Cookie Policy

    Last updated: 30 June 2026

    This Cookie Policy explains how we use cookies and similar technologies on our website and forms part of our comprehensive Privacy Policy.

    1. What are cookies?

    Cookies are small text files placed on your device by websites you visit. They are widely used to make websites function properly, improve user experience, and provide website owners with information about how their services are used. A full list of cookies, including their legal basis, can be found in Section 6 below.

    2. Legal basis for processing

    • Strictly Necessary Cookies: Performance of a contract (Article 6 (1)(b) GDPR). These cookies are indispensable to deliver the service you explicitly request (e.g., page navigation, security, remembering your privacy settings). Where technically unavoidable legitimate-interest processing occurs, ClausePilot has carried out a balancing test confirming that (i) the processing is expected by users, (ii) the data are limited to what is necessary, and (iii) users can object at any time (Article 21 GDPR).
    • Performance and Analytics Cookies: Consent (Article 6(1)(a) GDPR) - requires your explicit consent
    • Functionality Cookies: Consent (Article 6(1)(a) GDPR) - requires your explicit consent
    • Marketing Cookies: Consent (Article 6(1)(a) GDPR) - requires your explicit consent

    Legitimate-Interest Assessment (summary). We concluded that (i) the use of strictly necessary cookies is expected by visitors, (ii) the data collected are limited to what is technically required, and (iii) the processing does not materially affect your rights and freedoms. You may object at any time as explained in Section 9.

    3. Types of cookies we use

    Strictly Necessary Cookies

    Essential for the operation of our website (e.g., remembering your consent choices, maintaining security). These cookies are exempt from consent requirements under the ePrivacy Directive as they are strictly necessary for the service requested by you.

    Performance and Analytics Cookies

    Help us understand how visitors use our site so we can improve its functionality and usability. Requires your consent.

    Functionality Cookies

    Allow us to remember your preferences and personalize your experience. Requires your consent.

    Marketing Cookies

    Used to track visitors across websites in order to display relevant ads and measure campaign effectiveness. Requires your consent.

    4. Consent management

    How we obtain consent

    We use a consent management platform (Cookiebot) that presents you with clear information about our cookies before any non-essential cookies are placed. Your consent must be:

    • Freely given: You can refuse non-essential cookies without any impact on core page navigation; however, certain preference-based features (e.g., remembering language settings) may not work if you reject those category-specific cookies.
    • Specific: You can choose which categories of cookies to accept
    • Informed: We provide clear information about each cookie's purpose
    • Unambiguous: Your consent is indicated through clear affirmative action

    Non-essential cookies and any associated scripts (including Mixpanel, Hotjar, and the LinkedIn Insight Tag) are disabled by default. They are loaded and set only after you have given explicit consent via our cookie banner. If you decline or close the banner without choosing ‘Accept’, those cookies will not be deployed.

    Closing the banner without making a choice is interpreted as a refusal of all non-essential cookies.

    Withdrawing consent

    • Clicking the cookie consent banner that appears on our website
    • Adjusting your preferences through the cookie settings panel
    • Contacting us using the details provided below
    • Adjusting your browser settings to block or delete cookies

    When you withdraw consent, we immediately disable the affected cookies and erase the related personal data, except where, and only for as long as, continued storage is strictly required to comply with a documented statutory retention obligation (e.g., tax or accounting laws). Such data is locked for any other purpose and deleted once the statutory retention period expires.

    Our cookie banner displays three buttons, “Accept all”, “Reject all”, and “Customise”, with equal visual prominence and size. No category is pre-selected, and closing the banner without choice is treated as a refusal of non-essential cookies. You can revisit the banner at any time via the floating “Cookie settings” icon in the footer.

    5. Tools and services we use

    a) Cookiebot
    Purpose: Provides the consent management platform and ensures compliance with cookie laws
    Data processed: IP address, consent preferences, browser information
    Legal basis: Legitimate interest (essential for compliance, to deliver core functionality securely)

    b) Mixpanel
    Purpose: Collects analytics about how users interact with our site
    Data processed: Usage patterns, device information, pseudonymised user interactions
    Legal basis: Consent
    Data location: United States (Mixpanel is certified under EU-US Data Privacy Framework (DPF) `https://www.dataprivacyframework.gov/participant/7814`)

    c) Hotjar
    Purpose: Analyzes user behavior to improve user experience through heatmaps and session recordings
    Data processed: Mouse movements, clicks, scrolling behavior, device information
    Legal basis: Consent
    Data location: Ireland (EU/EEA)

    d) LinkedIn Insight Tag
    Purpose: Enables conversion tracking, website audience building, and retargeting for our LinkedIn advertising campaigns, and measures the effectiveness of those campaigns
    Data processed: IP address (truncated), timestamp, page-event data, device and browser information, and LinkedIn member/cookie identifiers where present
    Legal basis: Consent
    Data location: United States and Ireland (LinkedIn Ireland Unlimited Company is the EU/EEA controller; transfers to LinkedIn Corporation in the United States rely on the EU-US Data Privacy Framework and Standard Contractual Clauses)

    For analytics data collected through Mixpanel and Hotjar, and for advertising data collected through the LinkedIn Insight Tag, Mixpanel, Hotjar, and LinkedIn act as our sub-processors (data processors) within the meaning of Article 28 GDPR. A current list of sub-processors is available as an appendix in our DPA.

    6. Cookie table

    CategoryNameProviderProvider countryPurposeExpiryTypeCookie classification*Third-party processingGDPR legal basis
    Strictly NecessaryCookieConsentCookiebot A/SDenmark (EU)Stores your cookie consent state1 yearHTTPFirst-partyNoLegitimate interest (Art. 6 (1)(f))
    Strictly NecessarycbCookiebot A/SDenmark (EU)Ensures correct functioning of consent bannerSessionHTTPFirst-partyNoLegitimate interest (Art. 6 (1)(f))
    Analytics_hjSessionUser_*Hotjar Ltd.Ireland (EU)Attribute behaviour across visits1 yearHTTPFirst-party cookie third-party analytics processingYes (Hotjar)Consent (Art. 6 (1)(a))
    Analytics_hjFirstSeenHotjar Ltd.Ireland (EU)Identify first sessionSessionHTTPFirst-party cookie third-party analytics processingYes (Hotjar)Consent
    Analytics_hjIncludedInSessionSampleHotjar Ltd.Ireland (EU)Determine sampling30 minHTTPFirst-party cookie third-party analytics processingYes (Hotjar)Consent
    Analytics_hjSession_*Hotjar Ltd.Ireland (EU)Current session data30 minHTTPFirst-party cookie third-party analytics processingYes (Hotjar)Consent
    Analyticsmp_*_mixpanelMixpanel Inc.United StatesIdentify distinct users1 yearHTTPFirst-party cookie third-party analytics processingYes (Mixpanel)Consent
    Analyticsmp_*Mixpanel Inc.United StatesStore event data1 yearHTTPFirst-party cookie third-party analytics processingYes (Mixpanel)Consent
    Marketingli_sugrLinkedIn Ireland Unlimited CompanyIreland (EU) / United StatesBrowser-identifier matching for ad delivery and conversion tracking90 daysHTTPThird-partyYes (LinkedIn)Consent (Art. 6 (1)(a))
    MarketingbcookieLinkedIn Ireland Unlimited CompanyIreland (EU) / United StatesBrowser identifier used for advertising and platform features1 yearHTTPThird-partyYes (LinkedIn)Consent (Art. 6 (1)(a))
    MarketinglidcLinkedIn Ireland Unlimited CompanyIreland (EU) / United StatesFacilitates data-centre selection for ad delivery1 dayHTTPThird-partyYes (LinkedIn)Consent (Art. 6 (1)(a))
    MarketingUserMatchHistoryLinkedIn Ireland Unlimited CompanyIreland (EU) / United StatesLinkedIn Ads ID syncing and retargeting30 daysHTTPThird-partyYes (LinkedIn)Consent (Art. 6 (1)(a))
    MarketingAnalyticsSyncHistoryLinkedIn Ireland Unlimited CompanyIreland (EU) / United StatesStores timing of sync with lms-analytics cookie for ad measurement30 daysHTTPThird-partyYes (LinkedIn)Consent (Art. 6 (1)(a))
    Functionality_hjTLDTestHotjar Ltd.Ireland (EU)Determine generic cookie pathSessionHTTPFirst-party cookie third-party analytics processingYes (Hotjar)Consent

    Our CMP (Cookiebot) scans the website at least once every 30 days. The public table above is refreshed automatically within 24 hours of each scan to ensure that any new, modified, or retired cookie is promptly reflected.

    7. International data transfers

    Some cookies involve transferring personal data to countries outside the European Union/European Economic Area (EU/EEA).

    ProviderDestinationTransfer mechanismKey safeguardsTransfer-Impact Assessment (TIA) outcomeFallback mechanism
    MixpanelUnited StatesAdequacy Decision: EU-US Data Privacy Framework (Art. 45 GDPR), Commission Implementing Decision (EU) 2 2023/1795Certified under DPF; data encrypted in transit & at rest; limited retentionA TIA was completed and is reviewed periodically. It concluded that U.S. law does not materially undermine the protection of the transferred data when combined with Mixpanel’s contractual commitments and technical safeguards.2021 SCCs (Commission Decision (EU) 2021/914, Module 2) + supplementary measures will be used automatically if the DPF is invalidated
    LinkedInUnited StatesAdequacy Decision: EU-US Data Privacy Framework (Art. 45 GDPR), Commission Implementing Decision (EU) 2023/1795LinkedIn Corporation is certified under the DPF; data encrypted in transit & at rest; IP addresses truncated; limited retentionA TIA was completed and is reviewed periodically. It concluded that U.S. law does not materially undermine the protection of the transferred data when combined with LinkedIn’s contractual commitments and technical safeguards.2021 SCCs (Commission Decision (EU) 2021/914, Module 2) + supplementary measures will be used automatically if the DPF is invalidated

    Analytics cookies are processed in the United States by our sub-processor Mixpanel Inc., and advertising cookies set via the LinkedIn Insight Tag are processed by LinkedIn Corporation in the United States. Transfers rely on the EU-US Data Privacy Framework and, as a fallback, SCCs. Hotjar processes data within the European Union. You may request a copy of the SCCs and a summary of the TIA by e-mailing privacy@clausepilot.com.

    8. Data retention

    Cookie data retention:

    Data setRetention periodRationale under Art. 5 (1)(e) GDPR
    Individual cookie filesAs shown in §6 tableTechnical expiry set by provider, longer than necessary is avoided
    Analytics event dataUp to 26 monthsNeeded to compare year-on-year usage patterns and identify seasonal trends that inform product development
    Consent records2 yearsStatutory limitation period for regulatory audits; required to prove lawful consent (Art. 7 (1) GDPR)
    Marketing profiling data2 years or until consent withdrawalTypical length of sales cycle; older data has no business utility

    Personal data deletion: When cookies expire or consent is withdrawn, associated personal data is deleted without undue delay. Further retention will occur only if, and strictly for the duration that, a specific legal obligation (such as mandatory tax- or accounting-record retention) requires it. During that period the data is securely archived, access-restricted and permanently deleted once the statutory deadline elapses. For strictly necessary cookies the technical expiry is 12 months or less.

    To comply with the GDPR accountability principle (Art. 5(2)), we keep an auditable record of each consent event for two (2) years. These records, namely the user’s pseudonymised IP hash, date/time, consent status and banner version, are stored in Cookiebot’s encrypted consent log, hosted in the EU. Access is strictly limited to authorised compliance staff and may be provided to supervisory authorities on request.

    9. Your rights under GDPR

    Right of access. Request confirmation of whether we process your personal data and obtain a copy of such data.

    Right to rectification. Request correction of inaccurate personal data.

    Right to erasure ("right to be forgotten"). Request deletion of your personal data in certain circumstances.

    Right to restrict processing. Request limitation of processing in specific situations.

    Right to data portability. Receive your personal data in a structured, machine-readable format and transmit it to another controller.

    Right to object. You may object to any processing that relies on our legitimate interests, unless we demonstrate compelling legitimate grounds which override your interests, such as processing that is strictly necessary for the functioning of the service you have requested. You can exercise this right by:
    1) Opening the “Cookie settings” icon in the footer and switching off the individual cookies marked “Legitimate interest” in the table, or
    2) E-mailing us at privacy@clausepilot.com with the subject line “COOKIE OBJECTION”.***

    Right to withdraw consent. Withdraw consent at any time (without affecting lawfulness of processing prior to withdrawal).

    Right to lodge a complaint. If you believe that the processing of your personal data infringes the GDPR, you may lodge a complaint with the competent supervisory authority.
    Primary supervisory authority: Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)
    Postal address: 1363 Budapest, Pf.: 9., Hungary
    Telephone: +36 (30) 683-5969; +36 (30) 549-6838; +36 (1) 391 1400
    E-mail: ugyfelszolgalat@naih.hu
    Website: `https://naih.hu`
    You may also complain to the data-protection authority in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement.

    How to exercise your rights. To exercise any of these rights, please contact us using the information provided below. We will respond to your request within one month (extendable by two additional months for complex requests).

    10. Browser settings

    You can also manage cookies through your browser settings:

    • Chrome: Settings > Privacy and security > Cookies and other site data
    • Firefox: Options > Privacy & Security > Cookies and Site Data
    • Safari: Preferences > Privacy > Cookies and website data
    • Edge: Settings > Cookies and site permissions

    Please note that blocking all cookies may affect website functionality.

    11. Children's Privacy

    ClausePilot’s Platform and services are not directed to, designed for, or intentionally targeted at children of any age. ClausePilot does not knowingly collect, process, store, or use Personal Data from children of any age. If you believe that a child’s data have been processed, please contact us immediately at privacy@clausepilot.com and we will delete such data without undue delay. Users are required to confirm that they are legal professionals, thus we also ensure that children do not use ClausePilot.

    12. Updates to this policy

    We may update this Cookie Policy from time to time to reflect changes in technology, legislation, or our practices.

    • Update the "Last updated" date
    • Notify you through our website banner
    • For significant changes affecting your rights, obtain fresh consent where required

    We encourage you to review this policy periodically.

    13. Contact information

    ClausePilot does not meet any of the mandatory GDPR criteria to appoint a data protection officer. If you have any questions about cookies or this policy or in general in relation to privacy, the privacy lead of ClausePilot is available at the following email: privacy@clausepilot.com. This Cookie Policy should be read in conjunction with our main Privacy Policy, available at clausepilot.com/privacy-policy, which contains additional information about how we process your personal data.

    This site uses cookies, for details read our Cookie Policy.