Privacy Policy for End Users

Last updated About 4 hours ago

Last updated in April 2026

1. Introduction

This Privacy Policy applies to you as an end user of a website or application that uses Consent Studio as its consent management platform. Consent Studio is a product of Vallonic B.V., based in the Netherlands.

Consent Studio consists of two components that may be active on a website you visit:

  • Consent Studio Web CMP: the consent management platform that presents you with a consent banner and records your preferences

  • Consent Studio Launcher: a client-side tag manager that controls when and whether third-party tags and scripts are allowed to fire on a page, based on the consent signal provided by the Web CMP

This notice explains what data each component processes, why, and how we protect it. It also covers the incidental processing of technical data that occurs as part of operating any internet-facing service securely.

2. Who Is the Data Controller?

Vallonic B.V. acts as a data processor on behalf of the website or application you visited. That website or application is the data controller and is responsible for presenting you with a lawful consent request and for correctly configuring which tags are permitted to fire under which consent conditions.

If you have questions about how your data is used by a specific website, or which third-party tools that website has deployed, you should consult that website's own privacy policy.

3. What Data We Process

We process two distinct categories of data: functional data collected as part of delivering our services, and infrastructure data processed incidentally as part of operating a secure, reliable platform.

3.1 Functional Data: Consent Studio Web CMP

When you interact with a Consent Studio-powered consent banner, we record the following data.

Collected automatically:

  • Your user agent (browser type and version, operating system)

  • Your IP address, with the last octet nulled before storage (e.g., 192.168.1.x) so that your full IP address is never retained

  • The timestamp of your consent interaction

  • Your country of origin, determined at the network edge before your request reaches our core infrastructure. The country is identified at that point and your IP address is anonymised immediately upon arrival, without being queried against any geo-IP database on our end

Collected from your interaction:

  • Your consent choices: which categories of cookies or processing activities you accepted, rejected, or configured

Optionally added by the website operator:

  • A hashed identifier: the website operator may attach a one-way cryptographic hash derived from an identifier on their side, such as a user account ID. This hash cannot be reversed by Vallonic B.V. or any other party within our infrastructure to identify you. The website operator who submitted the hash retains the ability to link it back to a readable value within their own system. Their use of this identifier is governed by the agreement between the website operator and Vallonic B.V., and by the website operator's own privacy policy. Whether this identifier is attached to your consent record depends on the website you visited and how that operator has configured their Consent Studio integration.

We do not collect your name, email address, or any other directly identifying personal data as part of the consent registration process.

3.2 Functional Data: Consent Studio Launcher

The Consent Studio Launcher is a tag management component that runs in your browser. Its function is to read the consent signal established by the Web CMP and gate the firing of third-party tags accordingly. Tags are only permitted to execute when the corresponding consent category has been granted by you.

As part of its functional operation, the Launcher does not transmit personal data to Vallonic B.V. As with any request made over the internet, standard infrastructure-level data such as IP addresses and access timestamps may be processed incidentally by our network and security systems when your browser fetches the Launcher script. This is described in Section 3.3 below.

Please note: The Launcher enforces consent-based tag firing, but it is the responsibility of the website operator to correctly configure which tags require which consent categories. Consent Studio provides all the necessary tools for website operators to configure this correctly. Whether those tools are used appropriately is the responsibility of the data controller.

3.3 Infrastructure Data: Security and Operational Logging

To maintain the security, stability, and performance of our services, our network and security systems automatically process technical data when any request is made to our infrastructure. This applies to all Consent Studio components and includes requests made when loading the Launcher script, submitting a consent signal, or otherwise interacting with our platform.

This data may include:

  • IP address

  • Browser type and version

  • Device and operating system information

  • Referring URLs

  • Pages or endpoints accessed and timestamps

  • Error messages or system logs

This data is used to:

  • Detect and prevent fraud, abuse, and denial-of-service attacks

  • Apply rate limiting and other security controls

  • Monitor system health and performance

  • Diagnose and resolve technical issues

This processing is based on our legitimate interest in ensuring the secure and reliable operation of our services (GDPR Article 6(1)(f)). Infrastructure data is stored securely, accessible only to authorised personnel, and retained only for as long as necessary for these purposes. It is not used to identify individual end users or linked to functional consent records.

4. Why We Process Functional Data

We process consent record data for the following purposes:

  • Storing and proving your consent: to create a verifiable record that demonstrates a lawful consent signal was obtained, in compliance with the GDPR and the ePrivacy Directive

  • Honouring your preferences: to ensure the website you visited respects your choices on return visits, and that the Launcher uses your signal to gate tag firing correctly

  • Enabling consent lookup by the website operator: where a hashed identifier has been provided, to allow the website operator to retrieve the consent record associated with a specific user in their system, for example to fulfil a data subject access request or to verify consent before processing

  • Fraud and abuse prevention: to detect and prevent manipulated or automated consent submissions that would undermine the integrity of the consent record

  • Audit and compliance: to allow the data controller to demonstrate compliance with applicable privacy regulations upon request by a supervisory authority

The legal basis for processing functional consent data is legitimate interest (GDPR Article 6(1)(f)), specifically the legitimate interest of data controllers in maintaining a verifiable, tamper-evident record of consent, and our legitimate interest in ensuring the integrity of the consent infrastructure.

5. Third-Party Tags and the Launcher

When a website uses Consent Studio Launcher, third-party tags and scripts on that website are managed through the Launcher. Examples of such tags include analytics tools, advertising pixels, and chat widgets.

These third-party tools are not operated by Vallonic B.V. and are outside our control. If a third-party tag fires on a page you visit, that third party may collect data about you under their own terms and privacy policies.

Consent Studio Launcher is designed to ensure that such tags only fire when you have given the appropriate consent. However, the selection of which tags are deployed and how they are categorised is determined entirely by the website operator. For a full list of tags active on a specific website, please refer to that website's cookie policy or privacy notice.

In some cases, a website operator may choose to allow a third-party tag to load regardless of your consent signal, and instead pass that signal through to the third party for them to honour within their own platform. A common example of this is Google Consent Mode v2, where a tag such as Google Analytics may continue to load but operates in a restricted mode determined by the tag vendor based on the consent signal it receives.

In such configurations, the Launcher is not the enforcement point for that tag. The website operator has made a deliberate decision to delegate consent enforcement to the third-party vendor, and it is that vendor's terms, privacy policy, and technical implementation that govern what data is collected and how it is processed. Vallonic B.V. has no visibility into or control over how third-party vendors handle consent signals passed to them in this way.

6. Data Sovereignty and Storage

Your consent data is stored exclusively within the European Economic Area (EEA). All infrastructure used by Consent Studio, including servers, databases, and content delivery, is operated by European-owned companies. No data is transferred to the United States or any other third country.

We do not rely on Standard Contractual Clauses or other transfer mechanisms because no international transfer takes place.

7. Data Retention

Functional consent records are retained for 12 months from the date they were created, after which they are deleted on a rolling basis. If the website operator's Consent Studio account is cancelled, or the relevant website is removed from their account, all associated end user consent records are deleted immediately, even if the 12-month period has not yet elapsed.

Infrastructure and security logs are retained only for as long as necessary for the operational and security purposes described in Section 3.3. They are not retained in line with the functional consent record schedule.

8. Data Sharing

We do not sell, rent, or share your data with third parties for commercial purposes.

Your consent record may be accessed by or shared with:

  • The website operator whose consent banner you interacted with. They are the data controller and are entitled to access the records collected on their behalf, including querying records by hashed identifier where they have configured this feature.

  • Regulatory or supervisory authorities, where required by law.

A full list of sub-processors engaged by Vallonic B.V. in the delivery of Consent Studio is maintained separately and kept up to date.

9. Your Rights Under GDPR

As a data subject, you have the following rights:

  • Right of access: request a copy of the consent record associated with your interaction

  • Right to rectification: request correction of inaccurate data

  • Right to erasure: request deletion of your consent record

  • Right to restrict processing: request that we limit processing of your data

  • Right to object: object to processing based on legitimate interests

Because we do not store a name or email address linked to your consent record, you will need to provide the website URL and an approximate date and time of your interaction so we can locate the relevant record. Alternatively, if the website operator has attached a hashed identifier to your record, you may ask the website operator to locate and action your record directly, as they hold the means to query by that identifier.

Please note that rights requests relating to infrastructure and security logs may be subject to limitations where retention is necessary for security purposes or compliance with legal obligations.

To exercise your rights directly with Vallonic B.V., contact us at: support@consent.studio

You also have the right to lodge a complaint with a supervisory authority. In the Netherlands, this is the Autoriteit Persoonsgegevens at autoriteitpersoonsgegevens.nl.

10. Security

We protect the data we process using the following measures:

  • Encrypted connections (TLS) for all data in transit

  • Data stored on secured, access-controlled servers within the EEA

  • IP addresses anonymised at the network edge, before reaching our core infrastructure

  • Country of origin determined without any geo-IP lookup on our core systems

  • One-way hashing of any optional user identifiers, which cannot be reversed by Vallonic B.V. or any other party within our infrastructure

  • Access to consent records and infrastructure logs restricted to authorised personnel only

  • Security monitoring, rate limiting, and abuse detection applied across all endpoints

11. Changes to This Policy

We may update this policy from time to time. Material changes will be published on this page with an updated date. We encourage you to review this notice periodically.

12. Contact

If you have any questions or concerns about this Privacy Policy or the processing of your personal data, please contact us at:

Vallonic B.V.
Lange Nieuwstraat 172
5041 DJ
Tilburg
The Netherlands

Email: support@consent.studio
Website: https://consent.studio
Phone: +31 (0)416 788 118

EU VAT ID: NL863265777B01
Dutch KVK: 84575174