Cookie Policy
Last updated: May 31, 2026
Document owner: Privacy Engineering Lead and Data Protection Officer delegate
Review cadence: Quarterly; ad hoc on tracker, vendor, product, or legal requirement changes
Effective date: 2026-05-31
Controller / Legal entity: EthicPages, Inc.
Registered address: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
Primary contact: ethicpages+contact@invictosoft.com
1. Purpose and scope
This Cookie Policy explains how EthicPages, Inc. ("EthicPages," "we," "us," or "our") uses cookies and similar technologies when you visit our website, authenticate to your workspace, interact with hosted Trust Center pages, process subscription checkout flows, or engage with support surfaces and product communication interfaces.
This policy should be read together with our Privacy Policy, Terms of Service, and Data Processing Agreement. If you are a customer administrator, you may have additional responsibilities to provide notice to your users regarding technologies deployed in your own configured public pages.
2. What cookies and similar technologies are
Cookies are small text files placed on a device (browser, mobile webview, or similar client) to store identifiers or settings. Similar technologies include:
- local storage/session storage entries
- SDK or script-generated identifiers
- pixel tags and event beacons
- server logs that correlate session identifiers
For readability, this policy uses "cookies" as an umbrella term unless a distinction is legally required.
2.1 Categories used in this policy
| Category | Description | Typical legal basis in EEA/UK |
|---|---|---|
| Strictly necessary | Required for core site and account functions such as authentication and security | Legitimate interest and/or contract necessity; consent typically not required |
| Functional | Supports preferences and enhanced usability (language, display state) | Consent where legally required |
| Analytics | Measures traffic, behavior trends, and service performance | Consent in EEA/UK; legitimate interests in some other jurisdictions |
| Performance diagnostics | Detects errors and latency to improve reliability | Consent in EEA/UK where non-essential identifiers are used |
| Marketing/advertising | Attribution and campaign optimization cookies | Consent required in EEA/UK |
EthicPages does not rely on cross-context behavioral advertising cookies for resale of user data. We do not sell personal data as defined by many privacy laws.
3. How and why we use cookies
We use cookies to keep the Service secure, stable, and usable for procurement and compliance workflows. Specific uses include:
- Maintaining authenticated sessions and preventing account misuse.
- Preserving security signals required to detect suspicious activity.
- Improving product quality through aggregated usage measurements.
- Understanding performance bottlenecks and reliability patterns.
- Supporting lawful and transparent billing and checkout experiences.
3.1 Essential versus analytics distinction
| Use case | Essential? | Why |
|---|---|---|
| Session authentication and CSRF defense | Yes | Required to safely log in and keep sessions protected |
| Checkout and anti-fraud validation | Yes | Required for secure payment completion and abuse prevention |
| Feature usage counting for product planning | No | Useful for optimization but not required to provide core service |
| Campaign attribution for growth analysis | No | Optional and consent-gated where required |
| Error diagnostics with persistent identifiers | Usually no | Helpful for debugging but not always essential |
Where a cookie is not essential, we request consent before storing or reading it in jurisdictions that require prior consent (including EEA and UK contexts).
4. Consent management and user choices
EthicPages uses a consent interface that allows users to review cookie categories and make category-level choices. The interface appears on first relevant visit and can be reopened through footer controls or preference settings.
4.1 Consent states and behavior
| Consent state | Strictly necessary cookies | Analytics cookies | Marketing cookies |
|---|---|---|---|
| No choice yet | Allowed | Blocked in consent-required regions | Blocked in consent-required regions |
| Accept all | Allowed | Allowed | Allowed |
| Reject non-essential | Allowed | Blocked | Blocked |
| Custom selection | Allowed | Based on user choice | Based on user choice |
4.2 Withdrawal of consent
Users can withdraw consent at any time via cookie settings. Withdrawal does not affect lawfulness of processing before withdrawal but stops future processing relying on consent. Existing cookies may remain until expiry unless manually removed from browser settings; however, we stop using blocked categories after preference update.
5. EEA/UK and similar jurisdiction requirements
For visitors located in the European Economic Area (EEA), United Kingdom, and similar jurisdictions, EthicPages applies an opt-in model for non-essential cookies. This means we do not activate analytics or other non-essential categories unless consent is collected.
5.1 Regulatory alignment posture
| Requirement area | EthicPages approach |
|---|---|
| Prior consent for non-essential cookies | Enabled for EEA/UK flows |
| Granular category controls | Provided via cookie banner/preferences panel |
| Ability to withdraw consent | Provided at all times via settings/footer access |
| Documentation and records | Consent states retained according to retention policy |
| Vendor transparency | Listed in this policy and Subprocessors |
Where local law differs by country or sector, Customer remains responsible for jurisdiction-specific obligations in its own implementation context.
6. Cookie inventory
The following inventory describes common cookie classes used by EthicPages. Names may vary by deployment, browser, and update cycle. We periodically review and update this table.
6.1 Authentication and session cookies
| Cookie or identifier class | Provider | Purpose | Category | Typical retention |
|---|---|---|---|---|
| ep_session | EthicPages | Maintains authenticated user session | Strictly necessary | Session to 30 days depending on remember-me setting |
| ep_csrf | EthicPages | Prevents cross-site request forgery | Strictly necessary | Session |
| ep_auth_state | EthicPages | Stores sign-in flow state and anti-replay metadata | Strictly necessary | Session |
| ep_org_context | EthicPages | Persists selected workspace context | Functional/necessary | Up to 30 days |
6.2 Security and abuse prevention
| Cookie or identifier class | Provider | Purpose | Category | Typical retention |
|---|---|---|---|---|
| ep_security_token | EthicPages | Correlates suspicious session behavior | Strictly necessary | Up to 12 months |
| ep_rate_limit_key | EthicPages | Supports anti-automation controls | Strictly necessary | Up to 24 hours |
| stripe_mid / related anti-fraud keys | Stripe | Fraud detection and secure payment processing | Strictly necessary | Varies by processor policy |
6.3 Analytics and performance
| Cookie or identifier class | Provider | Purpose | Category | Typical retention |
|---|---|---|---|---|
| ep_analytics_id | EthicPages analytics stack | Distinguishes repeat visits for aggregate reporting | Analytics | Up to 13 months where consented |
| ep_perf_session | EthicPages monitoring tools | Correlates page performance traces | Performance diagnostics | Session to 30 days |
| ep_feature_flags | EthicPages | Enables staged rollout analysis and experiment governance | Functional/analytics | Up to 90 days |
6.4 Communication and campaign measurement
| Cookie or identifier class | Provider | Purpose | Category | Typical retention |
|---|---|---|---|---|
| ep_campaign_ref | EthicPages | Stores referral source for campaign attribution | Marketing/analytics | Up to 90 days |
| ep_newsletter_pref | EthicPages | Stores explicit email preference selections | Functional | Up to 12 months |
This inventory is representative and may change as vendors and service architecture evolve. Material changes affecting legal rights are reflected in policy updates and, where required, renewed consent prompts.
7. Retention and lifecycle management
Cookie retention is based on purpose, legal basis, and operational need. We avoid indefinite storage and remove or rotate identifiers as part of security and privacy controls.
7.1 Retention standards
| Data class | Retention approach |
|---|---|
| Strictly necessary session identifiers | Usually session-based or short-lived persistent tokens for secure authentication |
| Security event correlation tokens | Longer retention when required to investigate abuse and attacks |
| Analytics identifiers | Limited retention with periodic rotation and consent dependence |
| Marketing attribution values | Short-to-medium retention based on campaign measurement need and consent |
We may shorten retention windows in response to legal updates, incident learnings, or customer commitments.
8. Browser and device controls
Most browsers allow users to block, restrict, or delete cookies. Device controls may include private browsing modes, cookie lifetime restrictions, site-level settings, and anti-tracking features.
8.1 Practical implications of disabling cookies
| Action by user | Potential impact |
|---|---|
| Block all cookies | Sign-in, account persistence, and checkout may fail |
| Delete session cookies frequently | Repeated sign-ins and interrupted workflows |
| Block third-party cookies only | Some integrations, payment steps, or diagnostics may degrade |
| Use strict anti-tracking mode | Certain embedded content or analytics features may not function |
Blocking strictly necessary cookies can prevent secure use of the Service. If a procurement or legal team requires strict lockdown settings, we recommend validating critical workflows in advance.
9. Do Not Track and global privacy controls
Some browsers transmit "Do Not Track" (DNT) signals or related preference headers. Because industry standards for DNT response have not been uniformly adopted, our handling may vary by context and legal requirement. In jurisdictions where recognized global privacy controls have legal force, we honor them in accordance with applicable law and technical feasibility.
10. Third-party technologies and subprocessors
Certain cookies are set by trusted third-party providers supporting hosting, billing, analytics, communication, and reliability functions. Third-party processing is governed by contractual safeguards and review controls described in our Subprocessors List and Data Processing Agreement.
10.1 Third-party safeguards
| Safeguard | Description |
|---|---|
| Vendor due diligence | Security, privacy, and reliability review before onboarding |
| Contractual controls | Data processing agreements and confidentiality clauses |
| Access limitation | Role-based access and least privilege for operational access |
| Transfer mechanisms | SCCs and supplementary safeguards where required |
11. Customer responsibilities for hosted pages
If you use EthicPages hosted Trust Center capabilities, you remain responsible for:
- Providing legally accurate disclosures to your own visitors.
- Configuring consent behavior to align with your jurisdictional obligations.
- Ensuring your own embedded scripts or external tags comply with law.
- Coordinating privacy notices with your legal, security, and procurement teams.
EthicPages provides configuration support but does not assume legal responsibility for Customer-specific compliance determinations.
12. Children and sensitive categories
EthicPages is a B2B service and is not directed at children. We do not intentionally deploy non-essential tracking to users known to be under legal age thresholds for consent. We also avoid building categories intended to infer sensitive personal characteristics from behavioral data.
13. Security controls for cookie data
Where applicable, we apply security controls such as:
- secure and HttpOnly cookie flags for authentication tokens
- same-site policies to reduce CSRF exposure
- encryption in transit
- limited internal access to cookie-derived telemetry
- retention and deletion controls aligned to purpose
Cookie data can still present risk if user devices are compromised. Customers should enforce endpoint hygiene and organizational security controls.
14. Policy updates and change notifications
We may update this Cookie Policy to reflect legal requirements, technology changes, or product development. Material changes are announced through website notices, application prompts, or direct communication where appropriate. The "Effective date" and last-updated value identify the active version.
If required by law, we seek renewed consent before activating materially different non-essential cookie purposes.
15. Contact and rights requests
For cookie-related questions, consent records, or privacy rights requests, contact us at ethicpages+contact@invictosoft.com. You may request additional details about cookie categories, retention logic, and jurisdictional handling.
15.1 Contact matrix
| Inquiry type | Contact route |
|---|---|
| Cookie and tracker questions | ethicpages+contact@invictosoft.com (subject: Cookies) |
| Privacy rights request | ethicpages+contact@invictosoft.com (subject: Privacy Rights) |
| Security concern | ethicpages+contact@invictosoft.com (subject: Security) |
| Postal notice | EthicPages, Inc., 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ |
Related documents: Privacy Policy · Terms of Service · Data Processing Agreement · Subprocessors · Acceptable Use Policy