FewCookies

Documentation

How FewCookies works

Everything you can do, flow by flow — and exactly what to expect at each step.

FewCookies puts your whole compliance footer behind one scan and one script: it finds the cookies and trackers on your site, classifies them, shows a GDPR-ready consent banner, generates and hosts your cookie, privacy and terms documents, and records proof that your visitors consented.

This guide walks through everything you can do, in the order you will usually do it. The short version:

  1. Create your account and verify your email.
  2. Add your website and run your first scan.
  3. Review the cookies we found and how they are classified.
  4. Copy the one-line snippet to show your consent banner.
  5. Generate your legal documents and, optionally, display the compliance badge.

Getting started: account, sign-in & security

FewCookies signs you in with a secure server-side session that stays valid for up to seven days. You can use a regular email and password, or your Google account. Every new account starts on a 7-day Pro trial that needs no credit card, so you get the full product from day one. Right after you sign up we take you to a short guided setup that helps you add your first website and go live; from then on your dashboard is home base for scanning sites and generating cookie policies.

Create your account

  1. Go to the register page and enter your email and a password. Your password must be at least 8 characters and include an uppercase letter, a lowercase letter, and a number.
  2. Submit the form. If the email is already registered you will see a clear message; otherwise your account is created with a 7-day Pro trial (no card needed) and you are signed in immediately.
  3. We send you a welcome email and a separate verification email. Open the verification link to confirm your address.

Verifying your email is required before you can add sites, run scans, or view compliance pages. Until you verify, your dashboard shows a banner with a Resend button, and account areas (dashboard, settings, billing) stay fully usable so you can complete verification.

Sign in with Google

On the login page choose Continue with Google. We handle the whole Google handshake on the server, so no Google tokens ever reach your browser. If you sign up through Google and Google has already verified that email, your FewCookies account is created already verified — you can start right away. For your safety, a Google account whose email Google has not verified cannot be used to create or take over a FewCookies account.

Already have a password account? Open Settings and connect Google there, so you can use either method to sign in.

Your guided setup

Instead of dropping you on an empty dashboard, FewCookies opens a short guided setup the first time you sign in. It walks you through the four steps that get a working banner live: confirm your email, add your first website, paste the one-line snippet (with a one-click Verify installation check), and run your first scan. You can skip it at any time and finish later — the same checklist also lives on your dashboard and ticks itself off as you complete each step, so you always know what is left before you go live.

Verify your email

Click the link in the verification email. The link works whether or not you are currently signed in and stays valid for 24 hours. After verifying, the full product becomes available. Each verification link is one-time use; if it expired, use the Resend button on your dashboard to get a fresh one.

Reset a forgotten password

  1. On the login page click Forgot password and enter your email.
  2. You will always see the same confirmation message, whether or not the address is registered — this is intentional and protects your privacy.
  3. If you have an account, open the reset link (valid for 1 hour), choose a new password, and confirm it.
  4. After resetting you are sent to the login page, and any other devices that were signed in are logged out the next time they act.

Manage your account

In Settings you can change your email, set or change your password, connect or disconnect Google, and delete your account. Changing your email signs that address out of "verified" status and sends a new verification email. You cannot disconnect Google unless you have a password set, so you are never left without a way to sign in.

Deleting your account is permanent. It immediately signs you out and erases your sites, scans, consent records, reports, and billing rows. We keep an anonymized system audit trail with your personal reference removed.

Email delivery (welcome, verification, reset) is processed in the background. In a local or test setup without a mail provider configured, the verification and reset links are written to the server log instead of being emailed, so the flows remain testable.

Adding & managing your websites

A site is one website you manage with FewCookies. Everything else — scans, the consent banner, hosted legal documents, reports — hangs off a site. You can add a site as soon as your email is verified.

Add a website

  1. Open Sites and click Add site (or go to /sites/create).
  2. Enter the website address (it must start with http:// or https://) and a friendly name.
  3. Save. The site is created instantly and you land on its detail page.

Each site is issued a unique public API key in the form cg_…. This key powers your embed snippet, your hosted policy links, and the widget configuration — it is meant to be public (it sits in your page source), so there is no secret to protect here. The key is fixed for the life of the site and is not rotatable from the dashboard.

How many sites can I add?

Your plan sets the limit. Every account is on Pro — free during the 7-day trial, then €6/month (or a €3 one-year invite) to keep it:

PlanSites
Pro (including the free trial)5
Business (coming soon)Unlimited

If you are at your limit, the Add site action is blocked and you are returned to the list with an upgrade prompt. Deleting a site frees a slot. If your trial ends before you upgrade, the dashboard becomes read-only, so adding a site pauses until you upgrade — but your existing sites and their live banners keep working untouched.

Customise the consent banner

Open Configure on any site to tailor the banner without touching code: position, theme, colours, button text, language, and your privacy-policy link. A live preview shows your changes as you make them.

  1. Adjust the appearance and copy on /sites/:id/config.
  2. Save. FewCookies bumps an internal config version so every embedded banner picks up your changes the next time it loads.

The preview is a faithful mock-up inside the dashboard. The real banner on your live site refreshes automatically shortly after you save — there is nothing to re-paste.

Embed the snippet

On a site's detail or configuration page you can copy a one-line <script> snippet. Paste it into your site's HTML (ideally in the <head>) once, and the banner loads on every page using your saved configuration. See The consent banner & embed script for what the banner does for your visitors.

Edit or remove a site

You can rename a site or change its URL at any time. Deleting a site is a soft delete: the site disappears from your dashboard and its banner, hosted policies, and widget configuration immediately stop responding, so the script on your page goes quiet. Only the site's owner can view, edit, configure, or delete it.

Scanning your site for cookies and trackers

A scan is how FewCookies discovers what your website actually loads in a real browser: cookies, tracking pixels, third-party scripts, your consent banner, fingerprinting attempts, performance and basic security. Everything reported is observed by a headless browser visiting your pages, not guessed from your URL.

Starting a scan

  1. Open one of your sites and click the scan or re-scan button.
  2. You are taken to a live scan page showing a status (pending, running, completed or failed), a running timer, and a count of pages scanned so far.
  3. The page refreshes itself every couple of seconds, so you can watch the page count climb. When the scan finishes the results appear in place.

If a scan is already running for the same site, clicking again just opens that in-flight scan instead of starting a second one. You can trigger at most 10 scans per site per hour.

What the scanner looks at

Starting from your home page, the crawler follows internal links and inspects each page for cookies (HTTP and JavaScript), local and session storage, third-party requests, tracking pixels and beacons (Meta, Google, Hotjar, TikTok and more), fingerprinting behaviour, and known consent platforms (OneTrust, Cookiebot, Usercentrics, Didomi, the IAB TCF API and others). On the home page it runs a before-and-after consent check: it records what loads with no interaction, clicks accept-all, then records again, revealing trackers that fired before you could consent. It also measures Core Web Vitals, HTTPS and security headers, and SEO signals (titles, meta descriptions, headings, canonical, robots.txt and sitemap).

How many pages get scanned

PlanPages per scan (upper bound)
Pro (including the free trial)20
Business (coming soon)50

These are ceilings, not targets. A cookie audit samples your site to find distinct trackers, so the crawl often stops early once new pages stop revealing anything new.

Your results and score

When the scan completes you see Core Web Vitals, whether a consent banner was detected, the before-and-after consent breakdown, and a categorised cookie table (necessary, functional, analytics, marketing). Each scan also produces a single 0-100 Compliance and Quality Score from four real pillars: cookie compliance, SEO, security and performance, weighted 40, 30, 20 and 10. Any pillar a scan could not measure is left out and the score is recalculated over the rest, so it is never padded with fabricated data.

Cookies are auto-classified from a known-cookie database and heuristics. An AI classification fallback is planned but not yet active, so some cookies show their best heuristic guess.

When a scan cannot finish

Before launching the browser, FewCookies refuses to scan private or internal addresses for security reasons. If a scan fails you see a plain-language reason and usually a Retry button. Common reasons: the site could not be reached, the URL was blocked, the scan timed out, or the scanner browser is not installed (the one case retrying will not fix). Very large sites may hit a time budget and return a partial result, flagged clearly so you know the cookie list and generated policy may not cover every page.

A scan visits your real site with a real browser and clicks the accept button on your consent banner. Run it against a site you own.

How your cookies are classified

When you run a scan, FewCookies crawls your site, records every cookie that gets set, and then sorts each one into a category so your cookie policy can describe its purpose. Classification happens automatically as part of the scan — you do not configure anything. Every cookie ends up in one of four categories: necessary, functional, analytics, or marketing.

The steps we run for every cookie

We try each method in order and stop at the first confident answer. Earlier methods are more reliable, so each result carries a confidence score you can see in your scan detail.

  1. Known-cookie database (exact match). We compare the cookie name and domain against our built-in library of over 1,300 well-known cookies. An exact name match scores highest (0.95). This is how common cookies like Google Analytics, the Facebook Pixel, session cookies, and consent cookies get a precise provider name and a ready-written bilingual (Romanian and English) description.
  2. Known-cookie database (pattern match). If there is no exact hit, we match name patterns such as cookies that all start with the same prefix (0.90).
  3. Name-pattern heuristics. A second set of built-in patterns catches families like everything starting with _ga, _fbp, or _hj (0.85).
  4. Tracker-domain match. If the cookie belongs to a known advertising, analytics, or social domain, we classify by that domain (0.80).
  5. Script-source match. We look at which script set the cookie — for example a Google Tag Manager or Facebook script (0.75).
  6. Duration guess. Very short-lived or session cookies are treated as functional; cookies living longer than a year lean analytics (0.60).
  7. Value-shape guess. Random IDs and long hex strings look like analytics; simple true/false or numeric values look like functional (0.50).

If nothing matches, the cookie is marked unclassified with a confidence of 0 and a generic placeholder, so you can review it manually.

Descriptions in your policy

Cookies matched from the known database come with a specific, human-written description in both Romanian and English. Cookies that only match a heuristic get a generic, category-appropriate sentence instead — accurate enough for a policy, but less specific. You should expect named, detailed entries for popular trackers and shorter generic lines for the long tail.

Classification is the same on every plan. There is no premium tier that classifies cookies differently — the difference between plans is in scan frequency, page limits, and reporting, not in how a cookie is categorized.

Classification is rules-based, not AI-powered. There is no live machine-learning step today, so an unusual or brand-new cookie may land in unclassified or fall back to a duration or value guess. Always review low-confidence and unclassified cookies before publishing your policy, and treat the assigned category as a strong starting point rather than legal advice.

Re-running a scan after we expand the built-in database can upgrade a previously generic or unclassified cookie to a precise, named entry — so it is worth rescanning periodically.

Install with AI assistants (Claude Code, Cursor, Codex)

You do not have to wire the snippet by hand. If you build with an AI coding assistant — Claude Code, Cursor, Codex, Copilot, Windsurf or similar — FewCookies writes the integration prompt for you. Every site page in the dashboard has an Install with AI card: pick your tech stack, copy the generated prompt, paste it into your agent, and it installs the banner, links your hosted legal pages, and verifies the result.

How to use it

  1. Open your site in the dashboard and find the Install with AI card, right under the embed snippet.
  2. Choose your stack from the list. The prompt adapts to it — which file the tag goes in and the framework-specific pitfalls to avoid.
  3. Copy the prompt. It already contains your real API key, the exact widget script tag, and the URLs of the legal documents you have generated.
  4. Paste it into your AI coding tool inside your project and let it work.
  5. The prompt ends with a verification checklist, so the agent confirms the banner actually shows and no tracker fires before consent.

Supported stacks

Next.js (App Router and Pages Router), React / Vue / Svelte on Vite, Nuxt, Astro, SvelteKit, TanStack Start, Remix / React Router v7, Laravel (Blade), WordPress, Shopify, Django, Ruby on Rails, and plain HTML / PHP. If your stack is not listed, pick Plain HTML / PHP — the rules are universal; only the file the tag goes in differs.

What the prompt instructs the agent to do

  • Insert the exact <script> tag synchronously in the <head> — in the right file for your stack — before any analytics or marketing tags, with no async or defer.
  • Add footer links to your hosted cookie policy, privacy policy and terms (only the documents that already exist).
  • Convert inline tracking snippets to the widget's manual mode (type="text/plain" data-cookieguard="…") so nothing fires before consent.
  • Verify: the tag is in the raw HTML, the banner appears, window.CookieGuard exists, and no tracker requests precede consent.

Example (shortened)

You are working in my Next.js (App Router) project. Integrate the
FewCookies cookie-consent widget and link my hosted legal pages.

## 1. Add the consent widget
Insert this exact script tag — do not change any attribute:
<script id="cookieguard-script" src="https://fewcookies.com/widget.js"
        data-api-key="cg_YOUR_KEY" data-blocking-mode="auto"></script>
Where: the <head> of the root layout (app/layout.tsx) …

## 2. Link the legal pages in the footer
- Cookie policy: https://fewcookies.com/p/cg_YOUR_KEY/cookies
…

## 4. Verify
- The tag is present in the raw HTML <head> …
- The consent banner appears on first visit …

The prompt is always generated in English, even when your dashboard is set to Romanian — coding agents follow English instructions most reliably. Review the diff your agent produces before committing, as you would with any generated change.

Prefer doing it by hand? The one-line snippet and step-by-step instructions are in The consent banner & embed script above.

Dashboard, reports, competitors & Copilot

After you sign in and verify your email, the dashboard is your home base. It pulls together everything FewCookies has measured about your sites so you can see, at a glance, how your consent banner is performing and where your compliance stands.

The overview

Opening /dashboard shows every site you own, each with its own consent activity over the last 30 days. For each site you get a daily trend line (accept-all, reject-all, and custom choices), an action breakdown, and per-category accepted counts for the four cookie categories (necessary, functional, analytics, marketing). These numbers come straight from real visitor consents recorded by your banner. A brand-new site with no traffic yet simply shows zeros.

Monthly compliance reports

Open a site and go to its Reports page to read its monthly compliance reports, newest first. The page selects the latest completed report and renders its stored content: a health-score trend, consent accept/reject rates by month, score deltas versus the previous period, top issues, a compliance checklist, and suggested next steps.

Reports are generated automatically on the 1st of each month for the month that just ended. You do not trigger them yourself, and the page is read-only. Every figure is built from data FewCookies actually measured; anything never measured is shown as empty rather than invented. A report can show a status of generating or failed if its background job is still running or hit an error.

Competitor comparison

On a site's Competitors page you can add up to three competitor URLs and compare them side by side against your own site across cookies (by category), trackers, analytics and advertising tools, plus SEO and performance scores. Your own column is derived from your site's most recent completed scan, so it stays empty until you have run at least one scan.

  1. Enter a competitor URL and submit.
  2. The scan runs in the background; you will see a confirmation that it has started.
  3. Once it finishes, the competitor appears as a new comparison row.

Duplicate URLs and going over the three-competitor limit are rejected with an inline message. Competitor scans are rate-limited and crawl only a handful of pages, so results focus on the distinct trackers a site exposes rather than a full mirror.

Lighthouse deep audit (Business only)

The on-demand Lighthouse deep audit is reserved for the upcoming Business plan. Since every account today is on Pro, you currently see an upgrade prompt where the audit would run; it unlocks when Business launches. When it is enabled, triggering it launches a real headless Chrome and runs a full Lighthouse pass on your homepage, returning performance, SEO, best-practices and accessibility scores plus headline lab metrics (LCP, FCP, CLS, and more).

  1. Click to run the audit; you land on a result page that polls live while it works.
  2. Re-triggering while one is already in flight just takes you to the running audit instead of starting a second one.
  3. If the audit fails (timeout, unreachable URL, or no browser available), the page tells you why so you can retry.

Polling stops on its own after about six minutes, so a stuck worker will not spin the page forever. The audit is heavily rate-limited per site.

Compliance Copilot

The Compliance Copilot Q&A is currently not available in the app. The feature has been postponed: there is no page or working endpoint for it yet. The groundwork exists internally (including monthly question limits of 50 on Pro and unlimited on the upcoming Business plan), and the answer engine is a placeholder that returns pre-written guidance rather than a live AI model. Treat Copilot as coming-soon, not a feature you can use today.

Free public tools (instant scan, benchmark & badge)

FewCookies gives you a handful of tools you can use without an account, an API key, or even logging in. They all run anonymously and are rate-limited per IP address to keep them free for everyone.

The instant cookie check

Go to /check, type any website address, and press the button. You can also deep-link a result by opening /check?url=https://example.com — the scan starts automatically. Behind the scenes the page calls POST /api/v1/check, which fetches your site once from the server and reports what a single page response reveals.

You will see a health score out of 100, a risk level, the cookies that were set, any third-party trackers, whether a consent banner and a cookie-policy link were found (and the name of the consent tool, like OneTrust, when it can be identified), and a list of prioritised issues with recommendations. If your site has a critical problem — for example, non-essential cookies set with no consent banner — the score is forced into the red and never shows green.

This is a surface scan: one server-side fetch reading response headers and HTML. It does not run a full browser, so it sees less than the in-app audit. If a site genuinely cannot be reached, you will get a clearly labelled demo result instead of an error, so the page always shows something.

The check is limited to 5 scans per hour from the same IP address. If you hit that limit you will see a rate-limit message; wait and try again later, or create an account for full audits. Results are cached for about 10 minutes, so re-checking the same URL returns the same answer quickly.

The compliance badge

On /badge, enter your site address to generate a copy-paste embed snippet. You can embed the badge three ways: an SVG image (/badge.svg?url=...), an HTML chip in an iframe (/badge.html?url=...), or a Markdown link. There is also a raw JSON endpoint (/badge.json?url=...) if you want the numbers. The badge shows a score out of 100 and a label such as GDPR Compliant or GDPR Needs Attention, colour-coded, and links visitors back to a live check of your site.

The badge reuses a recent instant-check result when one is cached; otherwise it makes a quick lightweight request and estimates a score from HTTPS and a couple of security headers. It is meant as a public trust signal, not a legal certification. Badge responses are cached for about 10 minutes and the endpoints are deliberately embeddable on any domain.

The competitive benchmark

There is also a benchmark capability that compares your site against up to three competitors across compliance, security and SEO, scoring each from a single fetch. It is available as an API (POST /api/v1/benchmark) and is fully working server-side, but there is currently no public page in the site that drives it, so most users will not encounter it yet.

The waitlist

Before launch, the homepage shows a waitlist form. Enter your email and you are added to the list; submitting the same address twice is harmless and simply confirms you are in. You will see a success message once you join.

What is free versus paid

Everything on this page is free and requires no account. The catch is depth and rate limits: the instant check is a one-page surface scan capped at 5 runs per hour, whereas a registered account — which starts with a free 7-day Pro trial, no card required — unlocks the full browser-based audit, ongoing monitoring, the hosted consent banner and generated legal documents. The buttons throughout these tools nudge you toward registering when you need more than a quick look.

All of these tools refuse private, local, or internal addresses — they only scan publicly reachable http(s) sites — so you cannot point them at an intranet or a localhost address.

Plans & billing

FewCookies is built around a single paid plan — Pro — with a generous free trial and a second tier on the way. Every new account starts on a 7-day Pro trial that needs no credit card: you get the full product from day one and only decide whether to pay once you have seen the value.

The plans

FeatureProBusiness
Sites5Unlimited
Pages crawled per scan2050
Custom-branded banner (logo, colours, no “powered by”)IncludedIncluded
Lighthouse deep performance auditIncluded
Price€6/mo (launch price, normally €9)Coming soon

The cookie scanner, consent banner with Google Consent Mode v2, cookie classification, generated legal documents, hosted policy pages, the compliance badge, dark-pattern detection, consent logging and export are all part of Pro — which is exactly what your free trial unlocks. Business (unlimited sites, the Lighthouse deep audit, white-label reports) is not purchasable yet; you can ask to be notified from the pricing page.

There is no longer a permanent Free plan. Instead everyone gets the full Pro experience free for 7 days, then chooses how to continue.

How to pay

When you are ready to keep Pro, open Billing and choose one of two options:

  • Monthly subscription — €6/month. A launch price (normally €9), shown with the old price struck through. Click Upgrade and you are taken to Stripe's secure checkout; when you return, your account is Pro. Prices are tax-inclusive — you always pay exactly €6, with any VAT worked out and included automatically for your country.
  • One year for €3 — invite only. A one-time payment that gives a full year of Pro. The €3 button stays disabled until you enter a valid invite code on the billing page. We hand these codes out individually; redeem yours, then complete the one-time checkout.

Card details, receipts and cancellations are handled by Stripe. Once you are a paying subscriber, a Manage billing button opens the Stripe customer portal, where you can update your card, download invoices, or cancel anytime.

What the billing page shows

Open Billing to see, in one place:

  • your current access state — how many trial days are left, that you are subscribed, that you hold a one-year pass until a given date, or that your trial has ended;
  • your subscription status, price and billing period once you are paying;
  • your invoice history, with amounts shown in euros;
  • the invite-code box and the €6 / €3 upgrade buttons.

Before you have paid, the page shows your trial countdown (or, once it lapses, an upgrade wall) and no invoices yet. It is where every billing action lives.

When the trial ends without upgrading

Nothing breaks for your visitors. Your live consent banner keeps serving on every site exactly as configured — we never take down a banner that is protecting a real website. What changes is your dashboard: it becomes read-only. You can still sign in, view everything, export your consent records, and reach the billing page, but you cannot add or edit sites, change banner settings, or start new scans until you upgrade.

How plan limits feel in the product

  • Sites: trying to add a site beyond your limit returns you to the sites list with an upgrade prompt.
  • Lighthouse: the deep performance audit shows an upgrade prompt — it arrives with the Business plan.
  • Scan depth: each scan crawls up to your plan's page budget — enough to discover the trackers that matter.
  • Trial ended: changes (add or edit a site, save banner settings, start a scan) are paused and send you to the billing page; viewing your data stays open, and your live banners keep serving.

Behind the scenes: data, privacy, languages & reliability

A few cross-cutting things worth knowing about how FewCookies behaves, what it stores, and what to expect when work happens in the background.

English & Romanian

The entire product — the marketing pages, this documentation, and the dashboard — is available in English and Romanian. Use the EN / RO switch in the header to change language; your choice is remembered for a year. English is the reference language, so if a Romanian phrase is ever missing you will see the English version rather than a broken page.

What we store about your visitors

FewCookies is a privacy tool, so it collects as little as possible about the people who visit your site. When a visitor makes a consent choice, we record:

  • a one-way hash of their IP address — never the raw IP, and it cannot be reversed back to an address;
  • their choice (accept all / reject all / a custom selection) and which categories they allowed;
  • the banner version they saw, an anonymous visitor id, the browser's user-agent, and a country code derived from your CDN.

Because the IP is hashed with your account's secret, the same visitor produces the same hash (useful for grouping) while remaining anonymous. This is what lets you prove consent without holding personal data you do not need.

Proof of consent

You can export your consent records (see The consent banner & embed script). Each exported receipt is cryptographically signed, so it is tamper-evident — exactly what GDPR Article 7 expects when you need to demonstrate that consent was given.

Scans run in the background

Scanning drives a real headless browser, which takes time, so it runs as a background job rather than blocking your screen.

  • The scan page shows live progress and settles on a clear completed or failed result — never an endless spinner.
  • If you trigger a scan while one is already running for that site, FewCookies reuses the in-flight scan instead of starting a second one.
  • Transient failures are retried automatically; a scan that cannot finish is marked failed with a reason rather than hanging.

Email & reliability

Account emails — verification, password reset, the welcome message and monthly reports — are sent off the main request path so a momentary email-provider hiccup does not break your action; delivery is retried. Behind the scenes, an operations view lets our team see and re-run any failed scan, and a lightweight health check keeps the service monitored.

FewCookies helps you reach and document compliance, but it is a tool, not a law firm. The generated documents are a strong starting point — for anything legally sensitive, have them reviewed by a qualified professional.