[00]open source · v0

Privacy & consent, as primitives.

PolicyStack ships small, composable building blocks that let teams handle privacy and consent the way they handle auth, payments, or feature flags — as code, in their stack, version-controlled, testable, and ready for AI agents.

openpolicy.ts
import { defineConfig, LegalBases } from "@openpolicy/sdk";

export default defineConfig({
  company: {
    name: "Acme, Inc.",
    contact: { email: "privacy@acme.com" },
  },
  jurisdictions: ["eu", "us-ca"],
  data: {
    collected: {
      "Account Information": ["Name", "Email"],
      "Usage Data": ["Pages visited", "IP address"],
    },
  },
  cookies: {
    used: { essential: true, analytics: true, marketing: true },
  },
});

https://acme.com/privacy

Home / Legal / Privacy

Privacy Policy

Acme, Inc. · Last updated April 2026 · Effective May 2026

We collect a small amount of data to keep your account working and to understand how the product is used. The categories below are the complete list — nothing else is stored or shared.

1. Information we collect

The following data is associated with your account.

account: email, name
analytics: device, ip

2. Cookies and trackers

We only set cookies in the categories you have accepted.

necessary: session
analytics: ga
marketing: meta_pixel

[01]the thesis

The consent ecosystem doesn’t fit modern apps.

Today’s privacy story is heavy SaaS banners glued to hand-written legal pages. Nothing composes with your stack. Nothing is testable. Nothing speaks to AI agents.

PolicyStack is built on the opposite premise: consent and policy are infrastructure. They belong in your repo, behind types, in your tests, and out of the way.

[03]byproduct

Good DX that agents love.

We didn’t design PolicyStack for AI. We designed it so a human could grep their policy, diff a consent rule in a PR, and trust that what’s rendered matches what’s tested.

Claude reading the same typed config is just what falls out. The machine-readable surface isn’t the goal — it’s the receipt.

claude — acme-web

Add a cookie banner and privacy policy.

React + Vite detected. I’ll wire up @opencookies/react for the banner and @openpolicy/react for the policy page.

pnpm add @opencookies/core @opencookies/react

added 2 packages in 1.4s

pnpm dlx @openpolicy/cli init

created src/openpolicy.ts

Edit src/App.tsx

+ import { OpenCookiesProvider } from "@opencookies/react";
+ import { CookieBanner } from "./CookieBanner";
+
+ <OpenCookiesProvider config={cookieConfig}>
+   <App />
+   <CookieBanner />
+ </OpenCookiesProvider>
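
Review bot: `cookieConfig` is passed to `OpenCookiesProvider` in the JSX lines, but the two added imports bring in only `OpenCookiesProvider` and `CookieBanner`. Unless `cookieConfig` is already defined in src/App.tsx outside the lines shown, add its import or definition next to the other two so the provider does not receive an undefined config.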

Write src/routes/privacy.tsx

Banner gates analytics on consent. /privacy renders from openpolicy.ts. Want me to fill in the data block next?

[04]principles

Built like the rest of your stack.

[01] Version-controlled
Policies live next to your code. Changes go through PR review, not a vendor dashboard.

[02] Testable
Type-checked configs, snapshot tests for rendered policy, unit tests for consent state.

[03] Composable
Headless cores with framework adapters. Use the parts you want, swap the ones you don’t.

[04] Tiny
OpenCookies core ships under 4kb gzipped. OpenPolicy renders zero JS by default.

[05] Open source
Apache-2.0 across the board. PolicyCloud is the only commercial piece, and it’s optional.

[06] Honest
It generates documents and manages state. It does not give legal advice.

[05]sponsor

Keep the core free, forever.

OpenCookies and OpenPolicy are Apache-2.0 and will stay that way — no relicensing, no features held back behind a cloud tier. Sponsorship pays for the time it takes to keep both repos maintained, audited, and worth depending on.

[06]get started

Stop pasting cookie banners. Start shipping.

Pick a repo, install one package, and have a typed policy and a working consent flow before lunch.