Cookie Policy
Internal version: v2.0
Last updated: May 9, 2026
Replaces: v1.x (May 6, 2026)
>
Material changes from v1.x: This version reflects the activation of the Google Tag Manager container and of Google's advertising and analytics integrations (Google Analytics 4 and Google Ads, including Enhanced Conversions and server-side upload of Offline Conversions from the Stripe webhook), all conditional on the user's prior consent through a cookie banner with four categories. Rewrites the previous section 5, which claimed not to use analytics cookies — a statement that ceased to be accurate.
Table of Contents
- What are cookies?
- Cookies and storage we use
- Purpose of cookie use
- Technical and essential cookies
- Analytics cookies
- Advertising and conversion measurement cookies
- Consent management
- How to disable or delete cookies
- Browser local storage (localStorage)
- Third-party data and subprocessors
- Changes to this policy
- Contact
1. What are cookies?
Cookies are small text files that are downloaded and stored on the user's device (computer, tablet, mobile phone) when they access a website. These small amounts of data are transmitted between your device and web servers, allowing the website to recognize your presence and store information about your browsing.
Cookies may be designed to:
- Remember user preferences and settings.
- Authenticate the user in secure systems.
- Collect information about website use (analytics).
- Enable advertising conversion measurement.
- Integrate social network functions.
Alongside cookies, websites may use other client-side storage technologies such as localStorage, sessionStorage and pixels that fulfill similar functions and to which this policy applies by extension.
2. Cookies and storage we use
Below is the complete catalog of cookies and storages active on our Platforms, organized by category and consent requirement.
2.1. Strictly necessary cookies (without consent)
| Name | Provider | Purpose | Duration | Type |
|---|
cookie_consent_v2 | Afini (own) | Stores your choice on cookie categories and the version of the policy accepted | 12 months | HTTP cookie, SameSite=Lax, Secure |
__cf_bm | Cloudflare (third-party) | Distinguish human from automated traffic for bot mitigation | 30 minutes | HTTP cookie, HttpOnly |
__cf_clearance | Cloudflare (third-party) | Maintain anti-bot verification passed to avoid repeating the challenge | Up to 1 year | HTTP cookie, HttpOnly |
__stripe_mid | Stripe (third-party) | Identify the browser between payment sessions for fraud prevention | 1 year | HTTP cookie, Secure |
__stripe_sid | Stripe (third-party) | Maintain active payment session | 30 minutes | HTTP cookie, Secure |
2.2. Preference cookies (with optional consent)
We currently do not use additional preference cookies. The language preference is stored in localStorage (see section 9), not in cookies. If we add preference cookies in the future (for example, dark mode persistent across devices), we would add them to this table and request separate consent.
2.3. Analytics cookies (with consent)
These cookies are only set if you have granted consent to the "analytics" category in the cookie banner.
| Name | Provider | Purpose | Duration | Type |
|---|
_ga | Google (Google Analytics 4) | Identify the browser between pages and sessions for aggregated usage analysis | 2 years | HTTP cookie, *first-party* (Afini domain) |
_ga_<container_id> | Google (Google Analytics 4) | Persistence of session state specific to the GA4 container | 2 years | HTTP cookie, *first-party* (Afini domain) |
plausible.io domain with an extension.
2.4. Advertising and conversion measurement cookies (with consent)
These cookies are only set if you have granted consent to the "marketing" category in the cookie banner.
| Name | Provider | Purpose | Duration | Type |
|---|
_gcl_au | Google (Google Ads — Conversion Linker) | Store and transmit information about ad clicks to improve conversion attribution | 90 days | HTTP cookie, *first-party* |
_gcl_aw | Google (Google Ads) | Store advertising click identifier (GCLID) | 90 days | HTTP cookie, *first-party* |
_gcl_dc | Google (Google Ads / DoubleClick) | Store equivalent click identifier for Display inventory | 90 days | HTTP cookie, *first-party* |
_gcl_gb | Google (Google Ads) | Additional attribution persistence | 90 days | HTTP cookie, *first-party* |
_gac_<gclid> | Google (Google Ads) | Campaign information associated with a specific conversion | 90 days | HTTP cookie, *first-party* |
Note: We currently do not run Google Display or YouTube campaigns. If we activate them in the future, additional third-party cookies could be set such asIDE(DoubleClick) orVISITOR_INFO1_LIVE(YouTube). This policy would be updated accordingly and the consent banner would be reopened for affected users.
2.5. AI model provider cookies
Anthropic (LLM provider) does not set cookies on your browser. Communication with the Anthropic API is performed exclusively from our backend, with no direct contact between your browser and Anthropic's servers.3. Purpose of cookie use
Afini uses cookies for the following purposes:
- Service operation: strictly technical cookies that allow the Platforms to function correctly, including management of secure payment sessions with Stripe, bot mitigation with Cloudflare and recording of your consent on cookies.
- Usage analytics: aggregated and *cookie-free* analysis through Plausible (without consent), and detailed analysis through Google Analytics 4 (with consent).
- Advertising conversion measurement: associate purchases made on our Platforms with the Google Ads advertising campaigns that originated them, through Google Ads cookies (with consent) and, additionally, through a server-to-server call from the Stripe webhook to the Google Ads API (Offline Conversions, conditional on the same consent). To improve attribution when the user is identified in Google with the same email address, a SHA-256 hash of the email is transmitted to Google (Enhanced Conversions) — the hash is a derived pseudonymized identifier and is included only when you consent to the "marketing" category.
- We do not use cookies to create advertising profiles based on your personality, your test responses or your scores.
- We do not transmit to Google or any third party your cognitive profile, your scores, your responses or the content of your AI conversations.
- The advertising audiences we use in Google Ads (including *remarketing*, *Customer Match* and *Similar Audiences*) are built exclusively from visit and conversion events, commercial email lists (transmitted in SHA-256 hash format) and standard advertising attributes — never from psychometric profiles.
- We do not integrate social network pixels or SDKs (Meta, TikTok, X/Twitter, LinkedIn, etc.).
- We do not use cookies for browser *fingerprinting*.
4. Technical and essential cookies
The cookies in section 2.1 are necessary for the Platforms to function correctly. They allow:
- Establishing a secure session between your device and our servers.
- Securely processing payments through Stripe.
- Maintaining authentication during your service use (both test.afini.ai and afini.ai).
- Mitigating automated traffic and attacks via Cloudflare.
- Recording your consent on cookies so we don't have to ask you again on each visit.
These cookies are mandatory for service operation and cannot be disabled without the Platforms ceasing to function correctly. For this reason, they are exempt from the prior consent requirement under article 22.2 LSSI-CE and article 5.3 of the ePrivacy Directive.
5. Analytics cookies
We use two analytics services with different treatments:
Plausible Analytics (without consent): Service hosted in the European Union (Estonia) that operates without cookies and without persistent unique identifiers. It only provides aggregated metrics. Its use is exempt from prior consent under EDPB Guidelines 03/2023. Google Analytics 4 (with consent): Service that requires the cookies_ga and _ga_<container_id> to identify the browser between pages and sessions. Only activated if you grant consent to the "analytics" category of the cookie banner. Your IP address is anonymized by default in the European Economic Area (IPv4/IPv6 truncation) before storage by Google. Data retention in GA4 is set to 14 months.
You may revoke consent to analytics cookies at any time by reopening the banner from the "Manage cookies" link in the footer.
6. Advertising and conversion measurement cookies
When you grant consent to the "marketing" category of the cookie banner, the cookies in section 2.4 are activated for the purpose of measuring and attributing advertising conversions generated by our Google Ads campaigns.
Technical operation:- If you arrive at the Platform from an ad, Google associates your visit with an opaque campaign identifier (GCLID — *Google Click Identifier*) stored in
_gcl_aw. - If you complete a purchase, the browser sends a conversion event to the Google Ads pixel (along with the GCLID and the transaction amount).
- Additionally, our backend fires a *server-to-server* call to the Google Ads API (
ConversionUploadService) from thecheckout.session.completedStripe webhook handler, transmitting the same data along with a SHA-256 hash of your email address (Enhanced Conversions). This covers cases where the user's browser does not fire the client-side pixel (rapid tab close, pixel blocker, etc.). An opaque purchase identifier is used to deduplicate against the browser event.
- Remarketing: users who have visited the Platform. Built from
_gcl_*cookies and other standard Google advertising identifiers. - Customer Match: lists of email addresses transmitted to Google in SHA-256 hash format through the
UserDataServiceAPI. Only emails for which there is prior consent to the "marketing" category are used. - Similar Audiences: audiences statistically similar to the previous ones, automatically generated by Google without additional data transfer on our part.
7. Consent management
7.1. Cookie banner
When you first access the Platforms, we show you a banner with four cookie categories:
- Necessary (always active, cannot be disabled)
- Preferences (optional)
- Analytics (optional)
- Marketing (optional)
The banner offers three buttons with the same visual prominence (same size, color and typographic weight):
- Accept all — activates all categories.
- Reject all — disables all categories except necessary ones.
- Configure — opens a panel to activate or deactivate each category individually.
7.2. Google Consent Mode v2
The Google Tag Manager container loads with all consent signals (ad_storage, analytics_storage, ad_user_data, ad_personalization, functionality_storage, personalization_storage, security_storage) at default value denied. Before your consent expression, Google only receives *cookieless pings* without identifiers. When you confirm the banner, we transmit to the container the updated signals (granted or denied per category) and from that moment the corresponding tags are activated.
7.3. Persistence and revocation
- Your consent is stored in the own cookie
cookie_consent_v2for 12 months. - After this period, we will show you the banner again to refresh your consent.
- If we materially modify this Cookie Policy (for example, adding a new category or new advertising provider), we will increment the internal version and show the banner again to affected users.
- You may revoke or modify your consent at any time using the "Manage cookies" link available in the footer of the Platforms. Your new choice will take effect in the next page load cycle, disabling the corresponding signals in Google Consent Mode and suppressing the associated cookies.
- We retain a record of your consent (categories accepted, date and policy version) for 13 months as proof of compliance under article 7 GDPR.
7.4. Users prior to this version
Users whose Platforms had been visited before the entry into force of this policy and who have not yet expressed consent under the new banner will be shown the banner on their next visit.
8. How to disable or delete cookies
From our own banner: It is the fastest way and the one we recommend. Reopen the banner from "Manage cookies" in the footer and uncheck the categories you do not want to authorize. From your browser: Most modern web browsers allow you to control cookies through their settings:- Google Chrome: Settings → Privacy and security → Cookies and other site data.
- Mozilla Firefox: Options → Privacy and security → Cookies and site data.
- Safari: Preferences → Privacy → Cookies and website data.
- Microsoft Edge: Settings → Privacy, search and services → Clear browsing data.
9. Browser local storage (localStorage)
In addition to cookies, the Platforms use browser local storage (localStorage) to store technical information necessary for service operation.
| Key | Platform | Purpose | Duration | Category |
|---|
afini_session_token | test.afini.ai · afini.ai | Session token that allows you to access your test, results or account | Until session close or token expiration | Necessary |
afini_lang | test.afini.ai · afini.ai | Preferred language on the Platform | Persistent | Necessary |
afini_active_profile_label | afini.ai | Label of the active profile in plans with multiple profiles | Persistent | Necessary |
cookie_consent_v2 (mirror) | test.afini.ai · afini.ai | Mirror of the cookie consent for synchronous client access | 12 months | Necessary |
afini_gads_conv_<token> | test.afini.ai | Deduplication mark between conversion fired by the browser and conversion sent server-side, to prevent the same purchase being counted twice in Google Ads | Persistent | Marketing (only set if the "marketing" category is consented to) |
LocalStorage is similar to cookies but with greater storage capacity and, unlike cookies, is not automatically sent with each HTTP request. You may delete localStorage at any time through your browser settings.
10. Third-party data and subprocessors
The cookies and elements described in this policy are set by the following providers. For each one, we link to their privacy policy.
| Provider | Category | Privacy policy |
|---|
| Stripe, Inc. | Necessary (payment processing) | https://stripe.com/privacy |
| Cloudflare, Inc. | Necessary (bot mitigation and infrastructure) | https://www.cloudflare.com/privacy/ |
| Plausible Insights OÜ | Analytics (without consent, *cookie-free*) | https://plausible.io/privacy |
| Google LLC | Analytics and marketing (with consent) | https://policies.google.com/privacy |
Beyond the listed providers, Afini does not integrate any other service that sets tracking, analytics or advertising cookies.
11. Changes to this policy
Afini reserves the right to update this Cookie Policy at any time to reflect changes in the technologies used, applicable legislation or our privacy practices. Significant changes will be clearly communicated through the Platforms, and affected users will see the consent banner again to refresh their choice.
Your continued use of the Platforms after substantial changes will constitute acceptance of the updated version with respect to strictly necessary cookies. For optional cookies, a new consent expressed through the banner will be required.
12. Contact
If you have questions about this Cookie Policy, how to manage your cookie preferences, or wish to exercise your privacy rights, you may contact us:
- Email: info@afini.ai
- Postal address: Bilbao AI S.L. — Calle Diputación 8, floor 4, Department 5, 48008 Bilbao (Bizkaia), Spain
*Last updated: May 9, 2026*