COOKIE POLICY
Aliat Platform
Effective date: 10 April 2026 | Last updated: 28 April 2026
1. What Are Cookies?
Cookies are small text files placed on your device (computer, phone, tablet) when you visit a website. They serve different purposes: some are essential for the website to function, others help us understand how visitors use the site, and some are used for advertising. Similar technologies — such as local storage, session storage, and tracking pixels — are covered by this policy under the term “cookies” unless the distinction matters.
Cookies may be set by us (first-party cookies) or by third-party services we use (third-party cookies). First-party cookies are created by the website you are visiting (aliat.io). Third-party cookies are created by a domain other than the one you are visiting and are typically used for analytics or advertising.
2. How We Use Cookies
aliat.io (marketing website): The public website at https://aliat.io and its subdomains (excluding the web application). This site uses strictly necessary cookies, functional cookies, and — only with your explicit consent — analytics cookies.
app.aliat.io (web application): The authenticated web application at https://app.aliat.io. This site uses strictly necessary cookies only (session authentication, CSRF protection, language preference). Because these cookies are essential for the application to function and no analytics cookies are deployed in the authenticated application, no consent is required for cookies on this domain.
3. Cookie Categories
We classify cookies into three categories, consistent with the ePrivacy Directive (Directive 2002/58/EC as transposed by Romanian Law No. 506/2004) and guidance from the ANSPDCP and the European Data Protection Board (EDPB).
3.1 Strictly Necessary Cookies
These cookies are essential for the website or application to function. They enable core features such as page navigation, secure login, and session management. Without these cookies, the Service cannot operate. Strictly necessary cookies do not require your consent under Article 5(3) of the ePrivacy Directive and Article 4(5) of Romanian Law No. 506/2004, because they are strictly necessary for the provision of the service you have explicitly requested.
3.2 Functional Cookies
These cookies enable enhanced functionality and personalisation, such as remembering your language preference or your cookie consent choice. They do not track you across websites and are not used for advertising. Functional cookies that are strictly necessary to provide a feature you have explicitly requested (such as authentication data) do not require consent. Where a functional cookie goes beyond what is strictly necessary, we will request your consent.
3.3 Analytics Cookies
These cookies help us understand how visitors interact with the marketing website — which pages are visited, how long visitors stay, where they come from, and where they drop off. This information is used to improve the website and the Service. Analytics cookies are not deployed until you provide explicit consent via the cookie banner. We do not use analytics cookies in the authenticated web application (app.aliat.io). However, we do collect product usage data in the application using cookieless and server-side tracking that does not store any information on your device. See Section 4.2 for details.
4. Cookie Inventory
The tables below list all cookies used on each domain. We update this inventory when cookies change; the “Last updated” date at the top of this policy reflects the most recent review.
4.1 Marketing Website — aliat.io
Strictly Necessary
Cookie name | Purpose | Type | Duration | Controller | Consent required |
`cookieyes_consent` | Stores your cookie consent preferences (which categories you accepted or rejected). Essential to honour your choice without asking on every page load. | First-party | 12 months | Jivy Group | No |
Functional
Cookie name | Purpose | Type | Duration | Controller | Consent required |
`lang` | Remembers your preferred language (e.g. en, ro) so the website displays in the correct language on return visits. | First-party | 12 months | Jivy Group | No — strictly necessary to provide the language service you requested |
Analytics
Cookie name | Purpose | Type | Duration | Controller | Consent required |
`ph_phc_*`, `ph_client_session_id` | PostHog analytics (EU Cloud). Assigns a pseudonymous identifier to distinguish unique visitors and track page views, session duration, referral source, and feature engagement. No Personal Data is stored in the cookie itself. | First-party (set by PostHog JS SDK on aliat.io) | 1 year (user ID); session cookies expire on browser close | JivyGroup Software S.R.L. (controller); PostHog Inc. (sub-processor) | Yes |
4.2 Web Application — app.aliat.io
Strictly necessary cookies only. No analytics, functional, or marketing cookies are stored on your device in the authenticated web application. No cookie banner is displayed in the web application. Product usage data is collected via cookieless and server-side tracking as described below.
Cookie name | Purpose | Type | Duration | Controller | Consent required |
Auth0 authentication and transaction cookies (various, including state and session cookies) | Enable secure user authentication, OAuth 2.0 / OpenID Connect transaction handling (including state and PKCE validation), session continuity, single sign‑on functionality, and protection against automated attacks and abuse. | First-party (set via custom Auth0 domain under our control) | Session or short‑lived (expires automatically) | Jivy Group, Auth0 (processor) | No |
We collect product usage data (such as pages visited, features used, and session duration) to improve the Service. This data is collected using cookieless tracking (in-memory only, with no data stored on your device) and server-side event tracking, processed by PostHog on EU infrastructure (Frankfurt, Germany). Because no information is stored on or accessed from your device for this purpose, no consent is required under Article 5(3) of the ePrivacy Directive. The legal basis for this processing is legitimate interest (Article 6(1)(f) GDPR) — our interest in understanding how the application is used in order to improve it. You can learn more about how we process your data in our Privacy Policy at https://aliat.io/privacy.
5. How We Obtain Your Consent
5.1 Cookie Banner
When you first visit aliat.io, a cookie banner is displayed. The banner:
- Clearly describes the categories of cookies we wish to use.
- Provides three equally prominent options: “Accept all”, “Reject all”, and “Manage preferences”.
- Does not use pre-ticked boxes, dark patterns, nudging techniques, or manipulative design to encourage acceptance.
- Does not bundle consent for different purposes into a single “Accept” action. If additional cookie categories are introduced in the future (such as marketing), each will require separate consent.
- Does not restrict access to the website or degrade the experience if you reject non-essential cookies.
- Is displayed with equal visual prominence for all options. The “Reject all” button has the same size, colour weight, and position as the “Accept all” button. Neither option is visually de-emphasised, hidden behind an extra click, or styled as a text link while the other is a button. This requirement reflects ANSPDCP guidance and recent Romanian enforcement decisions.
5.2 Manage Preferences
Clicking “Manage preferences” opens a detailed panel where you can toggle the Analytics cookie category on or off. Strictly necessary cookies, including authentication and security cookies set by our identity provider via a custom domain, do not require consent and are always enabled, as they are essential to provide the Service you have explicitly requested.
5.3 Changing Your Preferences
You can change your cookie preferences at any time by:
- Clicking the “Cookie settings” link in the website footer, which re-opens the cookie banner.
- Clearing your cookies through your browser settings (this will reset your consent and the banner will appear again on your next visit).
When you change your preferences from Accept to Reject for a category, we will stop setting new cookies in that category and will delete existing cookies in that category effective on the next page load.
5.4 Browser Settings
Most web browsers allow you to control cookies through their settings. You can typically:
- View which cookies are stored on your device.
- Delete some or all cookies.
- Block cookies from specific sites or all sites.
- Set your browser to notify you when a cookie is being set.
Please note that blocking strictly necessary cookies may prevent the website or application from functioning correctly.
For instructions on managing cookies in your browser:
- Chrome: chrome://settings/cookies
- Firefox: about:preferences#privacy
- Safari: Preferences → Privacy
- Edge: edge://settings/content/cookies
5.5 Do Not Track
Some browsers send a “Do Not Track” (DNT) signal. There is no universally accepted standard for how websites should respond to DNT signals. We do not currently alter our practices in response to DNT signals, but we respect your cookie consent choices made through our cookie banner, which provides a more reliable and granular mechanism for expressing your preferences.
6. Third-Party Cookies and Data Transfers
We use PostHog EU Cloud for analytics on the marketing website (with your consent) and for cookieless product usage tracking in the web application (under legitimate interest). While PostHog cookies on aliat.io are first-party (set by the PostHog JS SDK), PostHog Inc. acts as a sub-processor for all analytics data. Analytics data is stored on PostHog’s EU infrastructure in Frankfurt, Germany, and is not transferred outside the European Economic Area.
PostHog: Analytics data (from both the marketing website and the web application) is processed by PostHog Inc. on EU infrastructure (Frankfurt, Germany) under a Data Processing Agreement incorporating Standard Contractual Clauses (SCCs). PostHog participates in the EU-U.S. Data Privacy Framework as an additional safeguard. PostHog’s privacy policy is available at https://posthog.com/privacy. PostHog’s DPA is available at https://posthog.com/dpa.
Auth0 (Identity and Access Management): Authentication and authorization for the web application are provided by Auth0. Auth0 acts as a data processor on our behalf and processes authentication‑related data (such as user identifiers, technical identifiers, and login metadata) solely for the purpose of providing secure identity and access management.
Authentication cookies are set via a custom domain under our control and are therefore treated as first‑party cookies. These cookies are strictly necessary and do not require user consent.
Auth0 processes data in accordance with a Data Processing Agreement incorporating the European Commission’s Standard Contractual Clauses. Data is processed exclusively on EU infrastructure. Further information is available in Auth0’s privacy documentation at https://auth0.com/privacy.
For more information about how we handle international data transfers generally, see Section 8 of our Privacy Policy at https://aliat.io/privacy.
7. Cookies and Personal Data
Some cookies contain or are linked to Personal Data (as defined in the GDPR). For example, the authentication cookie identifies a logged-in user, and the PostHog analytics cookies assign a pseudonymous visitor identifier that may constitute Personal Data. Authentication cookies, including those set via our identity provider using a custom domain, may be linked to Personal Data insofar as they enable secure identification of a logged‑in user and protection of their account. Product usage data collected via cookieless tracking in the web application is also linked to your user account.
Where cookies involve the processing of Personal Data, such processing is governed by our Privacy Policy (https://aliat.io/privacy). The legal bases for processing are:
- Strictly necessary cookies: Legitimate interest (Article 6(1)(f) GDPR) — our interest in operating a functional and secure website — and performance of a contract (Article 6(1)(b) GDPR) for the authenticated application.
- Functional cookies (language preference): Legitimate interest (Article 6(1)(f) GDPR) — our interest in providing the website in your preferred language, based on your explicit selection.
- Analytics cookies: Consent (Article 6(1)(a) GDPR), obtained via the cookie banner. You may withdraw consent at any time as described in Section 5.3, without affecting the lawfulness of processing based on consent before its withdrawal.
- Product usage data (app.aliat.io): Legitimate interest (Article 6(1)(f) GDPR) — our interest in understanding how the application is used to improve the Service. No cookies or device storage are involved; data is collected via cookieless and server-side tracking only.
8. How Long We Keep Cookie Data
Cookie retention periods are specified in the cookie inventory tables in Section 4. Server-side data associated with cookies is retained as follows:
- Session data (linked to session cookies): deleted when the session expires or the cookie is cleared.
- Authentication data (linked to authentication cookies): retained for the duration of the user session; session records are purged after 90 days of inactivity.
- Analytics data (linked to analytics cookies on aliat.io and cookieless tracking on app.aliat.io): retained in pseudonymised form for up to 24 months, then permanently deleted or further aggregated so that individual users can no longer be distinguished.
9. Children
The Aliat marketing website is not directed at children. We do not knowingly use cookies to collect Personal Data from children under 16 (the age of digital consent in Romania under GDPR Article 8 and Romanian Law No. 190/2018 Article 2). If you believe a child under 16 has interacted with our website and been subject to non-essential cookies, please contact us at privacy@aliat.io and we will take appropriate steps.
10. Romanian Legal Framework
This Cookie Policy is designed to comply with:
- Directive 2002/58/EC (ePrivacy Directive), Article 5(3), as transposed into Romanian law by Law No. 506/2004, Article 4(5), which requires prior informed consent before storing or accessing information on a user’s terminal equipment, except where the cookie is strictly necessary to provide the service the user has explicitly requested.
- Regulation (EU) 2016/679 (GDPR), which governs the processing of Personal Data associated with cookies.
- Romanian Law No. 190/2018, which implements the GDPR in Romania.
- ANSPDCP guidance on cookie consent, including the requirement that consent be freely given, specific, informed, and unambiguous, and that rejection must be as easy as acceptance.
- EDPB Guidelines 05/2020 on consent, which clarify that scrolling or continued browsing does not constitute valid consent, that cookie walls (blocking access unless all cookies are accepted) are not permitted, and that consent must be granular (per purpose, not bundled).
11. Changes to This Policy
We may update this Cookie Policy from time to time. For material changes (such as the addition of a new cookie category, the introduction of a new third-party tracking tool, or a change in how we obtain consent), we will provide at least 30 days’ advance notice by updating the cookie banner and, where appropriate, notifying registered users by email. The “Last updated” date at the top of this page reflects the most recent revision.
If we add new cookie categories (such as marketing cookies) or change our analytics provider, we will update this policy and reset the cookie banner so that you are asked for consent again for any new category.
12. Contact
If you have questions about this Cookie Policy, about the cookies we use, or about how to manage your preferences:
Privacy email: privacy@aliat.io
General contact: contact@aliat.io
Postal address: JivyGroup Software S.R.L., Bucharest, Sector 2, Pipera Road, no.48A, off. 408, Romania
Website: https://aliat.io
For your broader data protection rights, including access, rectification, erasure, and objection, please see our Privacy Policy at https://aliat.io/privacy.