Axeptio Data Protection: Mandatory Disclosures for Website Operators

Axeptio is a European Consent Management Platform (CMP) that supports website operators in the legally compliant management of user consents. Anyone using Axeptio processes personal data – both for the functioning of the platform itself and as part of consent management. This guide shows what information belongs in the privacy policy and how Axeptio is correctly documented in data protection terms.

A. Purpose and Function of Axeptio

Axeptio provides a JavaScript-based cookie banner and preference centre. The CMP loads via a snippet (<script>) on the website and enables:

• Cookie banner display – on the first visit or in case of missing consent decision
• Consent widget & preference centre – for granular cookie category selection
• Consent logging – documentation of user decisions
• Technical integration – coupling with third-party tools (Google Analytics, marketing platforms, etc.) via IAB TCF or API
• Google Consent Mode support – real-time signalling of consent status to Google

The snippet is typically embedded in the <head> area of the website and loads an Axeptio domain.

B. Mandatory Disclosures in the Privacy Policy when Using Axeptio

If you use Axeptio, you must cover the following points in your privacy policy:

1. Naming of the CMP controller – Axeptio SAS as service provider
2. Purpose of processing – consent management, cookie tracking, legal compliance
3. Legal bases – Art. 6(1)(c) and (f) GDPR; Section 25(2)(2) TDDDG
4. Data recipients – possibly processors, third-party consent platforms
5. Data categories – consent status, browser identifiers, IP address, user agent
6. Retention period – typically 13 months for consent cookies
7. Data subject rights – rights of access, erasure and objection
8. Data protection officer or contact – contact person for data protection questions

You can adapt the following text templates:

C. Provider of Axeptio

Axeptio SAS is a French company based in the EU (Clermont-Ferrand, France). The official privacy policy can be found at:

• Website: axeptio.eu
• Privacy Policy: axeptio.eu/privacy (English/French)
• Data Processing Agreement (DPA): Available on request

Axeptio is subject to the French data protection supervisory authority (CNIL) and the GDPR. Data is stored exclusively in EU data centres.

D. Data Processing – Sequence in Steps

E. Data Collected by Axeptio

Axeptio collects and processes the following personal data:

Web server log data:

• IP address (truncated for anonymisation)
• HTTP request headers (referer, user agent)
• Timestamp of the request
• HTTP status code

Browser information:

• Browser type and version
• Device type (smartphone, desktop, tablet)
• Language setting
• Cookies and local storage data

Coarse location data:

• Country and possibly region (from IP geolocation)
• Note: No precise location determination

Device data:

• Device identifier (Device ID)
• Screen resolution
• Time zone

Consent events and conversion data:

• Cookie categories (accepted/rejected)
• Time of decision
• Possibly user ID (if recorded in the preference centre)

This data is not used for profile creation or behaviour analysis, but exclusively for the provision of functionality and compliance documentation.

F. Purposes of Use

The processing by Axeptio takes place for the following purposes:

Provision of functionality:

• Display of the cookie banner and preference centre
• Storage of user consents
• Conversion of consent decisions into signals for third-party tools

Security and abuse protection:

• Detection and prevention of bot traffic
• Rate limiting (protection against DoS attacks)
• Anomaly detection (unusual access patterns)

Compliance and legal enforcement:

• Creation of audit logs for GDPR evidence
• Archiving of consent decisions
• Fulfilment of statutory retention obligations

Service improvement:

• Anonymised usage statistics (aggregation)
• Error diagnostics and performance monitoring
• Security updates and bug fixes

G. Legal Bases for Data Processing by Axeptio

The processing is legally permissible under the following bases:

1. Processing for functional purposes (Art. 6(1)(f) GDPR): Your legitimate interests in functional security and compliance evidence outweigh the user's interests. This processing takes place without prior consent, as it serves the technical provision.

2. Processing for security (Art. 6(1)(f) GDPR): The protection of your IT infrastructure against attacks is a legitimate interest.

3. Processing for compliance documentation (Art. 6(1)(c) GDPR): The audit log creation is carried out to fulfil data protection evidence obligations.

4. Legal basis for the cookie banner itself (Section 25(2)(2) TDDDG): You need a legal basis to be able to display a banner at all. This results from your obligation to obtain consents before storing cookies.

Note: For the cookies that lie behind the banner (analytics, marketing), the legal situation remains unchanged – here you need prior consent from the user (Art. 7 GDPR, Section 25(1) TDDDG).

H. Special Features and Notes on Axeptio

Important features:

• EU residency – Axeptio SAS is based in France; data storage takes place exclusively in the EU.
• Data Processing Agreement (DPA) – Axeptio offers a standard DPA, which you should integrate as a processor agreement under Art. 28 GDPR.
• IAB TCF Compliance – Axeptio supports the Transparency & Consent Framework (TCF) 2.2 of the IAB Europe and thus meets requirements for the ad-tech ecosystem.
• Google Consent Mode – Axeptio signals consent status to Google Analytics 4, Google Ads and other Google services.
• Processor – Axeptio acts as a processor on your behalf; you remain the controller (Art. 4(7), Art. 28 GDPR).
• Audit logs – All consent events are logged and can be used as evidence of compliance.

I. Frequently Asked Questions

Q: Is Axeptio a processor? Yes. Axeptio processes data on behalf of your website. You must conclude a DPA and name Axeptio in your privacy policy.

Q: Do I need consent to display the Axeptio banner? No. The banner itself is necessary in order to obtain consents – it is part of legal compliance. Consent-required are the cookies and trackers behind the banner.

Q: How long does Axeptio store consent data? Typically 13 months. This depends on your configuration and the Axeptio guidelines. Check your instance settings.

Q: Do I have to name Axeptio in my privacy policy? Yes. You must name all processors. Axeptio is one of them.

Q: Is Axeptio compliant with the GDPR and TDDDG? Axeptio is designed to be usable in a GDPR-compliant manner. However, overall compliance also depends on your configuration (e.g. which cookies you manage via the banner, whether you obtain consents correctly).

Q: What is IAB TCF? The Transparency & Consent Framework of IAB Europe is a standard for cookie banners in the ad-tech sector. It enables consent decisions to be shared with third parties (e.g. advertising partners) – legally compliant if all partners are registered in the TCF ecosystem.

Q: Can I use Axeptio without obtaining consents? No. Axeptio is a tool for obtaining consents. The need to collect consents arises from the GDPR and TDDDG – not from the tool itself.

J. Conclusion and Next Steps

Axeptio is a privacy-friendly and European consent management system. To use it in a legally compliant manner:

1. Conclude DPA – Download the standard DPA from Axeptio and sign it.
2. Update privacy policy – Incorporate the templates presented here.
3. Define cookie categories – Classify your cookies correctly (necessary, functionality, analytics, marketing).
4. Retain audit logs – The consent logs provided by Axeptio are your evidence for GDPR compliance.
5. Set up data subject rights – Make sure you can process access and erasure requests (including erasure of Axeptio data if necessary).

Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com