=== Biscotti CMP ===
Contributors: campcruisers, danielbosch
Donate link: https://www.biscotti-cmp.com
Tags: cookie-consent, gdpr, consent-management, tcf, privacy
Requires at least: 6.0
Tested up to: 7.0
Stable tag: 4.2.3
Requires PHP: 7.4
License: GPL v2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

GDPR Cookie Consent Management with cloud-based detection, Google Consent Mode v2, and TCF 2.3.

== Description ==

**Biscotti CMP** is a WordPress plugin that connects your website to the [Biscotti Cloud](https://www.biscotti-cmp.com) consent management platform. The plugin's admin screens — including the banner designer, settings, compliance overview, and legal documents — are rendered **natively inside your WordPress dashboard** by the plugin's own PHP templates. The plugin communicates with the Biscotti Cloud API only to **exchange data** (your banner configuration, consent records, cookie-scan results, and legal documents) over a documented REST/JSON interface. Cookie scanning, consent analytics, and AI legal-document generation run on the Biscotti Cloud service; everything you see and edit in WordPress is rendered locally by the plugin.

**Important:** A free or paid Biscotti account is required. You can create an account at [app.biscotti-cmp.com](https://app.biscotti-cmp.com). By creating an account, you agree to the Campcruisers GmbH Terms of Service ([Deutsch](https://www.biscotti-cmp.com/de/agb) | [English](https://www.biscotti-cmp.com/terms)), Privacy Policy ([Deutsch](https://www.biscotti-cmp.com/de/datenschutz) | [English](https://www.biscotti-cmp.com/privacy)), and Data Processing Agreement ([Deutsch](https://www.biscotti-cmp.com/de/avv) | [English](https://www.biscotti-cmp.com/dpa)).

= Key Features =

* **GDPR & DSGVO Compliant** — Full compliance with European data protection regulations
* **Google Consent Mode v2** — Native integration for Google Analytics, Ads, and Tag Manager
* **Cloud-Based Cookie Detection** — Automatic scanning and categorization of cookies and tracking scripts via the Biscotti Cloud
* **EU AI Act Transparency (Art. 50)** — Dedicated "AI Services" consent category for chatbots, recommendation systems, and AI-generated content, supporting the transparency obligations under Article 50 of Regulation (EU) 2024/1689 (EU AI Act)
* **GPC (Global Privacy Control) Support** — Automatic detection and respect of browser privacy signals
* **Multi-Language** — Available in 44 languages including German, English, French, Spanish, Italian, Dutch, Polish, Portuguese (Brazil & Portugal), Danish, Swedish, Finnish, Norwegian, Czech, Slovak, Hungarian, Romanian, Bulgarian, Croatian, Bosnian, Serbian, Slovenian, Greek, Turkish, Russian, Ukrainian, Japanese, Chinese (Simplified & Traditional), Arabic, Hindi, Marathi, Hebrew, Thai, Vietnamese, Indonesian, Catalan, Basque, Galician, Lithuanian, Estonian, Latvian, Maltese, and Irish
* **Geo-IP Based Compliance** — Show appropriate banners based on visitor location
* **TCF 2.3 Compatible** — Full Transparency & Consent Framework 2.3 support with Vendor List, partner disclosure, and configurable TCF toggle in plugin settings
* **Customizable Design** — Match your brand colors and style with 21 template presets including seasonal and multicultural themes, plus custom icon upload
* **Zero-Waste Rollover** — Unused sessions roll over to next month (paid plans)

= Why Biscotti CMP? =

Unlike other consent tools, Biscotti CMP was built with **German privacy law expertise** and focuses on:

1. **Legal Compliance First** — Every feature is designed with GDPR Article 7 in mind
2. **Transparency** — Clear documentation of all cookies with purpose, duration, and legal basis
3. **User-Friendly** — Clean, modern interface that doesn't annoy your visitors
4. **Performance** — Lightweight script that won't slow down your website
5. **Fair Pricing** — Pay only for what you use with metered billing

= Perfect For =

* Bloggers and content creators
* E-commerce stores (WooCommerce compatible)
* Agencies managing multiple client websites
* Enterprises requiring detailed consent documentation
* Anyone using Google Analytics, Facebook Pixel, or marketing tools

= How It Works =

1. Create a free account at [app.biscotti-cmp.com](https://app.biscotti-cmp.com)
2. Install the plugin and enter your Website ID in the setup wizard
3. The cloud-based scanner automatically detects cookies and scripts on your website
4. Customize your consent banner appearance in the Biscotti Dashboard or via the WordPress admin
5. Go live with compliant cookie consent!

= Integrations =

* Google Analytics 4
* Google Tag Manager
* Google Ads
* Facebook Pixel
* Meta Conversions API
* Matomo
* HubSpot
* Hotjar
* LinkedIn Insight Tag
* TikTok Pixel
* All major marketing & analytics tools

= Page Builder Compatibility =

Biscotti CMP provides native widgets, blocks, or modules for all major page builders:

* **Gutenberg Block Editor** – 8 native blocks with inspector controls and live preview
* **Elementor** – 8 dedicated widgets in the Biscotti CMP category
* **Divi Builder** – 8 native modules with visual builder support
* **Beaver Builder** – 8 native modules in the Biscotti CMP group
* **WPBakery (Visual Composer)** – 8 mapped elements with visual controls
* **Oxygen Builder** – 8 native elements with option controls
* **Spectra** – Works automatically via Gutenberg blocks
* **Kadence Blocks** – Works automatically via Gutenberg blocks
* **Brizy** – Works via native shortcode support
* **Thrive Architect** – Works via native shortcode support

= Translation Plugin Compatibility =

* **WPML** – Full support via Language Bridge
* **Polylang** – Full support via Language Bridge
* **TranslatePress** – Full support via Language Bridge
* **Weglot** – Full support via Language Bridge
* **MultilingualPress** – Full support via Language Bridge
* **Loco Translate** – Full support (standard WP locale)

= WooCommerce Compatibility =

* Automatic cookie categorization (essential, analytics, marketing)
* Consent-aware tracking script deferral
* Google Analytics for WooCommerce integration

== External Services ==

This plugin connects to the external Biscotti Cloud platform to provide its core functionality. Cookie scanning, consent analytics, and legal-document generation are performed on the Biscotti Cloud service, not locally. The plugin's admin screens are rendered locally in WordPress by the plugin's own PHP templates; the plugin exchanges only **data** (not user-interface code) with the Cloud API. **The plugin requires an active connection to the Biscotti Cloud API to function.**

The following external services are used:

= 1. Biscotti Cloud API (Required Service) =

The Biscotti Cloud API is the core external service that powers the plugin's data and consent functionality. The plugin's WordPress admin pages are rendered **locally** by the plugin's PHP templates; they call the Cloud API over a documented REST/JSON interface to read and write data.

**Admin data exchange:** When you open a Biscotti CMP admin page, the plugin requests the relevant **data as JSON** from `api.biscotti-cmp.com` (for example: your saved banner configuration, settings, consent statistics, cookie-scan results, or legal documents) and renders it locally using its own PHP templates. When you save a setting, the plugin sends the changed values as JSON to the same API. No user-interface markup or executable code is downloaded from the API for the admin screens.

**Consent banner script:** On every frontend page load (when the banner is enabled), the plugin loads the consent banner JavaScript (`biscotti.min.js`) from `api.biscotti-cmp.com/scripts/biscotti.min.js`, so all sites receive the current engine without manual plugin updates. A copy of the same script ships with the plugin (in `assets/js/`) as an offline fallback. This script renders the consent banner, manages visitor consent choices, and communicates consent decisions back to the Cloud API.

**Domains contacted:**

* `api.biscotti-cmp.com` — API server for admin data exchange, configuration, consent data, and delivery of the consent banner script (`biscotti.min.js`)

**Data sent to the Biscotti Cloud API:**

* Website domain and Website ID (for account identification)
* Consent preferences (visitor consent choices per category)
* Anonymized visitor data (consent interactions, no personal data)
* Configuration settings (banner design, language, enabled features)
* Legal entity data (company name, address, contact details — only when using the Legal Suite)

**Service Provider:**
Campcruisers GmbH
Berliner Str. 21 B
D-14612 Falkensee, Germany

Commercial Register: HRB 40180 P (District Court of Potsdam)
VAT ID: DE368000447

* Terms of Service: [Deutsch](https://www.biscotti-cmp.com/de/agb) | [English](https://www.biscotti-cmp.com/terms)
* Privacy Policy: [Deutsch](https://www.biscotti-cmp.com/de/datenschutz) | [English](https://www.biscotti-cmp.com/privacy)
* Data Processing Agreement (AVV): [Deutsch](https://www.biscotti-cmp.com/de/avv) | [English](https://www.biscotti-cmp.com/dpa)
* Imprint: [Deutsch](https://www.biscotti-cmp.com/de/impressum) | [English](https://www.biscotti-cmp.com/imprint)

= 2. Google Gemini AI (Legal Document Generation) =

The plugin's Legal Suite feature uses **Google Gemini AI** to generate legal documents including Impressum (Legal Notice), Privacy Policy, and Cookie Policy.

**Trigger:** AI document generation is triggered **only by explicit user action** in the Legal Suite wizard. It is never triggered automatically. The site administrator must actively click the "Generate" button in the wizard to initiate AI document generation.

**Data flow:** When the administrator triggers document generation, the following data is sent from WordPress to the Biscotti Cloud API, which then forwards it to Google Gemini for processing:

* Company name, legal form, and registration details
* Business address and contact information (email, phone, fax)
* Data Protection Officer (DPO) information (if provided)
* Industry-specific details provided in the Legal Suite wizard

**Processing location:** All AI processing occurs server-side on the Biscotti Cloud infrastructure. No AI processing occurs within the WordPress installation. The generated documents are returned to WordPress via the Cloud API.

**Legal Disclaimer:** AI-generated legal documents may contain errors, omissions, or inaccuracies. Campcruisers GmbH does not guarantee the correctness, completeness, or legal validity of any AI-generated document. **We expressly recommend that all AI-generated documents be reviewed by a qualified legal professional (Fachanwalt) before publication on your website.** Use of AI-generated documents is at your own risk. Biscotti CMP does not constitute legal advice and cannot replace consultation with a qualified attorney.

* Google Gemini Terms of Service: [https://ai.google.dev/gemini-api/terms](https://ai.google.dev/gemini-api/terms)
* Google Privacy Policy: [https://policies.google.com/privacy](https://policies.google.com/privacy)

= 3. GeoIP Location Services =

The plugin uses external GeoIP APIs to determine visitor location for regional compliance (showing GDPR banners for EU visitors, CCPA notices for California visitors, etc.).

**Important — Pre-Consent Processing:** GeoIP lookups occur **before** the consent banner is displayed, because the plugin must determine the visitor's region to show the legally correct banner type. This processing is based on **legitimate interest (GDPR Art. 6(1)(f))** — without knowing the visitor's country, the plugin cannot fulfill its core purpose of providing region-appropriate consent management.

**Privacy-preserving measures:**

* The plugin first checks CDN/proxy headers (e.g., CloudFlare `CF-IPCountry`) which require no external request
* External API calls are only made as a **fallback** when no CDN header is available
* Only the **2-letter country code** is retrieved — no precise location, city, or coordinates
* Results are **cached server-side for 24 hours** to minimize external requests

**ipapi.co**

* Service: IP geolocation lookup (primary provider)
* When: On first page load by a visitor if no CDN header is available (result cached for 24 hours)
* Data sent: Visitor's IP address
* Data received: 2-letter country code only
* Privacy Policy: [https://ipapi.co/privacy/](https://ipapi.co/privacy/)

**ipinfo.io**

* Service: IP geolocation lookup (first fallback)
* When: If primary lookup (ipapi.co) fails, or for US state-level compliance (CCPA)
* Data sent: Visitor's IP address
* Data received: Country code or US state name
* Privacy Policy: [https://ipinfo.io/privacy](https://ipinfo.io/privacy)

**geoplugin.net**

* Service: IP geolocation lookup (second fallback)
* When: If both ipapi.co and ipinfo.io are unavailable
* Data sent: Visitor's IP address
* Data received: Country code (extracted from JSON response)
* Privacy Policy: [https://www.geoplugin.com/privacy](https://www.geoplugin.com/privacy)

= 4. IAB TCF Vendor List =

The plugin supports the **IAB Transparency & Consent Framework (TCF) versions 2.2 and 2.3**. When TCF is enabled, the plugin loads the IAB Global Vendor List from the Biscotti Cloud API and manages vendor consent signals.

**Data flow:** When a visitor grants consent via the TCF-compliant banner, vendor consent signals (TC String) are generated and transmitted to participating ad-tech vendors according to the IAB TCF specification. These signals indicate which vendors the visitor has consented to for specific processing purposes.

**Default state:** TCF support is **enabled by default**. Site administrators can disable TCF in the plugin settings under Settings → Consent.

* IAB TCF Policies: [https://iabeurope.eu/tcf-2-0/](https://iabeurope.eu/tcf-2-0/)

= 5. Third-Party Script Detection =

The plugin's consent banner script (`biscotti.min.js`) contains domain name patterns used to detect, manage, and block third-party services that may be present on your website. These patterns include references to domains such as `googletagmanager.com`, `google-analytics.com`, `facebook.net`, `connect.facebook.net`, `intercom.io`, `widget.intercom.io`, and many others.

**Important:** The plugin itself does **not** connect to any of these third-party services. These domain references are used **exclusively** for:

* **Consent management blocking rules** — intercepting and blocking scripts until the visitor grants consent
* **Content Security Policy (CSP) generation** — generating appropriate CSP headers based on consented services

The actual connections to these third-party services only exist if the site operator has independently installed them on their website. The plugin merely manages consent for those pre-existing services.

= 6. Cookie & Local Storage =

The plugin sets the following storage entries on the visitor's browser:

**Cookie: `biscotti_consent`**

* Purpose: Stores the visitor's consent decisions as a JSON object (which categories were accepted or rejected)
* Duration: 365 days (configurable by the site administrator)
* Set: Only after the visitor interacts with the consent banner (not on page load)
* Classification: Strictly necessary for consent management

**Local Storage: `biscotti_consent`**

* Purpose: Stores the same consent decisions in the browser's localStorage for client-side consent verification
* Persistence: Until the visitor clears browser data or revokes consent
* Classification: Strictly necessary for consent management

Both storage mechanisms are **strictly necessary** for the plugin's core purpose of managing and verifying cookie consent decisions. Neither is set until the visitor actively interacts with the consent banner.

= 7. Data Processing (GDPR Art. 28) =

When the plugin transmits visitor consent data and website configuration to the Biscotti Cloud API, **Campcruisers GmbH acts as data processor** under GDPR Article 28 on behalf of the website operator (data controller).

**Data Processor:**
Campcruisers GmbH
Berliner Str. 21 B
D-14612 Falkensee
Brandenburg, Federal Republic of Germany

Commercial Register: HRB 40180 P (District Court of Potsdam)
VAT ID: DE368000447
Managing Director: Daniel Bosch

**Data residency:** All data is stored on **EU servers located in Germany**. No data is transferred outside the European Union.

**Data Processing Agreement (DPA/AVV):**

* Deutsch: [https://www.biscotti-cmp.com/de/avv](https://www.biscotti-cmp.com/de/avv)
* English: [https://www.biscotti-cmp.com/dpa](https://www.biscotti-cmp.com/dpa)

Website operators who use this plugin are advised to enter into a Data Processing Agreement with Campcruisers GmbH to fulfill their obligations under GDPR Article 28.

**Full legal links:**

* Terms of Service: [Deutsch](https://www.biscotti-cmp.com/de/agb) | [English](https://www.biscotti-cmp.com/terms)
* Privacy Policy: [Deutsch](https://www.biscotti-cmp.com/de/datenschutz) | [English](https://www.biscotti-cmp.com/privacy)
* Data Processing Agreement (AVV): [Deutsch](https://www.biscotti-cmp.com/de/avv) | [English](https://www.biscotti-cmp.com/dpa)
* Imprint: [Deutsch](https://www.biscotti-cmp.com/de/impressum) | [English](https://www.biscotti-cmp.com/imprint)

== Source Code ==

The full plugin source code is publicly available at:
https://github.com/dbosch-a11y/biscotti-cmp-wordpress

The unminified source code for biscotti.min.js is included as biscotti.js in the assets/js/ directory.
The client-side consent engine source code repository is publicly available at:
https://github.com/dbosch-a11y/biscotti-cmp-client

Build instructions are documented in assets/js/BUILD.md.
Build tool: esbuild
Build command: npm run build:engine

== Installation ==

= Automatic Installation =

1. Go to Plugins → Add New in your WordPress admin
2. Search for "Biscotti CMP"
3. Click "Install Now" and then "Activate"
4. Go to Biscotti CMP → Assistant to complete the setup wizard

= Manual Installation =

1. Download the plugin ZIP file
2. Go to Plugins → Add New → Upload Plugin
3. Choose the ZIP file and click "Install Now"
4. Activate the plugin
5. Navigate to Biscotti CMP in your admin menu

= Configuration =

1. Complete the setup wizard (Biscotti CMP → Assistant)
2. Enter your Website ID from the [Biscotti Dashboard](https://app.biscotti-cmp.com)
3. Customize your banner under Biscotti CMP → Einwilligungsbanner
4. Configure integrations under Biscotti CMP → Integrationen

**Note:** The plugin requires an active internet connection to the Biscotti Cloud API. The admin screens are rendered locally in WordPress; the plugin exchanges configuration and consent **data** with the Cloud API over a REST/JSON interface (see the External Services section above for full details).

== Frequently Asked Questions ==

= Is Biscotti CMP free? =

Yes! The Free plan includes 5,000 sessions/month with essential GDPR features. Paid plans start at €4.99/month for higher session limits and advanced features (managed entirely via your Biscotti Dashboard).

= Does it work with caching plugins? =

Yes, Biscotti CMP is fully compatible with all major caching plugins including WP Rocket, W3 Total Cache, LiteSpeed Cache, and WP Super Cache.

= Is it GDPR compliant? =

Absolutely. Biscotti CMP was designed by German privacy experts to meet all GDPR requirements including Article 7 (Conditions for consent), Article 12 (Transparent information), and Article 13 (Information to be provided).

= Does it support Google Consent Mode v2? =

Yes! Native Google Consent Mode v2 integration is included. Consent signals are automatically sent to Google Analytics, Ads, and Tag Manager based on user choices.

= Can I customize the appearance? =

Yes, you can fully customize colors, texts, position, and style of the consent banner to match your brand.

= Does it block scripts before consent? =

Yes, the auto-blocking feature prevents tracking scripts from loading until the user gives consent, ensuring legal compliance.

= Is there a cookie scanner? =

Yes! The cloud-based scanner automatically detects and categorizes cookies and tracking technologies on your website. The scan is performed by the Biscotti Cloud service — the plugin transmits your website's URL and receives a structured list of detected cookies, scripts, and third-party services. Any cookies detected include their name, provider, purpose, duration, and legal basis.

= How does the EU AI Act transparency category work? =

Biscotti CMP includes a dedicated "KI-Dienste" (AI Services) consent category. Article 50 of the EU AI Act (Regulation (EU) 2024/1689) requires providers and deployers of certain AI systems to ensure transparency — particularly that individuals are informed when they are interacting with an AI system (e.g., chatbots, recommendation engines, or AI-generated content). The "AI Services" category allows website operators to obtain and document separate user consent for AI-powered features on their website, supporting compliance with these transparency obligations.

Please note: This feature provides a technical framework for managing AI-related consent. It does not constitute legal advice and does not guarantee full compliance with the EU AI Act, which may impose additional obligations depending on the risk classification of specific AI systems.

= Can I use it on multiple websites? =

Yes! Depending on your plan, you can use Biscotti CMP on multiple domains. The Agency plan includes unlimited domains.

= Where is the data stored? =

All data is stored on EU servers (Germany) in compliance with GDPR. No data is transferred outside the EU. See the External Services section for full details.

= Does the plugin send data before consent is given? =

The plugin performs a GeoIP lookup before displaying the consent banner to determine the visitor's country. This is necessary to show the legally correct banner type (GDPR for EU, CCPA for California, etc.) and is based on legitimate interest (GDPR Art. 6(1)(f)). See the GeoIP Location Services section under External Services for full details on privacy-preserving measures.

== Screenshots ==

1. Modern, customizable consent banner
2. Detailed cookie information with legal basis
3. Granular consent options per category
4. WordPress admin dashboard
5. Setup wizard for easy configuration
6. Cookie scanner results
7. Analytics and consent statistics

== Changelog ==
= 4.2.3 =
* New: Added Estonian, Latvian, Maltese and Irish — the plugin, consent banner and admin UI now cover all 24 EU official languages (44 locales in total). Portuguese remains split into pt-BR and pt-PT.
* Fix: Estonian, Latvian, Maltese and Irish WordPress sites no longer fall back to English for the consent banner and language picker.
= 4.2.2 =
* Critical Fix: Tracking scripts that are pre-blocked before consent (Google Analytics, Meta Pixel, Microsoft UET, etc.) are now correctly re-activated after the visitor accepts. Previously a pre-blocked script could be restored with a non-executable type and never run, so analytics/marketing recorded no data even after consent was granted.
* Improved: Faster first paint of the IAB TCF banner on a cold first visit (preconnect to the Biscotti API), which reduces a brief non-IAB to IAB banner flash.
* Internal: Updated bundled consent engine (US sale/share opt-out + IAB GPP handling, Do-Not-Sell reset on positive consent).

= 4.2.1 =
* Rename: The "White Label" admin section is now called "Branding" (logo, brand color, custom CSS) for clarity.
* Improved: Jurisdiction and Target Region selectors now offer the full server-resolvable jurisdiction list, including individual US states (e.g. Texas / TDPSA).
* New: The IAB TCF 2.3 toggle is now available directly in the Banner Designer (per website), and the live preview reflects the IAB layout.
* Remove: The redundant "Setup" page was removed — connect and configure directly from the Dashboard and the Banner Designer.
* Remove: Dropped the inaccurate fixed "document count" on the Subscription page; the required documents are determined by the Legal Wizard.
* Fix: The "complete the setup" admin notice now links to the Biscotti CMP dashboard (the obsolete setup-wizard link was removed).
* Fix: A/B Testing — variant editor labels and the Position/Type dropdowns (and the default variant name) are now translated; they previously appeared in English when adding a variant.
* Fix: Connection screen — the "Invalid Website ID format" error message is now translated.
* Fix: Jurisdiction & Targeting — hardened the consent-model hint against a rare load-order JavaScript error.
* i18n: Repo-wide translation-quality pass across all 40 languages — corrected 1235 wrong-sense/wrong-word-form translations (e.g. the "Running" A/B status had been translated as the sport, "Trial" as a court trial, "Minor" as underage, "Position" as a job title) and decoded 575 HTML-entity artifacts (e.g. &quot;, &#x27;) back to real characters. All 40 locales remain 100% translated.

= 4.2.0 =
* Admin UI: Completed the native rebuild — every admin screen (Dashboard, Scanner/Tools, Subscription, Documents, Services & Providers, Legal Wizard, Compliance, Jurisdiction, Company Data, Terms (AGB) Questionnaire, A/B Testing, White Label) now renders locally in WordPress via the plugin's own PHP templates and local scripts. No remote-loaded admin markup or scripts.
* i18n: All user-facing admin strings are now fully translated into 40 languages (.po/.mo shipped); the admin interface follows the selected plugin language consistently.
* New: Multi-step Legal Wizard, native Provider Editor, A/B test creation with per-variant colour pickers, and a conditional Terms (AGB) questionnaire.
* Fix: Document generation no longer times out for longer AI generations (extended the admin request timeout for generation actions).
* Fix: Plugin language can now be set to region-specific locales (e.g. pt-BR, pt-PT, zh-TW).
* Fix: A/B test creation persists variant banner configuration correctly.

= 4.1.0 =
* Architecture: Admin screens are now rendered **natively** inside WordPress by the plugin's own PHP templates (banner designer, settings, compliance, documents, about). The plugin no longer embeds or loads remote admin UI — it exchanges only data (JSON) with the Biscotti Cloud API.
* Fix: Banner Designer no longer renders a blank page — the native editor form always renders with saved-or-default values.
* Fix: Removed all iframe-based admin embedding in favor of local PHP rendering, aligning with WordPress.org plugin guidelines.
* Compliance: External Services disclosure rewritten to accurately describe the native-rendering / data-only architecture; removed an unused secondary API domain reference.
* Internal: Added native local templates for the remaining admin screens.

= 4.0.1 =
* Critical: Pre-Boot Shield now ships with the plugin and runs as the very first <script> in <head>
* Fix: Inline tracking pixels (Meta Pixel, Google Analytics, LinkedIn Insight, etc.) are now blocked BEFORE the network request fires, not just after the DOM mutation
* Fix: _fbp, _ga, _uet*, _clck and other tracker cookies no longer set pre-consent
* Improved: Site Kit blocking patterns extended (googlesitekit-consent-mode, googlesitekit-events-provider, googlesitekit-modules)
* Internal: Boot blob auto-generated from biscotti-shield.js + cmp-stub.js by build pipeline (no manual sync)

= 4.0.0 =
* Architecture: Admin pages now use sandboxed iframe (like Jetpack/Mailchimp) instead of injecting remote JS/CSS
* Fix: All CSS output uses wp_add_inline_style() — no more direct echo
* Fix: Google Site Kit restore script uses wp_add_inline_script() — no more raw <script> tags
* Fix: White-label customCss sanitized with wp_strip_all_tags() before output
* Fix: TranslatePress $TRP_LANGUAGE global access documented with clarifying comment
* Added: Public source code repository linked in readme (https://github.com/dbosch-a11y/biscotti-cmp-client)
* Added: Source Code section in readme.txt per WordPress.org Guideline 4
* Compliance: All escaping issues resolved per WordPress.org review feedback
* Compliance: No more externally-loaded executable code in admin context

For the complete version history, see changelog.txt (shipped with the plugin) or the source repository.

== Upgrade Notice ==

= 4.2.2 =
Critical fix: analytics and marketing tags now fire correctly after consent. A pre-blocked tracker could previously stay disabled even after the visitor clicked Accept, so no data was recorded. Recommended for all users.

= 4.2.1 =
Translation-quality release: corrects 1200+ mistranslated UI labels across all 40 languages, renames White Label to Branding, removes the redundant Setup page, adds the TCF 2.3 toggle to the Banner Designer, and fixes several admin links and labels. Recommended for all users.

= 3.4.0 =
Compliance: Complete readme.txt rewrite with full External Services disclosure section covering Cloud API, AI usage, GeoIP services, TCF, cookies, data processing, and third-party script detection. All legal links bilingual (DE/EN). Recommended for all users.

= 3.3.2 =
Fix: TCF 2.3 compliance improvements — correct vendor counting, Purpose 11 in all 39 languages, tcfEnabled defaults to true. Recommended for all users.

= 3.2.2 =
Fix: Critical syntax errors in i18n file corrected. Full 40-locale dashboard translation coverage. 108-jurisdiction settings panel. Recommended for all users.

= 3.2.1 =
Fix: TCF vendor list now visible by default. Missing admin i18n keys added. Strongly recommended for all users.

= 3.2.0 =
Critical: Fixes broken dropdowns, missing 39-language selector, and TCF 2.3 compliance. All admin views now render correctly. Strongly recommended for all v3.0+ users.

= 3.1.0 =
New: Full page builder compatibility (Gutenberg, Divi, Beaver Builder, WPBakery, Oxygen), translation plugin support (WPML, Polylang, TranslatePress, Weglot, MultilingualPress, Loco Translate), WooCommerce integration, and API-first document sourcing with local archiving.

= 3.0.0 =
Major architecture rewrite! The plugin is now a lightweight cloud-bridge shell (238 lines, down from 2200). All admin pages are dynamically loaded from the Biscotti Cloud API. 39 languages supported. Please ensure your Website ID is configured after upgrading.

= 1.3.0 =
This update includes improved GDPR compliance with automatic storage duration detection and full vendor information display. Recommended for all users.
