Important: This Cookie Policy explains how CRA Evidence uses cookies and similar tracking technologies when you visit our website and use our services.
1. What Are Cookies?
Cookies are small text files that are stored on your device (computer, tablet, or mobile) when you visit a website. They help the website remember your preferences and understand how you use the site.
Cookies can be:
- First-party cookies: Set by CRA Evidence directly
- Third-party cookies: Set by external services we use (e.g., analytics providers)
- Session cookies: Deleted when you close your browser
- Persistent cookies: Remain on your device for a set period
2. Legal Basis and Compliance
This Cookie Policy is designed to comply with:
- GDPR (General Data Protection Regulation) - For users in the European Union
- ePrivacy Directive (2002/58/EC) - EU cookie consent requirements
- UK GDPR - For users in the United Kingdom
- CCPA (California Consumer Privacy Act) - For California residents
Under GDPR Article 6 and the ePrivacy Directive, we rely on:
- Legitimate interest for essential cookies necessary for website operation
- Consent for analytics and preference cookies
3. Cookie Consent
We use a cookie preference system to obtain your consent before placing non-essential cookies. You can access and modify your preferences at any time by clicking "Cookie Preferences" in the website footer.
For users in the European Economic Area (EEA), United Kingdom, or other jurisdictions requiring consent, non-essential cookies will only be placed after you have provided explicit consent. Essential cookies do not require consent as they are necessary for the website to function.
3.1 How to Manage Consent
- On first visit: You will see a cookie banner asking for your preferences
- Change preferences: Click "Cookie Preferences" in the footer at any time
- Withdraw consent: You can withdraw consent at any time through the preference center
4. Cookie Categories
We organize cookies into the following categories:
4.1 Essential Cookies (Always Active)
These cookies are strictly necessary for the website to function and cannot be switched off. They are usually only set in response to actions you take, such as logging in or filling in forms.
| Cookie Name | Provider | Purpose | Duration |
|---|---|---|---|
cra_session |
CRA Evidence | Session management - keeps you logged in | Session |
csrf_token |
CRA Evidence | Security - prevents cross-site request forgery attacks | Session |
lang |
CRA Evidence | Stores your language preference | 1 year |
cookie_consent |
CRA Evidence | Remembers your cookie preferences | 1 year |
4.2 Analytics Cookies (Require Consent)
These cookies help us understand how visitors interact with our website by collecting and reporting information anonymously. This helps us improve our services.
| Cookie Name | Provider | Purpose | Duration |
|---|---|---|---|
ph_* |
PostHog (EU Cloud) | Anonymous analytics identifier | 1 year |
Note: On public pages, PostHog operates in cookieless mode and sets no cookies or localStorage entries.
4.3 Preference Cookies (Require Consent)
These cookies remember your settings and preferences to enhance your experience:
| Cookie Name | Provider | Purpose | Duration |
|---|---|---|---|
theme |
CRA Evidence | Stores dark/light mode preference | 1 year |
dashboard_layout |
CRA Evidence | Remembers your dashboard customizations | 1 year |
table_preferences |
CRA Evidence | Stores table column and filter settings | 1 year |
sidebar_state |
CRA Evidence | Remembers sidebar collapsed/expanded state | 1 year |
4.4 Marketing Cookies (Require Consent)
We currently do not use marketing or advertising cookies. If this changes, we will update this policy and request your consent.
5. Third-Party Cookies and Services
We use the following third-party services that may place cookies on your device:
5.1 Analytics
| Provider | Purpose | Privacy Policy |
|---|---|---|
| PostHog (EU Cloud, Frankfurt) | Website usage analytics and product analytics | PostHog Privacy Policy |
PostHog: We use PostHog EU Cloud hosted in Frankfurt, Germany. IP anonymization is enabled. No session recordings are captured. Data is processed in the EU in accordance with GDPR.
5.2 Infrastructure and Security
| Provider | Purpose | Privacy Policy |
|---|---|---|
| Cloudflare | CDN, security protection, and performance optimization | Cloudflare Cookie Policy |
Cloudflare Cookies: Cloudflare may set the following cookies for security purposes:
__cf_bm: Bot management cookie (30 minutes)cf_clearance: Security clearance cookie (30 minutes to 1 day)
5.3 Payment Processing
| Provider | Purpose | Privacy Policy |
|---|---|---|
| Stripe | Secure payment processing | Stripe Cookie Policy |
Stripe: When you access payment pages, Stripe may set cookies for fraud prevention and secure transactions. Stripe cookies are considered essential for payment functionality.
5.4 Support and Communication
| Provider | Purpose | Privacy Policy |
|---|---|---|
| Intercom (if enabled) | Customer support chat | Intercom Privacy Policy |
Each third-party provider operates under their own privacy policy. We recommend reviewing their policies to understand how they process your data.
6. Other Tracking Technologies
In addition to cookies, we may use:
6.1 Web Beacons (Pixel Tags)
Small transparent images embedded in web pages or emails to track whether content has been viewed. We use these to:
- Measure email open rates
- Understand which pages are visited
6.2 Local Storage
HTML5 local storage may be used to store preferences locally on your device. Unlike cookies, local storage data is not automatically sent to our servers with each request.
| Storage Key | Purpose | Duration |
|---|---|---|
user_preferences |
UI preferences | Persistent |
draft_content |
Auto-saved form drafts | Session |
6.3 Session Storage
Similar to local storage but cleared when you close your browser tab. Used for temporary data during your session.
7. Browser Privacy Signals
We recognize and honor the following browser privacy signals:
7.1 Global Privacy Control (GPC)
If your browser sends a GPC signal, we will treat this as a request to:
- Opt out of non-essential cookies
- Opt out of any sale or sharing of personal information (though we do not sell personal information)
To enable GPC in your browser, visit: Global Privacy Control
7.2 Do Not Track (DNT)
We acknowledge Do Not Track signals. When DNT is enabled:
- We will not place analytics cookies without explicit consent
- Third-party services may have their own DNT policies
Learn more: All About DNT
8. Managing Your Cookie Preferences
8.1 On Our Website
Click "Cookie Preferences" in the footer to:
- View which cookie categories are enabled
- Enable or disable non-essential cookies
- Update your preferences at any time
8.2 In Your Browser
You can manage cookies through your browser settings:
| Browser | Instructions |
|---|---|
| Chrome | Manage cookies in Chrome |
| Firefox | Clear cookies in Firefox |
| Safari | Manage cookies in Safari |
| Edge | Delete cookies in Edge |
8.3 Third-Party Opt-Out Tools
You can opt out of interest-based advertising through:
- Your Online Choices (EU)
- Network Advertising Initiative (US)
- Digital Advertising Alliance (US)
- Google Ads Settings
8.4 Mobile Devices
For mobile devices:
- iOS: Settings > Privacy > Tracking
- Android: Settings > Privacy > Ads
Important Note: Blocking essential cookies may prevent the website from functioning properly. Some features may be unavailable if you disable functional or preference cookies.
9. Cookie Retention
| Cookie Category | Retention Period |
|---|---|
| Essential (Session) | Deleted when you close your browser |
| Essential (Persistent) | Up to 1 year |
| Analytics | Up to 1 year (PostHog) |
| Preferences | Up to 1 year |
| Consent Record | Up to 1 year |
We periodically review our cookie usage and remove cookies that are no longer necessary.
10. Children's Privacy
Our website is not intended for children under 16 years of age. We do not knowingly collect data from children. If you believe we have inadvertently collected data from a child, please contact us immediately.
11. International Data Transfers
Some third-party cookie providers may transfer data outside the European Economic Area. We ensure appropriate safeguards are in place:
- PostHog: Data processed exclusively in the EU (Frankfurt, Germany). No international transfers.
- Cloudflare: Standard Contractual Clauses
- Stripe: EU-U.S. Data Privacy Framework certified
12. Updates to This Policy
We may update this Cookie Policy from time to time to reflect changes in:
- Our practices or technologies
- Legal or regulatory requirements
- Third-party services we use
Changes will be posted on this page with an updated "Last updated" date. For significant changes, we may notify you via email or a prominent notice on our website.
Last updated: February 14, 2026
13. Contact Us
For questions about our use of cookies or this policy, contact us at:
CRA Evidence Team Email: privacy@craevidence.com
You can also contact our Privacy Contact at: privacy@craevidence.com
For more information about how we handle your personal data, please see our Privacy Policy.