No-sale pledge
TL;DR: CookieVault will never sell, rent, lease, share for cross-context advertising, or otherwise monetize your data. This is a permanent, enforceable commitment covering every user and every data category — not a temporary marketing line — and it binds any future acquirer.
The no-sale pledge is CookieVault’s permanent, public commitment never to sell, rent, lease, share for cross-context advertising, or otherwise monetize user data for value. It exists because the browser-extension and cookie-tooling space has a long history of products being acquired and quietly turned into data-collection vehicles — so a privacy-first product needs to say, plainly and durably, that it will not do that.
Scope of the pledge
In short: The pledge covers every user (Free, Pro, Team) and every data category we touch — the email and billing IDs we can read, and the encrypted blobs we cannot. There are no carve-outs for “anonymized,” “aggregated,” or “de-identified” data.
Everything the pledge covers:
- Cookie contents — already end-to-end encrypted, and never sold or shared regardless
- Account email — never sold, rented, or shared for advertising
- Billing identifiers — the Paddle customer ID and related metadata
- Support correspondence — never mined or monetized
- Aggregate analytics — cookieless and aggregate-only, and never sold even in summary form
- Any “de-identified” derivative — explicitly in scope, because de-identification is the usual loophole
There is no asterisk for “anonymized” data, because re-identification of supposedly anonymous datasets is well documented and we will not lean on that fiction.
What “sale” means
In short: We adopt the broad CCPA definition — any disclosure of personal data to a third party for monetary or other valuable consideration — and explicitly include the indirect arrangements (licensing, lookalike audiences, ad bidding, cohort sales) that companies use to monetize data without calling it a sale.
| Practice | Counts as a “sale/share” under our pledge? |
|---|---|
| Selling data to a data broker | Yes — prohibited |
| Licensing data for a fee | Yes — prohibited |
| Lookalike-audience export to ads | Yes — prohibited |
| Programmatic ad bidding with data | Yes — prohibited |
| ”Anonymized” cohort sale | Yes — prohibited |
| Sharing for cross-context ads | Yes — prohibited |
We use the CCPA’s deliberately broad framing, which defines a “sale” to include releasing, disclosing, or otherwise communicating personal information for “monetary or other valuable consideration.”1 The CPRA amendment separately added “sharing” for cross-context behavioral advertising, and our pledge covers that too.2
Permitted disclosures
In short: Exactly three, and none is a sale: Paddle for billing, Cloudflare for hosting and transit, and lawful compulsion by a valid court order. We never receive value for any of these, and we resist overbroad demands.
The complete list of disclosures we do make:
- Paddle — to process payments and tax as our Merchant of Record
- Cloudflare — to host the service and transit your encrypted data
- Legal compulsion — only under a valid subpoena or court order, and only the minimum required
None of these is a sale: we receive no consideration, the recipients are service providers bound by contract or a court, and the encrypted blobs remain unreadable in transit and at rest. We commit to a transparency report summarizing any compelled disclosures.
How this is enforceable
In short: A stated no-sale promise is enforceable under the CCPA by regulators, and misrepresenting it is an unfair business practice. We reinforce that with a PGP-signed statement in Git, integration into the binding terms of service, and a change-of-control clause that binds any acquirer.
The enforceability stack, strongest legal layer first:
- Statutory — under the CCPA/CPRA a no-sale representation is enforceable by the California Privacy Protection Agency and Attorney General, and misstating it is an unfair business practice1
- Contractual — the pledge is folded into the binding terms of service, making it part of your agreement with us
- Successor-binding — a change-of-control clause carries the pledge to any acquirer, so a sale of the company cannot quietly enable a sale of your data
- Cryptographic provenance — a PGP-signed copy of the pledge is archived in the public Git history, timestamped and tamper-evident
See also
- Privacy policy — what we collect and never collect
- Security — the end-to-end encryption behind these promises
- Terms of service — where the pledge becomes contractually binding
- About — why we are funded by subscriptions, not data
Footnotes
-
The CCPA’s definition of “sale” and its enforcement are summarized by the California Attorney General: https://oag.ca.gov/privacy/ccpa. ↩ ↩2
-
The CPRA added the concept of “sharing” for cross-context behavioral advertising; for the consolidated California privacy code see the official legislative text portal: https://leginfo.legislature.ca.gov. ↩