Cookie Policy
A transparent list of every cookie set by PrivacyLens, why we set it, how long it lasts, and how to control it.
1. What is a cookie?
A cookie is a small text file that a website stores on your device when you visit it. Cookies are used to make websites work, to remember your preferences, and sometimes to track your behaviour for advertising. Under the EU ePrivacy Directive and GDPR Article 7, non-essential cookies require your prior, explicit, informed consent.
2. Our approach: no tracking, no banner required
PrivacyLens uses strictly necessary cookies only. We do not load advertising, marketing or behavioural-analytics cookies on this site. We do not place cookies before you interact with the Service. The full list is below.
Under ePrivacy Directive Article 5(3) and Recital 66, cookies that are strictly necessary for the provision of a service explicitly requested by the user — including bot-management and fraud-prevention cookies such as __cf_bm and Stripe's __stripe_mid — are exempt from the consent requirement. This is why PrivacyLens does not display a consent banner: there is nothing non-essential to consent to. The European Data Protection Board confirms this position in its Guidelines 2/2023 on the technical scope of Article 5(3) (§§28–34). If we ever introduce any non-essential cookie, a granular, GDPR-compliant consent banner will appear before it is set.
Why we do not show a "this site uses cookies" notice before the first request. Both the European Data Protection Board (Guidelines 2/2023 §35) and the French CNIL (deliberation 2020-091) have explicitly confirmed that no prior notice is required for strictly necessary cookies, because forcing a notice before a security or fraud-prevention cookie can be set would itself defeat the security purpose. Nevertheless, for maximum transparency: visitors will encounter two strictly-necessary cookies during their session (__cf_bm from Cloudflare for bot management and session_token from us when signed in), and they may encounter __stripe_mid / __stripe_sid later only if they choose to start a payment flow. None of these cookies are used for advertising or cross-site tracking. Their detailed purpose, retention and provider are documented in the table in §3 below — exactly as required by EDPB Guidelines 05/2020 on consent §86.
3. The complete cookie inventory
| Name | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
| __cf_bm | Cloudflare (first-party) | Bot-management cookie used by our edge layer to distinguish humans from automated traffic and prevent abuse. | 30 minutes | Strictly necessary |
| __stripe_mid and __stripe_sid | Stripe (set only on the externally-hosted Stripe Checkout flow at checkout.stripe.com during a Pro one-time unlock or Pro Monitoring subscription. They are not set by any page on getprivacylens.com itself; you will only encounter them after you explicitly click a "Buy" or "Subscribe" button.) | Fraud prevention during checkout. Strictly necessary under ePrivacy Article 5(3) and PCI-DSS requirement 8. | 1 year (__stripe_mid) / 30 minutes (__stripe_sid) | Strictly necessary |
We do not set Google Analytics, Facebook Pixel, Hotjar, Mixpanel, Segment, LinkedIn Insight, Microsoft Clarity, or any other tracking or marketing cookies.
3a. Technical appendix on __cf_bm
The Cloudflare __cf_bm cookie is a bot-management cookie. Cloudflare's public documentation describes it as follows: a token, refreshed on each page load, that records a derived machine-learning risk score about whether the current request is human-driven or scripted. The cookie value is opaque, has a hard cap of 30 minutes, is scoped strictly to our domain (first-party), and Cloudflare does not use it to identify individual users, run advertising campaigns, or share data with third parties for marketing. The cookie's full technical specification is available at Cloudflare's developer docs.
Privacy-hardened fallback. Users who block first-party cookies entirely can still browse the public marketing site (including the legal pages and public reports) — the cookie is only set on the first interaction, and the site remains fully readable in a session with cookies disabled.
3b. Roadmap: first-party embedded checkout
The __stripe_mid and __stripe_sid cookies today live on Stripe's checkout.stripe.com domain because we currently use Stripe's hosted-checkout redirect. We have committed to migrate to Stripe's first-party embedded checkout (Checkout Session with mode=embedded) on the dedicated subdomain checkout.getprivacylens.com. This brings the payment flow fully under first-party control and removes the cross-domain cookie. Migration is scheduled for Q3 2026; the change will not affect cookie purpose or retention (still fraud-prevention, strictly necessary) but it will eliminate the third-party domain footprint.
4. Local storage
The application may store a small amount of data in your browser's localStorage (for example, the last URL you scanned so we can pre-fill the form). This data never leaves your device and is not transmitted to our servers. You can clear it any time via your browser settings.
5. How to control cookies
- Browser settings. All modern browsers let you view, manage and block cookies via their settings panel. See guides for Chrome, Firefox, Safari, and Edge.
- Do Not Track. We honour the standard Do-Not-Track signal where technically meaningful.
- Global Privacy Control (GPC). We treat a valid GPC signal as a request to opt out of any sale or sharing of personal information (we do neither by default).
6. Changes to this policy
If we add any new cookie or third-party technology, we will update this page and the “Effective” date at the top. Material changes will be flagged with a notice on the homepage.
7. Contact
Questions about cookies or this policy: privacy@getprivacylens.com.