Cookie Policy
1. What Are Cookies
Cookies are small text files placed on your device when you visit a website. In this Policy, "cookies" is used broadly to also cover equivalent client-side storage technologies – localStorage, sessionStorage, and first-party cache – to the extent they read from or write to your device, in line with Article 5(3) of Directive 2002/58/EC (as amended).
2. Legal Basis
This Policy is drafted with reference to the EU ePrivacy Directive (2002/58/EC, as amended by 2009/136/EC), the GDPR (Regulation (EU) 2016/679), the UK GDPR and PECR 2003, and the CCPA/CPRA to the extent it applies to us. Strictly-necessary cookies are placed without consent because they are essential to deliver a service you have explicitly requested. Non-essential cookies (analytics, marketing attribution, persistent referral attribution) are placed only after your explicit, informed, freely given consent.
How we collect consent. On your first visit we present a first-party, in-house consent banner (no third-party consent-management vendor). The first layer of the banner offers "Accept all", "Reject all", and "Manage preferences" as equally prominent and equally easy choices; "Reject all" is no harder to use than "Accept all". No non-essential cookie (Analytics, Marketing, or Referral Attribution) is set until you make an active choice – there are no pre-ticked boxes and no implied consent from continued browsing or scrolling. We mirror your consent record server-side (timestamp, the categories you accepted or rejected, and the policy version in force) so that we can demonstrate a valid grant of consent under Article 7(1) GDPR. Withdrawal of consent is given the same weight as the original grant and is as easy to perform.
3. Cookies We Use
We operate a three-category consent model: Strictly Necessary, Analytics, and Marketing / Referral Attribution. Strictly Necessary cookies are set without consent; Analytics and Marketing cookies load only after you accept the relevant category. Your display currency (USD/EUR/GBP) is derived per request from network/geo signals (the Cloudflare country header, with an Accept-Language fallback) and is not stored on your device, so it is not a cookie and belongs to no category. We do not sell personal information, and we do not share data with third-party advertising networks for cross-site behavioural profiling.
- 3.1 Strictly Necessary. Cookies required for authentication, payment processing, security/bot mitigation, and recording your consent state. These cannot be switched off without breaking core functionality (sign-in, checkout, credit purchases, security).
- 3.2 Analytics (consent only). Aggregate usage and funnel measurement – which pages convert, where users drop off across the Ideation → Validation → Traffic funnel. Loaded only after you accept the Analytics category. Website measurement uses cookieless Cloudflare Web Analytics (no cookie, no device storage); product and funnel analytics use PostHog (EU Cloud), which loads only after you accept this category and then stores an anonymous identifier in your browser's local storage (no advertising cookie). See Section 4.
- 3.3 Marketing Attribution (consent only). First-party attribution of our own marketing campaigns, so we can understand which of our channels bring visitors. We record the first-touch source once (the
utm_*parameters, ad click identifiers, the referring site's host, and the landing page) in a first-partyewpire_srccookie. It is set (for 90 days) only after you accept this category; if you do not accept it, no such cookie is stored on your device at all. We do not place third-party advertising or retargeting pixels (see 3.5). - 3.4 Referral Attribution (persistent, first-party, consent only). When you arrive through a partner referral link (
?ref=<partner_code>), we set a persistent first-party referral cookie to credit the referring partner for our referral programme. Details:- Cookie name:
ewpire_ref. - Type: first-party cookie (not cross-site readable, not shared with any third party).
- Duration: 30 days from the click.
- Contents: only the partner referral code. No personal data, no browsing history, no cross-site identifier.
- Purpose: to attribute a subsequent qualifying signup to the referring partner so that the partner can be credited with the referral commission of 20% of the referred user's first deposit (their first paid credit purchase or first subscription payment), one-time, subject to the terms and clawback rules described in our Referral Programme Terms.
- Consent: this cookie is consent-gated. It is set only after you accept the Marketing / Referral Attribution category. Same-visit referral works without this cookie because the referral code is carried in the page URL through to signup; the cookie only extends attribution to 30 days and is optional. If you decline, referral attribution still works for the same visit – only the persistent 30-day extension is lost.
- Cookie name:
- 3.5 Advertising / Tracking. We do not use advertising or tracking cookies. No targeted advertising, no retargeting pixels, no ad-network data sharing, no real-time bidding, and no cross-site behavioural profiling.
4. Cookie Reference Table
| Name | Provider | Purpose | Type | Duration |
|---|---|---|---|---|
| ewpire-consent | ewpire | your saved category choices | localStorage | Persistent |
| ewpire_consent | ewpire | record of which non-essential categories you accepted; gates the persistent referral/acquisition cookies (also mirrored server-side with timestamp + policy version, see Section 2) | Cookie (first-party) | ~1 year (strictly necessary) |
| ewpire_consent_ref | ewpire | random local identifier linking your browser to our server-side consent log | localStorage | Persistent |
| ewpire_session | ewpire | authenticated session / sign-in | Cookie | Session |
| __cf_bm | Cloudflare | bot management | Cookie | 30 min |
| cf_clearance | Cloudflare | security challenge passed | Cookie | 30 min |
| __stripe_mid | Stripe | fraud prevention (machine id) | Cookie | 1 year |
| __stripe_sid | Stripe | fraud prevention (session id) | Cookie | 30 min |
| ewpire_ref | ewpire | partner referral code for commission attribution (set only after Marketing consent) | Cookie (first-party) | 30 days |
| ewpire_src | ewpire | first-touch marketing attribution (utm/click-id/referrer/landing page; set only after Marketing consent) | Cookie (first-party) | 90 days |
| ph_*_posthog | PostHog (EU Cloud) | anonymous product/funnel analytics identifier + event queue; set only after Analytics consent | localStorage | Persistent (until consent withdrawn) |
Our website measurement uses cookieless Cloudflare Web Analytics, which stores nothing on your device (see below). Product and funnel analytics use PostHog (EU Cloud), which loads only after you accept the Analytics category and then stores an anonymous identifier in your browser's local storage (no cookie, no advertising identifier). The ewpire_ref and ewpire_src cookies are set only after you accept the Marketing / Referral Attribution category; if you do not accept it, no such cookie is stored on your device at all. Same-visit referral attribution still works without any cookie, because the referral code is carried in the page URL through to signup, not stored on your device.
The Stripe (__stripe_mid, __stripe_sid) and Cloudflare (__cf_bm, cf_clearance) cookies are classified here as strictly necessary for fraud prevention and security/bot mitigation.
5. Third-Party Providers (Cookie-Setting)
The following third parties may set or read cookies through our website:
- Stripe Payments Europe Limited and/or other Stripe entities as applicable (billing, Connect payouts; payment and fraud cookies).
- Cloudflare (security, bot/DDoS mitigation, CDN/edge for ewpire.com and our application; strictly-necessary).
We use Cloudflare Web Analytics, a privacy-preserving, cookieless measurement tool: it counts page views and aggregate traffic without setting any cookie, storing anything on your device, using a cross-site identifier, or fingerprinting you. Because it stores and reads nothing on your device, it falls outside the consent requirement of Article 5(3) of the ePrivacy Directive and needs no banner opt-in. For product and funnel analytics we use PostHog (EU Cloud), loaded only after you accept the Analytics category; it stores an anonymous identifier in your browser's local storage (no advertising cookie) and we disable session recording and autocapture. We use no other website-analytics provider.
This list covers only providers that set cookies on your device. A full list of the sub-processors that process your personal data server-side (including the consensus LLM providers, the sandboxed build runtime, hosting, and email) is maintained in our Privacy Policy and Data Processing Agreement. Persistent personal data is stored on EEA infrastructure (Cloudflare EU and Hetzner Germany). Non-EEA providers operate under Standard Contractual Clauses (Module 2) with transfer-impact assessments; China-based inference providers receive a heightened transfer-impact assessment.
6. What We Do NOT Store on Your Device
Certain sensitive material is never stored in a browser cookie or other client-side storage. It is held server-side, encrypted at rest, and used only as needed:
- Authentication and provider credentials. Any platform or sub-processor API credentials are held in a server-side secrets store, encrypted at rest, and are never written to a cookie, to client-side storage, or to logs.
- Your idea text, interview answers, brand/site content, and generated code. These are processed and stored server-side, never in a browser cookie. (How this content is handled, including transmission to multiple frontier LLM providers for inference and our no-training commitment, is described in the Privacy Policy.)
- Support chat content. Held server-side and retained for a limited period, then deleted; any support widget uses short-lived sessionStorage identifiers only, never persistent personal data.
7. How to Manage Cookies
- Cookie Settings. Re-open the consent panel at any time to change your choices. You can withdraw consent for each non-essential category (Analytics, Marketing, Referral Attribution) individually – withdrawal is as easy as acceptance and takes effect immediately; cookies in newly disallowed categories are cleared on the next page load.
- Browser settings. You can block or delete cookies in your browser. Blocking strictly-necessary cookies will break sign-in, checkout, and security functions; declining the Marketing / Referral Attribution category will prevent persistent referral attribution.
- Clear local/session storage. In your browser's developer tools (Application → Local Storage / Session Storage → ewpire.com), you can clear stored values.
- Contact us. Email [email protected]; we reply within 30 days.
8. Changes
This Policy is reviewed on any material change and at least annually. We will notify you of any material change to our cookies – including a new non-essential cookie or cookie category – at least 30 days in advance (aligned with our Privacy Policy), and we will re-prompt for consent before activating any new non-essential category. Where we add a new sub-processor that sets or reads cookies within a category you have already consented to, that addition is reflected in our published sub-processor list with notice, and does not change the categories you have already accepted or rejected.
9. Contact
LeMans Labs OÜ · Estonian registry 16872044 · Valukoja 8/1, 11415 Tallinn, Estonia. General support: [email protected] · Privacy and data-subject requests: [email protected] · Legal notices: [email protected].
This Policy is governed by Estonian law; disputes fall under the jurisdiction of the courts of Tallinn, Estonia. See also our Privacy Policy and Data Processing Agreement.