Attorney-review draft — not legal advice; placeholders in [BRACKETS] must be completed before use.
GaugeTrace Cookie Policy
Applies to: the GaugeTrace marketing website ([gaugetrace.com] / [domain]) and the GaugeTrace web dashboard (the "Website" and "Services"). It explains how we use cookies and similar technologies, the choices you have, and how to change them.
| Document | Public Cookie Policy (UK PECR + UK GDPR + US-aware) |
|---|---|
| Version | v1.0 |
| Effective date | [Effective date — DD Month 2026] |
| Last updated | [DD Month 2026] |
| Owner | [GaugeTrace Ltd] — Data Protection lead |
| Related documents | Privacy Policy, Data Processing Agreement (DPA), Terms of Service, EULA, Hardware & Calibration Terms |
This Cookie Policy forms part of, and should be read together with, our Privacy Policy. Defined terms (e.g. "controller", "processor", "sub-processor", "Services") have the meaning given there. Where the two documents describe the same provider (Supabase, Stripe, Sentry, PostHog, the CRM, the transactional email provider), they are intended to be consistent; the canonical sub-processor list is in Section 7 of the Privacy Policy.
1. Who we are
The Website is operated by [GaugeTrace Ltd], a private company limited by shares incorporated in England and Wales (company number [company number]), registered office [registered office address], ICO registration number [ICO registration number]. For cookies and similar technologies on our Website, GaugeTrace is the controller. You can contact us about cookies at [privacy@gaugetrace.com].
Scope note — evidence data is out of scope here. This Cookie Policy is about the small data files placed on your browser/device when you visit our Website or dashboard. It does not govern the pressure-test evidence, end-customer PII, GPS, signatures or calibration records our business customers put into the platform — for that data GaugeTrace is a processor and the relevant terms are in the Privacy Policy (Section 3) and the DPA.
2. What are cookies and similar technologies?
A cookie is a small text file that a website places on your browser or device, which can be read back on later visits. We also use technologies that behave like cookies for the purpose of this policy and the law, including:
- Local storage / session storage — browser storage used to keep you signed in and remember app state (heavily used by the web dashboard);
- Pixels / tags / SDKs — small scripts that load analytics or error-monitoring code;
- Device / software identifiers — set by our authentication, analytics and error-monitoring providers.
In this policy we refer to all of these collectively as "cookies". The UK rules in the Privacy and Electronic Communications Regulations (PECR) treat the act of storing or reading information on your device the same way regardless of the underlying technology.
First-party vs third-party. First-party cookies are set by the GaugeTrace domain. Third-party cookies are set by our providers (e.g. PostHog, Sentry, Stripe) whose code runs on our pages. Third-party providers are listed as sub-processors in the Privacy Policy.
3. The categories of cookies we use
We group cookies into four categories. The first is exempt from consent; the other three are non-essential and are only set with your consent.
3.1 Strictly necessary (always on)
These are essential to provide the Website and Services you have asked for — you cannot turn them off through our banner because the site will not work properly without them. They do not require consent under PECR (the "strictly necessary" exemption). They include cookies and storage that:
- keep you signed in and maintain your session (including OAuth, Microsoft/Azure SSO/SAML and magic-link authentication flows handled via Supabase Auth);
- provide security (CSRF protection, abuse/fraud prevention, bot mitigation);
- remember your cookie-consent choices so we do not re-ask on every page;
- enable core billing/checkout functions and fraud screening during payment (Stripe);
- support load balancing and basic site operation.
We rely on these on the legal basis of our legitimate interests / the strictly necessary exemption; no consent is required, but we still tell you about them here.
3.2 Analytics / product (PostHog) — consent required
We use PostHog to understand how visitors use our Website and dashboard — which pages and features are used, navigation paths, and aggregate trends — so we can improve the product. PostHog sets cookies/storage to recognise returning sessions using pseudonymous identifiers. We configure PostHog to minimise personal data and, where available, enable IP minimisation/anonymisation. These cookies are set only if you accept analytics cookies.
3.3 Error / performance monitoring (Sentry) — consent required
We use Sentry to detect, diagnose and fix crashes and errors so the Services stay reliable. Sentry may set storage and collect diagnostic/session context (e.g. a session identifier, browser and device data, error stack context), with PII scrubbed where feasible. We treat Sentry's browser-side telemetry as non-essential and load it only with consent. (Server-side error logging that does not store/read information on your device is covered by the Privacy Policy, not this banner.)
3.4 Marketing / functional (consent required)
If and where we run them, marketing/functional cookies support our CRM and outreach — for example recognising a known contact, attributing a demo request, or remembering non-essential preferences. These may be set by our CRM ([HubSpot]) or our transactional email provider ([Postmark / Resend]) when you interact with tracked links or embedded forms. We do not currently run cross-context behavioural advertising cookies and we do not sell or "share" personal information (see Section 9 of the Privacy Policy). If we ever add advertising/retargeting cookies, we will update this policy, add them to the table below, place them behind consent, and — where any cookie is deemed a "sale"/"share" under US state law — provide a working opt-out and honour Global Privacy Control (see Section 8). These cookies are set only with consent.
At-a-glance: Strictly necessary = always on. PostHog (analytics), Sentry (error monitoring) and any marketing cookies = off until you opt in.
4. Cookie table
The table below lists the cookies and similar technologies we use or expect to use. Names, providers, durations and exact behaviour can change as providers update their software; we keep this table current and re-confirm it at each release. [Engineering / privacy to verify the live cookie inventory against this table before publication and update the bracketed values.]
| Name / pattern | Provider | Purpose | Category | Type | Duration |
|---|---|---|---|---|---|
| sb-[project]-auth-token (+ local storage) | Supabase Auth (first-party) | Maintains your authenticated session / keeps you signed in | Strictly necessary | First-party (HTTP + local storage) | Session / [up to 7 days] (refresh) |
| [gt_session] | GaugeTrace (first-party) | Session continuity and app state | Strictly necessary | First-party (HTTP) | Session |
| [__cf_bm] / [bot-mitigation] | [CDN/WAF provider] | Bot mitigation and security | Strictly necessary | Third-party (HTTP) | [30 minutes] |
| [csrf_token] | GaugeTrace (first-party) | Cross-site request forgery protection | Strictly necessary | First-party (HTTP) | Session |
| gt_cookie_consent | GaugeTrace (first-party) | Stores your cookie-consent choices | Strictly necessary | First-party (HTTP / local storage) | [12 months] |
| __stripe_mid | Stripe | Fraud prevention during checkout/billing | Strictly necessary | Third-party (HTTP) | [1 year] |
| __stripe_sid | Stripe | Fraud prevention during checkout/billing (session) | Strictly necessary | Third-party (HTTP) | [30 minutes] |
| ph_[project]_posthog (+ local storage) | PostHog | Product/website analytics; recognises pseudonymous sessions | Analytics | First-party/third-party (cookie + local storage) | [12 months] |
| [sentry_session] / replay context | Sentry | Error/crash monitoring and diagnostics | Error monitoring | Third-party (storage) | [Session – 90 days] |
| [hubspotutk] | [HubSpot] (CRM) | Recognises a known contact; attributes form/demo activity | Marketing/functional | Third-party (HTTP) | [13 months] |
| [__hssc] / [__hstc] / [__hssrc] | [HubSpot] (CRM) | Marketing analytics for our outreach forms/pages | Marketing/functional | Third-party (HTTP) | [Session – 13 months] |
| [email-tracking pixel] | [Postmark / Resend] | Open/click tracking on transactional/marketing email links | Marketing/functional | Third-party (pixel) | N/A (no persistent cookie) |
Where a value is shown in [brackets] it is a placeholder/indicative figure to be confirmed against the live deployment. The maximum lifetime of any non-essential cookie we set is [13 months], consistent with regulator guidance; consent itself is re-sought at least every [12 months].
5. How we obtain consent (the banner)
When you first visit our Website (and again if your choices expire or you clear cookies), you will see a cookie consent banner. Our consent approach is designed to meet PECR and the UK GDPR standard of consent — a clear, affirmative, freely given, specific and informed action:
- No non-essential cookies fire before consent. Analytics (PostHog), error-monitoring (Sentry) and marketing cookies are blocked until you opt in. Strictly necessary cookies load regardless, as the law permits.
- Granular choice. You can Accept all, Reject all, or Manage preferences to toggle each non-essential category (Analytics / Error monitoring / Marketing) on or off independently.
- Reject is as easy as Accept. The "Reject all" option is presented with equal prominence to "Accept all". We do not use pre-ticked boxes, and we do not treat continued scrolling or browsing as consent.
- No cookie walls. Access to the Website is not conditional on accepting non-essential cookies.
- Informed. The banner links to this Cookie Policy so you can review the details before choosing.
We record your choice (date, version, and categories accepted) so we can demonstrate consent and respect it on later visits.
6. How to change or withdraw your consent
You are in control and can change your mind at any time:
- Cookie settings link. Use the "Cookie settings" / "Manage cookies" link in our Website footer (and via the dashboard settings) to reopen the preference centre, change category toggles, or withdraw consent. Withdrawing is as easy as giving consent.
- Effect of withdrawal. Withdrawing consent stops further use of that category going forward; it does not undo processing already carried out lawfully before withdrawal. After you withdraw, we will stop setting the relevant cookies and will treat the corresponding stored identifiers as no longer consented.
- Browser controls. You can also block or delete cookies through your browser settings (and clear local storage). Most browsers let you refuse some or all cookies or alert you when one is set. Blocking strictly necessary cookies may break sign-in, billing or security features and stop parts of the Services working.
- Provider opt-outs. Some providers offer their own controls — e.g. you can manage analytics participation via our preference centre, which instructs PostHog/Sentry not to load.
Helpful general guidance on managing cookies is available at [aboutcookies.org] / [allaboutcookies.org] and the ICO's website (https://ico.org.uk). [Confirm chosen consent-management platform / banner vendor and the exact "Cookie settings" link before publication.]
7. Cookies in the mobile / offline app
Our PoolGauge IQ mobile app is offline-capable and uses on-device storage (e.g. a local database and secure storage) to hold authentication tokens, queued test evidence awaiting sync, and app settings. This on-device storage is strictly necessary to deliver the offline-first experience you have asked for and is not used for tracking or advertising. The app may also include Sentry (error monitoring) and PostHog (analytics) SDKs; where these are non-essential, the app will seek the equivalent in-app consent and let you opt out in the app's privacy settings. [Confirm the mobile SDK consent mechanism and default state before publication.]
8. Do Not Track and Global Privacy Control (GPC)
- Do Not Track (DNT). Most browsers offer a "Do Not Track" signal. Because there is no consistent industry standard for how DNT should be interpreted, our Website does not currently respond to DNT signals. You can still control non-essential cookies through our banner and preference centre.
- Global Privacy Control (GPC). GPC is a browser/extension signal that communicates an opt-out of "sale"/"sharing" of personal information. We do not sell or "share" personal information for cross-context behavioural advertising (see Privacy Policy Section 9), so there is currently nothing for GPC to opt you out of. [If we later deploy any cookie that constitutes a "sale"/"share" under US state law (e.g. California, Colorado, Connecticut), we will treat a detected GPC signal as a valid opt-out for that browser and add a "Do Not Sell or Share My Personal Information" link here.] Where required by applicable US state law, we will honour GPC as an opt-out preference signal.
9. US-customer posture (business vs consumer)
Our customer base is primarily in the US Sun Belt, while our Services are governed by the laws of England and Wales. GaugeTrace is a business-to-business service; most Website visitors interact with us in a business capacity. Some US state privacy laws (e.g. California's CCPA/CPRA, and Colorado/Connecticut/Virginia/etc.) regulate certain analytics and advertising technologies and recognise opt-out preference signals such as GPC. Where you interact with us as a consumer and the thresholds of an applicable state law are met, the relevant rights and the GPC handling described in Section 8 apply. We monitor these laws and update our practices accordingly. [Confirm current state-law applicability and thresholds with counsel.]
10. Personal data, retention and your rights
Some cookie data is personal data under the UK GDPR (e.g. online identifiers). How we use, share, retain and protect that data — including transfers to providers in the United States (notably Supabase's default US region) under the UK IDTA / EU SCCs + UK Addendum, our sub-processor list, retention periods, and your data-subject rights (access, erasure, objection, withdrawal of consent, California rights) — is set out in the Privacy Policy. Website analytics/cookie data is typically retained per the cookie lifetimes in Section 4 (generally [up to 13 months]).
To exercise any data protection right, or to ask a question about cookies, email [privacy@gaugetrace.com]. You also have the right to complain to the Information Commissioner's Office (ICO) (https://ico.org.uk); California residents may contact the California Privacy Protection Agency.
11. Changes to this Cookie Policy
We may update this Cookie Policy as our Website, providers or the law change. We will post the updated version with a new effective date and version number, and re-seek consent through the banner where the changes require it (for example, adding a new non-essential cookie category). Please check this page periodically.
12. Contact
Questions about this Cookie Policy or our use of cookies:
[GaugeTrace Ltd] — Data Protection
Email: [privacy@gaugetrace.com]
Post: [registered office address], marked "Data Protection"
End of Cookie Policy v1.0 — [Effective date].