Cookie Policy

4. Detailed Cookie Table

Below is a comprehensive list of cookies used on our Services:

5. Third-Party Cookies

We allow trusted third-party service providers to set cookies on our Services for:

Analytics Partners:

• Google Analytics – Usage analytics and behavior tracking
• Mixpanel – Advanced analytics and event tracking
• Hotjar – User session recording and heatmaps

Marketing & Advertising:

• Facebook – Conversion tracking and audience building
• Google Ads – Performance marketing and retargeting
• Pinterest Ads – Visual commerce and audience targeting
• LinkedIn Ads – B2B advertising and lead generation
• Criteo – Dynamic product retargeting

Affiliate & Partner Tracking:

• Impact.com — affiliate click + conversion attribution via first-party domain impact.upmos.com; consent gated; opt out via Cookie Preferences (Marketing category). See Affiliate Program Terms for the underlying program.

Payments & Security:

• Stripe – Payment processing and fraud detection
• Cloudflare – DDoS protection and security

These third parties are bound by Data Processing Agreements and must comply with GDPR, CCPA, and other privacy laws.

6. Other Tracking Technologies

Pixels & Web Beacons

These are transparent 1×1 pixel images embedded in emails and pages to track:

• Email open rates and click-through rates
• Page views and engagement
• Conversion tracking

Device Fingerprinting

We may use device fingerprinting (non-PII identifiers like browser type, OS, screen resolution) to:

• Detect and prevent fraud
• Recognize returning users without cookies
• Comply with security requirements

Legal basis: device fingerprinting receives the same treatment as cookies under ePrivacy Directive Article 5(3) — where fingerprinting is strictly necessary for fraud prevention and security (an essential function of the Services), it is exempt from consent; otherwise we obtain consent and rely on GDPR Article 6(1)(f) (legitimate interests in security and abuse prevention).

Local Storage & IndexedDB

We use browser storage to:

• Cache essential data for faster loading
• Store offline functionality data
• Remember user preferences

You can clear local storage via browser settings.

7. Your Rights & Control

Cookie Consent Management

When you first visit our website, we present a consent banner allowing you to:

• Accept All: Accept all non-essential cookies
• Reject All: Reject all non-essential cookies (only essential cookies used)
• Customize: Choose which categories to accept/reject
• Manage Later: Update preferences anytime at Cookie Preferences

Browser Cookie Management

Most browsers allow you to control cookies. See guides for:

• Google Chrome
• Firefox
• Safari
• Edge & Internet Explorer

Disabling Cookies

Opting Out of Targeted Advertising

Opt out of behavioral advertising via:

• Digital Advertising Alliance (DAA)
• Network Advertising Initiative (NAI)
• TrustArc (IAPP)
• YourAdChoices

Withdrawal of Consent (GDPR Art. 7(3))

Per GDPR Article 7(3), withdrawing your cookie consent is as easy as giving it. The same one-click mechanism that records your consent also records its withdrawal:

• Click the “Cookie Preferences” link in our site footer (same surface as the acceptance banner)
• Toggle any cookie category off to withdraw consent for that category
• Changes take effect immediately across every page of the site

No emails, forms, or follow-up confirmations are required. Withdrawal does not affect the lawfulness of any cookies that were set before you withdrew consent (GDPR Art. 7(3) second sentence).

Managing Your Choices Later

You can also manage cookies the following ways:

• Clear cookies in Chrome
• Clear cookies in Firefox
• Clear cookies in Safari
• Email privacy@upmos.com to request manual removal of your consent record

8. Do Not Track & Global Privacy Control

Do Not Track (DNT)

Some browsers include a “Do Not Track” feature. We honor DNT signals where technically feasible, but DNT standards are not yet uniform across the industry. See EFF guidance on DNT.

Global Privacy Control (GPC)

Pursuant to Cal. Civ. Code § 1798.135 and 11 CCR § 7025, we recognize the Global Privacy Control (GPC) signal in your browser as a valid opt-out of sale/sharing request. The signal functions as an opt-out request for:

• Sale of personal information
• Sharing of personal information
• Targeted advertising

When GPC is enabled, we disable marketing and advertising cookies.

9. Amendments & Updates

Changes to This Policy

We may update this Cookie Policy to reflect changes in our practices, technology, or regulations. Material changes will be communicated via:

• Email notification to registered users
• Website notice
• Updated “Last Updated” date

Your continued use of our Services after updates constitutes acceptance of the revised Cookie Policy.

The change log for this Policy is maintained in the Version History table at the end of this document.

10. Children & Minors

Our Services are not directed to children under the age of 16 (or 13, where applicable under local law). We do not knowingly collect personal information from children through cookies or other tracking technologies.

Age-Gated Content

If we discover that cookies have collected data from a child under the applicable minimum age without verified parental consent, we will:

• Delete all associated cookie data and tracking information promptly
• Disable any analytics or marketing cookies that may have been activated
• Notify the parent or guardian if contact information is available

Applicable Laws

• COPPA (US): Children’s Online Privacy Protection Act, 15 U.S.C. § 6501 et seq.; implementing regulations at 16 CFR Part 312 — verifiable parental consent required before knowingly collecting personal information from a child under 13.
• UK Age Appropriate Design Code (Children’s Code): Information Commissioner’s Office statutory code of practice under Data Protection Act 2018 § 123 — applies to information society services likely to be accessed by children under 18. Upmos applies the “high privacy by default” standard for users we identify as minors: no marketing or analytics cookies, no behavioural advertising, no nudge techniques, no geolocation by default.
• GDPR Art. 8(1) (EU): Information-society services offered to a child require parental consent where the child is below the digital-consent age set by the member state (between 13 and 16, varying by member state).
• CPRA (California): Cal. Civ. Code § 1798.120(c) — affirmative opt-in required before selling or sharing personal information of consumers under 16; for children under 13, verifiable parental consent.
• GDPR (EU/EEA): Article 8(1) — for information society services offered directly to children, the age of digital consent is 16 by default; Member States may lower this floor to a minimum of 13.
• UK Age Appropriate Design Code: ICO statutory code under Data Protection Act 2018 § 123 — 15 standards for information society services likely to be accessed by children under 18.

11. Legal Basis & Consent

We process cookie data under the following legal bases as required by GDPR Article 6 and the ePrivacy Directive:

Withdrawal of Consent

You have the right to withdraw your cookie consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. To withdraw consent:

• Click “Manage Cookies” in the cookie banner
• Visit Cookie Preferences
• Email privacy@upmos.com
• Clear cookies via your browser settings

Upon withdrawal, we will cease setting non-essential cookies and delete any previously stored non-essential cookie data within 30 days.

Consent Records & Demonstration of Consent

To comply with GDPR Article 7(1), which requires controllers to demonstrate that valid consent was obtained, Upmos (via our Consent Management Platform, Complianz) records and stores the following for each consent decision:

• Timestamp: Date and time of the consent choice
• Consent Choices: Your cookie-category selections (Essential, Functional, Analytics, Marketing)
• Pseudonymized IP: The truncated IP address from which consent was provided
• User-Agent: Browser and device information for audit trail purposes

Legal basis. These consent records are processed under GDPR Article 6(1)(c) (compliance with a legal obligation) — specifically Article 7(1), which obligates us to retain proof that valid consent was obtained.

Retention. Consent records are retained for three (3) years from the date of consent (aligned with EDPB Guidelines 05/2020 and typical limitation periods for regulatory investigations), after which they are permanently deleted. You may request deletion of your consent records at any time by contacting dpo@upmos.com.

State & Federal Wiretap Compliance (CIPA, Wiretap Act, HIPAA Tracking)

Session-replay, heatmap, chatbot interaction logging, and certain third-party measurement pixels raise statutory concerns under actively litigated state and federal wiretap laws. Upmos obtains prior, informed, and affirmative consent before deploying any such tracking technology, in compliance with:

• California Invasion of Privacy Act (Cal. Penal Code §§ 631, 632) — all-party-consent statute applied to session-replay and behavior-tracking pixels in the Javier v. Assurance IQ, Greenley v. Kochava, and Saleh v. Nike line of cases (2023–2025)
• Federal Wiretap Act / ECPA (18 U.S.C. §§ 2510 et seq.) — federal prohibition on intercepting electronic communications without consent
• Pennsylvania Wiretap Act (18 Pa.C.S. § 5703) — implicated in Popa v. Harriet Carter Gifts, Inc. (3d Cir. 2022) for session-replay tracking without consent
• Massachusetts Wiretap Act (M.G.L. c. 272 § 99) — all-party-consent statute applied to interactive user monitoring
• HHS OCR HIPAA Online Tracking Guidance (Dec. 2022, updated Mar. 2024) — restricts non-essential cookies and third-party pixels on pages that handle protected health information

Before any session-replay tool, heatmap analyzer, chatbot analytics, or third-party measurement pixel is activated on your session, Upmos provides a specific, granular consent notice itemizing the technology, the data it will collect, and the recipients. Consent is not pre-checked; we do not bundle consent for these technologies with general analytics cookies. You may withdraw consent for individual tracking technologies at any time through Cookie Preferences or by contacting privacy@upmos.com.

12. Jurisdiction-Specific Rights

Depending on your location, you may have additional rights regarding cookies and tracking technologies:

European Union / EEA (GDPR & ePrivacy)

• Right to access data collected through cookies
• Right to erasure of cookie-collected data
• Right to data portability for cookie-collected information
• Right to lodge a complaint with your local Data Protection Authority
• Prior consent required for all non-essential cookies (ePrivacy Directive Art. 5(3))

Supervisory Authorities (GDPR Art. 77). You have the right to lodge a complaint with your national Data Protection Authority. Representative supervisory authorities include:

• Austria: Datenschutzbehörde (DSB)
• Belgium: Autorité de Protection des Données (APD)
• France: Commission Nationale de l’Informatique et des Libertés (CNIL)
• Germany: Bundesbeauftragte für Datenschutz (BfDI)
• Ireland: Data Protection Commission (DPC) — primary one-stop-shop authority for most US tech firms
• Italy: Garante per la Protezione dei Dati Personali
• Netherlands: Autoriteit Persoonsgegevens (AP)
• Poland: Urząd Ochrony Danych Osobowych
• Portugal: Comissão Nacional de Proteção de Dados (CNPD)
• Spain: Agencia Española de Protección de Datos (AEPD)
• Sweden: Integritetsskyddsmyndigheten (IMY)
• United Kingdom: Information Commissioner’s Office (ICO)

A full list of EEA supervisory authorities is published by the European Data Protection Board at edpb.europa.eu.

California (CCPA / CPRA)

• Right to know what personal information cookies collect
• Right to delete personal information from cookies
• Right to opt out of the “sale” or “sharing” of personal information via cookies
• Right to limit the use of sensitive personal information
• No discrimination for exercising your rights

California Privacy Protection Agency (CPPA). You may file a complaint with the California Privacy Protection Agency under Cal. Civ. Code § 1798.155 if you believe your CCPA/CPRA rights have been violated. You may also notify the California Attorney General at oag.ca.gov/privacy/ccpa.

United Kingdom (UK GDPR & PECR)

• Same rights as EU GDPR plus UK-specific protections under PECR
• ICO guidance on cookies applies
• Age Appropriate Design Code protections for minors

Brazil (LGPD)

• Right to confirmation and access to cookie data
• Right to correction and deletion of cookie data
• Right to object to processing based on cookies

Canada (PIPEDA + Quebec Law 25)

• Right to know about cookie data collection practices
• Right to access and correct cookie-collected data
• Meaningful consent required for non-essential cookies (Office of the Privacy Commissioner of Canada guidance)
• Quebec residents: additional rights under An Act respecting the protection of personal information in the private sector as amended by Law 25 (2021), including default-private settings and Privacy-by-Design

Japan (APPI)

• Right to disclosure, correction, and cessation of use of personal data, including data derived from cookies (Act on the Protection of Personal Information, Act No. 57 of 2003, as amended)
• Consent and joint-use disclosure for third-party transfers, including international transfers

Switzerland (nFADP)

• Rights under the revised Federal Act on Data Protection (in force 1 September 2023) closely paralleling GDPR access, rectification, and objection rights
• Right to lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC)

United States (State Privacy Laws — 2024-2026 Wave)

In addition to federal and California rights, you may have additional privacy rights under emerging state legislation:

• Connecticut (CTDPA): Conn. Pub. Act 22-15 (eff. Jul 1, 2023) — access, correct, delete, opt-out of sale/sharing/targeted advertising
• Texas (TDPSA): Tex. Bus. & Com. Code Ch. 541 (eff. Jul 1, 2024) — know, delete, correct, opt-out of sale/processing
• Oregon (ORCPA): ORS Ch. 646A.570 (eff. Jul 1, 2024) — access, delete, portability, opt-out of sale/sharing
• Montana (MCDPA): Mont. Code §§ 30-14-2801 et seq. (eff. Oct 1, 2024) — access, delete, correct, opt-out of targeted advertising
• Delaware (DPDPA): Del. Code Ch. 12D (eff. Jan 1, 2025) — know, delete, correct, opt-out of targeted advertising/profiling, portability
• Iowa (CDPA): Iowa Code Ch. 715D (eff. Jan 1, 2025) — access, delete, opt-out of sale/targeted advertising, correction
• New Hampshire: N.H. Rev. Stat. Ann. ch. 507-H (eff. Jan 1, 2025) — access, correction, deletion, opt-out of sale/targeted advertising
• New Jersey (NJDPA): N.J. Stat. Ann. §§ 56:8-166.4 et seq. (eff. Jan 15, 2025) — know, delete, correct, portability, opt-out of targeted advertising/sale
• Tennessee (TIPA): Tenn. Code Ann. §§ 47-18-3201 et seq. (eff. Jul 1, 2025) — access, delete, portability, opt-out of sale/sharing/targeted advertising
• Minnesota (MCDPA): Minn. Stat. ch. 325O (eff. Jul 31, 2025) — access, delete, correct, portability, opt-out of targeted advertising/sale/profiling
• Maryland (MODPA): Md. Code, Commercial Law §§ 14-4601 et seq. (eff. Oct 1, 2025) — access, delete, correct, portability, opt-out of targeted advertising/sale/profiling
• Indiana (CDPA): Ind. Code §§ 24-15-1 et seq. (eff. Jan 1, 2026) — know, delete, opt-out of sale/targeted advertising

13. Cross-Border Data Transfers

Cookie data collected on our Services may be transferred to, stored in, and processed in countries outside your country of residence, including the United States.

Safeguards

When we transfer cookie data internationally, we ensure adequate protections through:

• Standard Contractual Clauses (SCCs): European Commission Implementing Decision (EU) 2021/914 — the modular contractual safeguards used for transfers to third countries lacking an adequacy decision, in light of Schrems II (Case C-311/18)
• Adequacy Decisions: Transfers to countries deemed adequate by the European Commission
• EU-US Data Privacy Framework (DPF): Commission Implementing Decision (EU) 2023/1795 (eff. Jul 10, 2023) replaced Privacy Shield following the CJEU’s Schrems II decision. Upmos’s and our service providers’ DPF certification status (where applicable) can be verified at dataprivacyframework.gov. The DPF is currently subject to legal challenge before the CJEU (la Quadrature du Net v. European Commission); accordingly, Standard Contractual Clauses remain in place as a supplementary safeguard.
• Binding Corporate Rules: Internal rules for multinational data transfers
• Supplementary Measures: Technical and organizational measures including encryption, pseudonymization, and access controls
• UK Extension to the EU-US Data Privacy Framework: UK Secretary of State adequacy decision (eff. Oct 12, 2023) extending the DPF to UK-to-US transfers
• Swiss-US Data Privacy Framework: Swiss FDPIC recognition (eff. Sep 15, 2023) enabling DPF-certified transfers between Switzerland and the United States, aligned with the Swiss nFADP

14. Data Protection Officer

Our Data Protection Officer (DPO) oversees cookie compliance and data protection matters:

You may also contact your local Data Protection Authority if you are not satisfied with our response.

15. Frequently Asked Questions

What are strictly necessary cookies?