.
  • Cross-product BI dashboard (bi.exceedity.com): Aggregate consent counts (e.g., total sessions, decided sessions, analytics-consented sessions per day) are pushed to the BI dashboard so partners can see how many visitors are visible to their analytics tools. k≥20 anonymity floor — daily aggregates with fewer than 20 sessions are not shared. Per-visitor data never crosses.
  • Legal Requirements: We may disclose data if required by law, court order, or governmental authority.

9. Your Rights

Under applicable data protection laws (including UK GDPR), you have the right to:

  • Access: request a copy of the data we hold about you
  • Rectification: request correction of inaccurate data
  • Erasure: request deletion of your data (subject to legal-retention obligations on consent records)
  • Portability: request your data in a machine-readable format
  • Withdraw Consent: revoke consent at any time via the persistent re-open trigger on any partner site running our banner
  • Object: object to certain processing of your data

To exercise these rights, contact us.

Site visitors who wish to exercise their rights with respect to a specific consent record should contact the partner organisation (data controller) that operates the website where the record was created. Partner organisations can export their site’s consent log via the platform.

10. Partner Site-Owner Responsibilities

If you operate a partner organisation using Exceedity Cookies on your website, you are the data controller for the consent records collected by our banner on your sites. You are responsible for:

  • Updating your website’s privacy policy to disclose the use of our CMP and the cookies it sets (_excvid, _excses, _excons)
  • Responding to data subject access requests from your customers
  • Honouring requests for consent withdrawal — note that the persistent re-open trigger on the banner gives every visitor a one-click path to revisit and change their decision
  • Ensuring your cookie inventory (managed in the cookies admin) accurately describes what each tracker does and which categories it falls under

10.1 Sample Privacy Policy Text for Your Site

You may adapt the following text for your site’s privacy policy:

Cookie Consent

We use a Consent Management Platform (CMP) operated by Exceedity Ltd to manage cookies and tracking on our website. The CMP places the following first-party cookies on your device:

  • _excvid — a random visitor identifier created when you take a consent decision (365-day expiry; per-site only; never used for cross-site tracking)
  • _excses — a session identifier used while you’re deciding (localStorage only; 30-minute idle timeout; not linked to any other identifier)
  • _excons — your consent decision so we don’t prompt you again on every page

These cookies do not identify you personally (no name, email, IP address, or cross-site tracking). The CMP also blocks non-essential trackers from running on this site until you give consent.

You can change your decision at any time using the Cookie Preferences button in the bottom-left corner of every page. You can also clear these cookies via your browser’s cookie settings.

For more information about how the CMP handles data, see the Exceedity Cookies Privacy Policy.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes to how we handle data, we will notify platform users via email before the changes take effect.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us.

  • Company: Exceedity Ltd (Company No. 14683104)
  • Registered Address:
Willoughby House
2 Broad Street
Stamford
PE9 1PB
United Kingdom