Privacy Policy

Last Updated: March 21, 2025

This Privacy Policy explains how Consentmo (iSenseLabs dba Consentmo) collects, uses, stores, and shares personal data when you install or use the Consentmo app (the “Service”) on a Shopify-supported store. It also outlines the measures we take to protect your data, how we use Artificial Intelligence (AI) within our services, and your rights regarding your personal information.

Information We Collect and How We Use It

Information from Shopify upon Installation:
When you install our app, we receive certain information from your Shopify account as part of the app setup. This includes your store’s .myshopify.com domain name and the contact email associated with your store. We store this information to identify your account and to provide you with customer support. This access is visible during the app installation process on Shopify. We keep your store domain and email confidential and do not share them with third parties except as needed to operate our Service.

Information You Provide Directly:
We only collect additional personal information if you or your customers voluntarily provide it to us. For example, if you contact us via email or live chat for support, or if a customer submits a request through one of the app’s compliance pages, we will receive any personal data you include (such as your name, email address, or details of the request). We use this information solely to respond to and address your inquiry or request. We do not sell this information or use it for any purpose unrelated to your specific support or compliance request.

Data Collected Through Consentmo App Features

Cookie Consent Records:
When a visitor on your store interacts with the cookie consent bar (for example, by accepting or declining cookies), our app records the action. We log details such as the visitor’s customer ID on your store (if they are logged in or have an account), their email address (if available), a masked IP address (for privacy, the visitor’s IP is partially anonymized in our records), the ID of the privacy policy page they accepted, and the date and time of the action. This information provides you with an audit trail of consents and preferences, which is important for compliance record-keeping.

Compliance Requests:
If a visitor (or customer) submits a data subject request through one of the app’s compliance pages (for example, a GDPR or CCPA request to access or delete their personal data), the app collects the details needed to fulfill that request. We record data including: your store ID, the type of request made (e.g., data access, deletion, or other privacy request), the visitor’s customer ID and email (if the visitor is logged in or provides an email for contact), the visitor’s masked IP address and browser user agent (to log the environment of the request), and the date and time of the request. For specific deletion requests, we similarly log the customer ID (if any), email, and timestamp of the request. We use this information to process the request and to provide you (the merchant) and the requesting user with a record of the action. Importantly, if the request is for data access or portability, our app retrieves the relevant personal data directly from Shopify on your behalf and delivers it to the user; we do not permanently store that personal data on our own servers.

Required Shopify Permissions:
To perform the above functions, the Consentmo app integrates with your Shopify store via Shopify’s API. Upon installation, the app will request certain permissions (scopes) such as access to customer and order information and the ability to manage store content. For example, the app needs to read customer data (to identify users making requests and to fetch their data for access requests), read order data (for requests related to order information), and create or edit content on your store (to generate the compliance pages, like your store’s privacy policy or cookie policy page). It also requires access to settings like script tags, theme info, and locale settings to ensure the cookie consent bar functions correctly on your site. By installing the app, you agree to grant these permissions. These permissions are used strictly to provide the compliance features of the Service, and you can review them during the installation process. All data accessed via these permissions is handled as described in this Privacy Policy.

Analytics Data

On our corporate website (outside of the app on your store), we use Google Analytics to understand usage and improve the website experience. Google Analytics may collect information about your visit (such as pages viewed, time spent on site, and approximate location based on IP address). No personal data like your name or email is collected through Google Analytics on our site, and we do not use any other third-party analytics or tracking cookies on our website. You have the option to opt out of Google Analytics tracking by using Google’s official Analytics Opt-out Browser Add-on.

Cookies Set by Our App

The Consentmo app sets two cookies in your store visitors’ browsers to remember their privacy preferences:

cookieconsent_status: This cookie stores the visitor’s choice on the cookie consent bar. For example, it notes whether a visitor clicked “dismiss” (closed the banner without action), accepted all cookies, or chose a customized setting (like “accept selected”). This cookie ensures that once a visitor makes a choice, the banner won’t repeatedly show up unnecessarily.
Duration: 1 year.

cookieconsent_preferences_disabled: This cookie stores which categories of cookies are disabled for the visitor. Based on your store’s settings and the visitor’s selections, it records which cookie groups (e.g., marketing, analytics) the visitor has not consented to. If the visitor later updates their preferences, this cookie is updated to reflect those changes.
Duration: 1 year (reset with each preference change).

These cookies are essential for the functionality of the Consentmo app on your store, as they help implement the visitor’s choices for cookie consent. They do not track users across other sites and are not used for advertising purposes. Instead, they only contain information needed to enforce the visitor’s consent decisions on your site.

How We Share and Disclose Information

With the Merchant (Your Store):
As the store owner, you have access to the data that our app collects on your behalf (such as the logs of cookie consents and data requests described above). This data is available in your Consentmo app dashboard and is meant for your records and compliance needs.

With Service Providers (Sub-processors): We use trusted third-party services to help operate our app and support our users.

These include:

Shopify: Our app runs on the Shopify platform and uses Shopify’s infrastructure. Shopify may have access to data insofar as necessary to allow our app to function (per Shopify’s terms and policies). Any data transmitted to or stored in Shopify’s systems is protected by Shopify’s agreements.

Crisp (Chat Platform): We provide customer support via chat on our website using Crisp. If you use the chat feature, information you provide (like your email or messages) will be processed through Crisp’s system so we can respond. Crisp is GDPR-compliant and obligated to protect any data processed on our behalf.

CrispAI (AI Service): Crisp technology powers the AI chatbot in our support chat. If you interact with the chatbot, the content of your chat may be sent to the Crisp service to generate responses. Crisp is also bound by data protection obligations. (See Use of AI below for more on how these work.)

These service providers only receive information as needed to perform their functions, and they are not permitted to use your information for anything unrelated to providing services to Consentmo.

For Legal Reasons: We may disclose information if required to do so by law or in response to a valid legal request (for example, a subpoena, court order, or government demand). In such cases, we will only disclose the information that is necessary to comply with the request. If the law allows, we will try to notify you of such requests (for example, if a government agency requests data related to your store) so you are aware of it.

Business Transfers: If Consentmo (iSenseLabs) is involved in a merger, acquisition, sale of assets, or reorganization, your data (and your customers’ data collected through the app) may be transferred to the succeeding entity. If such a transfer occurs, we will ensure that your data remains protected and will inform you of any significant changes to the Privacy Policy or data handling practices.

Outside of these scenarios, no data is shared with other parties. We do not provide customer data to advertisers or unrelated third parties.

    Use of Artificial Intelligence (AI)

    We incorporate AI technologies into certain features of our Service to improve functionality and user experience. We are committed to using AI in a transparent and responsible manner, in compliance with the emerging EU AI Act and other relevant regulations.

    Here’s how we use AI and what it means for you:
    AI in Customer Support (Chatbot): Our website’s support chat may be handled initially by an AI-powered chatbot. This chatbot (provided by the Crisp platform) can answer common questions and provide guidance 24/7. When you type into the chat, the AI processes your message to determine an appropriate answer. The data you provide (like your name, email, or question) is used only to generate a helpful support response.
    Human Oversight: If the chatbot cannot assist or if you request a human agent, our support team will take over the conversation. A human is always available upon request – the AI is simply a first-line assistant. We clearly indicate in the chat interface when you are talking to the AI. All chat data is handled according to our Privacy Policy and Crisp/ENUM’s privacy commitments. No automated decisions with legal or significant effects are made by the chatbot; it’s purely a convenience tool.

    AI for Cookie Categorization (Scanner): Consentmo offers a cookie scanner feature that uses AI algorithms to identify and categorize cookies on your website. This helps you automatically generate a comprehensive cookie list for your cookie policy. The AI scans your site for cookies and, based on patterns (like cookie names or domains), classifies each cookie (e.g., as “analytics” or “marketing”).
    No Personal Data Processed: This scanning process deals only with cookie data and website script information. It does not collect or use any personal information about your visitors. The result of the scan is a list of cookies and their categories, which you can review. This feature helps ensure you inform your visitors about all cookies in use, aiding compliance with laws like GDPR that require transparency about cookies.

    AI Compliance and Governance

    We have implemented internal policies to govern our AI usage responsibly:

    Risk Assessment: We evaluate our AI systems to ensure they are considered low-risk under the EU AI Act. For example, our chatbot and cookie scanner are not making high-stakes decisions; they assist with customer service and data classification, which are low-risk activities. We periodically review these features for any potential risks.

    Bias & Fairness: We train and configure our AI to treat all inputs neutrally. We also review outcomes (like chatbot responses) to ensure they are free of inappropriate bias. If any biased behavior is detected, we adjust the system or its training data.

    Human Control: We maintain human oversight over AI outputs. As mentioned, our support team monitors the AI chatbot interactions, and a human can step in at any time. Similarly, the results of the cookie scanner can be reviewed and adjusted by you (the merchant) — you are not forced to accept the AI’s categorization if something looks off.

    Security: Any data processed by AI is subject to the same security measures described in this policy. We protect it during transit and at rest. Additionally, we ensure that our AI providers (like ENUM) have robust security and privacy measures in place.

    Transparency: We aim to be transparent about where and how AI is used. This Privacy Policy, as well as in-app descriptions, informs you when a feature is AI-driven. If our use of AI significantly changes, we will update this document.

    Continual Compliance: We keep abreast of new regulations and guidance around AI. As laws like the EU AI Act evolve and possibly come into effect, we will update our practices to remain compliant. We will also update you (through this policy or other notices) about significant changes in our AI use.

    Your Choices Regarding AI: Using Consentmo does not mean you must interact with AI if you prefer not to. For example, you can skip the AI chatbot and directly email us for support. The cookie scanner is an optional tool; you can also manually input cookie information if desired. If you have any concerns about how AI is used in our Service, you can contact us at support@consentmo.com, and we will provide additional information or alternative solutions where feasible. We want you to feel comfortable and informed about the technology behind our service.

    Data Storage and Retention

    We retain personal data only for as long as necessary to fulfill the purposes described in this policy, or as required by law or for legitimate business purposes. Below are our key retention practices:

    Consent and Request Logs: Data that our app collects for compliance purposes — such as records of cookie consents and records of GDPR/CCPA requests — is retained for 12 months from the date of collection. After 12 months, these records are automatically deleted from our database. For example, if a customer’s consent was recorded on January 1, 2025, that record will be purged around January 1, 2026. We implement this retention limit to minimize how long we hold personal data, in line with privacy regulations and best practices.

    Data on Uninstall: If you (the merchant) uninstall Consentmo from your store, we will retain the data that was collected on your behalf (such as your store’s consent logs) for up to 3 months after uninstallation. The purpose of this retention is to preserve the records in case you reinstall the app or need to access the data for legal purposes shortly after removal. After 3 months post-uninstall, any personal data and logs specific to your store that remain on our systems will be securely deleted. Keep in mind that once deleted, these records cannot be recovered.

    Customer Support Data: If you interact with our support (via email or chat), we may keep that correspondence for a period of time. Typically, support emails and chat transcripts are retained as long as necessary to resolve your inquiry and for us to analyze and improve our support services. These communications may be retained in our support system (e.g., email archives or Crisp chat history) but are kept confidential. If you want us to delete a support conversation record and it’s within our power to do so, you can request that.

    Storage Location: The data that Consentmo collects and processes is stored on secure servers with reputable cloud providers. For our GDPR compliance features, all data is stored in the European Union (we utilize a data center in Amsterdam, Netherlands). Keeping data in the EU helps ensure that it is handled under strict European data protection standards. In cases where data might be transferred outside of the EU (for example, if you as a user are outside the EU and access your data, or if our support team outside the EU accesses it), we rely on appropriate safeguards such as Standard Contractual Clauses to protect the data.

    Security Measures: We have implemented robust security measures to protect your data against unauthorized access, alteration, disclosure, or destruction. This includes using encryption for data in transit (HTTPS) and, where applicable, encryption at rest. We also limit access to personal data to authorized personnel who have a legitimate need to work with it (for example, support or engineering staff) and those individuals are bound by confidentiality obligations. We routinely update our software and infrastructure to address security vulnerabilities and regularly review our security practices. In the unfortunate event of a data breach or security incident affecting your or your customers’ personal data, we have a response plan to notify you and the appropriate authorities as required by law.

    After the above retention periods expire or data is no longer needed, we either delete the personal data or anonymize it (so it can no longer be associated with an individual), except to the extent we are required to keep it longer by law (for example, some transaction logs may need to be kept for financial auditing or legal compliance purposes beyond the standard retention time).

    Your Rights and Choices

    Both you (as a merchant using Consentmo) and your customers (the visitors to your store) have certain rights regarding personal data. Consentmo is designed to help you facilitate many of these rights for your customers.

    Below is a summary of those rights and how you or your customers can exercise them:

    Right of Access:
    Individuals have the right to know what personal data is collected about them and to obtain a copy of that data. Through Consentmo’s compliance pages on your store, a customer can request access to their personal data. When such a request is made, our app compiles the relevant information (e.g., customer data and order data) from your Shopify store and provides it to the requester. As noted, our app itself does not store personal data long-term; it acts as a bridge to retrieve data from Shopify on your behalf. As a merchant, you also can request to see the data that Consentmo has logged for your store (like consent logs).

    Right of Rectification:
    If a person’s data is incorrect or incomplete, they have the right to have it corrected. Most of the personal data (like name or email) displayed to a customer via our app comes directly from your Shopify store data. If a customer finds an error in their personal data, they would typically contact you (the store) to correct it in Shopify. Any corrections in Shopify will flow through to our system when that data is next used (e.g., if the customer makes another request). If there is any data specifically in Consentmo’s logs that needs correction, you can reach out to us and we will assist in updating the record if appropriate.

    Right to Deletion (Right to be Forgotten):
    Individuals can request that you delete their personal data. Our app provides a “forget me” or deletion request option on the compliance page for this purpose. When a deletion request is submitted, you (the merchant) receive a notice and can take action to delete the customer’s data from your store (Shopify provides tools for this, which our app can help trigger or facilitate). Our app will log that a deletion request occurred and, once you confirm the data is deleted in Shopify, our system will also remove any corresponding records (aside from the request log itself, which is kept for 12 months as noted). In short, if a customer asks to be forgotten, we help ensure their data is removed from both your store and our app’s records, as required.

    Right to Object or Restrict Processing:
    A user can object to certain processing of their data or ask that processing be limited. In practice, this can be exercised through our app by, for instance, refusing consent to certain cookies (objecting to non-essential tracking) or toggling preferences to “off” in the preference center (which is effectively a restriction on processing of, say, marketing data). If a store visitor has a more specific objection (for example, they do not want their data used by the Consentmo tool at all), they could contact you or us. We would then explain that our tool’s processing is minimal and solely for compliance, but we can also ensure we exclude or delete their data if possible. As a merchant, if you object to any aspect of how we process data on your behalf, you can contact us to discuss those concerns as well.

    Right to Data Portability:
    Individuals have the right to obtain their personal data in a commonly used, machine-readable format, and to have it transferred to another controller if desired. Through our app’s export function (when a user requests data access), the information compiled from Shopify can be provided in a CSV or JSON format, which meets the criteria of being machine-readable. That data can then be given to the individual, fulfilling a portability request. Since our app primarily interfaces with Shopify, the data format will align with Shopify’s export formats.

    Right to Withdraw Consent:
    If our processing of personal data is based on consent (for example, placing certain cookies or sending marketing emails), individuals have the right to withdraw that consent at any time. Our cookie consent mechanism allows visitors to change their mind: they can revoke consent to optional cookies by adjusting the sliders in the preference popup (or clear their cookies, which will reset the state). Likewise, if someone has subscribed to our newsletter (consented to marketing emails from Consentmo or iSenseLabs), they can withdraw consent by clicking “unsubscribe” in any email we send or by contacting us directly to opt out. Withdrawing consent does not affect the lawfulness of processing that happened before the withdrawal.

    Rights related to Automated Decision-Making:
    Under GDPR and similar laws, individuals can request human intervention or challenge a decision made solely by automated means if it has significant effects on them. As explained, Consentmo’s use of AI does not make impactful decisions about individuals – it’s either providing information (chatbot) or categorizing cookies. There are no consequential decisions like credit scoring or job selection being made. Nonetheless, we affirm that a human is always in the loop for our AI features. If any user ever feels that an AI aspect of our service is affecting them, they are entitled to have a human review it. For example, if a customer thought the AI chatbot gave an inappropriate answer regarding their data rights, our support team would review and correct any misinformation.

    Non-Discrimination:
    If a user exercises any of their privacy rights (such as opting out of cookies or requesting data deletion), we (and you as the merchant) will not treat them differently or unfairly. For example, a user who declines cookies will still be able to access your site’s core features; we simply won’t load the blocked cookies. This principle is built into laws like CCPA (which forbids denying services or charging different prices just because someone exercised their privacy rights), and our Service is designed to help you honor that.

    To exercise any of these rights with respect to data that Consentmo processes, you or your customer can use the built-in tools (cookie banner, compliance pages) as described. If there’s a special case or any difficulty (for instance, a customer emails a request instead of using the form), you can always reach out to us at support@consentmo.com for assistance. We will help facilitate the request to ensure compliance with applicable laws.

    Data Processing Agreement (DPA) and Compliance

    When you use Consentmo, we are effectively acting as a data processor on your behalf for the personal data of your store’s visitors (where you are the data controller). Laws like the GDPR require a data processing agreement whenever a controller uses a processor. By agreeing to our Terms of Service and installing the app, you are entering into a data processing agreement with us (the terms of which are often referred to in our policies or available as a separate DPA document on our site).
    Here are the key points regarding data processing and compliance:

    Shopify as Processor/Controller: Because our app runs on Shopify, certain data interactions are covered by your agreements with Shopify. Shopify’s own Data Processing Addendum (DPA) extends to apps you install, meaning Shopify imposes certain privacy obligations on apps like ours. We align our practices with Shopify’s requirements to ensure consistency and compliance.

    Consentmo’s DPA: Our detailed Data Processing Addendum outlines our obligations and your rights concerning data processed via our app.

    In summary, we:
    • Only process personal data based on your instructions (as given through using the app’s features and as needed to operate the Service).
    • Implement appropriate security measures to protect personal data (as described in the Security Measures section above).
    • Ensure our staff are bound to confidentiality and only process data as necessary.
    • Will assist you, where possible, in fulfilling your obligation to respond to individual rights requests (as demonstrated by the features we provide).
    • Will inform you if we believe any instruction infringes on data protection laws (though this is unlikely given the nature of our Service).
    • Engage sub-processors (like the ones listed in the “Service Providers” section) only with proper agreements in place and remain liable for their compliance.
    • Will, upon termination of the service, delete or return personal data we processed for you, as outlined in the retention section.
    • Provide certifications or information reasonably requested to verify our compliance, and allow for audits or inspections under the conditions permitted by our Terms (typically, remote audits or review of documentation, given the scalable nature of a SaaS app).

    International Data Transfers: If you or your customers are in the European Economic Area (EEA) or United Kingdom, and personal data is transferred out of those regions (for example, a user in the EU interacts with our servers not in the EU), we ensure such transfers are legally protected. We have Standard Contractual Clauses in place as part of our DPA for any EU-US data transfers, and as noted, we store EU citizen data in the EU where possible.

    By using the Consentmo app, you agree to the terms of the DPA. If you need a signed copy for your records, you can contact us to obtain one.

    Changes to This Privacy Policy

    We may update or revise this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make material changes to the policy, we will notify you by appropriate means – for example, by posting a prominent notice on our website, updating the policy in the app interface, or emailing you if you’ve provided an email for contact. Minor changes (such as clarifications or typographical corrections) may occur without direct notice, but the “Last Updated” date at the top will always reflect the latest revision.

    We encourage you to review this Privacy Policy periodically. Continued use of the Consentmo Service after any changes to this policy constitutes your acceptance of those changes. If you do not agree with any update, you should discontinue use of the Service and can request that we remove your data as per the Your Rights section.

    Contact Us

    If you have any questions, concerns, or requests regarding this Privacy Policy or how Consentmo handles personal data, please contact us:

    Consentmo Support Team
    Email: support@consentmo.com
    Address: Prof. Georgi Bradistilov Str. No.4, 1700 Sofia, Bulgaria.
    EU Registration Number: 112660079

    We will be happy to assist you and address any questions you may have.