Cookie Policy
**Controller:** ‹controller_name›, ‹registered_address› **Contact:** ‹contact_email› **Data Protection Officer:** ‹dpo_name› — ‹dpo_email› **Effective date:** ‹effective_date›
{% if eu_representative %} **EU Representative (Art. 27 GDPR):** ‹eu_representative› has been designated as the representative of ‹controller_name› in the European Union for the purposes of Article 27 of Regulation (EU) 2016/679. Data subjects and supervisory authorities in the EU may contact ‹eu_representative› in addition to, or instead of, the controller on all matters relating to the processing of personal data and the exercise of rights under the GDPR. {% endif %}
---
1. What Are Cookies?
Cookies are small text files that a website places on your device (computer, tablet, or mobile phone) when you visit it. They are widely used to make websites function correctly, operate efficiently, and to provide information to the website operator.
Cookies may be **session cookies** (deleted when you close your browser) or **persistent cookies** (retained on your device for a defined period or until you delete them). They may be set by the website you are visiting (**first-party cookies**) or by third-party services operating on that website's behalf (**third-party cookies**).
This Cookie Policy explains what cookies WAW365 uses, why we use them, and how you can control them.
---
2. Who Sets Cookies on WAW365?
Cookies on the WAW365 platform (`waw365.com` and any regional subdomains — collectively, the "Platform") are set by:
- **‹controller_name›** (first-party cookies), as controller; and
- **Third-party processors** acting on our documented instructions (see Section 4 below).
For full details of how we process personal data, including the lawful bases, your rights, and our contact details, please read our **[Privacy Policy](./privacy.en.md)**.
---
3. Categories of Cookies We Use
We group cookies into three categories based on their purpose and the legal basis on which they are used.
3.1 Strictly Necessary Cookies
**Legal basis:** These cookies are technically essential for the Platform to function. They do not require your consent under Article 5(3) of the ePrivacy Directive (2002/58/EC, as implemented in applicable national law) because their sole purpose is to carry out the transmission of a communication or to provide a service explicitly requested by the user.
**Under GDPR, processing of any personal data these cookies may carry is based on Article 6(1)(b) (performance of a contract) or, for security-oriented cookies, Article 6(1)(f) (legitimate interest in securing the Platform and preventing abuse).**
Strictly necessary cookies include:
| Function | Description | |---|---| | **Session management** | Maintains your authenticated session across page requests. Without this cookie, you would be logged out on every page load. | | **CSRF protection** | Carries an anti-cross-site-request-forgery token that prevents malicious third-party sites from submitting forms on your behalf. | | **Rate-limiting / anti-abuse** | Used by the Platform's infrastructure to identify and throttle abusive request patterns without processing unnecessary personal data. | | **Load-balancing / affinity** | Ensures requests from the same session are routed consistently within the server cluster. | | **Cookie-consent state** | Stores your cookie-preference decision so we do not ask again on subsequent visits within the applicable retention window. |
You cannot opt out of strictly necessary cookies while continuing to use the Platform. You may delete them at any time via your browser settings; doing so will terminate your session.
3.2 Analytics Cookies
**Legal basis:** Consent — Article 6(1)(a) GDPR in conjunction with Article 5(3) ePrivacy. We only place analytics cookies after you have given informed, freely given, specific, and unambiguous consent via the cookie-consent banner.
**Status: PENDING.** Analytics cookies (Google Analytics 4 — "GA4") are not yet active on the Platform. They will be enabled only after the consent-management infrastructure described in Section 6 has been deployed and this policy updated with the specific cookie table required by Section 4 below.
When active, analytics cookies will collect information about how visitors use the Platform — which pages are visited, how long users spend on each page, how users navigate between pages, and similar aggregated usage statistics. This data helps us understand Platform performance and improve user experience. No data collected via analytics cookies is used to identify individual users for marketing purposes.
**Processor and international transfer:** GA4 is operated by Google LLC (United States). Data processed through GA4 may be transferred to and stored on servers in the United States. ⚠ confirm applicable transfer mechanism — Standard Contractual Clauses (SCCs) under GDPR Art. 46(2)(c), EU-US Data Privacy Framework adequacy, or other — and update this clause accordingly before GA4 is activated. Google processes data under a Data Processing Addendum incorporating SCCs where applicable; refer to Google's privacy documentation for current transfer safeguard details.
You may withdraw consent at any time; see Section 6.
3.3 Marketing and Advertising Cookies
**Legal basis:** Consent — Article 6(1)(a) GDPR in conjunction with Article 5(3) ePrivacy. Marketing cookies are placed only after explicit consent.
**Status: PENDING.** Marketing cookies (Google Ads conversion tracking and remarketing) are not yet active on the Platform. They will be enabled only after the consent-management infrastructure has been deployed and this policy updated.
When active, marketing cookies will allow us to:
- measure the effectiveness of advertising campaigns by tracking conversions (e.g., registrations, orders) that follow an advertisement click; and
- show relevant Platform advertisements to users who have previously visited the Platform when they browse other websites in the Google Display Network.
**Processor and international transfer:** Google Ads is operated by Google LLC (United States). The same transfer-safeguard considerations described under Section 3.2 apply. ⚠ confirm applicable SCCs/DPF basis before Google Ads activation.
You may withdraw consent at any time; see Section 6.
---
4. Cookie Table
⚠ Enumerate all specific cookie names, durations, and purposes once the consent-management banner and associated cookies are finalised and deployed. At minimum, document: (a) each strictly necessary cookie name, set-by party, duration, and purpose; (b) each GA4 cookie (_ga, _ga_*, _gid, etc.) with name, duration, and purpose; (c) each Google Ads cookie (IDE, _gcl_au, etc.) with name, duration, and purpose. Retain this table in the next policy version.
The full cookie table will be published here prior to the activation of any non-essential cookies.
---
5. Cookies Set by Third-Party Services
Beyond the processors named in Sections 3.2 and 3.3, the following third parties may set cookies or access information stored by cookies when you interact with features they power on the Platform:
| Third Party | Category | Data location | Transfer safeguard | |---|---|---|---| | **Google LLC** (GA4, Ads, Search Console) | Analytics / Marketing | United States | ⚠ SCCs / DPF — confirm |
⚠ Review and extend this table to cover any embedded maps, payment iframes, support-chat widgets, CDN scripts, or other third-party integrations that may set cookies at the time of policy publication.
The Platform does **not** send end-user personal data to AI-model gateways (including Abacus or OpenAI-compatible endpoints) used for automated catalog-text enrichment. Those services operate solely on structured product data, not on cookies or user-identifying information.
---
6. How to Manage and Withdraw Consent
6.1 Consent Banner
When you first visit the Platform (or after clearing your cookies), a **consent banner** will appear. You may:
- **Accept all** — enable strictly necessary, analytics, and marketing cookies;
- **Accept necessary only** — enable only strictly necessary cookies; or
- **Customise** — select individual cookie categories.
**Status: PENDING.** The consent banner is under development. Until it is deployed, no non-essential cookies are placed on your device.
6.2 Changing or Withdrawing Consent
You may change or withdraw your consent at any time, without detriment, by:
1. **Cookie Preferences Centre** — accessible via the "Cookie Settings" link in the Platform footer. Your updated preference takes effect immediately for future page loads. 2. **Browser settings** — every major browser allows you to view, block, or delete cookies. Common instructions: - **Chrome:** Settings → Privacy and security → Cookies and other site data - **Firefox:** Settings → Privacy & Security → Cookies and Site Data - **Safari:** Preferences → Privacy - **Edge:** Settings → Cookies and site permissions 3. **Google opt-out tools:** - Google Analytics opt-out browser add-on: <https://tools.google.com/dlpage/gaoptout> - Google Ads personalisation settings: <https://adssettings.google.com>
Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
Blocking or deleting strictly necessary cookies will impair or prevent use of the Platform.
6.3 Do Not Track
The Platform currently does not respond to browser "Do Not Track" signals, because there is no common industry standard for how such signals should be interpreted. We rely instead on the consent mechanism described in this section.
---
7. Legal Basis Summary
| Cookie category | Legal basis (ePrivacy) | Legal basis (GDPR) | |---|---|---| | Strictly necessary | No consent required — exempted as essential to service delivery | Art. 6(1)(b) (contract) and/or Art. 6(1)(f) (legitimate interest — security) | | Analytics (GA4) | Consent required | Art. 6(1)(a) (consent) | | Marketing (Google Ads) | Consent required | Art. 6(1)(a) (consent) |
**Legitimate-interest balancing (strictly necessary — security):** The controller's interest in protecting the Platform and its users from abuse, unauthorised access, and fraud is not overridden by data-subject interests, given that rate-limiting and anti-abuse cookies carry minimal personal data and are strictly proportionate to the security objective. ⚠ Confirm LIA is documented in the ROPA prior to go-live.
---
8. Retention of Cookie-Derived Data
Personal data collected through cookies is retained only as long as necessary for the purpose for which it was collected, subject to applicable legal retention obligations.
⚠ Specify exact retention periods for each cookie and any server-side data derived from cookies (e.g., GA4 data-retention window set in the GA4 property; server-side session record lifetime; consent-log retention period required by applicable law) before activating non-essential cookies.
---
9. Your Rights
9.1 Rights Under GDPR (EEA, EU, and applicable jurisdictions)
Where the GDPR applies to our processing of your personal data via cookies, you have the following rights:
- **Right of access (Art. 15):** You may request confirmation of whether we process personal data about you derived from cookies, and obtain a copy of that data.
- **Right to rectification (Art. 16):** You may request correction of inaccurate personal data we hold about you.
- **Right to erasure ("right to be forgotten", Art. 17):** You may request deletion of your personal data where, for example, it is no longer necessary for the purpose it was collected, or you withdraw consent and there is no other lawful basis.
- **Right to restriction of processing (Art. 18):** You may request that we restrict processing of your data in defined circumstances.
- **Right to data portability (Art. 20):** Where processing is based on consent or contract and carried out by automated means, you may receive your personal data in a structured, commonly used, machine-readable format.
- **Right to object (Art. 21):** You may object at any time to processing based on legitimate interests (Art. 6(1)(f)). We will cease processing unless we demonstrate compelling legitimate grounds which override your interests, or the processing is necessary for legal claims.
- **Right to withdraw consent (Art. 7(3)):** Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing (see Section 6).
- **Right to lodge a complaint:** You have the right to lodge a complaint with a supervisory authority, in particular in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement. Our lead supervisory authority is: **‹supervisory_authority›**. ⚠ Confirm the identity of the competent lead supervisory authority under the one-stop-shop mechanism (Art. 56 GDPR), and list any additional competent authorities for Poland and Norway.
To exercise any of these rights, contact us at **‹contact_email›** or our DPO at **‹dpo_email›**.
9.2 Rights Under Ukrainian Law
For users in Ukraine, the processing of personal data is additionally governed by the Law of Ukraine "On Personal Data Protection" (Закон України «Про захист персональних даних»), as amended.
Under Ukrainian law, you have the right to:
- know the location of the database containing your personal data, its purpose, and the name and address of the controller;
- receive information about the conditions under which your personal data is disclosed, including to third parties;
- access your personal data and receive a copy;
- request rectification of inaccurate, incomplete, or outdated personal data;
- request destruction of your personal data where it was processed unlawfully or is no longer necessary;
- object to the processing of your personal data;
- file a complaint with the **Verkhovna Rada Commissioner for Human Rights** (Уповноважений Верховної Ради України з прав людини), which acts as the supervisory authority for personal data protection in Ukraine ⚠ confirm the competent body and contact details as at the effective date, given ongoing legislative developments; and
- seek judicial protection of your rights.
To exercise these rights, contact us at **‹contact_email›**.
---
10. Changes to This Cookie Policy
We may update this Cookie Policy from time to time to reflect changes in the cookies we use, changes in applicable law, or for other operational reasons. When we make material changes, we will update the **Effective date** at the top of this document and, where required by law, seek fresh consent.
We encourage you to review this Cookie Policy periodically. The current version is always available at `[URL of this page]` ⚠ insert canonical public URL.
---
11. Contact and Further Information
For any questions or concerns about this Cookie Policy or the handling of your personal data:
- **Controller:** ‹controller_name›, ‹registered_address›
- **General contact:** ‹contact_email›
- **Data Protection Officer:** ‹dpo_name›, ‹dpo_email›
For EU/EEA users, our competent supervisory authority is **‹supervisory_authority›**. ⚠ confirm.
For a complete description of how we collect, use, and protect your personal data beyond cookies, please read our **[Privacy Policy](./privacy.en.md)**.