39,135 vendors pre-categorized · ready to useHMAC-SHA256 · every consent cryptographically signedPlaywright scanner · detects cookies, pixels, iFrames automaticallyGoogle Consent Mode v2 · native integration8 languages · DE EN FR NL ES IT PL PT12 KB gzipped · async · non-blockingHosted in Germany · EU-only · no US cloud39,135 vendors pre-categorized · ready to useHMAC-SHA256 · every consent cryptographically signedPlaywright scanner · detects cookies, pixels, iFrames automaticallyGoogle Consent Mode v2 · native integration8 languages · DE EN FR NL ES IT PL PT12 KB gzipped · async · non-blockingHosted in Germany · EU-only · no US cloud

Stop collecting consents.
Start proving compliance.

ConsentForge signs every consent with HMAC-SHA256, chains it into a tamper-proof audit trail, and delivers the proof your DPO needs when the next regulator comes knocking.

Start Free GDPR Check Read docs
🇪🇺 Made in Germany·Hosted in Germany·EU-only
39,135
vendors pre-categorized
12 KB
gzipped · async · non-blocking
10
automated compliance checks
8
languages · out of the box
Log vs. proof

Why a CSV log doesn't hold up in court.

An audit doesn't ask "do you have a log?" It asks "can you prove this log hasn't been altered after the fact?" Only one of these approaches answers that question.

Classic consent logDisputable
id,timestamp,user_hash,choices,banner_v
4821,2026-03-11T10:42:00Z,a3f9…2e7b,{analytics:true,marketing:false},7
4822,2026-03-11T10:43:11Z,b8c2…4d1a,{analytics:true,marketing:true},7
4823,2026-03-11T10:44:00Z,c7e1…8f3d,{analytics:true,marketing:true},7
4824,2026-03-11T10:45:12Z,d4a2…91c8,{analytics:false,marketing:false},7
Row 4823 was edited on 03/14. The CSV doesn't know.
  • Database rows, editable anytime
  • No cryptographic linkage between entries
  • An admin with write access can rewrite history
  • Burden of proof: on the controller
ConsentForge receipt chainVerifiable
#48210x8f3a…c21bprev: 0x7a1f…b84c✓ verified
#48220x7a1f…b84cprev: 0x9c4d…e17a✓ verified
#48230x9c4d…e17aprev: 0x3b8a…d29f✕ chain broken
#48240x3b8a…d29fprev: 0x5e2c…a87b✓ verified
Receipt 4823 was edited. The chain breaks exactly there.
  • HMAC-SHA256 signature per receipt
  • Every receipt references the previous one cryptographically
  • Tampering breaks the chain — instantly detectable
  • Burden of proof: mathematically met
Platform

Everything you need for GDPR compliance.

Built for developers, agencies, and compliance teams. Six products, one dashboard, one price.

CoreBanner

Smart Cookie Banner

Fully customizable banner with 8 languages, 3 layout themes, and your brand colors. Correct in every EU jurisdiction.

  • Light · Dark · Auto
  • WCAG 2.2 AA
  • GeoIP jurisdiction
Banner Preview
We use cookies to improve your experience.
NecessaryAnalyticsMarketing
Standard+Scanner

Playwright scanner

Automatically detects every cookie and tracker on your site. Runs weekly or daily depending on plan. Finds new trackers before the regulator does.

  • Headless Chromium
  • Diff between scans
  • CI webhook
Scan resultslive
Google Analytics
Analytics
Unclassified
Meta Pixel
Marketing
Blocked
_ga cookie
Analytics
Blocked
hotjar.com
Analytics
New
NewScore

Compliance score

Real-time GDPR health score for every property. 8 weighted criteria flag issues before they turn into fines.

  • 8 weighted checks
  • 3 hard-fail caps
  • Deltas per scan
Compliance score +4
87/100
Banner active
Policy published
Receipts enabled
Scanner running
Translations complete
CoreReceipts

Consent receipts

Every user interaction generates a cryptographic receipt with timestamp, IP hash, banner version, and choices.

  • HMAC-SHA256
  • Merkle chain
  • JSON + PDF export
Receipt #4821 chain intact
timestamp2026-03-11T10:42:00Z
choicesanalytics=true, marketing=false
ip_hashsha256:a3f9...2e7b
banner_v7
prev_hash0x8f3a...c21b
sigHMAC-SHA256
CoreIntegration

Google Consent Mode v2

Native integration with Google Consent Mode v2. Consent signals reach GA4, Google Ads, and Tag Manager in milliseconds — no GTM hacks.

  • 4 signals automatic
  • TCF v2.3
  • GTM · Segment · Tealium
consent-update.js
// Auto-fired on consent
gtag('consent', 'update', {
  ad_storage:         'denied',
  analytics_storage: 'granted',
  ad_user_data:      'denied',
  ad_personalization: 'denied',
});
NewAuto-Fix

Vendor Auto-Fix

One-click remediation for unclassified vendors the scanner detects. Matches against our vendor library with 80%+ confidence.

  • 39,135 vendors
  • Confidence score
  • Bulk-approve
Auto-Fix suggestions
Cloudflare Web Analytics
cloudflare-insights.com
94%
LinkedIn Insight
snap.licdn.com
97%
Hotjar
script.hotjar.com
99%
Taboola
cdn.taboola.com
88%
How it works

Three steps. 15 minutes. No sales call.

01

Install

One line of code. 12 KB gzipped. Async loaded. Works with GTM, WordPress, Shopify, Webflow, and every other stack — no developer review required.

→ scan
02

Scan

Our Playwright crawler inspects every page. Detects cookies, pixels, iFrames, local storage. Auto-categorizes against 39,135 known vendors. Flags the unknown.

→ prove
03

Prove

Every consent is HMAC-SHA256 signed and written into a hash chain. Export for regulators in 30 seconds. Every entry mathematically verifiable.

✓ audit-ready
Cryptographic Receipts

The difference between "we have a log" and "we have proof".

Every consent is HMAC-SHA256 signed with your tenant key. Receipt 847 cryptographically references receipt 846 — a single tampered entry breaks the chain. Regulators, auditors, and courts get mathematical certainty instead of a CSV file.

Chain fragment · last 5 receiptsMerkle root verified
#8470x8f3a2b91...c21b
prev: 0x7a1f...b84c14:32:08
#8460x7a1f8e42...b84c
prev: 0x9c4d...e17a14:31:52
#8450x9c4de2a1...e17a
prev: 0x3b8a...d29f14:31:31
#8440x3b8af715...d29f
prev: 0x5e2c...a87b14:30:44
#8430x5e2c119f...a87b
prev: 0x1d6a...f32e14:29:12
HMAC-SHA256 · Merkle-chainAudit export (JSON + PDF)
By the numbers

The platform in numbers.

Real data from the ConsentForge platform.

39,135
Vendors
pre-categorized
12 KB
Runtime
gzipped · async
10
Checks
automated compliance checks
8
Languages
DE · EN · FR · NL · ES · IT · PL · PT
Scanner

14 trackers found. 6 loaded without consent. Here they are.

Our scanner loads every page in a real headless browser, logs every request, and compares against the vendor DB. You don't just see what runs on your site — you see what ran before consent was granted.

scan · www.example-customer.com · 2 minutes agoLive
14
Trackers
6
Pre-consent
3
Warnings
247
Requests
Google Analytics 4www.google-analytics.com/g/collect
before-consent0.3s
Meta Pixelconnect.facebook.net/en_US/fbevents.js
before-consent0.4s
LinkedIn Insight Tagsnap.licdn.com/li.lms-analytics/insight.min.js
before-consent0.5s
!
Google Fontsfonts.googleapis.com/css2
no-dpa0.2s
!
Hotjarstatic.hotjar.com/c/hotjar-47293.js
before-consent0.6s
Stripejs.stripe.com/v3
strictly-necessary0.1s
Cloudflare Turnstilechallenges.cloudflare.com
strictly-necessary0.2s
Architecture

Three layers. No black box. Your stack stays yours.

Banner at the edge. Receipts in Germany. Export directly to your S3 or data warehouse. We're not the data custodian — we're the cryptographic infrastructure under your consent layer.

01

Edge Banner

EU edge · 12 KB gzipped · async, non-blocking · works on any page

02

Signing Vault

Germany · HMAC-SHA256 · tenant-isolated keys · Merkle-chained

03

Audit Export

S3 · GCS · Azure Blob · webhook · JSON + PDF + tamper-proof hash

Vendor database

39,135 services. Pre-categorized. Instantly blocked.

The most extensive vendor library in the CMP market. Cookie and script matchers identify services automatically — your team doesn't have to guess what an unknown request means.

Search vendors…⌘K
39,135 vendors available8 shown
Google Analytics 4
google-analytics.com
AnalyticsBLOCKED
Meta Pixel
facebook.com
MarketingBLOCKED
Hotjar
hotjar.com
AnalyticsBLOCKED
Intercom
intercom.com
NecessaryALLOWED
YouTube
youtube.com
External mediaBLOCKED
Stripe
stripe.com
NecessaryALLOWED
Segment
segment.com
AnalyticsBLOCKED
LinkedIn Insight
linkedin.com
MarketingBLOCKED
Vendor Auto-Fix

Unknown trackers aren't guessed — they're suggested.

VendorAutoFixService matches unknown requests against signatures, domains, and known variants. Your team clicks "Apply" — or "Bulk-Approve all".

5 unknown trackers detected
Cloudflare Web Analyticscloudflare-insights.com
94% match
Hotjar Heatmapsscript.hotjar.com
99% match
LinkedIn Insight Tagsnap.licdn.com
97% match
Taboolacdn.taboola.com
88% match
Intercom Messengerwidget.intercom.io
99% match
Compliance score

Eight criteria. One number. Three hard-fail caps.

Not a vanity metric. The score sums weighted checks and caps on real violations — broken blocking, unpublished policy, unknown trackers. You see at a glance what's missing and what it costs.

94/100
↗ +12
Blocking works15
No unknown trackers15
All vendors mapped15
Translations complete15
Policy published10
Scanner runs10
Receipts generated10
Distribution healthy10
Hard-fail caps
Blocking brokencap 40
Unknown trackercap 60
Policy unpublishedcap 50
Google Consent Mode v2

One integration. Four signals. No compromises.

Ad_storage, analytics_storage, ad_user_data, ad_personalization — mapped automatically. Ad performance stays measurable, GDPR compliance stays intact.

ad_storagegranted
analytics_storagegranted
ad_user_datadenied
ad_personalizationdenied
consent-init.jsJS
// One line. 12 KB gzipped. Async. No framework.
<script
  src="https://cdn.consentforge.com/embed.js"
  data-token="prop_9f3b2c1a"
  async
></script>

// Auto-sync with Google Consent Mode v2
window.consentforge.on('change', (c) => {
  gtag('consent', 'update', {
    ad_storage:          c.marketing     ? 'granted' : 'denied',
    analytics_storage:   c.analytics     ? 'granted' : 'denied',
    ad_user_data:        c.marketing     ? 'granted' : 'denied',
    ad_personalization: c.personalization ? 'granted' : 'denied',
  });
});
AGENCY / YOUR-AGENCY47 CLIENTS
01
Client 01
94
02
Client 02
91
03
Client 03
88
04
Client 04
71
05
Client 05
96
06
Client 06
93
07
Client 07
64
08
Client 08
89
09
Client 09
92
Agency mode

Whitelabel for agencies that scale compliance.

Your brand. Your domain. Clients as sub-tenants. Bulk operations roll a config change across 120 properties in 45 seconds.

  • Your logo, colors, domain
  • Multi-tenant RBAC
  • Pre-built banner templates
  • Bulk operations across n properties
  • Agency dashboard with score aggregation
  • Stripe-based reseller billing
Pricing

Free. For everyone.

ConsentForge is completely free to use. No credit card. No hidden fees.

Free
For all websites
0/ forever
  • Unlimited properties
  • Automated scanner
  • Cryptographic receipts
  • Google Consent Mode v2
  • 39,135 vendors
  • 8 languages
  • Email support
Get started
FAQ

Questions we hear often.

What makes you different from Cookiebot or OneTrust?
Cryptographic receipts. Our competitors log consents in a database — we sign every one with HMAC-SHA256 and chain them together. A single tampered entry breaks the chain. That's the difference between a log and a proof.

Ready to prove compliance — not claim it?

Start with the Free GDPR Check on your own site. Setup takes 15 minutes.

Free GDPR Check Read docs
No credit card required·15-minute setup·EU-hosted · GDPR-compliant