GDPR ePrivacy CCPA LGPD
1. What are Cookies?
Cookies are small text files stored on your device (computer, tablet, mobile phone) when you visit a website. They allow the website to remember information about your visit, such as language preferences, user session, and browsing patterns.
In addition to traditional cookies, we also use localStorage, sessionStorage, IndexedDB, tracking pixels, and web beacons.
2. Why do we use Cookies?
Essential Functionality
- Authentication: Keep you logged in
- Security: Protect against CSRF, XSS attacks
- Preferences: Remember language, currency, theme
Performance and Analytics
- Usage metrics: Understand how the platform is used
- Optimization: Improve performance and speed
- Error detection: Identify and fix issues
Personalization
- Personalized experience: Adapt content to your needs
- Recommendations: Suggest relevant features
3. Types of Cookies We Use
REQUIRED Strictly Necessary Cookies
Consent Required: No (exempt under GDPR/ePrivacy)
Legal Basis: Legitimate Interest (GDPR Art. 6.1.f)
These cookies are essential for functionality and CANNOT be disabled:
| Cookie | Purpose | Duration |
|---|---|---|
| xplus_cookie_consent | Stores your cookie preferences | 1 year |
| xplus_visitor_id | Unique anonymous visitor identifier | 1 year |
| xplus_session_id | Browsing session identifier | Session |
| auth_token | JWT authentication token | Session / 30 days |
| refresh_token | Token to renew authentication | 7 days |
| csrf_token | CSRF attack protection | Session |
| xplus_device_id | Device identifier for 2FA | 90 days |
OPTIONAL Functional/Preference Cookies
Consent Required: Yes
Legal Basis: Consent (GDPR Art. 6.1.a)
These cookies enhance your experience by remembering your preferences:
| Cookie | Purpose | Duration |
|---|---|---|
| user_language | User's preferred language | 1 year |
| user_currency | Preferred currency | 1 year |
| theme_preference | Visual theme (dark/light) | 1 year |
| timezone | User's timezone | 1 year |
| dashboard_layout | Custom dashboard configuration | 1 year |
| notification_settings | Notification configuration | 1 year |
OPTIONAL Analytics Cookies
Consent Required: Yes
Legal Basis: Consent (GDPR Art. 6.1.a)
- We use our own analytics system (NOT Google Analytics)
- We do NOT share analytics data with third parties
- Data is anonymized (last IP octet removed)
- We do NOT track across websites
| Cookie | Purpose | Duration |
|---|---|---|
| analytics_session | Analytics session | Session |
| page_views | Page view counter | 24 hours |
| last_visit | Last visit timestamp | 2 years |
| referrer_source | Referral source (how you arrived) | 30 days |
| feature_usage | Most used features | 30 days |
4. Third-Party Cookies
Some service providers set cookies when you use XPlus Finance:
Plaid (Bank Connection)
- Purpose: Securely connect bank accounts
- Policy: https://plaid.com/legal/#privacy-policy
- Control: Necessary for banking functionality
Stripe (Payment Processing)
- Purpose: Securely process subscription payments
- Policy: https://stripe.com/privacy
- Control: Necessary to process payments
OpenAI (AI Assistant)
- Purpose: Provide AI financial assistant
- Policy: https://openai.com/policies/privacy-policy
- Control: You can use the platform without the AI assistant
5. How to Manage Cookies
Cookie Preference Panel (Recommended)
On the Platform:
- Go to Settings → Privacy → Cookies
- Select which types of cookies you want to allow
- Save your preferences
Browser Settings
- Chrome: Settings → Privacy and security → Cookies
- Firefox: Settings → Privacy & Security → Cookies
- Safari: Preferences → Privacy → Cookies
- Edge: Settings → Cookies and site permissions
Incognito/Private Mode
- Chrome: Ctrl+Shift+N (Cmd+Shift+N on Mac)
- Firefox: Ctrl+Shift+P (Cmd+Shift+P on Mac)
- Safari: Cmd+Shift+N
- Edge: Ctrl+Shift+N
Do Not Track (DNT)
We respect the browser's Do Not Track signal. If you have DNT enabled, we will NOT set analytics or marketing cookies.
6. Consequences of Blocking Cookies
| Type Blocked | Consequences |
|---|---|
| Strictly Necessary | ⚠️ The platform will NOT work correctly. You won't be able to log in. |
| Functional/Preferences | ⚠️ Your preferences won't be remembered (language, currency, theme). |
| Analytics | No functional impact. You just won't contribute to statistics. |
7. Legal Basis
GDPR (Art. 6.1.f): Legitimate interest for strictly necessary cookies
GDPR (Art. 6.1.a): Consent for functional and analytics cookies
ePrivacy Directive: Cookie banner, prior consent for non-essentials
CCPA: Right to know, delete, and opt-out (we do NOT sell data)
LGPD: Clear legal basis, specific consent when required
8. Contact
Email: [email protected]
DPO: [email protected]
Data Protection Authorities
- Spain (AEPD): https://www.aepd.es
- EU (EDPB): https://edpb.europa.eu
- California (CCPA): https://oag.ca.gov/privacy/ccpa
- Brazil (ANPD): https://www.gov.br/anpd