Privacy Policy
Last updated: March 2026
1. Data controller
Purefun Commerce AB
Mossvägen 10, SE-314 40 Torup, Sweden
VAT: SE556744520901
Email: support@coookiemonster.com
Purefun Commerce AB ("we", "us", "our") is the data controller for personal data processed through the CoookieMonster service (coookiemonster.com and app.coookiemonster.com).
2. What data we collect
Account data
When you create a CoookieMonster account, we collect:
- Email address
- Name (if provided)
- Password (hashed, never stored in plaintext)
- Billing information (processed by Stripe, not stored by us)
Site configuration data
When you set up your cookie consent widget, we store:
- Your website domain(s)
- Widget configuration and customization settings
- Cookie categories and descriptions you define
Usage and analytics data
To provide the service and display statistics in your dashboard, we collect:
- Pageview counts (aggregated, not per-visitor)
- Consent rates (percentage of accept/reject, no personal data)
- Widget load counts
What we do NOT collect
- IP addresses of your website visitors
- Personal data of your website visitors
- Browsing behavior or tracking data
3. Legal basis for processing
| Data | Legal basis |
|---|---|
| Account data | Contract performance (Art. 6(1)(b) GDPR) |
| Billing data | Contract performance & legal obligation (Art. 6(1)(b), (c)) |
| Usage analytics | Legitimate interest in service improvement (Art. 6(1)(f)) |
| Support communications | Contract performance (Art. 6(1)(b)) |
4. Sub-processors
We use the following third-party services to deliver CoookieMonster:
| Service | Purpose | Location |
|---|---|---|
| Supabase | Database & authentication | EU (Frankfurt) |
| Vercel | Website & application hosting | Global CDN (EU primary) |
| Stripe | Payment processing | EU |
All sub-processors are bound by data processing agreements and comply with GDPR requirements.
5. Data storage and security
Your data is stored in EU-based infrastructure. We implement appropriate technical and organizational measures to protect personal data, including encryption in transit (TLS) and at rest, access controls, and regular security reviews.
6. Data retention
- Account data: Retained for the duration of your account. Deleted within 30 days of account deletion.
- Usage analytics: Aggregated data retained for up to 24 months. No personal data is included.
- Billing records: Retained for 7 years as required by Swedish accounting law (Bokföringslagen).
- Support communications: Retained for 12 months after resolution.
7. Your rights
Under the GDPR, you have the right to:
- Access -- Request a copy of your personal data
- Rectification -- Correct inaccurate personal data
- Erasure -- Request deletion of your personal data
- Portability -- Receive your data in a structured, machine-readable format
- Restriction -- Restrict processing in certain circumstances
- Objection -- Object to processing based on legitimate interest
To exercise any of these rights, email support@coookiemonster.com. We will respond within 30 days.
8. International transfers
We primarily store and process data within the EU/EEA. Where data is processed outside the EU (e.g., Vercel edge nodes), appropriate safeguards are in place, including Standard Contractual Clauses (SCCs).
9. Changes to this policy
We may update this privacy policy from time to time. Significant changes will be communicated via email to registered account holders. The "Last updated" date at the top of this page reflects the most recent revision.
10. Complaints
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at www.imy.se.