Legal

Cookie Policy

Last Updated: July 1, 2026

This Cookie Policy describes how Sites may use cookies, pixels, tags, scripts, analytics tools, advertising tools, tag-management tools, forms, checkout tools, session tools, dashboard tools, email tracking, customer-site tracking, and similar technologies in connection with its websites, sales process, onboarding, payment flow, customer account portal, support channels, managed website services, and related operations.

This Policy is written for Sites' business-to-business managed website service model. Customer websites, customer-controlled tools, regulated industries, international users, and consumer-facing workflows may require additional or different cookie notices, consent controls, opt-out paths, disclosures, or review before launch or publication.

1. Scope

1.1 Sites-owned surfaces. This Policy applies to cookies and similar technologies that may be used on Sites-owned marketing websites, pricing pages, onboarding flows, checkout flows, customer dashboards, Help Center pages, forms, support surfaces, and related service operations.

1.2 Customer websites. If Sites builds, migrates, hosts, supports, or manages a customer's website, that customer website may need its own cookie notice, consent controls, vendor disclosures, opt-out paths, and industry-specific review. This Policy does not replace customer-specific cookie notices, customer privacy notices, or customer legal obligations.

1.3 Customer-site tools. If Sites configures analytics, pixels, tags, forms, CRM, booking, menu, email, SMS, dashboard, reporting, or other tools on a customer website, that customer website may need its own disclosure and consent path. Sites' configuration work does not by itself authorize customer-specific tracking, customer-site legal language, or customer-site cookie notices.

1.4 Relationship to Privacy Policy. The Privacy Policy describes broader information collection, use, disclosure, retention, security, rights-request, vendor, and customer-site issues. This Cookie Policy focuses on cookies and similar technologies and should be read together with the Privacy Policy.

1.5 Geography and law scope. Additional federal, state, international, sector-specific, consumer, business-contact, employee, contractor, sale/share, targeted-advertising, or privacy-rights requirements may apply depending on user geography, customer geography, data categories, tool configuration, business thresholds, and customer use case.

2. Cookies And Similar Technologies

Cookies and similar technologies may include:

  • browser cookies;

  • pixels;

  • tags;

  • scripts;

  • software development kits or embedded tools, if used;

  • analytics identifiers;

  • advertising or conversion identifiers;

  • tag-management containers;

  • session identifiers;

  • form, CRM, booking, support, chat, or routing tools;

  • checkout, invoice, billing-portal, or customer-portal tools;

  • email open, click, unsubscribe, or preference technologies where configured;

  • SMS/text tracking technologies only where separately reviewed and configured; and

  • customer-site tracking tools where authorized for a customer website.

The specific tools and technologies used may change over time. Cookie and tracking disclosures should match tools actually enabled, actual tool configuration, actual data flows, user geography, customer geography, customer-site scope, and privacy/security review.

3. Tools Sites May Use

Depending on actual configuration, Sites may use the following tool categories:

Tool category

Examples

Analytics and measurement tools

Traffic measurement, usage analysis, page performance, funnel review, reporting, and service-quality measurement.

Advertising and conversion tools

Campaign measurement, conversion tracking, attribution, retargeting, and advertising performance where configured.

Tag-management tools

Tag, pixel, script, trigger, and consent-mode control tools where configured.

Search and performance tools

Search Console, search-performance records, verification tags, page performance tools, and related search or technical records where configured.

Website platform tools

Website platform sessions, forms, embedded scripts, performance tools, hosting or publishing tools, and form-submission tools where configured.

Form, CRM, booking, and support tools

Inquiry capture, customer intake, onboarding, support, sales, booking, menu, chat, CRM, and routing tools.

Payment and checkout tools

Checkout, invoices, billing portal, customer portal, subscription, payment-method reference, payment status, refund, dispute, chargeback, and payment-record tools.

Tax and invoice-support references

Customer-location, invoice category, tax-document, exemption, reporting, and tax/accounting status references where generated by checkout, invoicing, or billing tools.

Email and communication tools

Email open/click records, unsubscribe or preference controls, support tools, dashboard notifications, and customer communications.

Dashboard and account tools

Account records, support records, project records, service records, analytics events, and reporting outputs.

AI and automation tools

AI, automation, support, analytics, or vendor tools are not treated as cookie tools unless actual cookies, scripts, logs, or integrations are configured; any such use must stay within the applicable customer-work boundary and review path.

Customer-site tools

Analytics, pixels, tags, forms, CRM, booking/menu, email/SMS, dashboard, or reporting tools implemented on customer websites where authorized.

Specific vendors may change. Vendor disclosures should match actual tool use and actual configuration records.

4. Cookie And Tracking Categories

Depending on actual configuration, Sites may use cookies and similar technologies in the following categories:

Category

Purpose

Example surfaces

Necessary or service tools

Site operation, checkout, forms, dashboard login, security, account operations, payment processing, and service delivery.

Website, checkout, dashboard, onboarding, support.

Analytics tools

Traffic measurement, usage analysis, funnel review, reporting, service improvement, and technical performance review.

Marketing site, pricing pages, dashboard, reporting surfaces where configured.

Advertising or measurement tools

Campaign measurement, conversion tracking, attribution, retargeting, and advertising performance where configured.

Marketing site, landing pages, ads-linked pages.

Tag-management tools

Deployment, control, activation, consent-mode routing, and change records for tags, pixels, scripts, and triggers.

Sites-owned surfaces and customer websites where customer authorization, customer-site notice dependency, and consent/control status are addressed.

Product or session tools

Dashboard behavior, onboarding progress, project workflow, support workflow, feature use, service improvement, and session replay where configured.

Dashboard, onboarding, support, Help Center.

Form and CRM tools

Inquiry capture, customer intake, onboarding, support, sales, customer account records, and routing.

Forms, onboarding, CRM, support, booking/menu tools.

Payment and billing tools

Checkout, payment-method handling, invoices, billing portal, payment status, disputes, refunds, subscriptions, and customer portal activity.

Checkout, invoices, billing portal, customer portal.

Email or SMS communication tools

Email opens/clicks, unsubscribe or preference controls, dashboard notifications, and SMS/text only where separately reviewed and configured.

Email provider, support, dashboard, customer-site workflows where configured.

Customer-site tracking tools

Customer website analytics, pixels, tags, forms, CRM, booking/menu, email/SMS, dashboard, and reporting tools where customer authorization and notice dependency are addressed.

Customer-owned websites and customer-controlled accounts.

Advertising, attribution, campaign, lead, conversion, revenue, return-on-ad-spend, retargeting, or performance labels are category and purpose descriptions only. They do not support claims about attribution accuracy, campaign performance, leads, conversions, revenue, return on ad spend, or retargeting effectiveness without evidence, customer permission where applicable, and marketing-claims review.

Tax and invoice-support references, AI workflows, and automation workflows are not separate cookie categories unless they are connected to actual cookies, scripts, tags, logs, or configured vendor integrations. Where relevant, they should be treated under the applicable payment, analytics, support, vendor, or customer-site category.

5. Information These Tools May Collect

Depending on actual configuration, cookies and similar technologies may collect, generate, store, transmit, or reference:

  • IP address;

  • device and browser information;

  • page views;

  • referral source;

  • campaign source;

  • click events;

  • form interactions;

  • checkout events;

  • dashboard usage events;

  • onboarding progress;

  • session identifiers;

  • cookie identifiers;

  • tag, pixel, script, trigger, variable, or configuration identifiers;

  • analytics property, tag-management, search-performance, or verification records where configured;

  • consent, preference, opt-out, browser-signal, Global Privacy Control, consent-mode, or vendor-specific privacy setting status where configured;

  • support interactions;

  • email open/click or unsubscribe/preference status where configured;

  • SMS delivery/click/preference records only if SMS/text tools are separately reviewed and configured;

  • customer-site visitor/contact records if customer-site tracking or forms are configured for a customer website;

  • payment, invoice, billing portal, customer portal, refund, dispute, chargeback, subscription, or payment-status references where applicable;

  • customer-state, billing-location, service-location, invoice-category, exemption/tax-document, and tax/accounting status references where configured for payment, invoicing, or accounting review;

  • approximate location derived from technical signals;

  • analytics, search, or performance records; and

  • incident, support, access, offboarding, or change-record references where applicable.

5.1 Data minimization and payment boundary. Cookie/tracking logs should collect only identifiers, statuses, and configuration references needed for operations, privacy/security review, and accounting/tax review. Analytics, tag-management, advertising, session-replay, or marketing tools should not store full card or bank details, raw tax IDs, exemption certificates, dispute evidence, or other detailed accounting evidence. Marketing and analytics identifiers should be separated from payment, tax, dispute, default, and accounting records.

6. How Sites May Use Cookies And Similar Technologies

Sites may use cookies and similar technologies to:

  • operate the website, checkout, dashboard, forms, onboarding, and support surfaces;

  • keep account, session, and security functions working;

  • process payments and maintain payment records;

  • understand traffic, usage, performance, and service quality;

  • measure marketing and advertising campaigns where configured;

  • improve onboarding, support, dashboard workflows, reporting, and product experience;

  • connect analytics, Search Console, advertising, tags, forms, CRM, booking, email, dashboard, and routing tools;

  • maintain service records, claim substantiation records, customer support records, and incident records; and

  • detect, investigate, and respond to technical, security, payment, platform, credential, privacy, vendor, customer-site, or customer-support issues.

6.1 Public-use permission. Sites must not use customer names, logos, testimonials, case studies, portfolio entries, screenshots, project descriptions, analytics/results, dashboard data, payment data, support data, tracking data, or customer-site performance data for public marketing unless the use is supported by a customer permission/publication record and required claim, privacy, and sensitive-data review.

7. Consent, Preferences, And Controls

7.1 Actual controls. Consent, opt-out, preference, or notice controls should be chosen based on actual tracking configuration, customer/user geography, marketing surfaces, dashboard behavior, customer-site behavior, and privacy/security review.

7.2 Preference controls. If Sites implements a cookie banner, preference center, opt-out link, consent mode, tag-manager control, browser-signal response, unsubscribe link, or vendor-specific privacy setting, the control must match actual tool behavior and records.

7.3 No false control. Sites must not offer a cookie, preference, or opt-out control that does not operate as described.

7.4 Essential tools. Some tools may be necessary for site operation, checkout, security, forms, dashboard, support, or service delivery. Actual classification should be validated against the configuration.

7.5 Sale/share, targeted advertising, and browser-signal review. If advertising pixels, retargeting tags, analytics, session-replay tools, cross-site tracking, or similar technologies are enabled, Sites should review whether the tool creates sale/share, targeted-advertising, cross-context behavioral advertising, Global Privacy Control, opt-out, consent, or vendor-contract obligations under the applicable privacy framework. This Policy does not decide that classification for every tool or geography.

7.6 Geo-sensitive control design. Consent, preference, opt-out, and browser-signal controls may need to vary based on user geography, customer geography, business thresholds, tool type, customer-site versus Sites-owned surface, privacy framework, international scope, and vendor settings.

7.7 Publication and tool-use alignment. A cookie policy, cookie banner, preference center, opt-out link, or customer-site tracking workflow should match the enabled tools, vendor-contract status, sale/share or targeted-advertising classification, browser-signal path, geography-specific consent/opt-out design, and customer-site notice plan.

7.8 Rights and requests. Cookie/tracking requests, opt-outs, browser signals, authorized agents, appeal processes if applicable, verified requester roles, timing, accounting/security holds, and customer-site visitor routing may require separate request-handling procedures.

7.9 Email/SMS controls. If Sites sends marketing emails, unsubscribe or preference controls must match the actual email provider configuration and review. SMS/text marketing or tracking must not be sent, enabled, or described unless a separate SMS/text provider inventory, control workflow, and legal/privacy review exist; any SMS/text controls must match the actual configuration.

8. Third-Party Tools

8.1 Third-party processing. Third-party vendors may process information under their own terms, policies, settings, retention periods, security controls, platform capabilities, and contract limits.

8.2 Vendor records. Tracking and vendor disclosures should match actual vendor and platform configuration. Vendor records may identify tool purpose, data categories, service surface, activation status, test/future/disabled status where relevant, consent/control status, access status, role classification, and retention limits where known.

8.3 Vendor changes. The tools Sites uses may change. Public disclosure should match the tools enabled at the time of publication.

8.4 Vendor and role classification. Tracking and vendor tools can create separate vendor-role, contract, privacy-rights, sale/share, opt-out, browser-signal, retention, incident-response, payment, tax/invoice, dashboard, support, AI, security, and customer-site issues. Sites should classify each vendor and tool based on actual configuration, customer/user geography, data categories, activation surface, and privacy/security review.

8.5 Platform and embedded scripts. Website-platform records may include project ownership, collaborator roles, form submissions, embedded scripts or third-party forms, publishing or custom-domain dependencies, access, export/deletion, handoff, offboarding, and customer acknowledgment information where applicable.

8.6 Integration records. Forms, CRM, booking tools, email, SMS if separately reviewed and configured, support/chat, routing/automation tools, dashboard/database tools, and other integrations may each have records identifying provider, account owner, data categories, submission destination, preference or opt-out controls, customer-site versus Sites-owned surface, retention, deletion/export, and offboarding path.

8.7 Access credentials and secrets. Credentials, keys, tokens, signing secrets, environment variables, and contractor/vendor access should be protected based on sensitivity, limited to needed personnel or tools, and revoked or rotated when no longer needed or after suspected compromise.

9. Google, Tag Manager, And Search Records

9.1 Analytics records. Analytics records may identify the relevant tool owner, activation surface, customer-site versus Sites-owned status, data-retention or control settings, reporting path, access status, and offboarding path where configured.

9.2 Search records. Search Console or similar search records may include access, verification, customer-site versus Sites-owned status, offboarding, and handoff information where applicable. Search tools are not automatically cookie or tag tools unless tied to configured site technologies.

9.3 Tag-management records. Tag-management tools, if used, may affect activation of cookies, analytics, advertising, or other tracking. Tag use should match owner/admin controls, consent/control configuration, customer-site versus Sites-owned surface, customer authorization for customer websites, change records, and offboarding path.

9.4 Tag changes. Tag, pixel, script, consent-mode, or trigger changes should be documented at a level appropriate to the affected surface, tool/vendor, data categories, purpose, customer authorization where applicable, notice/control dependency, testing, rollback path, and post-change check.

10. Payment, Checkout, And Tax Boundaries

10.1 Payment processors. Payment processors and checkout tools may use cookies, scripts, or similar technologies to operate checkout, save payment-method references where authorized, support invoices, support billing portals, process refunds or disputes, and maintain payment records.

10.2 Payment-data boundary. Payment-related records should distinguish records held or controlled by the payment processor from records retained by Sites, including customer, subscription, invoice, payment, saved payment-method reference if used, refund/credit, dispute, chargeback, and tax/accounting records. This Policy does not imply Sites stores full card or bank details if those details are handled by a payment processor.

10.3 Tax and invoice-support records. Customer-location, invoice category, exemption/tax-document, refund, credit, dispute, chargeback, tax/accounting status, and service-period records may need separate retention and integrity controls. Cookie/tracking request handling should not delete or alter records needed for tax/accounting, dispute, default, ownership-transfer, or audit-trail review without the applicable review path.

10.4 Analytics separation. Analytics, advertising, tag-management, session-replay, and marketing tools should not receive full payment-account details, full card or bank details, raw tax IDs, exemption certificates, dispute evidence, or other detailed accounting evidence.

11. Customer Websites And Customer-Specific Tracking

11.1 Customer-site tracking records. If Sites configures analytics, pixels, tags, forms, CRM, booking/menu, email/SMS, dashboard, or other tracking tools on a customer website, the related records should address customer authorization, signed-scope treatment, customer-site notice or cookie-policy dependency, consent/control status, tool owner, data destination, customer admin access, Sites access, and offboarding/deletion path.

11.2 Signed-scope and role allocation. Customer-site tracking responsibility, customer notice responsibility, consent/preference responsibilities, vendor-role labels, and data-rights handling should be addressed in the signed scope or other applicable customer authorization. This Policy does not assign final responsibility for every customer-specific disclosure or customer-site control.

11.3 Customer-specific notice dependency. A customer website may need its own privacy/cookie notice, consent controls, vendor disclosures, rights-request routing, industry-specific disclosures, and content/claim approvals. This Policy does not replace customer-specific privacy notices or customer legal review.

11.4 Customer-site configuration. If Sites helps configure process-based tracking, analytics, Search Console coordination, forms, or reporting, the configuration should match the signed scope, customer authorization, customer-site notice plan, customer-site control plan, and offboarding/deletion path.

12. Records, Retention, And Requests

12.1 Tracking records. Sites may maintain cookie/tracking records sufficient to identify the relevant tool, vendor, category, purpose, data categories, surface, activation status, consent/control or browser-signal status where applicable, sale/share or targeted-advertising classification where applicable, retention or deletion notes, owner, review date, related privacy/cookie notice version, and related incident or support record if applicable.

12.2 Retention purposes. Sites may retain cookie/tracking records as needed for service delivery, support, analytics, measurement, marketing controls, payment records, accounting/tax records, credential/access records, refund/credit/dispute/default records, incident response, claim substantiation, legal or operational needs, and audit trails.

12.3 Retention categories. Sites may maintain retention categories for cookie/tracking records, payment/accounting/tax records, credential/access records, support/project records, analytics/tracking records, AI/vendor records, incident records, customer-site data, and optional marketing/analytics data. Retention records may address purpose, system location, retention/deletion/archive triggers, export feasibility, backup/log handling, hold flags, and minimization.

12.4 Request exceptions. If an access, deletion, restriction, opt-out, or export request is denied, limited, delayed, or routed to an exception, Sites may retain records explaining the reason, affected category, applicable legal/accounting/security/dispute/default hold, processor or record conflict, customer response, and unresolved exception.

13. Security, Incidents, And Offboarding

13.1 Incident records. Tracking, cookie, platform, payment, privacy, security, vendor, credential, customer-site, or claim incidents should be logged, triaged, escalated where appropriate, resolved, and closed with corrective-action records under a privacy, security, and legal response workflow.

13.2 Incident details. Incident records may include incident timing, affected tool/vendor, affected surface, affected data categories, affected customers, containment and remediation steps, vendor, insurance, customer, or regulator notice decisions, communications review, corrective actions, and close/follow-up status.

13.3 Offboarding/deletion/export records. Vendor/tool records may address export feasibility, deletion/archive trigger, backup/log handling, access revocation, token/key cleanup, remaining Sites access, customer admin status, customer acknowledgment where applicable, and unresolved exceptions.

13.4 Customer-controlled account offboarding. Customer-controlled account offboarding should account for customer-owned, Sites-owned, shared, vendor-owned, prior-agency-owned, unknown, or mixed accounts. Offboarding may involve transfer, revocation, reduction, rotation, token removal, ownership updates, platform/project handoff, residual Sites access, export/deletion, and customer acknowledgment.

14. Children, Sensitive, Regulated, And International Tracking

14.1 Children's data. Sites' standard service model is for business customers and is not intended for children or child-directed services. Sites should not knowingly use the standard launch workflow for child-directed services, minor-data workflows, school/education workflows, or customer-site workflows likely to collect children's or minors' data without separate review, customer-site notice review, tracking/tool review, and reviewed intake procedures.

14.2 Sensitive and regulated workflows. Analytics, pixels, session tools, forms, AI/vendor tools, or tracking should not be enabled through a standard workflow for health, wellness, medspa, dental, medical, legal, accounting, financial, real estate, education, child-directed, employment/recruiting, housing, insurance, or other regulated/sensitive customer-site workflows without separate legal/privacy/security review and customer-site notice review.

14.3 International scope. Non-U.S. users, non-U.S. customer-site visitors, vendor/storage regions, cross-border access, customer geography limits, international frameworks, and rollout gating may require separate review before public cookie/tracking language, banners, preference centers, or customer-site tracking are used.

15. Changes To This Cookie Policy

Sites may update this Cookie Policy to reflect tool use, vendor changes, tracking configuration, consent/preference controls, dashboard behavior, checkout behavior, customer geography, changes in law, or service practices.

16. Contact

Questions about this Cookie Policy may be sent through the contact method listed on the Sites website.