Privacy Policy
Last updated: May 25, 2026
This Privacy Policy describes the personal data processing carried out by ConsentLab, published by Bob le Développeur (hereinafter "we", "our" or "ConsentLab"), in accordance with the General Data Protection Regulation (GDPR — Regulation EU 2016/679) and the French Data Protection Act of 6 January 1978 as amended.
1. Data controller
The data controller is:
- Company name: Bob le Développeur (SIRET 891 488 512 00015)
- Website: bob-le-developpeur.com
- Registered office: France
- Email: contact@consentlab.eu
- Data Protection Officer (DPO): not required under Article 37 of the GDPR. For any GDPR enquiry: privacy@consentlab.eu
2. ConsentLab's dual role
ConsentLab acts in two distinct roles regarding data protection:
- As data controller for the data of its own Customers (account creation, billing, support). This Policy covers this scope.
- As processor (within the meaning of Article 28 of the GDPR) for Visitor consent data on Customers' websites. This scope is covered by our Data Processing Agreement (DPA).
3. Data collected as data controller
3.1 Customer account data
| Data | Purpose | Legal basis | Retention period |
|---|---|---|---|
| Email address | Identification, communication, billing | Performance of the contract (Art. 6-1-b) | Duration of the account + 3 years |
| First name, last name | Service personalisation, billing | Performance of the contract (Art. 6-1-b) | Duration of the account + 3 years |
| Company name | Billing (optional) | Performance of the contract (Art. 6-1-b) | Duration of the account + 3 years |
| Password | Authentication | Performance of the contract (Art. 6-1-b) | Duration of the account (stored as an irreversible bcrypt hash) |
3.2 Billing data
| Data | Purpose | Legal basis | Retention period |
|---|---|---|---|
| Stripe identifier (customer_id, subscription_id) | Subscription and payment management | Performance of the contract (Art. 6-1-b) | Duration of the contract + statutory accounting retention period (10 years, Art. L.123-22 French Commercial Code) |
| Plan, subscription status, periods | Service management and billing | Performance of the contract (Art. 6-1-b) | Duration of the contract + 10 years |
Important note: ConsentLab does not collect or store any bank data (card number, CVV, etc.). Payments are processed exclusively by Stripe, which is PCI-DSS certified.
3.3 Technical data
| Data | Purpose | Legal basis | Retention period |
|---|---|---|---|
| IP address (server logs) | Security, intrusion detection, rate limiting | Legitimate interest (Art. 6-1-f) — service security | 12 months |
| JWT tokens (access + refresh) | Session authentication | Performance of the contract (Art. 6-1-b) | 15 min (access) / 7 days (refresh) |
3.4 Free legal-document generators
If you use one of our public generators (Terms of Use, Terms of Sale, Legal Notice, Privacy Policy) at /terms-of-use-generator and similar URLs, we collect:
- Email address — to send you the generated document
- Form parameters — company name, registration ID, processing purposes, etc., used solely to generate the document you requested
- Hashed IP + user-agent — for anti-spam protection and activity evidence (we never store the raw IP)
- Marketing consent — if you ticked the dedicated box, we may occasionally send you product updates or GDPR best practices
Legal bases: performance of the contract (delivering the requested document, GDPR Art. 6-1-b) and explicit consent (newsletter, GDPR Art. 6-1-a). Retention period: 3 years from the last active contact. You can unsubscribe at any time via the link in each email or by emailing contact@consentlab.eu.
4. Data processed as processor
As part of its CMP service, ConsentLab processes the following data on behalf of its Customers (data controllers):
| Data | Processing method |
|---|---|
| Visitor hash | Irreversible SHA-256 (IP + user-agent + rotating daily salt) |
| Consent choices | JSON: necessary, analytics, marketing (true/false) |
| User-agent | Stored for device-type statistics |
| Country (ISO code) | IP-based geolocation (no IP storage) |
| Timestamp | UTC date and time of the choice |
The detailed conditions of this processing are defined in our Data Processing Agreement (DPA).
5. Data recipients
5.1 Technical processors
| Processor | Function | Location | Safeguards |
|---|---|---|---|
| OVHcloud (OVH SAS) | Infrastructure and database hosting | France | ISO 27001, HDS, SOC 2 certified |
| Stripe (Stripe Payments Europe, Ltd.) | Payment processing | Ireland (EU) | PCI-DSS certified, GDPR compliant |
| Resend | Transactional email delivery | United States | EU-US Data Privacy Framework (adequacy decision of 10 July 2023) |
| Sentry (Functional Software, Inc.) | Application error tracking (stack traces, technical context) | United States | EU-US Data Privacy Framework + Standard Contractual Clauses. No account or payment data is sent — only technical error metadata. |
| Cloudflare, Inc. | DNS resolution and DDoS protection (edge proxy) | United States (worldwide anycast) | EU-US Data Privacy Framework + Standard Contractual Clauses. Traffic transits through the Cloudflare network for proxied domains; no data is persistently stored there. |
| GitHub, Inc. (Microsoft) | Source code hosting, continuous integration, and container image registry | United States | EU-US Data Privacy Framework. Has no access to production data nor to Visitor or Customer personal data. |
5.2 No data sale
ConsentLab does not sell, rent or transfer any personal data to third parties for commercial, advertising or profiling purposes.
6. International transfers
Customer account data and Visitor consent data are exclusively hosted in France (OVH, Roubaix).
Only the following data is transferred outside the European Union:
- Transactional emails (via Resend, USA): content of notification emails (welcome, password reset, quota alerts). This transfer is governed by the EU-US Data Privacy Framework.
- Application error metadata (via Sentry, USA): stack traces, URLs called, HTTP status codes, technical context. Contains no account or payment data. Transfer governed by the EU-US Data Privacy Framework.
- Edge traffic (via Cloudflare, USA, anycast): for proxied domains, HTTP requests transit through the Cloudflare network for DDoS protection and performance. No persistent storage. Transfer governed by the EU-US Data Privacy Framework.
7. Data security
ConsentLab implements the following technical and organisational security measures, in accordance with Article 32 of the GDPR:
- Password hashing with bcrypt (cost factor 12); passwords are never stored in plaintext or in any recoverable (encrypted) form, only as an irreversible salted hash
- Authentication via JWT tokens with automatic rotation
- Encryption in transit (TLS/HTTPS)
- Brute-force protection (rate limiting: 5 to 20 attempts/min depending on endpoints)
- HTTP security headers (Helmet.js: CSP, X-Frame-Options, HSTS, etc.)
- Anonymisation of Visitor data via irreversible SHA-256 hashing with daily salt
- Data isolation between Customers (filtering by project and API key)
- Docker containerisation with non-root user and signed images
- Automated dependency auditing (npm audit in CI)
8. Your rights
In accordance with Articles 15 to 22 of the GDPR, you have the following rights:
- Right of access (Art. 15): obtain confirmation that your data is being processed and obtain a copy of it
- Right to rectification (Art. 16): correct inaccurate or incomplete data
- Right to erasure (Art. 17): request the deletion of your data
- Right to restriction (Art. 18): request restriction of processing
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format (CSV export available)
- Right to object (Art. 21): object to processing based on legitimate interest
To exercise these rights, write to us at privacy@consentlab.eu. We will respond to your request within a maximum of thirty (30) days in accordance with Article 12-3 of the GDPR.
If you encounter difficulties exercising your rights, you may lodge a complaint with the CNIL (France's data protection authority): www.cnil.fr. EU residents may also lodge a complaint with their local data protection authority.
9. Automated decision-making
ConsentLab does not carry out any automated decision-making or profiling within the meaning of Article 22 of the GDPR. The auto-scale feature (automatic plan upgrade) is activated manually by the Customer and does not constitute automated decision-making.
10. Cookies
Information on the cookies used on consentlab.eu is available in our dedicated Cookie Policy.
11. Changes
This Policy may be modified. Any substantial change will be notified to Customers by email. The version in force is always accessible at this URL.
12. Contact
For any question relating to the protection of your data: privacy@consentlab.eu.