Data and Logging Transparency
Last updated: February 18, 2026
This page explains what consent-related data Cybexo CMP retains for service operation, auditability, and regulatory support.
Cybexo is designed to process and store consent state information only, not personal profile data.
1. Typical Stored Fields
Section titled “1. Typical Stored Fields”Cybexo may store the following consent-related data elements:
- A pseudonymous consent token or consent identifier
- Consent status by category or purpose (for example advertising, analytics)
- Timestamp of consent creation
- Timestamp of last update
- Framework flags (for example TCF, GPP, Google Consent Mode v2)
- Region and policy evaluation flags used to determine applicable banner behavior
- Vendor or purpose selection state (where applicable under TCF/GPP)
These fields are required to:
- Maintain user consent state
- Support audit verification
- Synchronize consent with supported SDKs and integrations
- Comply with framework technical requirements
Cybexo does not enrich consent records with behavioral tracking or marketing data.
2. Typical Excluded Fields
Section titled “2. Typical Excluded Fields”Cybexo CMP does not store:
- Full names
- Email addresses
- Phone numbers
- Free-text user input
- Authentication credentials
- Payment data
- Device fingerprinting data beyond what is strictly necessary for consent state persistence
Consent identifiers are pseudonymous and are not intended to directly identify a natural person.
Customers remain responsible for any personal data processed outside of Cybexo CMP.
3. Storage and Processing Location
Section titled “3. Storage and Processing Location”Cybexo uses cloud infrastructure providers to host production systems.
- Primary processing region: United States
- Infrastructure: hosted within secure cloud environments managed by third-party infrastructure providers.
- Data is transmitted and processed over encrypted connections (TLS 1.2+).
If regional hosting becomes available or customer-specific arrangements are implemented, those will be documented in contractual agreements.
4. Retention
Section titled “4. Retention”Retention policies are designed to balance audit requirements and data minimization principles.
- Consent record retention:
Consent records are retained for the duration of the customer’s active subscription, unless earlier deletion is requested or required by law. - Audit/debug log retention:
Operational logs are retained for a limited period based on internal security and operational policies. - Deletion workflow:
Upon subscription termination or written request:- Consent data may be deleted or anonymized.
- Customers may request confirmation of deletion.
- Deletion timelines are governed by contractual terms.
Cybexo does not retain consent records longer than necessary for operational and compliance purposes.
5. Access and Export
Section titled “5. Access and Export”Access to consent-related records is restricted:
- Role-based access control (RBAC) applies.
- Least-privilege access is enforced for administrative systems.
- Administrative access is logged.
Export options:
- Customers may request export of consent data where contractually required.
- Export formats may include structured data formats (for example CSV or JSON), subject to subscription tier and operational policies.
- API-based access to consent state is available through documented SDK interfaces.