This policy describes how cookies and similar technologies are used on Conformaze public sites (conformaze.com, conformaze.app) and within the authenticated platform. It complements our privacy policy and meets the requirements of article 8.1 of Law 25 (no cookies set by default) and European Data Protection Board guidelines.
Current posture (May 2026): Conformaze stores no non-essential cookie on its public sites or in the authenticated workspace. No audience-measurement tool (Plausible, Google Analytics, Hotjar, Mixpanel, etc.) is loaded. This posture was approved by the Privacy Officer (DPO) on May 1st, 2026 (see section 7 “DPO decision and commitment”).
1. What is a cookie?
A cookie is a small file your browser stores when you visit a website. It can be used to remember your preferences (language, session) or measure audience.
2. Cookies actually used today
Only strictly necessary cookies are stored to operate the service. They are exempt from prior consent under article 8.1 of Law 25 and recital 32 of the GDPR. Conformaze stores no preferences, audience-measurement or marketing cookie at the time this policy is published.
| Category | Purpose | Consent | Duration |
|---|---|---|---|
| Strictly necessary | Authentication, security (CSRF), load balancing, session. | Not required (Law 25 art. 8.1 exemption) | Session or up to 30 days |
3. Information banner
On your first visit, a banner informs you that only strictly necessary cookies are stored. Consistent with the principle of transparency, this banner does not display an “Accept / Reject” button: there is in fact nothing to consent to as long as no non-essential cookie is in use. You can re-read the message at any time:
4. Cookies set by subprocessors
Application Insights (Microsoft) is used by Conformaze solely for technical monitoring (JavaScript error tracking, exceptions, AJAX calls, performance, frontend/backend correlation). The SDK is configured withdisableCookiesUsage enabled: no cookie is stored by Application Insights, on either the public site or the authenticated workspace, and no audience measurement (page views, visit duration) is collected.
Stripe, when invoked to process a payment, may set its own technical cookies on its payment interfaces (for example an embedded checkout module). Those cookies are governed by Stripe’s privacy policy. The full list of subprocessors is available on our Subprocessors page.
5. Future cookies (preferences, audience measurement, marketing)
When a new cookie category (preferences, cookieless or cookie-based audience measurement, marketing, etc.) is enabled, this policy will be updated before any cookie is stored, and the information banner will be replaced by a full consent banner offering an explicit per-category choice and server-side logging of your decision. No non-essential cookie will be stored until that mechanism ships.
6. Browser configuration
You can also configure your browser to block or delete cookies. Note that disabling strictly necessary cookies may prevent the platform from working (you may be unable to sign in, for example).
7. DPO decision and commitment
On May 1st, 2026, the Conformaze Privacy Officer (DPO) formally confirmed that the “strictly necessary cookies only” posture described above complies with article 8.1 of Law 25 and recital 32 of the GDPR, and that no user consent mechanism is required as long as this posture is maintained. The detailed decision note is archived under docs/pre-prod-2026-05/signatures/CM-R1-plan-b-dpo.md.
Conformaze commits to re-opening the full consent project (server -side consent_logs table, banner with per-category choice) before re-activating any non-essential cookie, with an internal target date of May 12, 2026 to resume the work.
8. Your rights and contacting us
For any question about cookies or to exercise your rights: dpo@conformaze.com.