Consent & GDPR

AgentRef’s tracking script has built-in consent gating. When consent mode is enabled for your program, the script will not set cookies or record clicks until the visitor grants consent. This lets you integrate with any cookie banner without writing custom coordination logic. Consent state is stored in localStorage under the key agentref_consent with values 'granted' or 'denied'. On each page load, the script checks this value before doing anything:

No consent stored + consent required – the script initializes (sets ready) but skips cookie writing and click recording. A consent_pending warning is added to the debug info.
'granted' – tracking proceeds normally.
'denied' – any existing AgentRef cookies are cleared and tracking is disabled.
Consent not required – tracking always proceeds regardless of stored consent (the default for programs that have not enabled consent mode).

You enable consent mode in your program’s Settings → Tracking page. Once enabled, trackingRequiresConsent is baked into the served script config for your program.

Cookiebot
OneTrust
Custom banner

Listen for Cookiebot’s consent event and call AgentRef.setConsent():

window.addEventListener('CookiebotOnAccept', function() {
  if (window.Cookiebot && window.Cookiebot.consent.statistics) {
    window.AgentRef && window.AgentRef.setConsent('granted');
  }
});

window.addEventListener('CookiebotOnDecline', function() {
  window.AgentRef && window.AgentRef.setConsent('denied');
});

Use OneTrust’s OptanonWrapper callback, which fires after any consent change:

function OptanonWrapper() {
  // Check if the "Performance Cookies" category is active
  // Replace 'C0002' with your actual category ID for analytics/tracking
  var groups = window.OnetrustActiveGroups || '';
  if (groups.indexOf('C0002') !== -1) {
    window.AgentRef && window.AgentRef.setConsent('granted');
  } else {
    window.AgentRef && window.AgentRef.setConsent('denied');
  }
}

If you manage consent yourself, call AgentRef.setConsent() when the visitor makes a choice:

// When user clicks "Accept all"
document.getElementById('accept-btn').addEventListener('click', function() {
  window.AgentRef && window.AgentRef.setConsent('granted');
  hideBanner();
});

// When user clicks "Reject" or "Accept necessary only"
document.getElementById('reject-btn').addEventListener('click', function() {
  window.AgentRef && window.AgentRef.setConsent('denied');
  hideBanner();
});

setConsent('granted') automatically calls AgentRef.refresh() internally – tracking initializes immediately without a page reload.

If you want to prevent the script from running at all until consent is determined (for example, to avoid the script executing before your banner has loaded), you can enable consent mode in program settings rather than using a script attribute. The trackingRequiresConsent flag is embedded in the script config served from the endpoint. There is no data-consent HTML attribute – consent gating is controlled entirely through your program settings and the AgentRef.setConsent() API. When consent is required and not yet granted:

No cookies are written (agentref_cid, agentref_pid, agentref_src, agentref_vid, agentref_ts)
Clicks are not recorded to AgentRef’s backend
AgentRef.getCheckoutMetadata() returns {}
AgentRef.ready() callbacks still fire (with empty state), so your checkout code won’t hang

When consent is explicitly denied:

All existing AgentRef cookies are cleared from the visitor’s browser
Tracking remains disabled until consent is granted in a future session

What data does AgentRef store?

When a click is recorded, AgentRef stores:

The referral code (affiliate identifier)
The page URL the visitor landed on
The visitor’s IP address (for unique click deduplication – not linked to personal identity)
User agent string
Country (derived from IP, not stored as IP)
UTM parameters and ad-click IDs present in the URL
Sub-IDs passed by the affiliate
An anonymous visitor ID generated by the script

No name, email, or other personally identifiable information is collected by the tracking script itself. PII only enters the system when a Stripe payment event fires (from Stripe’s data, not AgentRef’s collection).

How long is data retained?

Click records are retained according to your program’s cookie duration setting (default 30 days) for active attribution. Conversion records are retained indefinitely as they are financial records tied to affiliate payouts.The anonymous visitor ID cookie (agentref_vid) has a 365-day lifetime. This is a random string with no external linkage – it is used only to deduplicate click counts within AgentRef.

Can visitors request deletion?

Visitors can delete AgentRef cookies at any time through their browser settings. Since the anonymous visitor ID has no linkage to personal identity, there is no personal data to delete from AgentRef’s backend based on a cookie value alone.If a visitor makes a data deletion request that you need to fulfill, contact AgentRef support with the relevant click tokens or conversion IDs.

Is the data shared with third parties?

No. Click and attribution data is stored in AgentRef’s database and shared only with the merchant (you) and the affiliate who drove the click, as part of normal program reporting.

This page describes how AgentRef’s technical implementation supports GDPR compliance. It is not legal advice. Consult your legal team to determine the correct consent category and wording for your cookie banner.

Getting Started

Merchant Guide

Agent Integration

Tracking

Integration Guides

Webhooks

For Affiliates

Resources

Getting Started

Merchant Guide

Agent Integration

Tracking

Integration Guides

Webhooks

For Affiliates

Resources

​How consent mode works

​Integrating with a cookie consent manager

​Deferring tracking with data-consent

​What happens without consent

​GDPR compliance summary

How consent mode works

Integrating with a cookie consent manager

Deferring tracking with `data-consent`

What happens without consent

GDPR compliance summary