Gretelfy

Privacy Policy

Last updated: February 3, 2026

1. Introduction

Gretelfy ("we," "our," or "us") operates the Gretelfy cookie compliance scanning platform at gretelfy.com. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our website and services.

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Data Controller

Gretelfy is the data controller for the personal data processed through our platform. If you have questions about this policy or our data practices, contact us at privacy@gretelfy.com.

3. Data We Collect

3.1 Account Data

When you create an account, we collect:

  • Email address
  • Name (if provided)
  • Organization name (if provided)
  • Password (stored securely hashed, never in plain text)

3.2 Scan Data

When you use our scanning service, we collect and process:

  • URLs you submit for scanning
  • Cookie data found on scanned websites (cookie names, domains, expiry, flags)
  • Network requests made by scanned websites before consent
  • Consent Management Platform (CMP) detection results
  • Gretel Score and violation details

Scan data relates to the websites you scan, not to your personal browsing. We do not track your personal browsing activity.

3.3 Usage Data

We automatically collect limited technical data:

  • IP address (anonymized for analytics)
  • Browser type and version
  • Pages visited on gretelfy.com
  • Referring URL
  • Timestamps of visits

3.4 Payment Data

Payment processing is handled by Paddle, our Merchant of Record. We do not store your full credit card number. We receive and store only a tokenized reference, card brand, last four digits, and expiration date for display purposes.

4. How We Use Your Data

We use the data we collect for the following purposes:

  • Service delivery: To perform cookie compliance scans, generate reports, and provide your Gretel Score
  • Account management: To create and maintain your account, authenticate your identity, and manage your subscription
  • Communication: To send scan results, compliance alerts, and service notifications you have opted into
  • Improvement: To analyze usage patterns and improve our scanning accuracy and platform features
  • Legal compliance: To comply with legal obligations and enforce our Terms of Service

5. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

  • Contract performance: Processing necessary to provide you with our scanning services (Article 6(1)(b) GDPR)
  • Legitimate interest: Analytics and service improvement where your rights are not overridden (Article 6(1)(f) GDPR)
  • Consent: Marketing communications and optional cookies, which you can withdraw at any time (Article 6(1)(a) GDPR)
  • Legal obligation: Where we are required to process data by law (Article 6(1)(c) GDPR)

6. Data Sharing

We do not sell your personal data. We share data only with the following categories of third parties, strictly as needed to deliver our services:

  • Supabase: Database hosting and authentication (EU-hosted)
  • Vercel: Application hosting and edge delivery
  • Browserbase: Managed browser infrastructure for running scans
  • Paddle: Payment processing and Merchant of Record (PCI DSS Level 1 compliant)
  • Sentry: Error tracking and application monitoring

All third-party processors are bound by data processing agreements and are required to handle your data in accordance with GDPR.

7. Data Retention

  • Account data: Retained for the duration of your account plus 30 days after deletion
  • Scan data: Retained according to your plan (Scout: 30 days, Tracker: 90 days, Pathfinder: 1 year, Ranger: 2 years)
  • Usage/analytics data: Anonymized and retained for up to 26 months
  • Payment records: Retained for 7 years as required by tax regulations

8. Your Rights

Under GDPR, you have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Restriction: Request that we limit how we use your data
  • Portability: Receive your data in a structured, machine-readable format
  • Objection: Object to processing based on legitimate interest
  • Withdraw consent: Withdraw consent at any time where processing is consent-based

To exercise any of these rights, email us at privacy@gretelfy.com. We will respond within 30 days.

9. Cookies on Gretelfy.com

We practice what we preach. Gretelfy.com uses only strictly necessary cookies by default. We do not load any analytics or marketing cookies until you provide explicit consent via our cookie banner.

  • Strictly necessary: Session authentication, CSRF protection, consent preferences
  • Analytics (with consent): Anonymized usage analytics to improve the platform

10. International Data Transfers

Some of our service providers may process data outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

11. Security

We implement appropriate technical and organizational measures to protect your data, including encryption in transit (TLS 1.2+), encryption at rest, access controls, and regular security reviews. However, no method of electronic storage or transmission is 100% secure.

12. Children's Privacy

Gretelfy is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by placing a notice on our website. Your continued use of Gretelfy after changes take effect constitutes acceptance of the updated policy.

14. Contact & Complaints

For questions, requests, or complaints regarding this policy or our data practices, contact us at:

Email: privacy@gretelfy.com

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.