HERO Lifetime Deal
Ending in!
00
Days
00
Hours
00
Minutes
00
Seconds
LocationGermany
Established2025
AlternativeCookiebot | Usercentrics | CookieYes | CookieHub | Consentmanager
Team
MRR$1K
Why LTDBiscotti
Biscotti is a lightweight, ultra-fast consent management platform built for GDPR, CCPA, TCF 2.3 and global privacy law compliance, with EU-hosted data, native Google Consent Mode v2, and one-click integrations for all major CMS and e-commerce platforms.
TL;DR
Biscotti is a modern consent management platform that handles GDPR, CCPA, and 8+ global privacy regulations out of the box, with automatic geo-detection and a Pre-Boot Shield that blocks all cookies before consent is given.
With German-hosted servers, self-hosted fonts (no IP leaks), native Google Consent Mode v2, and official plugins for WordPress, Shopify, Shopware, Magento, PrestaShop and Joomla, it’s the compliant CMP that actually fits how small teams and agencies work.
At-A-Glance
Best For- Website Owners
- Agencies and Freelancers
- E-commerce Store Owners
- WordPress Developers
- Small Business Owners
- SaaS Founders
Alternative to- Cookiebot
- Usercentrics
- CookieYes
- CookieHub
- Consentmanager
Features- GDPR, CCPA, LGPD, POPIA, PDPA, PIPEDA, APPI, PIPL Compliance
- Pre-Boot Shield (blocks all cookies before consent)
- AI-Powered Cookie Scanner
- Google Consent Mode v2 (Native)
- A/B Banner Testing and Consent Rate Optimization
- Full Audit Trail and Consent Logs
- Self-Hosted Fonts (no IP leaks)
- Legal Text Generator
- Dedicated AI Services Category (ChatGPT, Claude, Gemini)
- Automatic Geo-Detection
- Rollover Sessions (unused sessions never expire)
- German EU Servers
Integrations- WordPress
- Shopify
- Shopware 6
- Magento 2 / Adobe Commerce
- PrestaShop
- Joomla
- Google Tag Manager
- Google Analytics 4
- REST API
Overview
Biscotti CMP is a modern, privacy-first consent management platform built by Campcruisers GmbH in Germany. Designed specifically for website owners, agencies, and e-commerce teams who need real compliance without the enterprise price tag, Biscotti combines technical precision with legal robustness across 8+ global privacy regulations.
Pre-Boot Shield and Lightweight Performance
Most cookie banners claim to block trackers before consent but few actually do it properly. Many load the banner and the tracking scripts at the same time, meaning data is already being collected before your visitor has made any decision. Biscotti’s Pre-Boot Shield is different. It ensures that absolutely nothing fires before the user makes a consent decision. No trackers, no pixels, no scripts, no exceptions. The consent script itself is built to be lightweight with zero performance impact and no Cumulative Layout Shift (CLS), so your site speed scores stay clean and your visitors don’t experience any layout jumping as the banner loads.
For site owners running on tight performance budgets or managing high-traffic pages, this matters as much as the compliance itself. Google rewards fast, stable pages and penalizes anything that degrades the user experience, so getting your CMP right is good for both your legal standing and your search rankings
AI-Powered Cookie Scanner
Manually identifying and categorizing every cookie on a modern website is a compliance nightmare, especially when third-party tools, plugins, and embedded scripts are constantly changing what they drop. Biscotti’s AI-powered scanner automatically detects and categorizes all first-party and third-party cookies, pixels, beacons, and tracking scripts active on your site. It identifies analytics, marketing, and social media trackers, then surfaces anything that’s firing before consent, which is where most GDPR violations happen.
The scanner runs directly from within the dashboard, so there’s no need for separate tools or external audits. As your site evolves and new integrations are added, the scanner keeps your cookie declaration accurate and up to date, reducing the risk of unknowingly falling out of compliance between manual reviews.
Native Google Consent Mode v2
Since March 2024, Google Consent Mode v2 has been mandatory for any site running Google Ads or Analytics targeting EU users. Without it, you lose access to ad personalization features and your conversion data becomes unreliable. Biscotti sends all required consent signals automatically with no manual configuration and no guesswork. It supports both Basic Mode, where Google tags load only after consent is given, and Advanced Mode, where tags load immediately but operate in a cookieless state until the user consents, enabling better conversion modelling from Google even when consent is declined.
Meta and Microsoft UET consent signals are also handled natively, so your full advertising stack stays functional and compliant without you having to manage multiple signal configurations across different platforms.
A/B Banner Testing and Consent Rate Optimization
Your consent acceptance rate directly affects your ad data quality, your analytics accuracy, and ultimately your ability to make informed marketing decisions. A banner that performs even 10% better at driving opt-ins means significantly more usable data flowing into your ad platforms. Biscotti lets you test banner variants against each other to find the configuration that maximizes opt-in rates for your specific audience, testing different layouts, placements, button text, and colour schemes.
Beyond optimization, a full audit trail logs every consent decision, change, and revocation across your domains, keeping you audit-ready at all times. If a data protection authority or legal challenge ever requires you to prove consent was properly obtained, Biscotti’s logs give you the documented evidence you need.
One-Click CMS and E-Commerce Integrations
Biscotti offers official plugins and native extensions for WordPress, Shopify, Shopware 6, Magento 2, Adobe Commerce, PrestaShop, and Joomla, covering the vast majority of websites and online stores that agencies and founders are actually running. The WordPress plugin is listed in the official WordPress plugin directory, supports Gutenberg blocks for easy placement, and includes shortcodes for embedding legal texts such as cookie declarations directly into your privacy policy pages without any custom coding.
The Shopify app integrates natively with theme settings and handles consent management automatically at the storefront level, keeping the checkout experience smooth and compliant. For teams with more complex setups or custom-built platforms, a full JavaScript API and server-side REST API are available, giving developers the flexibility to integrate Biscotti into virtually any tech stack.
Built for Agencies: Run Your Own White-Label Consent Business
Biscotti isn’t just for managing your own website. With the Agency plan, you can run cookie compliance as a service for your clients under your own brand. The dedicated Agency dashboard gives you a centralized view of all your clients in one place, with the ability to add new clients, manage their websites, and oversee their compliance status without ever logging out. Each client gets their own isolated account, their own consent configuration, and their own banner setup, while you retain full oversight from a single reseller dashboard.
Sub-accounts mean your clients can log in and manage day-to-day settings themselves if you choose, or you can handle everything on their behalf. With unlimited sessions, a real-time scanner, and dedicated support included in the Agency plan, you have everything you need to offer a professional, fully managed GDPR compliance service to your clients, whether you’re a web agency, a freelance developer, or a digital consultant looking to add a recurring revenue stream to your business.
Stop leaving your site exposed to GDPR fines and legal warnings.
Lock in your Biscotti lifetime deal exclusively at Earlybird.
Plan & Features
Deal Terms and Conditions
Lifetime access to Biscotti All future updatesYou must activate your license within 60 days of purchase
30 day money-back guarantee.
Try it out for 30 days to make sure it’s right for you!
Features Included In All Plans
Biscotti FAQ – Know Before You Fly
Can I use Biscotti across multiple websites?
Does Biscotti stay up to date with changes in privacy law?
Is Biscotti suitable for agencies managing client websites?
Does Biscotti work with WordPress?
Is my data stored in the EU?
What regulations does Biscotti cover?
Biscotti
Biscotti is a lightweight, ultra-fast consent management platform built for GDPR, CCPA, TCF 2.3 and global privacy law compliance, with EU-hosted data, native Google Consent Mode v2, and one-click integrations for all major CMS and e-commerce platforms.
- 73%
Price range: $49.00 through $399.00
Choose Your Plan
From the Founder
2 reviews for Biscotti
02 Customer(s) recommended this item
-
An opportunity not to be missed
I was already looking for software, and Biscotti exceeded my expectations. It’s not a simple program; it supports many languages, including Turkish. It’s fantastic cookie software for our websites in both Germany and Turkey – I don’t want to just say it’s great because there’s so much more to it. The support is essential; they dealt with any problems immediately. I feel very lucky to have had the early purchase opportunity. As someone who has tried many alternatives on the market, I think this time I’ve found the perfect software for my needs.
March 22, 2026Verified Review -
The Ultimate GDPR & Cookie Tool for Agencies
Running an agency means strict privacy compliance is a nightmare. I have purchased other LTD tools for website legal compliance in the past, and they are not better than this one at all. Managing consent usually meant choosing between bloated plugins or ridiculous monthly SaaS subscriptions, but this tool solves that completely, making it one of the highest-value additions to my stack.
The pre-boot shield genuinely blocks marketing scripts before consent without breaking site structure. Crucially, it integrates with modern consent modes to retain conversion data, while the automated legal suite generates compliant policies to save hours of boilerplate drafting.
The absolute super feature here is the automated website scanner. Instead of manually mapping pixels, the AI constantly crawls your domains—up to every fifteen minutes on the agency tier—to automatically detect, categorize, and block new cookies. If a client randomly installs a rogue tracking tool without telling you, the scanner catches it immediately, ensuring the site remains perfectly compliant without you having to lift a single finger.
The agency whitelabeling is also brilliant. Managing sub-accounts from a centralized dashboard looks incredibly professional. The user interface is gorgeous, and banners are completely customizable.
If you manage multiple domains and want to bulletproof sites without monthly fees, do not sleep on this. Five out of five stars!
March 17, 2026Verified Review
Leave feedback about this
You must be logged in to post a review.
Got a Question? Ask here.
Guest
March 10, 2026
Hi, what if the 25 sub accounts are all used? Do you offer paid extensions after that?
Founder
March 10, 2026
Yes, paid extensions are definitely in the cards. While we haven’t finalized the exact details and pricing for them yet, I can promise you that we won’t leave you hanging. We’ll make sure the pricing stays fair and specifically honors the value of your Earlybird Lifetime Deal!
Guest
March 10, 2026
This looks like a great product. I have a few questions though please:
What happens if we go over the allotted sessions per month?
What are the additional costs if we eventually require additional sessions or additional sub acocunts?
(Level 3 looks perfect for our use case right now, but always useful to know how costs may rise with growth)
Founder
March 10, 2026
Hi Tim,
we totally understand that you wish to plan ahead! Unused sessions from the current month automatically roll over to the next month (capped at 1x your monthly limit, so they don’t accumulate indefinitely. This gives you a natural buffer for busier months. If you do exceed your limit even with rollover, don’t worry — your banner won’t disappear or stop working. We’ll reach out and work something out. We’re still finalizing the exact pricing for add-on packages such as additional subdomains, so I can’t give you specific numbers just yet. What I can tell you is that we’re committed to keeping it fair and transparent — no surprise bills or aggressive overage charges. The Earlybird Lifetime Deal is genuinely lifetime for the included features and limits, and any future extensions will be priced reasonably.
Happy to answer any other questions!
Best, Daniel
Guest
March 10, 2026
On tier one:
-Can we create privacy policies?
-100K session limit is that per site we add?
-Can we change the look of the Cookie logo to a yellow or blue cookie icon if we prefer?
-Can we change the look of the cookie banner for example all black or all blue?
-Can we choose the location or languages for where the cookie can pop up? for example in the US cookie banners are not necessary.
Verified Gang Member
March 10, 2026
1. What are the features of the 25 Sub-Accounts for Tier 3?
2. For Tier 3 are the 5M sessions divided among the 25 Sub-Accounts?
3. Will the Sub-Accounts be able to access their account separately (for privacy reasons) from the other sub-accounts?
4. Is Custom Domain (CName) included for Tier 3 as part of White-Labeling?
Founder
March 12, 2026
Hi Peter,
thanks for getting back to me and sorry again for the wait on my end! I’ve put together the answers to your questions below.
First off, just a quick heads-up: we’ve recently added a new tier. Tier 4 is now our dedicated LTD for agencies (this is essentially what used to be Tier 3).
Regarding the sub-account features, we’ve actually upgraded the offer to 50 sub-accounts (up from 25). Each one gets its own separate dashboard with full CMP functionality, including consent banners, analytics, and compliance reports. As the agency owner, you can manage everything from a central dashboard with full whitelabeling—your own logo, brand colors, custom domain (CNAME), and even your own mail server.
The 5M sessions act as a shared pool for your agency and all sub-accounts. You can distribute these sessions however you like from your dashboard, which gives you a lot of flexibility based on your clients’ actual traffic. When it comes to access and privacy, every sub-account has its own login credentials. They can’t see each other’s data at all—they only have access to their own websites and settings, so privacy is guaranteed.
Lastly, regarding the custom domain (CNAME): this is an exclusive feature for the Agency plans (Tier 4). While Tier 3 (LTD Business) allows you to remove the Biscotti branding from the banner, the full CNAME functionality is reserved for Tier 4.
If you have any other questions or need more details on any of these points, please just let me know – I’m happy to help!
Guest
March 11, 2026
I would love to see a Tier 1 upgrade to get the white-label branding, because I do not need more sessions to get Tier 2 for that.
Founder
March 12, 2026
Hi Max, sorry for letting you wait. Tier 1 does actually allow you to remove all Biscotti branding from the banners you create. Plus you can manage as many websites as you like. However, the real white label features (the complete tool in your branding, your own mailserver, your domain, etc.) are only available in the agency plan. Let me know if you have any other questions.
Verified Gang Member
March 17, 2026
Hey folks; curious about the 1m credit packs. Am I right in assuming they’re one-time use credits to cover overages?
Cheers
Allen
Founder
March 18, 2026
Hi Allen! Yes, exactly. The 1M Session Credit Packs are one-time top-ups exclusively for Agency (Tier 4) users to cover traffic peaks. Credits are valid for 12 months, roll over month-to-month within that window, and are consumed after your plan’s included sessions are used up. Up to 5 packs can be active at once.
Verified Gang Member
March 18, 2026
Does your REST API support creating new websites, configuring banners, and retrieving embed codes programmatically? Can you share the API documentation? I can’t find it anywhere.
Founder
March 18, 2026
Hey Glenn,
Great question! I actually had to check in with the team on this one real quick.
We are going to build these features out for you, and the API documentation will follow shortly. Give us a couple of days, please. Are there any other specific data points or endpoints you’d like to have access to? Since we’re already working on implementing this, we might as well knock it all out at once!
Also, just as a heads-up: we will be adding the ability to query billing data for agencies. This way, agencies can easily pass the usage data of their sub-accounts straight to their CMS or invoicing tools.
Let me know if there’s anything else you’d like us to include in the API!
Best,
Daniel
Verified Gang Member
March 20, 2026
This is incredible — thank you for building to the community’s needs. You’ve opened pandoras box! We run an agency platform that automates blog deployment for local businesses each on their own domain. Our entire onboarding is automated end-to-end, so API access is the difference between Biscotti being a nice tool and being a core part of our stack.
Here’s our full wish list:
**Core endpoints (must-haves for us):**
1. **Create website** — POST with domain, company name, location (country/region), industry category. Returns a site_id.
2. **Configure policies per site** — Enable/disable specific policy types (cookie, privacy, TOS, acceptable use, return, app privacy) per site_id.
3. **Get embed codes** — Given a site_id, return the cookie consent banner script AND the hosted URLs / embed snippets for each enabled policy. This is the big one — we inject these into client sites automatically at deploy time.
4. **Update site** — Change domain, company name, or enabled policies after creation.
5. **Delete site** — Clean up when a client churns.
6. **List all sites** — GET all sites on our account with site_ids, domains, and enabled policy types.
**Agency/sub-account management:**
7. **Create/delete sub-accounts via API** — Assign websites to sub-accounts programmatically.
8. **Set session allocations per sub-account** — Distribute from the shared pool via API.
**Scanner & analytics:**
9. **Get scanner results via API** — Detected cookies/trackers per domain, so we can surface compliance status in our own client dashboard.
10. **Get consent analytics via API** — Acceptance/rejection rates per domain. Our clients want to see opt-in performance without logging into Biscotti.
**Customization:**
11. **Banner customization via API** — Set colors (hex values), position, button text. We store each client’s brand colors and want to auto-match their consent banner to their site design.
12. **Legal text regeneration via API** — Trigger a refresh when a client’s business details change.
**Webhooks:**
13. **Scan alert webhook** — Notify us if a rogue tracker is detected on a client site. We’d flag it in our dashboard automatically.
14. **Regulation change webhook** — Notify when policies need regeneration due to law changes.
**Billing (you mentioned this already):**
15. **Per-sub-account usage data** — Sessions consumed, scan counts, policy status. We’d pipe this into our invoicing.
**Our use case in a nutshell:** Client signs up → our system calls your API to create their compliance pack → configures policies based on their business type → retrieves embed codes → injects into their website automatically at deploy → banner matches their brand colors → client never touches compliance, it’s just done. Zero manual steps.
Happy to jump on a call if it helps scope any of this. We’re going Tier 4 either way — this is exactly the tool we’ve been looking for.
Glenn
Founder
March 21, 2026
Hey Glenn,
many thanks for your wish list — really helpful to see the full picture of your use case. Here’s an honest breakdown of where things stand today.
What’s already live and ready to use:
– The core website management endpoints exist. You can create a website via POST (passing domain, language, and target region — we’ll be adding company name and industry category fields soon), list all your sites, and retrieve the embed code (the consent banner script snippet) for any given site.
– Consent analytics are also available via the API — you can pull accept/reject/partial rates per domain for any time window, which covers your client dashboard needs.
– On the agency side, you can already list all sub-accounts and pull a full usage report with per-client session breakdowns, which should cover your invoicing pipeline.
– Banner customization is fully supported with complete CRUD — you can create, read, update, and delete banners via the API, setting theme colors (hex values), position, button text, and geo-targeting programmatically.
– Scanning can be triggered via the API as well.
– The webhook infrastructure is fully in place. You can create webhook endpoints, subscribe to event types, test delivery, view delivery history, and regenerate signing secrets. Currently it fires on consent.granted and consent.revoked events.
What’s partially built and easy to add (days, not weeks):
– Update website and delete website — the underlying operations exist in our internal API, they just need to be exposed on the public developer API. Trivial to wire up.
– Create and delete sub-accounts via API — listing already works on the public API, and the create/delete logic exists on the internal agency routes. Just needs to be mirrored to the public API.
– Set session allocations per sub-account — the sessionsLimit field already exists on each client record. We just need a PATCH endpoint on the public API.
– Configure policies per site — the data model supports this, but there’s no dedicated public endpoint yet. Straightforward to expose.
What’s not yet built:
– Get scan results via API — you can trigger scans today, but retrieving the actual findings (detected cookies, trackers, categories) via the public API isn’t wired up yet. The data is all there internally, so this is medium effort.
– Legal text regeneration via API — currently dashboard-only since it runs through our AI generation pipeline. Exposing it via API is feasible but needs careful rate-limiting and async handling.
– Scan alert webhook (rogue tracker detected) — the webhook infrastructure is ready, but this specific event type isn’t wired yet. We need the scanner to emit the event when it detects a new or unauthorized tracker. Moderate effort.
– Regulation change webhook — this is on our near-term roadmap and we expect to ship it within the next few weeks. It will notify you when policies need regeneration due to law changes.
Under the line, around two thirds of your requests are already live or a few days away from being launched. The biggest remaining items are scan result retrieval, legal text regeneration via API, and the scan alert webhook. The regulation change webhook is on the roadmap but will take weeks rather than days.
Happy to jump on a call to align on priorities and timelines for the remaining pieces. And welcome aboard on Tier 4!
Best regards,
Daniel
Founder
March 23, 2026
Hi Glenn, the API should now meet all your needs. We’re currently testing the webhooks on the dev environment, and they’ll be deployed soon.
Verified Gang Member
March 21, 2026
With Tier 4, can we buy more Sub-Accounts (Clients).
If so, what is the cost?
Founder
March 22, 2026
Hey Dan, hope you are well – thanks for reaching out. We are discussing this internally. I will get back to you.
Verified Gang Member
March 21, 2026
Hi, are you a Google-certified CMP partner?
Founder
March 23, 2026
Hi Mark, we’re working on this. We’re 95% done with IAB TCF 2.3 compliance; we just need to make two or three more fixes, and then the audit can begin. I’m optimistic that we’ll be able to send everything to IAB Europe tomorrow. Once the IAB audit is complete, Google certification will follow. We hope this goes quickly, but we want to—and need to—be transparent here: We have no influence over the duration of Google’s review process.
Guest
March 22, 2026
Hi team, will the white label allow us to use your cookie scanner under our own brand? Would be a great feature would could use so we can demonstrate where users are not compliant and therefore need our product.
Founder
March 23, 2026
Hi Andrew,
we’re currently building the white-label scanner and expect to have it ready for you within the next 10 days. It will work via a simple script tag that you can embed on your website, allowing the results to appear with your own branding and a custom call-to-action button. You’ll also have API access for programmatic use and can manage all branding settings directly from your dashboard. The idea is to let prospects scan their domains on your site and then direct them straight to your contact form based on their results. I’ll share an update as soon as it´s live and tested.
Cheers,
Daniel
Guest
March 24, 2026
When do I need the Data Processing Agreement (DPA) Generation that you only offer for Tier 3 and Tier 4?
Founder
today 4:44 am
Hi Max,
Thanks for your question! To be precise: you don’t actually need the “DPA Generation” feature itself—what you legally need is a DPA (Data Processing Agreement). Our tool in Tiers 3 and 4 simply helps you create one quickly and easily. You need a DPA (called AVV in German) whenever you process personal data on behalf of others (for example, if you run an agency and need to provide DPAs to your clients) or when you share user data with third-party processors. A classic example is using tools like Google Analytics or Mailchimp. Because they process your visitors’ data (like IP addresses or emails) on your behalf, you are legally required to have a DPA with them.
And this isn’t just a European requirement; US companies often need these agreements too:
– In Europe: Under the GDPR (Article 28), a DPA is a strict legal requirement whenever a third party processes personal data on behalf of a data controller. This applies to any business worldwide targeting EU citizens.
– In the US: Under state privacy laws like California’s CCPA/CPRA, Cal. Civ. Code § 1798.100(d) and CPRA Regulations § 7051 explicitly require a contract (often called a Service Provider Agreement) to strictly regulate data sharing and prohibit the external service from using the data for its own purposes. Functionally, this is exactly the same as a DPA.
One important disclaimer: We are software developers, not specialized lawyers. While our AI generates these DPAs in very high quality, this does not constitute official legal advice. For absolute legal certainty, we always recommend consulting a lawyer. We are actually planning to offer an optional secondary legal review by a certified lawyer directly within our app in the future, but this feature is not implemented just yet!
Best regards,
Daniel
Guest
March 24, 2026
Could you please provide us with more options to customize the Banner and other elements?
Founder
today 4:45 am
Hey Max, let me know what additional customisation options you need and I will see what I can do. Cheers ! 🙂
Verified Gang Member
today 5:59 am
*Pre-sales questions – Agency Tier 4 for WordPress managed services*
Hi Biscotti team,
We are a Swedish web agency (Win Win Web) managing WordPress sites for small business clients. We are considering Tier 4 and have a few questions before purchasing:
Swedish language & legal texts
1. Are the AI-generated legal texts (privacy policy, cookie policy) available in Swedish?
2. Are the Swedish texts adapted to IMY (Integritetsskyddsmyndigheten) guidelines — Sweden’s national data protection authority — and not just general GDPR requirements?
3. When Legal Auto-Update triggers, does it also update Swedish-language texts, or only certain languages?
Agency dashboard & workflow
4. When we add a new client domain from the agency dashboard, what exactly do we need to do on the WordPress site itself? Is it only a one-time plugin installation + API key connection?
5. After the plugin is installed on the client’s WordPress site, can we manage all banner configuration and legal texts entirely from the agency dashboard without touching the client’s WP admin?
Legal text generation & credits
6. On Tier 4, is legal text generation truly unlimited with no credits or usage limits?
Risk & continuity
7. If a client’s site uses Biscotti and we ever need to migrate to another CMP solution, how do we export consent logs and legal texts? Is there a data export function?
Thanks in advance — looking forward to your response.
Best regards,
Anders Granholm
Win Win Web, Sweden, Europe.
winwinweb.se
Hi Faruk,
Thank you so much for your review, your kind words, and your patience regarding the Turkish/German language mix in the banner. I’m glad we were able to resolve it on the fly. As Daniel mentioned, the new WordPress plugin will be released very soon. He wanted to send it over to you last night, but we decided to postpone and run all the WordPress directory compliance checks first, plus an additional auditing procedure, just to ensure everything works as promised.
We will be in touch shortly.
Best,
Philipp