> ## Documentation Index
> Fetch the complete documentation index at: https://agentref.co/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Consent & GDPR

> How AgentRef's tracking script respects cookie consent before setting any cookies or recording clicks.

AgentRef's tracking script has built-in consent gating. When consent mode is enabled for your program, the script will not set cookies or record clicks until the visitor grants consent. This lets you integrate with any cookie banner without writing custom coordination logic.

## How consent mode works

Consent state is stored in `localStorage` under the key `agentref_consent` with values `'granted'` or `'denied'`. On each page load, the script checks this value before doing anything:

* **No consent stored + consent required** – the script initializes (sets `ready`) but skips cookie writing and click recording. A `consent_pending` warning is added to the debug info.
* **`'granted'`** – tracking proceeds normally.
* **`'denied'`** – any existing AgentRef cookies are cleared and tracking is disabled.
* **Consent not required** – tracking always proceeds regardless of stored consent (the default for programs that have not enabled consent mode).

You enable consent mode in your program's **Settings → Tracking** page. Once enabled, `trackingRequiresConsent` is baked into the served script config for your program.

## Integrating with a cookie consent manager

<Tabs>
  <Tab title="Cookiebot">
    Listen for Cookiebot's consent event and call `AgentRef.setConsent()`:

    ```js theme={null}
    window.addEventListener('CookiebotOnAccept', function() {
      if (window.Cookiebot && window.Cookiebot.consent.statistics) {
        window.AgentRef && window.AgentRef.setConsent('granted');
      }
    });

    window.addEventListener('CookiebotOnDecline', function() {
      window.AgentRef && window.AgentRef.setConsent('denied');
    });
    ```
  </Tab>

  <Tab title="OneTrust">
    Use OneTrust's `OptanonWrapper` callback, which fires after any consent change:

    ```js theme={null}
    function OptanonWrapper() {
      // Check if the "Performance Cookies" category is active
      // Replace 'C0002' with your actual category ID for analytics/tracking
      var groups = window.OnetrustActiveGroups || '';
      if (groups.indexOf('C0002') !== -1) {
        window.AgentRef && window.AgentRef.setConsent('granted');
      } else {
        window.AgentRef && window.AgentRef.setConsent('denied');
      }
    }
    ```
  </Tab>

  <Tab title="Custom banner">
    If you manage consent yourself, call `AgentRef.setConsent()` when the visitor makes a choice:

    ```js theme={null}
    // When user clicks "Accept all"
    document.getElementById('accept-btn').addEventListener('click', function() {
      window.AgentRef && window.AgentRef.setConsent('granted');
      hideBanner();
    });

    // When user clicks "Reject" or "Accept necessary only"
    document.getElementById('reject-btn').addEventListener('click', function() {
      window.AgentRef && window.AgentRef.setConsent('denied');
      hideBanner();
    });
    ```

    `setConsent('granted')` automatically calls `AgentRef.refresh()` internally – tracking initializes immediately without a page reload.
  </Tab>
</Tabs>

## Deferring tracking with `data-consent`

If you want to prevent the script from running at all until consent is determined (for example, to avoid the script executing before your banner has loaded), you can enable consent mode in program settings rather than using a script attribute. The `trackingRequiresConsent` flag is embedded in the script config served from the endpoint.

There is no `data-consent` HTML attribute – consent gating is controlled entirely through your program settings and the `AgentRef.setConsent()` API.

## What happens without consent

When consent is required and not yet granted:

* No cookies are written (`agentref_cid`, `agentref_pid`, `agentref_src`, `agentref_vid`, `agentref_ts`)
* Clicks are not recorded to AgentRef's backend
* `AgentRef.getCheckoutMetadata()` returns `{}`
* `AgentRef.ready()` callbacks still fire (with empty state), so your checkout code won't hang

When consent is explicitly denied:

* All existing AgentRef cookies are cleared from the visitor's browser
* Tracking remains disabled until consent is granted in a future session

## GDPR compliance summary

<Accordion title="What data does AgentRef store?">
  When a click is recorded, AgentRef stores:

  * The referral code (affiliate identifier)
  * The page URL the visitor landed on
  * The visitor's IP address (for unique click deduplication – not linked to personal identity)
  * User agent string
  * Country (derived from IP, not stored as IP)
  * UTM parameters and ad-click IDs present in the URL
  * Sub-IDs passed by the affiliate
  * An anonymous visitor ID generated by the script

  No name, email, or other personally identifiable information is collected by the tracking script itself. PII only enters the system when a Stripe payment event fires (from Stripe's data, not AgentRef's collection).
</Accordion>

<Accordion title="How long is data retained?">
  Click records are retained according to your program's cookie duration setting (default 30 days) for active attribution. Conversion records are retained indefinitely as they are financial records tied to affiliate payouts.

  The anonymous visitor ID cookie (`agentref_vid`) has a 365-day lifetime. This is a random string with no external linkage – it is used only to deduplicate click counts within AgentRef.
</Accordion>

<Accordion title="Can visitors request deletion?">
  Visitors can delete AgentRef cookies at any time through their browser settings. Since the anonymous visitor ID has no linkage to personal identity, there is no personal data to delete from AgentRef's backend based on a cookie value alone.

  If a visitor makes a data deletion request that you need to fulfill, contact AgentRef support with the relevant click tokens or conversion IDs.
</Accordion>

<Accordion title="Is the data shared with third parties?">
  No. Click and attribution data is stored in AgentRef systems and shared only with the merchant (you) and the affiliate who drove the click, as part of normal program reporting.
</Accordion>

<Note>
  This page describes how AgentRef's technical implementation supports GDPR compliance. It is not legal advice. Consult your legal team to determine the correct consent category and wording for your cookie banner.
</Note>
