Compliance notes

An honest list of what we technically implement vs. what still needs legal validation.

Read this before shipping to customers. Compliance depends on context outside the software (your DPA, your sub-processor list, and legal review of banner copy). We never claim "100% GDPR compliant" or "IAB certified".

Implemented

• Postgres RLS isolates every tenant's data.
• No raw IP addresses are stored; only a hash keyed with a per-website pepper.
• The user agent string is stored as a SHA-256 hash.
• The anonymous visitor id is a client-side UUID, not linked to any account.
• Audit logs for banner publishes, geo edits and team changes.
• Default-deny consent state for EU/EEA/UK before any Google tag fires.
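The IP and user-agent bullets above describe what is stored, not how. The following is an added example written for these notes, not code from the product: it assumes the per-website pepper is a random 32-byte secret held server-side (the sample peppers are constructed), that the stored IP value is HMAC-SHA256 over a normalized IP, and that IPv4 clients on a dual-stack listener can arrive as `::ffff:a.b.c.d`. The pepper is what makes the design hold up: the IPv4 space is small enough to enumerate, so an unkeyed hash of an IP can be reversed offline by anyone who obtains the table.

```typescript
import { createHash, createHmac } from "node:crypto";

// Assumed design (not specified on the page): one random 32-byte pepper per
// website, kept server-side and never stored beside the hashes.
// The values below are constructed samples, not real secrets.
const PEPPERS: Record<string, Buffer> = {
  "site-a": Buffer.from("11".repeat(32), "hex"),
  "site-b": Buffer.from("22".repeat(32), "hex"),
};

// Canonicalize so the same client hashes identically on every request.
// Assumption: dual-stack sockets may report IPv4 clients as "::ffff:a.b.c.d".
export function normalizeIp(ip: string): string {
  const trimmed = ip.trim().toLowerCase();
  const mapped = trimmed.match(/^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/);
  if (mapped && mapped[1]) return mapped[1];
  return trimmed;
}

// Keyed hash of the client IP. Without the pepper, all ~4 billion IPv4 values
// could be hashed in advance and every stored value looked up.
export function hashIp(websiteId: string, ip: string): string {
  const pepper = PEPPERS[websiteId];
  if (pepper === undefined) {
    throw new Error(`no pepper configured for website ${websiteId}`);
  }
  return createHmac("sha256", pepper).update(normalizeIp(ip)).digest("hex");
}

// Unkeyed SHA-256 of the user-agent string, as the notes describe.
export function hashUserAgent(ua: string): string {
  return createHash("sha256").update(ua).digest("hex");
}

export interface VisitRecord {
  websiteId: string;
  ipHash: string;
  uaHash: string;
}

// What reaches the database: values derived from the request, never the
// request values themselves.
export function toVisitRecord(websiteId: string, ip: string, ua: string): VisitRecord {
  return {
    websiteId,
    ipHash: hashIp(websiteId, ip),
    uaHash: hashUserAgent(ua),
  };
}

// Invariant check for tests and review: the stored record must not contain
// the raw IP or the raw user agent in any field.
export function leaksRawValues(record: VisitRecord, ip: string, ua: string): boolean {
  const serialized = JSON.stringify(record);
  return serialized.includes(normalizeIp(ip)) || serialized.includes(ua);
}
```

Because the pepper differs per website, the same visitor produces unrelated hashes on two customers' sites, so the hashes cannot be joined across tenants even by someone holding both tables. Rotating a pepper invalidates that website's existing hashes, which is the intended trade-off for a value that is only ever compared, never reversed.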
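The last bullet is an ordering requirement as much as a setting: the denied default has to be queued before any Google tag is configured, and it has to be scoped to the right regions. The example below is added for these notes and is not the product's own banner code. The consent signal names (`ad_storage`, `analytics_storage`, `ad_user_data`, `ad_personalization`), the `region` parameter and `wait_for_update` are real Google Consent Mode parameters; the region list, the command-queue simulation, the `outsideScope` parameter and the check function are this example's own assumptions.

```typescript
// Google Consent Mode v2 signal values.
type ConsentValue = "granted" | "denied";

export interface ConsentState {
  ad_storage: ConsentValue;
  analytics_storage: ConsentValue;
  ad_user_data: ConsentValue;
  ad_personalization: ConsentValue;
}

// ISO 3166-1 alpha-2: the 27 EU members, the three other EEA states
// (IS, LI, NO) and the UK (GB). Compiled for this example.
export const EU_EEA_UK: readonly string[] = [
  "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
  "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
  "SE", "IS", "LI", "NO", "GB",
];

function uniform(value: ConsentValue): ConsentState {
  return {
    ad_storage: value,
    analytics_storage: value,
    ad_user_data: value,
    ad_personalization: value,
  };
}

export const ALL_DENIED: ConsentState = uniform("denied");

// gtag region entries are a country ("GB") or a subdivision ("US-AK");
// a country entry covers every subdivision under it.
export function regionMatches(visitorRegion: string, entry: string): boolean {
  const v = visitorRegion.trim().toUpperCase();
  const e = entry.trim().toUpperCase();
  return v === e || v.startsWith(e + "-");
}

// Initial consent state for a visitor. Inside EU/EEA/UK everything is denied,
// as the notes state; what applies elsewhere is this example's parameter.
export function consentDefaultFor(
  visitorRegion: string,
  outsideScope: ConsentValue = "denied",
): ConsentState {
  const inScope = EU_EEA_UK.some((c) => regionMatches(visitorRegion, c));
  return inScope ? ALL_DENIED : uniform(outsideScope);
}

// Simulated gtag command queue: each entry mirrors one gtag(...) call.
export type GtagCommand = [string, ...unknown[]];

// The order the notes require: the region-scoped default is queued before
// any "config" command, so no Google tag ever runs with an undecided state.
// wait_for_update gives the banner time to push an "update" before tags act.
export function bootstrapDataLayer(measurementId: string): GtagCommand[] {
  const dataLayer: GtagCommand[] = [];
  dataLayer.push([
    "consent",
    "default",
    { ...ALL_DENIED, region: [...EU_EEA_UK], wait_for_update: 500 },
  ]);
  dataLayer.push(["config", measurementId]);
  return dataLayer;
}

// Check for tests: a consent default exists and precedes the first config.
export function consentDefaultPrecedesConfig(dataLayer: GtagCommand[]): boolean {
  const firstConfig = dataLayer.findIndex((c) => c[0] === "config");
  const firstDefault = dataLayer.findIndex(
    (c) => c[0] === "consent" && c[1] === "default",
  );
  return firstDefault !== -1 && (firstConfig === -1 || firstDefault < firstConfig);
}
```

The `consentDefaultPrecedesConfig` check is the kind of assertion worth keeping in the banner's test suite: a refactor that moves tag configuration ahead of the consent default silently turns the default-deny guarantee into a default-allow for the first page view.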

Requires legal validation

• Per-language banner copy and category descriptions.
• Geographic rule defaults (the seeded values reflect a sensible default-deny stance, not a legal opinion).
• The cookie declaration disclaimer wording.
• Sub-processor lists in your customer DPA (Supabase, Vercel, Stripe).

Items we don't implement (and why)

• IAB TCF v2.2 — out of scope for v1; revisit if your customers ask for it.
• Strict per-IP rate limiting on consent ingest — Phase 6 follow-up.
• Right-to-be-forgotten endpoint — coming in a follow-up release.