Your data. Your rights. Your call.

GDPR gives you rights. To know what's collected. To say no. To change your mind. To be forgotten. Most sites bury all that in a 4,000-word policy nobody reads, then ignore it when you click reject.

The Vakteye badge sits on sites where we've tested whether what they say matches what the code does. The site pays us. The law decides the result, not us. If a site fails the test, the badge comes off.

This page is for you, not them.

Verify any badge →

Your rights

Six GDPR rights, short. Click any article link for the original text.

Right to know

What data they hold about you, why, who they share it with, how long they keep it, where they got it, and whether it feeds automated decisions.

GDPR Art 15(1)IMY · Ta del av dina personuppgifter

Right to refuse

Saying no can't be harder than saying yes. Consent has to be freely given and a real choice.

EDPB Guidelines 05/2020 · ePrivacy Art 5(3)EDPB Cookie Banner Taskforce 2023

Right to withdraw

You can change your mind anytime. Withdrawal stops future processing. Anything done before, based on the consent you'd given, stays lawful.

GDPR Art 7(3)IMY · Samtycke som rättslig grund

Right to be forgotten

You can ask them to delete your data, unless they have a legal reason to keep it.

GDPR Art 17 IMY · Radering av personuppgifter

Right to object

Against direct marketing and marketing-related profiling they have to stop, no exceptions. Against other processing based on legitimate interest you can also object, but the controller can refuse if they show compelling grounds.

GDPR Art 21(2)IMY · Att göra invändningar

Right to portability

You can get the data you actively provided in a standard format and move it elsewhere. Applies when you consented or signed a contract, and the data is processed automatically. Inferred or derived data isn't covered.

GDPR Art 20(1)IMY · Flytta dina personuppgifter

What the badge means, and what it doesn't

It means

The site passed an automated test against GDPR, ePrivacy, and Swedish law. If the result goes red and nothing gets fixed, the badge comes off this page.

It does not mean

That the site is perfect, or that anyone at Vakteye personally vouches for them. We test against the law. That's not the whole picture of a company.

Who pays us

The site does. But the result is decided by the law, not by us. If we softened findings to keep customers happy, the badge wouldn't be worth anything.

What we test

Eight things. Click any item for how we test it.

Does "Reject all" actually reject?
We click reject as a regular visitor and watch whether tracking cookies and pixels stop loading. If they don't, the site broke your choice.
Does data leak before you click anything?
Many sites load third-party trackers right at page-load, before you've said yes or no. We measure what's sent in the first half-second.
Do they tell trackers to ignore your "no"?
Google Consent Mode and Meta Pixel can be configured to report rejection but still send pseudonymised data. We decode the signals.
Are the basics set up safely: HTTPS, cookies, headers?
TLS, secure cookie flags, CSP, HSTS, X-Frame-Options.
Are they leaking your form inputs to ad networks?
We fill test values and watch whether the content is sent to third parties before the form was submitted.
Are they storing private keys in their JavaScript?
Hardcoded API keys and similar secrets in client code are a common leak. We scan with two detectors.
Is the site usable with a screen reader?
WCAG 2.1 AA, the level the EU Accessibility Directive requires for digital services.
Does their privacy policy match what they actually do?
We read the policy and compare against network traffic. Gap = breach.

We don't test everything

An automated scanner can't reach everything. Logged-in flows, payments, and manually configured privacy features are out of scope. If a WAF or browser challenge blocks us, we flag it.

What you can do right now

Why we built this

EU law says your personal data is yours. But the gap between what privacy policies promise and what code actually does is too large. Annual audits catch it too late. A badge that can't be revoked says nothing. We measure what the law requires, over and over, and show you the result.

Last reviewed: 2026-05-08

Found something wrong on this page? Email trust@vakteye.com

Your data. Your rights. Your call.

GDPR gives you rights. To know what's collected. To say no. To change your mind. To be forgotten. Most sites bury all that in a 4,000-word policy nobody reads, then ignore it when you click reject.

This page is for you, not them.

Your rights

Six GDPR rights, short. Click any article link for the original text.

Right to know

What data they hold about you, why, who they share it with, how long they keep it, where they got it, and whether it feeds automated decisions.

GDPR Art 15(1)IMY · Ta del av dina personuppgifter

Right to refuse

Saying no can't be harder than saying yes. Consent has to be freely given and a real choice.

EDPB Guidelines 05/2020 · ePrivacy Art 5(3)EDPB Cookie Banner Taskforce 2023

Right to withdraw

You can change your mind anytime. Withdrawal stops future processing. Anything done before, based on the consent you'd given, stays lawful.

GDPR Art 7(3)IMY · Samtycke som rättslig grund

Right to be forgotten

You can ask them to delete your data, unless they have a legal reason to keep it.

GDPR Art 17 IMY · Radering av personuppgifter

Right to object

GDPR Art 21(2)IMY · Att göra invändningar

Right to portability

GDPR Art 20(1)IMY · Flytta dina personuppgifter

What the badge means, and what it doesn't

It means

The site passed an automated test against GDPR, ePrivacy, and Swedish law. If the result goes red and nothing gets fixed, the badge comes off this page.

It does not mean

That the site is perfect, or that anyone at Vakteye personally vouches for them. We test against the law. That's not the whole picture of a company.

Who pays us

The site does. But the result is decided by the law, not by us. If we softened findings to keep customers happy, the badge wouldn't be worth anything.

What we test

Eight things. Click any item for how we test it.

Does "Reject all" actually reject?

We click reject as a regular visitor and watch whether tracking cookies and pixels stop loading. If they don't, the site broke your choice.

Does data leak before you click anything?

Many sites load third-party trackers right at page-load, before you've said yes or no. We measure what's sent in the first half-second.

Do they tell trackers to ignore your "no"?

Google Consent Mode and Meta Pixel can be configured to report rejection but still send pseudonymised data. We decode the signals.

Are the basics set up safely: HTTPS, cookies, headers?

TLS, secure cookie flags, CSP, HSTS, X-Frame-Options.

Are they leaking your form inputs to ad networks?

We fill test values and watch whether the content is sent to third parties before the form was submitted.

Are they storing private keys in their JavaScript?

Hardcoded API keys and similar secrets in client code are a common leak. We scan with two detectors.

Is the site usable with a screen reader?

WCAG 2.1 AA, the level the EU Accessibility Directive requires for digital services.

Does their privacy policy match what they actually do?

We read the policy and compare against network traffic. Gap = breach.

We don't test everything

An automated scanner can't reach everything. Logged-in flows, payments, and manually configured privacy features are out of scope. If a WAF or browser challenge blocks us, we flag it.