Cookie Policy

1. Who we are

Flexabits LLC (“Flexabits”, “we”, “us”, or “our”)
30 N Gould St Ste N, Sheridan, WY 82801, USA
Read this policy together with our Privacy Policy and Terms of Use.

2. What are Cookies?

Cookies are small text files placed on your device by your browser at a website’s request. Related technologies include localStorage, sessionStorage, pixels, tags, SDKs, and server-side signals. They help keep a site working securely, remember settings, improve user experience, and support measurement. Some of these technologies may involve identifiers that can be Personal Data under laws like the GDPR when they relate to an identified or identifiable individual.

Session vs. persistent:
Session cookies expire when you close your browser. Persistent cookies remain until their stated expiry (or until you delete them).

First-party vs. third-party:
First-party cookies are set by our domain. Third-party cookies come from our service providers (e.g., embeds or measurement) and are disclosed in the live inventory on this page.

3. How we use Cookies

Like most online services, we use first-party and third-party technologies for different purposes:

• First-party items are set by us to operate the site (e.g., security, login, checkout, load balancing, error tracking) and to remember preferences. They generally don’t track you across other sites.
• Third-party items (set by our service providers) help us operate and protect the Services, and where you allow it, enable optional features and measurement (such as analytics, performance, or functional embeds). Advertising technologies remain off by default and are only enabled where permitted and, where required, with your consent. In opt-in regions, non-essential items are off by default until you choose a category, and rejecting them does not prevent purchases.
• No respawning and no ad fingerprinting: We do not use “respawning” or “evercookies,” and we do not use device/browser fingerprinting for advertising. Our security and fraud-prevention providers may process technical signals (e.g., device or network characteristics) strictly for Necessary purposes such as abuse prevention and service protection.

We design our stack to be privacy-preserving by default. Non-essential technologies are off by default in jurisdictions that require prior consent.

4. Categories we use

To keep the taxonomy consistent across the website and our Consent Management Platform (CMP), we use the following categories:

• Necessary (always active): Required to provide the website, secure it, prevent fraud, and enable core functionality (e.g., page navigation, checkout, account access). These cannot be switched off.
• Functional: Improve or customize your experience (e.g., remembering preferences, enabling embedded media players).
• Analytics: Help us understand site performance and usage (pages visited, events, errors).
• Performance: Used to understand and analyze key performance indicators of the website, which help deliver a better user experience.
• Advertising: Enables or measures advertising, including cross-context behavioral advertising/retargeting. We do not run advertising/retargeting technologies on our Site by default. If we enable any advertising technologies in the future, they will be activated only where permitted and, where required, with your consent. In U.S. states, enabling certain advertising technologies may constitute a “sale” or “sharing” under CPRA and similar laws. You can manage these preferences at any time via the persistent footer link “Your Privacy Choices” and via “Cookie Settings”.
• Uncategorized: Items under review that have not yet been assigned to a category. These are treated as non-essential and kept OFF by default everywhere until classified.

Non-essential third-party technologies are OFF by default where required by law.
Refusing non-essential categories does not block purchases.

5. Types of Cookies we use

Live Inventory:
Our consent platform CookieYes embeds a live, automated inventory below. If the table does not load, use Cookie Settings in the footer to view and manage categories in real time.

Inventory Disclaimer and Variability:
The live cookie/technology table is provided for informational purposes and reflects our best knowledge at the time of publication. Actual items may vary due to security updates, provider changes, regional requirements, or technical conditions. This inventory does not constitute a warranty or guarantee of completeness.

Controlling Effect:
If there is any discrepancy between this documentation and live behavior, your consent choices as expressed through Cookie Settings control the outcome. We honor your choices and do not attempt to bypass them.

Uncategorized Items:
We treat “Uncategorized“ items as non-essential and keep them off by default where feasible. New items may be introduced by vendors or updates. We aim to review and classify newly detected items promptly and, when identified as non-essential, keep them disabled until classification. This target is non-binding and does not create a service-level commitment.

Strictly Necessary Operational Technologies

The items below are manually documented because they are set only during security or payment flows or at the network edge and therefore may not appear in every automated scan by CookieYes. They are used solely to deliver the requested service (authentication, security, fraud prevention, checkout) and are not used for advertising or profiling.

Our technology stack consists of:

• WordPress with WooCommerce for e-commerce.
• WooPayments (powered by Stripe) for payment processing.
• Cloudflare for security and CDN services.
• CookieYes for consent management.

WordPress and WooCommerce (first-party on our domain):
Core and checkout cookies may appear on our domain to maintain sessions and carts; they are strictly necessary for requested functionality and not used for advertising.

CAPTCHA:
Some forms, checkout steps, or access attempts may trigger security challenges (CAPTCHAs or similar challenge pages), including server-level challenges (e.g., hosting and/or CDN bot verification) and third-party challenge tools (such as Turnstile or reCAPTCHA if enabled). These measures process limited technical signals (e.g., IP address, browser/device information, and challenge outcomes) strictly to prevent spam, abuse, fraud, and unauthorized access, and they may be presented more often when traffic appears technically risky (for example, certain VPN/proxy patterns). They are treated as Necessary for security/abuse prevention and are not used by us for advertising or cross-site profiling. Where required by law, we apply appropriate consent controls or alternative measures for any non-essential components.

Cloudflare (security/CDN on our domain):
We use Cloudflare on our domain for availability, DDoS mitigation, bot management and caching. These technologies are Necessary (always active) and not used for advertising. Cloudflare acts as our service provider for security and CDN services. Where required, we rely on a data processing addendum and appropriate safeguards as described in our Privacy Policy. We do not repurpose Cloudflare telemetry for profiling or cross-site advertising.

Cloudflare Web Analytics:
We use CWA to measure site performance. It does not set cookies, nor use advertising identifiers or cross-site tracking. It is currently disabled in the EEA/UK/CH. Outside those regions, it runs as Analytics subject to this Policy. Because CWA does not set cookies, it may not appear in the live cookie table.

• Learn more:
  • WordPress: Cookies – Cookies (WP.org) – Privacy – Terms
  • WooCommerce: WooCommerce Cookies (Docs) – Cookies – Privacy – Terms
  • Cloudflare: Cookies – Cookies (Docs) – Privacy – Terms – Turnstile – Customer DPA
  • Google: Cookies – Privacy – Terms – reCAPTCHA (Docs)

Representative examples (not exhaustive):
The items below may appear only in certain flows, configurations, regions, or technical conditions, and therefore may not be present for every user or in every scan.

WordPress

Cloudflare

Payment providers operating on their own domains

During authentication and checkout, some payment providers operate on their own domains (e.g., stripe.com). Cookies and similar technologies set on those domains support security, authentication, risk checks, and transaction integrity. They are not controlled by our CMP on this site and are governed by the provider’s own terms and notices.

Classification note:
Items on provider domains may include functional or analytical elements determined by the provider. Any categorization shown here is informational and does not override the provider’s own legal basis or notices.

Lawful basis reference:
For technologies on provider domains, please refer to each provider’s privacy/cookie notices for the applicable legal basis and retention controls.

• Load-on-intent: We aim to load third-party payment SDKs only after you select that payment method or open the payment step. Where required earlier for security or checkout integrity, scripts are limited to what is necessary.
• Scope and responsibility: For technologies set on provider domains (e.g., stripe.com), the provider may act as an independent controller for its own domain-level cookies, storage, and processing under its own Terms/Privacy/Cookies. This clarification does not limit any non-waivable rights you have under applicable law. We cannot set, read, or delete cookies placed by third parties on their own domains.
• No ads: We do not use these technologies for advertising purposes.
• Learn more:
  • WooPayments: Terms of Service
  • Stripe: Services Agreement – Legal – Privacy Policy – Cookie Policy – Cookie Settings

Strictly necessary technologies (operational and legal notes)

• Payment and security technologies used for checkout, authentication, fraud prevention, and service protection are treated as strictly necessary where they are required to provide the service requested by the user or to protect the Services against abuse. Card data is handled by our payment processor; we do not store full card numbers on our servers.
• For technologies that run on provider domains (such as stripe.com), the provider’s own notices govern legal bases, retention, and user rights. Cookie names, formats, and durations may change based on provider updates, security controls, or region. We review and update this Policy when material changes are identified.

6. Manage Cookie Preferences

You can change your cookie preferences at any time using the button. This lets you revisit the consent banner and change your choices or withdraw consent immediately.

7. How to Manage Your Preferences

• Cookie banner and preferences: Access Cookie Settings from the footer or Manage Cookie Preferences in-page. Where required by law, our CMP is configured to provide clear and accessible choices (including options such as Accept All, Reject All, and Save Preferences) with appropriate prominence.
• EU/UK/CH (and other opt-in jurisdictions): Non-essential cookies/technologies are off by default until you provide consent.
• Browser controls: You can block or delete cookies in your browser, but blocking all cookies may break core functions such as checkout or login.
• Change or withdraw: You can change or withdraw your choices at any time through Cookie Settings (and, where applicable, Your Privacy Choices). Changes apply to the specific browser/device you use.
• Note: For U.S. state opt-outs and Global Privacy Control (GPC), see Sale/Share and Targeted Advertising.

8. Consent Logs and Retention

We keep verifiable consent records to demonstrate compliance and for audit purposes. At a minimum, the record includes the consented domain, timestamp (UTC), consent ID, category-wise consent status (granted/denied per category), and limited technical metadata (which may include a truncated or hashed IP address, depending on CMP configuration). The country/region field may not always be available in the CMP export. Where implemented, we may also keep limited technical metadata (e.g., banner/CMP identifier or policy version) in separate audit logs; such metadata is not used for marketing or profiling. Access to consent logs is restricted (RBAC/MFA).

Legal bases:

• EEA/UK/CH: GDPR Art. 5(2) (accountability), Art. 7(1) (ability to demonstrate consent), and, where applicable, Art. 6(1)(f) (legitimate interests to establish, exercise, or defend legal claims).
• Similar opt-in regions: comparable legal requirements relating to accountability, the ability to demonstrate consent, and legal claims defense under applicable law.
• United States: Compliance with applicable state privacy laws (including CPRA) and legitimate interests in audit/defense.
• Other jurisdictions: Regulatory compliance and legal claims defense under applicable law.

Retention of consent logs:

• We retain consent logs for 3 years, unless a shorter or longer period is required by law or necessary to establish, exercise, or defend legal claims. We apply data-minimization and security controls appropriate to risk.

Remembering your preferences (browser-side):

• We currently remember cookie choices for about 6 months in regions where we apply opt-in defaults for non-essential technologies, and for about 12 months in the United States. These periods may vary by region, applicable law, and our consent-tool settings.

You may change or withdraw consent at any time via Cookie Settings / Your Privacy Choices, or Manage Cookie Preferences. If you clear cookies or switch browsers/devices, you may need to set your preferences again.

Deleting browser preferences does not delete our server-side consent record kept for compliance.

9. Regional Rules and Legal Bases

EEA/UK/CH

• Non-essential cookies and similar technologies require prior consent (opt-in) where required under applicable law.
• Where required by law, “Reject All” is presented as clearly and is as easy to use as “Accept All.”
• Withdrawal is simple and immediate via Cookie Settings.

United States

• We honor Global Privacy Control (GPC) as described in Sale/Share and Targeted Advertising.
• We provide a persistent footer link labeled “Your Privacy Choices” (Do Not Sell or Share My Personal Information) that enables users to exercise opt-out choices for activities that may constitute a “sale” or “sharing,” including cross-context behavioral advertising, where applicable.
  • For convenience, “Your Privacy Choices” and “Cookie Settings” may open the same preference center.
• We do not use Sensitive Personal Information to infer characteristics. We use it only for permitted purposes. If our practices change, we will update this notice and provide any required mechanisms.
• For information about the categories of Personal Information we collect, the purposes, our retention practices, and your rights, please see our Privacy Policy.

Other regions

• Outside the regions specifically addressed above, we apply consent, choice, and disclosure practices based on applicable law, our consent-tool settings, and the technologies enabled at the time.
• Where required, non-essential technologies remain off until you provide consent, and you may exercise available choices through Cookie Settings and other methods described in our Privacy Policy.

Regional compliance and consent controls

• To meet jurisdiction-specific requirements, we may determine a visitor’s region using available country information from WooCommerce and, if unavailable, IP-based geolocation. This determination is server-side only and used solely to render the appropriate compliance interface, apply consent defaults, and prevent the injection of non-essential scripts in opt-in regions. We do not retain the raw IP for this purpose beyond minimal technical logs.
• The footer link itself is not a cookie and does not store information; it is a user-interface element that opens our Preference Center (CookieYes) to grant, deny, or withdraw consent at any time. If scripts are blocked or JavaScript is disabled, the link may redirect to our Privacy Policy with alternative instructions for exercising rights.
• Where applicable, we rely on legitimate interests to perform limited server-side geolocation solely to render jurisdiction-specific compliance UI, apply consent defaults, and protect against abuse. IP-based geolocation can be imprecise; any inaccuracy does not affect your rights, which we continue to honor.
• We use a consent management platform (CookieYes) to manage cookies and similar technologies on our domain. Where analytics, attribution, advertising, or other non-essential tags are enabled, we configure them to respect your Cookie Settings and, where applicable, Global Privacy Control (GPC). If we introduce additional consent or vendor frameworks in the future, we will update this Policy and our CMP disclosures accordingly.

10. Payments, Authentication, and Fraud Prevention

WooPayments/Stripe, Cloudflare, WooCommerce (Strictly Necessary):
Technologies related to WooPayments (powered by Stripe), Cloudflare, and our WooCommerce checkout are strictly necessary for tokenization, risk checks, authentication, and checkout security. Where implemented, card numbers are transmitted directly to the payment processor via its SDKs/hosted fields; our servers receive only a token (e.g., a payment method ID) and limited metadata (e.g., card brand and last4, where applicable). We do not store card numbers; payment card data is handled by our payment processor in compliance with PCI DSS.

Load-on-Intent:
We aim to load third-party payment SDKs only when you reach the payment step or when necessary to complete checkout securely. Where required earlier for security or checkout integrity, scripts are limited to what is necessary.

Cross-Border Transfers:
Some providers may process data outside your country. We rely on appropriate safeguards (e.g., EU Standard Contractual Clauses (2021/914), UK IDTA/Addendum, and appropriate safeguards under the Swiss FADP), as detailed in our Privacy Policy.

Provider Domains and Roles:
When payment providers operate on their own domains (e.g., stripe.com), they may act as independent controllers for their domain-level cookies, storage, and processing under their own Terms/Privacy/Cookies (see links in Types of Cookies we use). Our cookie consent mechanisms apply exclusively to cookies/technologies set on flexabits.com (and subdomains). We do not control, set, read, or delete cookies placed by third parties on their own domains, and our consent tools do not govern those domains. We remain responsible for honoring your choices on our domain (consent) and for providing secure integrations.

Responsibility Boundary:
For provider-domain cookies and processing activities outside our control, please refer to the provider’s notices for lawful bases, retention, and user rights. Nothing in this Section limits any non-waivable rights you have under applicable law. Questions or concerns about provider-domain cookies should be addressed to the relevant provider identified in Types of Cookies we use. Interpretation, remedies, and venue are governed by our Terms of Use.

Cloudflare:
We use Cloudflare for availability, DDoS mitigation, bot management, and caching. These technologies are Necessary (always active) and are not used for advertising. This security/CDN stack is distinct from Cloudflare Web Analytics in Types of Cookies we use.

Inventory Maintenance:
We periodically re-scan and update the classification, names, and approximate TTLs of payment and security technologies (e.g., Stripe via WooPayments, Cloudflare). Items on provider domains operate under their providers’ notices and may vary by security updates or region. Our local inventory is informational and does not alter the provider’s legal basis.

11. Third-party Services

Cloudflare (security)

• Cloudflare may set strictly necessary cookies or similar identifiers on our domain to support security, bot/abuse prevention, and service availability.

Security challenges (anti-bot)

• Security challenges may be presented in certain flows, including Cloudflare Turnstile and Google reCAPTCHA. Related technologies may be set on our domain or on the providers’ domains; third-party domain technologies are governed by the provider’s notices and are not controlled by our CMP.

CookieYes (consent management)

• CookieYes sets a consent cookie on our domain to remember your cookie category choices and maintain consent records.

Tag management and measurement tools

• We may use tag management and similar deployment tools to manage the activation of analytics, advertising, consent, and other website technologies on our domain.

Analytics and attribution providers

• Where enabled, these providers may set or support cookies and similar technologies used to understand Site usage, measure performance, analyze events, and improve the Services, subject to applicable law and your choices.

Advertising and social media partners

• Where enabled, these providers may set or support cookies and similar technologies used to measure campaign performance, understand conversions, support audience analysis, and measure or support marketing activities, subject to applicable law and your privacy choices.

Postmark (transactional email delivery)

• We use Postmark to send transactional emails. This service operates server-side and does not set cookies on our website. We have disabled email open tracking and link tracking.

YouTube (embeds)

• Features provided by third parties that set non-essential cookies/storage are blocked until you consent to the relevant category in EEA/UK/CH. Clicking to enable such content will load the third party, which may set its own cookies subject to its notices.

Sign-In (OAuth 2.0 – Authentication via “Continue with Google”)

• Google may set strictly necessary cookies or similar storage on its own domains (accounts.google.com) to complete authentication, prevent abuse, and maintain session integrity. These items are essential for the requested service and are governed by Google’s notices, our CMP does not control third-party cookies on third-party domains. A temporary URL parameter (nsl_bypass_cache) may appear during sign-in to complete the flow; it is automatically removed and not used for tracking.

For how Personal Data is processed with these services, see the Third-Party Services section of our Privacy Policy.

12. Sale/Share and Targeted Advertising

Current Status:
We do not sell Personal Information for money. Depending on the technologies enabled on the Site and applicable law, certain online identifiers and similar data may be disclosed in ways that may be treated as “sharing” or targeted advertising under some U.S. state privacy laws.

Opt-Out Signals (Global Privacy Control):
Global Privacy Control (GPC) is a browser-level opt-out signal. Where required by applicable law, when we detect a valid GPC signal, we treat it as a request to opt out of “sale”/“sharing” and targeted advertising (as those terms are defined under applicable U.S. state privacy laws). This does not disable strictly necessary cookies/technologies required to operate and secure the Services. Your opt-out preference (including via GPC) applies automatically for the browser/device that sends the signal.

Future Changes or Expanded Use (Notice and Controls):
If we later introduce or expand processing that could be deemed a “sale,” “sharing,” or targeted advertising, we will:

• (i) Update this Policy and user interfaces in advance and provide any required notice,
• (ii) obtain opt-in consent where required (e.g., certain jurisdictions or age groups), and
• (iii) otherwise make such processing subject to your opt-out rights under applicable law.

Regional Alignment:
In EEA/UK/CH, non-essential advertising technologies require prior consent and remain OFF by default unless and until you consent. For provider-domain technologies (such as payment-provider technologies operating on stripe.com), see Types of Cookies we use and Payments, Authentication, and Fraud Prevention.

13. Third-Party Blocking and Technical Interference

• Some browsers, extensions, privacy tools, network filters, device settings, or enterprise policies may block or alter cookies, scripts, or consent signals. This may interfere with the display or operation of our consent tools and certain non-essential features.
• If technical interference prevents us from properly recording or honoring consent, we default to no consent for non-essential categories. Strictly necessary technologies required for security, authentication, fraud prevention, and core site functionality remain operational.
• Some features may not work properly if consent tools or essential scripts are blocked. If scripts are blocked or JavaScript is disabled, Cookie Settings may not function as intended. In that case, you may contact [email protected] for assistance. This does not limit any non-waivable rights you have under applicable law.

14. Browser Controls

Most web browsers let you block, clear, or manage cookies and other local storage. You may:

• Block all cookies or only third-party cookies,
• Clear cookies and site data,
• Set site-specific exceptions,
• Use tracking-prevention or private-browsing modes.

You can typically find these options under:

• Settings > Privacy and Security > Cookies and Site Data,
• Preferences > Privacy > Block/Manage Website Data,
• Settings > Cookies and site permissions > Manage and delete cookies and site data.

Help pages:

• Google Chrome: Help Center: Manage cookies in Chrome
• Apple Safari (macOS): Manage cookies and website data in Safari
• Apple Safari (iOS): Block or remove cookies in Safari on iPhone/iPad
• Mozilla Firefox: Clear cookies and site data in Firefox
• Microsoft Edge: Manage and delete cookies in Microsoft Edge

If you use another browser or device, please refer to its official support documentation.

Blocking all cookies may prevent core features from working properly. For on-site, granular choices, use Cookie Settings / Your Privacy Choices in the footer or Manage Cookie Preferences.

15. Updates

We may update this Cookie Policy from time to time to reflect changes in our practices, technologies, or applicable law. When we do, we will post the updated version here, revise the “Last Updated” date at the top and, where appropriate, update our Cookie Policy Log. Unless stated otherwise, the updated Policy will apply on a going-forward basis and will not retroactively change how we previously used cookies and similar technologies. Where required by law or where changes are material (for example, introducing new non-essential technologies or changing their purposes), we will provide additional notice (for example, via the Site or by email) and, where applicable, request your consent again.

16. Contact us

Exercising your privacy rights:
Access, deletion, correction, portability, or questions about this policy. We may need to verify your identity before acting on a request.

• Privacy officer: [email protected]
• Contact form: flexabits.com/contact-us
• Support hours: 9:00 AM – 5:00 PM ET (New York time), Monday to Friday.
• Typical response time: 1-2 business days. Closed on weekends and US holidays.