
Legal · privacy · last updated 2026-05-27

Privacy. The short version.

We make consent management software. It would be embarrassing to bury what we do with your data behind a 4,000-word policy. Below is everything, in plain English.

tickbox.dev (this site)

This marketing site sets no cookies, runs no analytics, and embeds no third-party trackers. Our own server access logs hold standard fields (IP, user agent, URL, timestamp) for a few days for debugging, then they roll off.

We load fonts from fonts.googleapis.com and fonts.gstatic.com so the page renders in our typeface; Google sees your IP for that request. If that's a problem we'd self-host the fonts — open an issue.


docs.tickbox.dev

Same as above. No cookies, no trackers. Code samples and a search index served as plain static files.


app.tickbox.dev (the dashboard)

Paid surface. If you sign in here, we store the minimum needed to run the service:

  • Your account email and the OIDC sub claim from our identity provider (Keycloak).
  • The sites you create, their public API keys, and the per-site banner theme you edit.
  • A signed session cookie (tb_session) so you stay logged in — HttpOnly, no third-party.
  • If you subscribe to a paid plan: a Stripe customer ID. Card details live with Stripe, never us.

Delete a site and its data is removed. Close your account and we purge everything tied to your sub on request — email hello@tinysystems.io.


The audit log (your visitors' data)

When one of your sites uses @tickboxhq/cloud, the SDK POSTs each consent decision to api.tickbox.dev/v1/events. The payload is small on purpose:

  • SHA-256 of a cookie value (hashed in the visitor's browser before it ever leaves) — not the cookie itself, not the IP, not a fingerprint.
  • The jurisdiction, policy version, and per-category accept/reject map.
  • The country code derived from the Cloudflare edge headers — no IP stored.
  • User agent string (so you can spot bots).
  • A timestamp.

These rows live in Cloudflare D1 (UK / EU). Free and paid plans have automatic retention windows (30 days, 90 days, 1 year). Unlimited customers can set their own. Stop deploying @tickboxhq/cloud and no new events are logged — the OSS SDK is fully usable without it.


What we don't do

  • Sell, rent, or share data with marketing partners. There are no marketing partners.
  • Profile individuals across sites — the visitorHash is per-site and we can't join it to anything else.
  • Touch GA / Meta / TikTok pixels. We're a consent SDK; we'd be the joke of the year.
  • Bake third-party JavaScript into anything customer-facing.

Your rights

Under UK GDPR / EU GDPR you can access, correct, export, restrict processing of, or erase your data. Email hello@tinysystems.io and we'll respond within the statutory month — usually within a day.

UK supervisory authority: the ICO. You can complain to them about us if you ever need to.


Contact

Tickbox is operated by Tiny Systems Ltd, a company registered in England & Wales. For anything privacy-related — hello@tinysystems.io.

Changes to this policy are recorded in the CHANGELOG.md of the source repo. Material changes get a note in our release announcement.
