Cookie Policy

Cookies are small text files that are stored on your computer or mobile device when you visit a website. They are widely used to make websites work, or work more efficiently, as well as to provide information to the owners of the site.

This Cookie Policy explains how SoraWebs, Inc. ("we", "us", or "our") uses cookies and similar technologies on our website (https://www.croisa.com) and through our Services.

This policy also covers similar tracking technologies such as web beacons, pixels, local storage, and session storage when used in conjunction with our Services.

We use cookies for several essential purposes:

• Strictly Necessary Cookies:These are essential for the website and Service to function properly. They enable core functionality such as user login, account management, security features (like preventing cross-site request forgery), and processing payments. You cannot opt-out of these cookies as the Service cannot operate without them.
• Functionality Cookies:These cookies allow our website to remember choices you make (such as your username, language preference, or region) and provide enhanced, more personalized features. For example, they might remember your progress in the website creation form or your preferred language for the interface.
• Performance and Analytics Cookies:These cookies collect information about how you use our Service, such as which pages you visit most often, how long you spend on pages, and if you encounter error messages. This data helps us understand and improve how the Service performs. We typically use third-party analytics services (like Google Analytics or Microsoft Clarity) for this purpose.
• Marketing and Targeting Cookies:These cookies track your browsing activity to display relevant advertisements and measure the effectiveness of our marketing campaigns. They may be set by us or third-party advertising partners and can track you across different websites.
• Third-Party Service Cookies:Some features rely on third-party services which may set their own cookies.

• Session Cookies: These are temporary and expire once you close your browser.
• Persistent Cookies: These remain on your device for a set period or until you delete them.
• First-Party Cookies: These are set directly by SoraWebs, Inc.
• Third-Party Cookies: These are set by external services we use (listed below).

Different cookies have different retention periods depending on their purpose:

• Strictly Necessary Cookies: Typically retained for the duration of your session or up to 1 year for authentication purposes.
• Functionality Cookies: Usually retained for 30 days to 1 year to remember your preferences.
• Analytics Cookies: Typically retained for 26 months (Google Analytics default) or as specified by the third-party service.
• Marketing Cookies: Usually retained for 30 days to 2 years depending on the advertising platform.
• Consent Cookies: Retained for up to 1 year to remember your cookie preferences.

You can always delete cookies manually through your browser settings, which will override these retention periods.

Some cookies on our Service are placed by third parties. We do not control these cookies directly, but we use services from reputable providers. These may include:

• Microsoft Clarity(Privacy Policy)
• Google Analytics(Privacy Policy)

These third parties have their own privacy and cookie policies, linked above. We encourage you to review them.

Some of these third-party services may transfer your data internationally. Please refer to their respective privacy policies for information about international data transfers and safeguards.

Regarding Google Maps Platform/Places API:

This service is essential for features like finding and displaying business information, including the business search autocomplete. While Google operates under its own policies (linked in our main Privacy Policy), and their documentation indicates that the Places API itself does not set cookies for its operation, the use of these mapping features on our site is inherently tied to the core functionality you access by agreeing to our Terms of Service. The cookie consent banner primarily manages consent for optional cookies used for analytics, performance, or advertising by us or other third parties, not these core mapping functionalities provided by Google Platform services.

Our system uses a privacy-focused approach to track and store your cookie consent decisions:

Pseudonymous UUID System

We use a pseudonymous UUID (Universally Unique Identifier) stored in a first-party browser cookie to track and log your consent decisions. This UUID serves as the key identifier for your consent history, ensuring that records remain device- or browser-specific without broader linkages.

No Linking to User Accounts

For enhanced privacy, UUIDs are not associated with registered accounts (e.g., email or login details). This prevents unnecessary merging of personal data across sessions or devices, aligning with GDPR's data minimization principle under Article 5(1)(c), which mandates that personal data be adequate, relevant, and limited to what is necessary for the purposes.

UUID Presence in Browser Cookies

The UUID is always generated and stored in your browser cookie upon interaction with the consent banner or management tool. It persists across sessions on the same device/browser, allowing you to view your consent history directly through a self-service interface that reads the cookie. This setup ensures accessibility without requiring additional identification, supporting GDPR Article 7(1) by enabling demonstration of consent while respecting storage limitations in Article 5(1)(e).

Device-Specific Histories

If you switch devices or browsers, a new UUID is generated, resulting in a separate consent history for that context. Each history remains accurate and reflective of the decisions made on that specific device/browser, promoting privacy by avoiding cross-device tracking. This approach complies with GDPR Recital 30, which recognizes online identifiers like cookies as personal data only when they can single out individuals, but allows for pseudonymous handling to reduce identification risks.

Given our non-linking policy, access to consent records is uniform and browser-dependent for all users, whether registered or anonymous:

For All Users (Registered or Anonymous)

Access is facilitated through the browser cookie containing the UUID. You can retrieve your records via our DSAR UI tool or privacy page by allowing the system to read the cookie. No account authentication is needed or used for this purpose, as linking would introduce unnecessary personal data processing. If the cookie is present, the system displays the associated timestamped consent logs (e.g., accept/decline actions, banner versions), fulfilling the right of access under GDPR Article 15.

Implications of Cookie Deletion or Device Changes

If you delete cookies, use incognito mode, or switch devices, you lose access to the previous UUID and its history. In such cases, a new consent prompt appears, generating a fresh UUID. This may result in "different" histories across devices, but each is precise to your actions in that context. GDPR Article 11(1) supports this by stating that if the controller cannot identify the data subject (e.g., without the UUID), they are not obliged to acquire additional data solely to comply with rights requests, provided purposes can still be met otherwise. If you need to consolidate histories (e.g., across devices), you are encouraged to manually persist your UUID as needed, but this is not automated to maintain privacy safeguards.

Denial Scenarios

If you cannot provide the UUID (e.g., due to cookie loss) and request access without verifiable means, the request is denied under GDPR Article 12(2), which allows refusal if the data subject cannot be identified. We can request additional information to confirm identity per Article 12(6), but only if reasonable doubts exist. This is handled transparently, with explanations provided to you, ensuring fairness as per Article 5(1)(a).

Our setup directly addresses GDPR Article 12(1) by providing transparent information about processing and facilitating rights exercises:

Transparency

Our privacy policy clearly explains the UUID-based system, including its device-specific nature and the risks of cookie deletion, enabling you to understand how your data is handled and accessed. This meets the requirement for concise, accessible communication.

Facilitation of Rights

By relying on browser cookies for lookup, we make it easy for you to exercise rights like access (Article 15) and withdrawal (Article 7(3)) without barriers like mandatory account creation. For registered users, while accounts exist for other purposes, consent records remain isolated in cookies to avoid privacy-invasive linkages, reducing risks of data breaches or over-collection.

Privacy Benefits and Compliance Balance

Emphasizing data minimization enhances user trust and aligns with GDPR's overarching principles. It ensures histories are always accurate to your decisions on a given device, reflecting true privacy choices without fabricating unified profiles across contexts.

When you first visit our website, you will be presented with a cookie consent banner, allowing you to accept or reject non-essential cookies (Functionality, Performance, Marketing/Targeting). Strictly Necessary cookies cannot be disabled.

You can change your cookie preferences at any time through our cookie consent banner.

Browser-Level Cookie Controls

Additionally, most web browsers allow some control over cookies through the browser settings. You can configure your browser to refuse cookies or to alert you when cookies are being sent. However, if you disable strictly necessary cookies, some parts of our Service may not function properly.

To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.aboutcookies.org or www.allaboutcookies.org.

Third-Party Opt-Out Tools

For some third-party analytics cookies (like Google Analytics), you may be able to opt-out directly via their provided tools (e.g., https://tools.google.com/dlpage/gaoptout)

We may update this Cookie Policy from time to time to reflect changes in technology, legislation, or our practices. We will post any changes on this page and update the "Last Updated" date. We encourage you to review this policy periodically.

If you have any questions about our use of cookies, please contact us at privacy@croisa.com.