Request Demo
Cookies

Cookie policy

Effective · Last updated

This Cookie Policy explains how Navos AI, Inc. ("we," "us," or "our") uses cookies and similar technologies on the navos.ai marketing website. It sits alongside and is incorporated into our Privacy Policy.

What are cookies?

Cookies are small data files a website can place on your device to remember things across page loads — your consent choices, a session identifier, an analytics ID. They are widely used to make sites work and to understand how they are used. Cookies we set ourselves are first-party; cookies set by a third-party script loaded on our site (for example, Google Analytics) are third-party. We also use closely related technologies such as localStorage and sessionStorage, which are covered by the same consent rules under Art. 5(3) of the ePrivacy Directive.

Why we use cookies

On the marketing site we use cookies for three purposes only:

  • To remember your consent choice so you are not asked again on every visit.
  • To measure aggregate site usage (analytics) if you accept.
  • To record UX sessions (session replay) or identify the company you visit from (reverse-IP) if you accept the corresponding categories.

We do not use cookies for advertising, retargeting, or cross-site tracking.

The marketing site is built so that no non-essential cookies or storage are set until you make a choice. We implement Google Consent Mode v2 in advanced mode: before any Google script executes, all consent signals (analytics_storage, ad_storage, ad_user_data, ad_personalization) are set to denied via a synchronous inline script in the HTML head. Tracking scripts (Google Analytics 4, PostHog, Apollo) load but respect the denied state — no cookies set, no identifiers created — until you accept.

Consent banner design. Accept and Decline are presented with equal visual weight, in line with EDPB Guidelines 03/2022 on deceptive design patterns. There is no pre-ticked box.

Proof of consent. Our consent management platform logs your choice (timestamp, categories accepted, user-agent, anonymised identifier) so that we can demonstrate compliance with Art. 7(1) GDPR. The log is retained for the lifetime of the consent plus 12 months.

Cookieless signals. Even when consent is denied, the Google Analytics script may send anonymous, aggregated signals (without cookies or identifiers) for statistical modelling of overall traffic. These signals do not identify you and are not joined to any profile. To prevent them entirely, decline consent and block the google-analytics.com domain at the browser level.

The four consent categories

The banner offers four categories, each with a distinct purpose and legal basis. All categories except strictly necessary default to denied, and you can grant or revoke any category independently.

  1. Strictly necessary — no cookies, but your consent choice itself is stored in localStorage under cc_cookie. Exempt from consent under ePrivacy Art. 5(3).
  2. Analytics — Google Analytics 4 cookies for aggregate measurement.
  3. Session recording — PostHog session replay cookies. Kept separate from analytics per CNIL's February 2026 draft recommendation on session replay tools.
  4. Marketing — Apollo website tracker cookies for company-level (not individual) identification.

Strictly necessary

We do not set any strictly necessary cookies. Your consent choice is remembered between visits using your browser's localStorage (not a cookie) under the key cc_cookie. Storing the consent preference itself is exempt from the consent requirement under ePrivacy Art. 5(3) ("strictly necessary for providing a service explicitly requested by the user").

Analytics (Google Analytics 4, requires consent)

If you accept analytics cookies, Google Analytics 4 sets the following first-party cookies on your device. Names and lifetimes reflect GA4 defaults; the exact set may vary with Google's configuration.

Name: _ga

Purpose: distinguishes unique visitors via a randomly generated client ID. Powers aggregate usage statistics (pages viewed, time on site, referral source).

Provider: .navos.ai (first-party; data recipient: Google Ireland Limited / Google LLC)

Expires in: 2 years

Name: _ga_<container-id> (e.g. _ga_L1TM9SDP3D)

Purpose: persists session state and measurement scope for GA4 across page loads within a visit.

Provider: .navos.ai (first-party; data recipient: Google Ireland Limited / Google LLC)

Expires in: 2 years

Name: _gid

Purpose: distinguishes unique visitors within a single session. May not be set depending on GA configuration.

Provider: .navos.ai (first-party; data recipient: Google Ireland Limited / Google LLC)

Expires in: 24 hours

Name: _gat_gtag_<container-id>

Purpose: throttles the rate of requests sent by the GA script. Does not identify you.

Provider: .navos.ai (first-party; data recipient: Google Ireland Limited / Google LLC)

Expires in: 1 minute

Data transfer. Google Analytics data is sent to Google servers in the United States. The transfer relies on the EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795). Google LLC is self-certified to the DPF; verify active certification at dataprivacyframework.gov. In the event the DPF is suspended or invalidated, transfers continue under Standard Contractual Clauses.

Data retention. The cookies above have lifetimes of 1 minute to 2 years as noted. Google Analytics retains associated event data on its servers for 2 months (the shortest option available in GA4 Admin).

Session recording (PostHog, separate consent)

If you accept the session recording category (separate from analytics), PostHog session replay records your session for UX diagnostics. PostHog is hosted in the European Union (AWS eu-central-1, Frankfurt) and event data and recordings stay in the EU. All form inputs are masked by default. Recordings are retained for 30 days.

Why a separate category? Under CNIL's February 2026 draft recommendation, session replay requires a distinct consent purpose from general audience measurement. Accepting "analytics" alone does not authorise screen recording.

Residual US touches. PostHog Inc. is a Delaware corporation. Event data and recordings stay in Frankfurt, but billing and support metadata transit US systems under Standard Contractual Clauses. Compliant under post-Schrems II SCC rules. We disclose this rather than claim "zero US transfer."

Marketing (Apollo website tracker, separate consent)

If you accept the marketing category, Apollo's website tracker sets cookies and uses reverse-IP lookup to identify the company you are visiting from (e.g. "a visitor from Acme Corp"). This feeds Apollo.io's CRM so our internal sales prioritisation sees which target accounts are touching the site.

What we do with it: internal prioritisation only. If your company matches our ICP, someone on our team may decide to do warm outreach — but only ever based on another signal (a LinkedIn connection, a referral, a conference conversation), never on the tracker visit itself. "I saw you visited our website" outreach is a dark pattern and we do not use it.

What we do NOT do: individual-level identification. In the EU the tracker is company-level only.

Data transfer. Apollo is US-based; tracker data transits US systems under Standard Contractual Clauses, with DPF as a secondary basis where Apollo is certified.

Withdrawal limitation. Apollo does not provide a way to fully unload its tracker script once loaded. If you grant then revoke this consent mid-session, our consent banner clears Apollo cookies immediately, but the already-loaded tracker script continues running in memory until you reload the page or close the tab.

Cookieless analytics (Ahrefs Web Analytics, no consent required)

We use Ahrefs Web Analytics for aggregate traffic measurement (pageviews, referrers, countries). It is designed to be privacy-friendly and runs without a consent gate: it does not set cookies, does not write to localStorage, and does not use browser fingerprinting. Because it does not place or read information on your device, it falls outside the consent requirement of ePrivacy Directive Art. 5(3) and analogous provisions in Quebec Law 25 and the UK DUAA. We still disclose it here for transparency.

What is collected: the URL visited, referrer, user agent, and truncated/anonymised IP used only to derive country. No persistent identifier links visits to a single user across sessions.

Provider: Ahrefs Pte. Ltd. (Singapore). Transfer mechanism: Standard Contractual Clauses for transfers outside the EEA/UK/Quebec.

Opting out. Because there is no cookie or on-device identifier to toggle, the primary opt-out is a browser-level block of the analytics.ahrefs.com domain (uBlock Origin, a Pi-hole, or equivalent). You can also request that we delete any aggregated records derived from your visits by contacting contact@navos.ai.

Withdrawing or changing consent

You can change your cookie preferences at any time by clicking "Cookie preferences" in the site footer. This reopens the banner so you can toggle any category on or off. Withdrawal takes effect immediately: existing cookies for the withdrawn category are cleared from your device and no further data is sent. Withdrawal does not affect processing that already occurred while consent was in effect.

You can also clear cookies through your browser settings (see below) or use the official Google Analytics opt-out add-on to block GA across all sites.

Browser-level cookie controls

Every major browser lets you see, block, and delete cookies directly. The exact steps vary; the vendor guides are:

Other tracking technologies

We do not use web beacons, tracking pixels, Flash Local Shared Objects, or advertising cookies on this site. We do not serve targeted advertising and do not participate in advertising networks. If this changes we will update this policy and update the consent model accordingly.

Changes to this policy

We may update this policy when we change the cookies we use or when legal requirements change. The "Last updated" date at the top of this page reflects the most recent change. For material changes we will refresh the consent banner so you can review the new categories before continuing.

Contact

Questions about cookies on this site should be directed to contact@navos.ai. Postal address: Navos AI, Inc., 1111B S Governors Ave, Ste 39989, Dover, DE 19904, United States.