Meet Zoro
EntrarComeçar

Cookie & GDPR Policy

Draft — counsel review pending. Pairs with the cookie consent banner: the banner captures the choice, this document explains what each category does, who sees it, and the lawful basis under GDPR/ePrivacy.

  1. Three cookie categories, no more.

    We use exactly three categories of browser storage: strictly necessary, preferences, and analytics. There is no advertising category, no cross-site tracking, no retargeting pixels, and no third-party ad SDKs. If a future category is added, the banner re-prompts and you re-consent.

  2. Strictly necessary — always on.

    Session cookies that keep you logged in, CSRF tokens that protect state-changing requests, and the consent record itself. Lawful basis under GDPR Art. 6(1)(b) (contract performance) and ePrivacy Art. 5(3) (strictly necessary exemption). You cannot turn these off because the product does not function without them.

  3. Preferences — off by default.

    Locale choice, theme, dismissed banners. Lawful basis: GDPR Art. 6(1)(a) consent. We default to off so the banner is opt-in compliant with CNIL/EDPB guidance — nothing in this category fires until you click Accept all or Save preferences with the toggle on.

  4. Analytics — off by default.

    First-party usage analytics (page views, error counts, button clicks). No personal data ships to a third party; no cross-site identifier is set. Lawful basis: GDPR Art. 6(1)(a) consent. Default off. You can withdraw at any time from the cookie settings link in the footer.

  5. What we never use.

    Advertising cookies, cross-site tracking pixels, social-network embed cookies, third-party analytics that share data with the vendor (Google Analytics, Mixpanel, Segment, etc.), session-replay tools, and fingerprinting libraries. If a vendor we onboard later requires any of these, we will re-prompt and not enable until you re-consent.

  6. Withdraw at any time.

    The Cookie settings link in the footer re-opens the banner. Changes take effect immediately on the next page navigation. There is no penalty for withdrawing consent — the product is just as functional without preferences or analytics.

  7. Your GDPR rights.

    You have the rights of access, rectification, erasure, restriction, portability, and objection under GDPR Art. 15–21. To exercise them, email privacy@kysenpool.io with the email associated with your account. We respond within 30 days. Cookie data tied to an unauthenticated browser cannot be linked back to you — we can only act on data tied to an account.