Legal

Cookie Policy

Version 1.0 — Effective: 11 July 2026

Five necessary cookies. Two optional analytics cookies. No advertising, no cross-site tracking. See also our Privacy Policy.

Your current choice

Analytics cookies are off unless you turned them on. You can change your mind here, at any time, and it takes effect immediately — we also delete the Google cookies already in your browser when you withdraw.

Strictly necessary cookies

Required for the site to work. No consent needed, and they cannot be turned off.

Strictly necessary cookies
CookieSet byPurposeExpires
authjs.session-tokenAffectLog (first-party)Keeps you signed in. Without it you would be logged out on every page.30 days
authjs.csrf-tokenAffectLog (first-party)Protects sign-in and form submissions against cross-site request forgery.Session
authjs.callback-urlAffectLog (first-party)Returns you to the page you started from after signing in.Session
al360_consentAffectLog (first-party)Remembers this cookie choice. Refusing it is not possible — without it we would have to ask you again on every page.6 months
themeAffectLog (first-party)Remembers whether you chose the light or dark interface.1 year

Analytics cookies — only if you accept

Set by Google Analytics 4, and only after you accept the analytics category. Decline, and these are never created.

Analytics cookies
CookieSet byPurposeExpires
_gaGoogle AnalyticsDistinguishes one visitor from another so we can count unique visitors rather than raw page loads.13 months
_ga_M03YS3PB52Google AnalyticsHolds the current session state for GA4.13 months

1. What this policy covers

This Cookie Policy explains the cookies and similar technologies (local storage, session storage) used on affectlog.com, app.affectlog.com, and any other AL360° Oceans by AffectLog subdomain. It supplements our Privacy Policy, which explains our processing of personal data generally. A cookie is a small file a website asks your browser to store. Some are required for a site to work at all. Others — including every analytics cookie — are optional, and under EU law we may not set them until you say yes.

2. Our position, in one paragraph

We set five strictly necessary cookies and, only if you agree, two Google Analytics cookies. That is the entire list. We run no advertising cookies, no remarketing pixels, no social media trackers, no session-recording or heatmap tools, and no cross-site tracking of any kind. Google's four advertising signals (ad_storage, ad_user_data, ad_personalization, and personalised advertising) are switched off permanently in our source code — not merely left unticked in a preference centre where a future configuration change could quietly re-enable them. We think a company that sells AI governance should be able to show its own homework.

3. Strictly necessary cookies

These cookies are required for the Platform to function: they keep you signed in, protect forms against forgery, remember your interface theme, and record your cookie choice. They set no third-party cookie and send nothing to any external company. Under the ePrivacy Directive and GDPR these do not require consent, because you cannot use the service without them. They cannot be switched off from the preference centre. You can still block them in your browser settings, but the Platform will not work: you will be unable to sign in.

4. Analytics cookies — optional, off by default

If, and only if, you accept the analytics category, we load Google Analytics 4 (GA4) and it sets the two cookies listed above. What we use it for: understanding which pages people arrive on, which paths they take through the site, which calls to action they use, and where they get stuck. It tells us that "eleven people started the scope calculator and three finished it" — the kind of thing that tells us the calculator is too long. What we send to Google: • The page you are on, with the query string stripped of any session ids, payment references, invitation tokens, or email addresses before it leaves your browser. • Categorical labels for what you clicked — for example plan_group: "self_serve", or cta_id: "scope_estate". These are fixed values from a list in our code, not free text. • If you are signed in, an opaque internal user id, plus your role and plan tier as categories. This lets us tell whether vendors and buyers get stuck in different places. What we never send to Google: • Your name, email address, telephone number, or postal address. • Your organisation's name or identifier. • Anything you type into a form, upload, or scan. • Payment card details, Stripe identifiers, invoice numbers, or session ids. This is enforced in code, not merely by policy: a blocklist strips any parameter matching those categories before dispatch, and it drops any value that looks like an email address or a Stripe identifier regardless of the name it was given.

5. Nothing loads before you choose

Until you make a choice, no Google script is fetched at all. Not a tag, not a pixel, not a "cookieless ping". This is stricter than Google's own recommended setup, which loads the tag immediately and sends anonymous pings while consent is pending in order to model the conversions it cannot measure. We do not do that, because even an anonymous ping transmits your IP address to a server in the United States, and the French supervisory authority — CNIL, our lead authority — has held that this is itself a transfer requiring a legal basis. We would rather have less data than a footnote in our own compliance story.

6. International transfer and retention

Google Analytics is operated by Google Ireland Limited, with onward transfer to Google LLC in the United States. That transfer relies on the EU–US Data Privacy Framework, under which Google LLC is certified, and on Standard Contractual Clauses as a secondary safeguard. Google acts as our processor under the Google Ads Data Processing Terms. We have configured GA4 with IP addresses not stored, Google Signals disabled, and advertising features disabled. Data retention in GA4 is set to the shortest available option (2 months for user-level and event-level data; aggregate reporting is unaffected). We rely on your consent — GDPR Art. 6(1)(a) — as the legal basis. There is no legitimate-interest fallback: if you decline, we do not measure you.

7. Changing your mind

You can change or withdraw your choice at any time, and it takes effect immediately — no page reload, no waiting period. Use the "Cookie settings" link in the footer of any page, or the button at the top of this one. When you withdraw analytics consent we do two things: we stop all measurement, and we actively delete the _ga cookies already in your browser. Merely stopping is not enough; leaving a 13-month identifier sitting in your browser after you have said no is not, in our view, an honest reading of "withdraw". Your choice is stored for 6 months, after which we ask again. This follows CNIL's guidance that consent should be renewed rather than treated as permanent.

8. Browser-level controls

Independently of our preference centre, every major browser lets you block or delete cookies: • Chrome — Settings › Privacy and security › Third-party cookies • Firefox — Settings › Privacy & Security › Cookies and Site Data • Safari — Settings › Privacy › Manage Website Data • Edge — Settings › Cookies and site permissions We honour the Global Privacy Control (GPC) signal where your browser sends one. Note that blocking strictly necessary cookies at browser level will prevent you from signing in.

9. Contact and complaints

Questions about this policy: [email protected]. The data controller is AffectLog. Our lead supervisory authority in the EEA is the Commission Nationale de l'Informatique et des Libertés (CNIL), France, and you have the right to lodge a complaint with them or with your local supervisory authority. This policy was last updated on 11 July 2026. Material changes — in particular the addition of any new vendor or cookie — will reset every stored consent and you will be asked again.