Data Processing & Security
At CookieHub, we take data processing and security seriously. We are committed to maintaining high standards of data protection and operational security in line with GDPR and ISO/IEC 27001 principles.
This page provides an overview of our data processing practices and security measures.
Consent log
CookieHub does not intentionally collect directly identifiable personal information about your website’s end-users.
If the consent log feature is enabled for your domain, we collect and store only the pseudonymous and technical data necessary to demonstrate a user’s consent choices in accordance with GDPR Article 7(1).
Consent log entries are automatically deleted after 12 months unless otherwise agreed.
The consent log stores the following information:
| Property | Details / Purpose |
|---|---|
| Token | Unique string stored in the CookieHub cookie used to reference the consent log entry |
| Url | The page where consent was recorded |
| Widget revision | Version of the widget displayed at time of consent |
| IP address | Anonymized IP address with last segment removed |
| Country | Country derived from anonymized IP block |
| User agent | Browser and operating system information |
| Date and time | Timestamp of consent action |
Cookies used by CookieHub
Depending on configuration, CookieHub may use up to three cookies or local storage items:
| Name | Type | Purpose |
|---|---|---|
| cookiehub | Cookie | Stores user consent state and configuration metadata |
| cookiehub-ac | Local storage | Stores Additional Consent string when Google Additional Consent Mode is enabled |
| euconsent-v2 | Cookie | Stores IAB Transparency and Consent string when TCF is enabled |
cookiehub
To prevent the CookieHub widget from repeatedly appearing for the same user, the cookie choices must be stored in a first-party cookie within the user’s browser. The cookie is set to expire after one year by default, but this can be adjusted in the dashboard, in the CookieHub tag in Google Tag Manager, or by modifying the cpm variable in the inline HTML code.
Our aim is to store only necessary information and to be transparent about the data collected and processed. Detailed information about the CookieHub cookie structure and the purpose of each section can be found below.
To avoid issues caused by special characters that are not permitted in cookies, the cookie value is base64 encoded. The base64 encoded value will resemble the following:
eyJhbnN3ZXJlZCI6dHJ1ZSwicmV2aXNpb24iOjMsImRudCI6ZmFsc2UsImFsbG93U2FsZSI6dHJ1ZSwicmVnaW9uIjoiRzAiLCJ0b2tlbiI6IkVqN2FEb0dna2xLbVpUSEVZTWxQTE1Sc1pnOFVGY0hNZkNxblA4N1U3SWhKZnZhY25kTkYxMFlLUHRYcXIxclciLCJ0aW1lc3RhbXAiOiIyMDIyLTEyLTE3VDIzOjE3OjA1LjMxOFoiLCJhbGxBbGxvd2VkIjp0cnVlLCJjYXRlZ29yaWVzIjpbXSwidmVuZG9ycyI6W10sInNlcnZpY2VzIjpbXSwiaW1wbGljaXQiOmZhbHNlfQ==
Once decoded, the value will be structured as a JSON object, similar to this:
{
"answered":true,
"revision":3,
"dnt":false,
"allowSale":true,
"region":"G0",
"token":"Ej7aDoGgklKmZTHEYMlPLMRsZg8UFcHMfCqnP87U7IhJfvacndNF10YKPtXqr1rW",
"timestamp":"2022-12-17T23:17:05.318Z",
"allAllowed":true,
"categories":[],
"vendors":[],
"services":[],
"implicit":false
}
Below is a table that outlines the different properties of the JSON object used by CookieHub, along with their respective details and purposes:
| Property | Details / Purpose |
|---|---|
| answered | Indicates whether the user has made any cookie choices in the CookieHub widget, including allowing all categories, denying all categories or allowing some categories. |
| revision | By default, the value of this property is 1. However, if the “Reset consents” button is clicked in the CookieHub Dashboard, the value is increased by 1 each time. If the value of this property is set to a lower number than the current revision for the domain, the user will be prompted to make his or her cookie choices again. |
| dnt | If the user’s browser sends the “do-not-track” (DNT) flag, this value will be set to true. CookieHub respects the DNT flag and doesn’t automatically load cookie categories used for tracking if the DNT flag is sent. |
| allowSale | This property is only used when CCPA policy framework or IAB GPP is active. It is set to false if the user has opted-out of the sale of personal information. |
| region | This property displays the region code detected from the user’s IP address. |
| token | A unique token created for each user that can be used to look up the user’s consent in the consent log. |
| timestamp | The date and time when the last change to user consent was made. |
| categories | This property lists the categories enabled for the domain. If the “allAllowed” property is set to true, this property is empty. |
| vendors | This property lists the vendors enabled for the domain. If the “allAllowed” property is set to true, this property is empty. |
| services | This property lists the services enabled for the domain. If the “allAllowed” property is set to true, this property is empty. |
| implicit | This property is set to true if implicit consent type was enabled, resulting in cookies being set prior to consent. |
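As an added example (not CookieHub's own code), the sketch below decodes a `cookiehub` cookie value and applies the `answered` and `revision` rules from the table above. The names `parseConsentCookie` and `mustPrompt`, and the requirement that every property from the sample be present with the expected type, are assumptions for illustration; because the cookie is stored in the browser and can be edited there, the decoder treats it as untrusted input.

```javascript
// Added example, not CookieHub code; function names are hypothetical.
// Expected type of each property, taken from the JSON sample on this page.
const SHAPE = {
  answered: 'boolean', revision: 'number', dnt: 'boolean', allowSale: 'boolean',
  region: 'string', token: 'string', timestamp: 'string', allAllowed: 'boolean',
  categories: 'array', vendors: 'array', services: 'array', implicit: 'boolean',
};

// Decode base64 -> UTF-8 -> JSON. Returns null for anything malformed,
// since the cookie is stored client-side and can be edited by the user.
function parseConsentCookie(value) {
  let obj;
  try {
    const bytes = Uint8Array.from(atob(value), (c) => c.charCodeAt(0));
    obj = JSON.parse(new TextDecoder('utf-8', { fatal: true }).decode(bytes));
  } catch (e) {
    return null;
  }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) return null;
  for (const [key, type] of Object.entries(SHAPE)) {
    const v = obj[key];
    const ok = type === 'array' ? Array.isArray(v) : typeof v === type;
    if (!ok) return null;
  }
  if (!Number.isInteger(obj.revision) || obj.revision < 1) return null;
  if (Number.isNaN(Date.parse(obj.timestamp))) return null;
  return obj;
}

// The widget is shown again when no valid choice is stored or when the stored
// revision is lower than the domain's current revision ("Reset consents").
function mustPrompt(state, currentRevision) {
  return state === null || !state.answered || state.revision < currentRevision;
}

// Constructed sample: the JSON object shown on this page, re-encoded.
const sample = btoa(JSON.stringify({
  answered: true, revision: 3, dnt: false, allowSale: true, region: 'G0',
  token: 'Ej7aDoGgklKmZTHEYMlPLMRsZg8UFcHMfCqnP87U7IhJfvacndNF10YKPtXqr1rW',
  timestamp: '2022-12-17T23:17:05.318Z', allAllowed: true,
  categories: [], vendors: [], services: [], implicit: false,
}));
```

A value that fails to decode or validate is handled the same way as a missing cookie: the user is asked again rather than the stored state being trusted.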
cookiehub-ac
Used to store the AC string (Google Additional Consent Mode), which contains a list of consented Google Ad Tech Providers that are not registered with IAB.
An AC string contains the following three components:
- Part 1: A specification version number, such as “1”
- Part 2: A separator symbol “~”
- Part 3: A dot-separated list of user-consented Google Ad Tech Provider (ATP) IDs. Example: “1.35.41.101”
For example, the AC string 1~1.35.41.101 means that the user has consented to ATPs with IDs 1, 35, 41 and 101, and the string is created using the format defined in the v1.0 specification.
Google’s Additional Consent Mode technical specification
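The three-part format described above can be parsed strictly, as in this added example (not CookieHub's or Google's code). The names `parseAcString` and `hasAtpConsent`, the length cap, and the handling of an empty ID list are assumptions; the point is that consent for an ATP ID should be checked against parsed integers, since a substring test on `1~1.35.41.101` would wrongly match ID 10 or 5.

```javascript
// Added example, not CookieHub or Google code; function names are hypothetical.
// Parses the format described on this page: <version>~<id>.<id>.<id>
// Returns { version, atpIds } or null when the string does not match it.
function parseAcString(raw) {
  // The value comes from local storage (cookiehub-ac), so it is user-editable.
  if (typeof raw !== 'string' || raw.length > 8192) return null; // cap is an assumption
  const parts = raw.split('~');
  if (parts.length !== 2) return null; // exactly one "~" separator
  const [version, list] = parts;
  if (!/^[1-9][0-9]*$/.test(version)) return null;
  // Assumption: an empty list means no ATP has been consented to.
  if (list === '') return { version: Number(version), atpIds: [] };
  const ids = new Set();
  for (const item of list.split('.')) {
    // Each ID must be a positive integer with no sign, spaces or leading zero.
    if (!/^[1-9][0-9]{0,8}$/.test(item)) return null;
    ids.add(Number(item));
  }
  return { version: Number(version), atpIds: [...ids].sort((a, b) => a - b) };
}

// True only when the exact ATP ID is present in a well-formed AC string.
function hasAtpConsent(raw, atpId) {
  const parsed = parseAcString(raw);
  return parsed !== null && parsed.atpIds.includes(atpId);
}
```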
euconsent-v2
Used to store the TC string, which contains the transparency and consent established for vendors on IAB’s Global Vendor List (GVL).
Transparency and Consent String with Global Vendor
Security and Data Protection practices
CookieHub implements appropriate technical and organisational measures in accordance with Article 32 GDPR.
Our security practices are aligned with ISO/IEC 27001 principles and include:
- Encryption in transit (TLS)
- Encryption at rest where applicable
- Role-based access control
- Infrastructure monitoring
- Patch and vulnerability management
- Segregated environments
- Redundant hosting architecture
Primary application and consent log data are stored within the EEA.
International Transfers
Some service providers operate outside the European Economic Area.
Where personal data is transferred outside the EEA, appropriate safeguards under Chapter V GDPR, including Standard Contractual Clauses where applicable, are implemented.
Data Processing Agreement (DPA)
CookieHub acts as a data processor for customer data processed through the Service.
A Data Processing Agreement (DPA) is available upon request. Enterprise customers may request a signed or customized DPA subject to approval.
Server locations
CookieHub uses cloud infrastructure providers with data centers located in Germany, France, and the Netherlands.
Content delivery and network protection services operate globally to ensure performance and availability.
Sub-processors
CookieHub engages trusted third-party service providers to support its Services.
| Entity Name | Entity Location | Processing Location | Purpose |
|---|---|---|---|
| Amazon Web Services Inc. | United States | Germany, United Kingdom | Cloud hosting, data storage, monitoring and security solutions |
| Amazon Web Services Inc. * | United States | Worldwide | Content delivery network |
| Online S.A.S. ** | France | Netherlands | Cloud hosting, data storage |
| BunnyWay d.o.o. * | Slovenia | Worldwide | Content delivery network |
| Cloudflare | United States | Worldwide | Content delivery network, WAF and DDoS protection |
| Help Scout PBC | United States | United States | Customer support |
| Userlist, Inc. | United States | United States | Transactional and marketing email delivery |
Where sub-processors are located outside the EEA, appropriate safeguards are in place.