Privacy Policy
Last updated: 20 March 2026
Pixadoro Ltd. (“Company”, “we”, “us”, “our”) is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you visit our website at kukie.io, use our platform at app.kukie.io, or interact with any of our services (collectively, the “Services”).
By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Services.
Important: This Privacy Policy applies to the personal data we collect from you as our customer or website visitor. It does not apply to any data we process on your behalf as a data processor when you use our cookie consent management platform to collect consent from your own website visitors. That processing is governed by the terms of your subscription agreement with us.
1. Data Controller
The data controller responsible for the processing of your personal data is:
Pixadoro Ltd.
Blvd. Cherni Vrah 47A, 1407, Sofia, Bulgaria
Company number: 206777328
VAT: BG206777328
Email: [email protected]
For any enquiries regarding this Privacy Policy or your personal data, please contact us at [email protected].
2. Legal Basis for Processing
We process your personal data only when we have a lawful basis to do so. The legal bases we rely on include:
- Performance of a contract (Article 6(1)(b) GDPR): Processing necessary to provide the Services you have subscribed to, manage your account, and fulfil our contractual obligations to you.
- Legitimate interests (Article 6(1)(f) GDPR): Processing necessary for our legitimate business interests, such as improving the Services, ensuring security, preventing fraud, and communicating with you about your account, provided these interests are not overridden by your fundamental rights and freedoms.
- Legal obligation (Article 6(1)(c) GDPR): Processing necessary to comply with applicable laws, regulations, or legal proceedings.
- Consent (Article 6(1)(a) GDPR): Where we rely on your consent, such as for marketing communications. You may withdraw your consent at any time by contacting us or using the unsubscribe mechanism provided.
3. Personal Data We Collect
We collect and process the following categories of personal data:
3.1. Account Data
When you register for an account, we collect your name, email address, password (stored in hashed form), and organisation name. If you enable two-factor authentication, we store the associated recovery codes in encrypted form.
3.2. Billing and Financial Data
When you subscribe to a paid plan, we collect billing-related information including your payment method details (processed and stored by our payment provider, Stripe - we do not store your full card details), VAT number (if applicable), and billing address. Transaction records, invoices, and subscription history are maintained for accounting and legal purposes.
3.3. Site and Configuration Data
We collect the domain names you register on the platform, your banner configuration settings (layout, colours, texts, translations, region rules), cookie categorisations, legal document content you create using our generator, and script or service configurations.
3.4. Scan Data
When you run a cookie scan, we collect and store the scan results, including the cookies and tracking technologies detected on your website, page URLs crawled, and categorisation data.
3.5. Technical and Usage Data
When you access the Services, we automatically collect technical information including your IP address, browser type and version, operating system, device type, referring URL, pages visited within our platform, timestamps, and general usage patterns. This data is collected through server logs and may be supplemented by analytics tools.
3.6. Communication Data
If you contact us via email, our contact form, or other channels, we collect the content of your communications along with associated metadata (such as your email address and the date and time of the message).
3.7. Team and Invitation Data
If you invite team members to your organisation, we collect and process the email addresses of invitees and their role assignments within the organisation.
4. How We Collect Your Data
4.1. Directly from You
We collect data you provide when you register an account, subscribe to a plan, configure your sites, create legal documents, contact us, or otherwise interact with the Services.
4.2. Automatically
We collect technical and usage data automatically when you access our website or platform through server logs, cookies, and similar technologies. See Section 9 for details on cookies we use.
4.3. From Third Parties
We may receive data from our payment processor (Stripe) regarding the status of your transactions and subscriptions.
5. How We Use Your Data
We use your personal data for the following purposes:
5.1. Providing the Services
- Creating and managing your account and organisations
- Processing your subscriptions and payments
- Delivering the cookie consent management platform, including the banner script, cookie scanner, consent logging, analytics, and legal document generator
- Providing customer support and responding to your enquiries
Legal basis: Performance of a contract.
5.2. Improving the Services
- Analysing usage patterns to improve the platform’s functionality, performance, and user experience
- Identifying and fixing bugs, errors, and security issues
- Developing new features and capabilities
Legal basis: Legitimate interests (improving and maintaining the quality of our Services).
5.3. Security and Fraud Prevention
- Protecting the Services against unauthorised access, abuse, and security threats
- Detecting and preventing fraudulent activity, including trial abuse
- Monitoring compliance with our Terms of Service
Legal basis: Legitimate interests (security of our systems and protection against fraud).
5.4. Communications
- Sending transactional emails related to your account and subscription (e.g. trial reminders, scan completion notifications, subscription changes, site transfer requests)
- Notifying you of changes to our Terms, Privacy Policy, or Services
- Sending marketing communications, where you have opted in or where permitted by applicable law
Legal basis: Performance of a contract (transactional), legitimate interests (service updates), and consent (marketing).
5.5. Legal Compliance
- Complying with applicable tax, accounting, and regulatory obligations
- Establishing, exercising, or defending legal claims
Legal basis: Legal obligation and legitimate interests.
5.6. Aggregated Statistics
We may create aggregated, anonymised statistics from your data (such as total pages scanned across the platform) for use in marketing materials and platform improvement. This data cannot be used to identify you.
Legal basis: Legitimate interests.
6. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data. We may share your data in the following circumstances:
6.1. Service Providers (Sub-processors)
We engage trusted third-party service providers who process personal data on our behalf to help us operate and improve the Services. These providers are contractually bound to process data only on our instructions and to implement appropriate security measures.
Current sub-processors:
- Hetzner Online GmbH (Gunzenhausen, Germany) - Server hosting and infrastructure. Data stored in the European Union (EU).
- Cloudflare, Inc. (San Francisco, USA) - CDN, DDoS protection, and DNS services. May process IP addresses of visitors.
- Stripe, Inc. (San Francisco, USA) - Payment processing. Processes billing and payment data.
- MaxMind, Inc. (Waltham, USA) - Geolocation database (GeoLite2) for region detection in the banner script. Processes anonymised IP-based lookups locally on our server; no personal data is transmitted to MaxMind.
We will update this list as sub-processors change.
6.2. Legal Requirements
We may disclose your personal data if required to do so by law, regulation, legal process, or governmental request, or if disclosure is necessary to protect our rights, property, or safety, or the rights, property, or safety of others.
6.3. Business Transfers
In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal data may be transferred to the acquiring entity. We will notify you of any such change and any choices you may have regarding your personal data.
6.4. With Your Consent
We may share your data with third parties when you have given us explicit consent to do so.
7. International Data Transfers
Your personal data is primarily stored and processed on servers located within the European Union (EU), operated by Hetzner Online GmbH.
Some of our sub-processors (notably Stripe and Cloudflare) are based in the United States. Where personal data is transferred outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place, including:
- European Commission adequacy decisions
- Standard Contractual Clauses (SCCs) approved by the European Commission
- EU-U.S. Data Privacy Framework certification (where applicable)
You may request a copy of the applicable transfer safeguards by contacting us at [email protected].
8. Data Retention
8.1. Account Data
We retain your account data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where we are required by law to retain certain information (e.g. for tax and accounting purposes, which may require retention for up to 10 years under Bulgarian law).
8.2. Billing Data
Billing and transaction records are retained for the period required by applicable tax and accounting regulations (up to 10 years from the end of the financial year in which the transaction occurred).
8.3. Configuration and Scan Data
Site configurations, banner settings, and scan results are deleted when you remove the associated site from your account or when your account is deleted.
8.4. Consent Data
End-user consent logs collected through the banner script are retained according to the retention period defined by your subscription plan (12, 24, or 36 months). After expiry, consent data is automatically deleted and may only be used in aggregated, anonymised form for platform statistics.
8.5. Communication Data
Support correspondence is retained for a reasonable period to resolve enquiries and for quality assurance, typically no longer than 2 years after the last interaction.
8.6. Technical Logs
Server logs and technical data are typically retained for no longer than 90 days, unless longer retention is required for security investigations or legal proceedings.
9. Cookies on Our Website
When you visit our marketing website (kukie.io) and platform (app.kukie.io), we may use the following types of cookies:
9.1. Strictly Necessary Cookies
These cookies are essential for the operation of the Services. They include session cookies for authentication, CSRF protection tokens, and language preferences. These cookies cannot be disabled as the Services would not function without them.
9.2. Functional Cookies
These cookies enable enhanced functionality and personalisation, such as remembering your dashboard preferences and display settings.
9.3. Analytics Cookies
We may use analytics cookies to understand how visitors interact with our website. These cookies collect information in an aggregated, anonymised form. We will only set analytics cookies with your prior consent.
You can manage your cookie preferences at any time through the cookie banner displayed on our website or through your browser settings. Disabling certain cookies may affect the functionality of the Services.
10. Data Security
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit using TLS/SSL
- Hashed and salted password storage
- Two-factor authentication option for user accounts
- Regular security audits and vulnerability assessments
- Access controls limiting data access to authorised personnel on a need-to-know basis
- Infrastructure hosted in EU data centres with physical security measures
- Cloudflare DDoS protection and WAF
While we strive to protect your personal data, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to implementing industry-standard safeguards.
11. Your Rights
Under applicable data protection laws, including the GDPR, you have the following rights regarding your personal data:
11.1. Right of Access
You have the right to request a copy of the personal data we hold about you and to obtain information about how we process it.
11.2. Right to Rectification
You have the right to request that we correct any inaccurate or incomplete personal data we hold about you. You can also update most of your account information directly through the dashboard.
11.3. Right to Erasure
You have the right to request that we delete your personal data, subject to any legal obligations that require us to retain it. You can delete your account at any time from the account settings page.
11.4. Right to Restriction of Processing
You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to our processing.
11.5. Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller. You can export your data from the dashboard at any time.
11.6. Right to Object
You have the right to object to the processing of your personal data where we rely on legitimate interests as the legal basis. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
11.7. Right to Withdraw Consent
Where processing is based on your consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
11.8. Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority. The relevant authority for Bulgaria is:
Commission for Personal Data Protection (CPDP)
2 Prof. Tsvetan Lazarov Blvd.
1592 Sofia, Bulgaria
Website: www.cpdp.bg
If you are located in another EU member state, you may also lodge a complaint with your local supervisory authority.
11.9. Exercising Your Rights
To exercise any of your rights, please contact us at [email protected]. We will respond to your request within 30 days. If your request is complex, we may extend this period by a further 60 days, in which case we will inform you of the extension and the reasons for it.
We may need to verify your identity before processing your request. There is no fee for exercising your rights, unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.
12. Children
Our Services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us at [email protected] and we will take steps to delete such data promptly.
13. Third-Party Links
Our website and Services may contain links to third-party websites. We are not responsible for the privacy practices or content of those websites. We encourage you to review the privacy policies of any third-party sites you visit.
14. Marketing Communications
We may send you marketing communications about our products and services where you have opted in to receive them or where permitted by applicable law. You can opt out of marketing communications at any time by clicking the “unsubscribe” link in any marketing email or by contacting us at [email protected].
Opting out of marketing communications does not affect transactional emails related to your account and subscription (such as billing notifications, security alerts, and service updates).
15. Data Processing on Your Behalf
When you use the Kukie.io platform to collect consent from your website visitors, we act as a data processor on your behalf. In this capacity:
- You are the data controller for end-user consent data
- We process end-user data strictly in accordance with your instructions and the functionality of the Services
- The terms of this processing are governed by your subscription agreement with us
End-user consent records include an anonymised IP address (first half only), browser user agent, site domain, timestamp, consent choices, and an encrypted identifier. Full IP addresses are not stored in consent logs.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated to registered users by email at least 30 days before they take effect. The updated Privacy Policy will also be published on our website with the revised “Last updated” date.
Your continued use of the Services after any changes constitutes acceptance of the updated Privacy Policy.
17. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
Pixadoro Ltd.
Blvd. Cherni Vrah 47A, 1407, Sofia, Bulgaria
Company number: 206777328
VAT: BG206777328
Email: [email protected]
Website: kukie.io