Privacy Policy
Last updated: 2 June 2026
Handwired LLC ("we", "us", "our") operates ConsentIQ at consentiq.co. This policy explains what personal data we collect, why, how long we keep it, and your rights over it.
1. Who We Are
ConsentIQ is a tag governance and consent compliance audit tool for websites using Google Tag Manager, GA4, and consent management platforms. We are operated by Handwired LLC. For privacy enquiries: hello@consentiq.co
2. Data We Collect and Why
Free scan submissions
When you submit a free scan we collect:
- Email address — to send a verification link and your results
- Website URL — to run the compliance audit
- IP address — for rate limiting (1 scan per IP per hour) and abuse prevention
- Consent record — timestamp, IP address, and exact wording of the consent checkbox you ticked. This is a legal record required by GDPR Article 7 and equivalent regulations
- Scan results — tag names, cookie names and attributes, consent mode state, and module scores from your website's front end. We do not collect any data about your website's end users
Self-serve report purchases
When you purchase a report we additionally collect:
- Purchase consent record — timestamp, IP address, and exact wording of the purchase clickwrap you agreed to
- Payment data — processed entirely by Stripe. We never see or store card details
Paid engagement clients
When you engage Handwired LLC for remediation work we additionally collect:
- Name and company — for engagement records and communication
- Engagement consent record — timestamp, IP address, and exact wording of the engagement authorisation you submitted at /engage/{token}
- Correspondence — emails and notes related to the engagement
What we do NOT collect
Our scanner operates read-only on your website's front end. We do not collect, store, or process any personal data belonging to your website's visitors. We capture tag names, cookie attributes, and consent state — not user identities, sessions, or behaviour.
3. Legal Basis for Processing (GDPR)
- Contract performance — processing necessary to deliver the scan or engagement you requested (Article 6(1)(b))
- Legal obligation — retaining consent records as required by privacy regulations (Article 6(1)(c))
- Legitimate interests — rate limiting and abuse prevention (Article 6(1)(f))
4. Cookies We Set
| Cookie | Purpose | Duration | Consent required |
|---|---|---|---|
| consentiq_consent | Stores your cookie preference | 365 days | Necessary — set on any choice |
| GA4 (_ga, _ga_*) | Analytics | 2 years / 24h | Yes — analytics category only |
| Session cookie | Authentication (Rowena only) | Session | Not set on public routes |
GA4 fires only after you accept analytics cookies. Our consent banner is built to our own audit standard — it passes ConsentIQ's own CHK-004, CHK-006, CHK-007, CKS-001, and CKS-003 checks.
5. Third-Party Services
| Service | Purpose | Data shared |
|---|---|---|
| Google Analytics 4 | Analytics — post-consent only | Anonymised usage events |
| SendGrid (Twilio) | Transactional email | Email address, email content |
| Stripe | Payment processing | Payment details (not stored by us) |
| Azure Blob Storage | Report storage | Generated PDF reports |
| Azure App Service | Hosting | All application data |
| hCaptcha | Bot protection on scan form | IP address, interaction data |
6. Data Retention
| Data type | Retention period |
|---|---|
| Free scan records (unverified) | 30 days |
| Free scan records (verified, unpurchased) | 90 days after scan date |
| Free scan reports (purchased) | 2 years (permanent Azure Blob storage) |
| Paid engagement records and reports | 5 years (legal and accounting obligation) |
| Consent records (clickwrap logs) | 5 years (GDPR Article 7 compliance) |
| IP addresses (rate limiting logs) | 30 days |
7. Your Rights
Depending on your location, you may have the right to:
- Access (GDPR Art. 15 / CCPA) — request a copy of personal data we hold about you
- Rectification (GDPR Art. 16) — request correction of inaccurate data
- Erasure (GDPR Art. 17 / CCPA) — request deletion of your data, subject to legal retention obligations. Use our Right to Be Forgotten form
- Restriction (GDPR Art. 18) — request we limit processing while a dispute is resolved
- Portability (GDPR Art. 20) — receive your data in a structured, machine-readable format
- Opt-out of analytics — use the cookie settings in our consent banner at any time
- Connecticut CTDPA — residents may appeal our decisions regarding their rights request within 45 days
To exercise any right: hello@consentiq.co or use the Right to Be Forgotten form for erasure requests.
8. Security
- All data transmitted over HTTPS/TLS
- Secrets stored in Azure App Service configuration, never in code
- Reports stored in private Azure Blob Storage containers
- Access to internal dashboard restricted to a single authorised account via Google OAuth
9. International Transfers
We use Microsoft Azure (US East region) and Twilio/SendGrid (US). Both participate in the EU–US Data Privacy Framework. We rely on standard contractual clauses where applicable.
10. Children
ConsentIQ is not directed at children under 16. We do not knowingly collect data from children.
11. Changes to This Policy
We will post material changes here and update the "last updated" date. For significant changes we will notify active clients by email.
12. Contact
Handwired LLC — ConsentIQ
Email: hello@consentiq.co
Right to Be Forgotten requests: consentiq.co/rtbf