Privacy-first by design.
PrivacyKit is designed to minimize risk — both for you and your users. It operates without third-party scripts, avoids unnecessary data collection, and ensures that consent handling runs entirely client-side.
This architecture reduces security exposure and simplifies vendor approval processes.
Delivered via edge, framework-agnostic, and designed to keep the core functionality fully client-side.
Delivered via a globally distributed edge network, accessible through cdn.privacykit.eu
No installation or framework dependencies
Framework-agnostic (works with any stack)
Stateless client-side execution
Lightweight backend at privacykit.eu for subscription validation only
Key point: Core consent functionality runs entirely in the browser and does not depend on backend availability.
Assets are served as static files, with no server-side execution required for core functionality.
All script execution stays under your consent mechanism.
PrivacyKit itself does not include:
Analytics
Tracking
Marketing scripts
External SDKs
All script execution is fully controlled by the consent mechanism.
PrivacyKit stores only what is required to manage subscriptions:
Email address
Domain name
Subscription status and expiry
Not stored:
Payment data (handled entirely by Paddle)
End-user data (your website visitors)
Analytics or behavioral data
Important: PrivacyKit does not process personal data from your website visitors.
Payments are handled externally, with no card or billing details stored in PrivacyKit.
Payments are handled by Paddle (external payment provider)
No access to card or billing details
No payment data stored within PrivacyKit systems
A minimal architecture reduces exposure and keeps the dependency surface small.
Private source code repositories
Controlled access
Continuous deployment pipeline
Minimal dependency surface
HTTPS enforced (TLS 1.2+)
No third-party runtime dependencies
No unnecessary script execution
Hosted on a managed platform with automated scaling and security updates
Data stored within the EU
Design principle: A minimal architecture reduces attack surface and limits potential vulnerabilities.
Encrypted in transit, stored within the EU, and access restricted to the operator only.
Data in transit: encrypted via HTTPS
Data at rest: stored within EU-based infrastructure
Access: restricted to the operator only
No shared credentials
Consent continues to work even if backend services are temporarily unavailable.
Delivered via a globally distributed edge network
High availability by design
Backend used only for subscription validation
Important: Consent functionality continues to operate even if backend services are temporarily unavailable.
PrivacyKit uses a minimal set of infrastructure providers.
Vercel — hosting and edge delivery
Paddle — payment processing
Database hosting provider (EU-based)
No additional third-party services are used.
Dependencies are kept up to date and security issues are addressed promptly.
Dependencies are kept up to date
Security issues are addressed promptly
The system is designed to support external security testing if required
Designed to support GDPR and ePrivacy requirements.
PrivacyKit is designed to support:
GDPR (General Data Protection Regulation)
ePrivacy requirements
Key principles:
No tracking without consent
Data minimization
Full control over script execution
For security or compliance inquiries: support@privacykit.eu
A low-risk, privacy-focused solution that can be adopted quickly.
PrivacyKit is intentionally simple:
No third-party scripts
No tracking or analytics
Minimal data storage
Client-side execution
This results in a low-risk, privacy-focused solution that can be adopted quickly without introducing unnecessary complexity.
