Cookie Policy
Effective May 2, 2026 · UAIU Holdings Corp
The short version
ADAWCAG.org uses two strictly-necessary cookies and one local-storage entry for your consent choice. We do not use Google Analytics, Facebook Pixel, advertising cookies, session-replay, or any third-party tracker. The Calendly booking widget — the only third-party script we load — is gated behind your “Functional” consent and won't load until you opt in.
The four categories on the preferences modal
| Category | What it covers | On by default? |
|---|---|---|
| Strictly necessary | Auth session JWT and CSRF token. Required to log in and submit forms securely. Cannot be turned off. | Always on |
| Functional | Loads the Calendly booking widget when you choose to schedule a call. No tracking pixels. | Off — opt-in |
| Analytics | Privacy-preserving page-view counts (HMAC-hashed IP, no fingerprint). No GA, no Pixel. | Off — opt-in |
| Marketing | Reserved. We currently set zero marketing cookies; the toggle exists in case we ever add a remarketing pixel. | Off — opt-in |
Global Privacy Control (GPC)
We honor the Global Privacy Control browser signal. If your browser sends GPC (Brave, Firefox with the flag, DuckDuckGo, Privacy Badger), we automatically treat your visit as a deny-all opt-out: the banner never appears, Functional / Analytics / Marketing toggles are locked off in the preferences modal, and a notice explains why. This is required by the California CCPA/ CPRA, the Colorado Privacy Act, and the Connecticut Data Privacy Act.
Cookies we set
| Name | Type | Purpose | Lifespan |
|---|---|---|---|
session | Strictly necessary | HTTP-only, signed JWT used to keep you logged in. Without it you cannot use the dashboard. | 30 days, refreshed on use |
csrf-token | Strictly necessary | Anti-CSRF token paired with the session cookie to prevent forged form submissions. | Session |
Both cookies have HttpOnly, Secure, and SameSite=Lax set. Neither carries marketing identifiers and neither is shared with third parties.
Local-storage entries
| Key | Purpose | Lifespan |
|---|---|---|
adawcag_consent_v2 | JSON record of your per-category cookie choices (necessary, functional, analytics, marketing) plus a flag for whether GPC was active. So we don't re-prompt you. | Until you clear it |
adawcag_consent_v1 | Mirror of the v2 analytics flag (“accepted” / “rejected”) for backward-compat with older code paths. Will be removed in a future release. | Until you clear it |
What gets sent when you accept analytics
If you accept, we record one privacy-preserving page-view row per route visit:
- Path you visited (e.g.
/en/pricing) and locale - Referrer (the previous page) — never the full session history
- Your User-Agent string (browser + OS)
- An HMAC-SHA256 hash of your IP address salted with our server-side
JWT_SECRET— the raw IP is never written to disk
That's it. No fingerprint, no canvas hash, no advertising ID.
What we do not use
- No Google Analytics or GA4
- No Facebook Pixel or Meta tags
- No advertising or remarketing cookies
- No Hotjar, FullStory, LogRocket, or any session-replay tool
- No cross-domain identifiers
Change your mind
You can revisit your choice at any time:
Or clear adawcag_consent_v1 from your browser's storage. To delete the session cookies, use your browser's “clear cookies for this site” option, or sign out from the dashboard.