1. Introduction
1.1 About this policy
This Cookie Policy explains how SETOR AI Sp. z o.o. (based in Lublin, Poland; KRS 0001202220) uses cookies and similar technologies on https://setor.ai and https://app.setor.ai. The policy outlines cookie categories, legal bases, duration, third-party recipients, and how users can manage consent.
The policy complies with EU Directive 2002/58/EC and Directive 2009/136/EC, the CJEU ruling C-673/17 (Planet49) requiring active consent, the Polish Electronic Communications Law (art. 399–400), and the GDPR (EU 2016/679).
1.2 What are cookies?
Cookies are small text files stored on user devices. Similar technologies include pixel tags, web beacons, localStorage, sessionStorage, and IndexedDB. Consent is required for storing or accessing information on end-user devices, except for strictly necessary cookies.
1.3 IP address and geolocation
Servers automatically record user IP addresses and approximate server-based geolocation (country, city, region, coordinates). This is processed under legitimate interest (art. 6(1)(f) GDPR) for security, fraud prevention, and traffic routing. This does not require cookie consent. Users may object under art. 21(1) GDPR by contacting [email protected].
1.4 Why we use cookies
- Ensuring secure website operation (strictly necessary)
- Remembering cookie consent preferences (strictly necessary)
- Understanding website usage for improvement (analytical - requires consent)
- Measuring advertising effectiveness (marketing - requires consent)
- Recording sessions for usability analysis (requires consent)
2. Cookie categories
2.1 Strictly necessary cookies (no consent required)
These enable core website functionality and cannot be disabled. They are set only in response to user actions.
| Name | Provider | Purpose | Type | Duration |
|---|---|---|---|---|
__session |
Setor | Maintains authenticated session | HTTP cookie | Session |
csrf_token |
Setor | CSRF attack protection | HTTP cookie | Session |
cookie_consent |
Setor | Stores user consent preferences | HTTP / localStorage | 1 year |
2.2 Analytical cookies (requires consent)
Help understand user behavior through pseudonymized data. Legal basis: consent (art. 399 PKE + art. 6(1)(a) GDPR).
| Name | Provider | Purpose | Duration |
|---|---|---|---|
ph_* |
PostHog (EU data residency, Frankfurt) | Tracks interactions, page views, navigation, clicks, errors | Up to 12 months |
Data is stored in the EU (Frankfurt); not shared with third parties for advertising and not used for PostHog’s own advertising. See https://posthog.com/privacy.
2.3 Marketing cookies (requires consent)
Measure advertising campaign effectiveness and conversion attribution. Legal basis: consent (art. 399 PKE + art. 6(1)(a) GDPR).
| Name | Provider | Purpose | Duration |
|---|---|---|---|
_fbp |
Meta Platforms, Inc. (USA) | Browser identification for ad measurement and conversion tracking | 90 days |
_fbc |
Meta Platforms, Inc. (USA) | Stores click identifier for attribution | 90 days |
setor_marketing |
Setor | Records UTM campaign parameters at first visit | 30 days |
By consenting to marketing cookies, users enable Meta to link activity on this website with activity on other Meta Pixel sites and their Meta account for personalized ads. Users can manage ad preferences at https://www.facebook.com/adpreferences.
2.4 Session recording (requires consent)
Records user interactions (cursor movement, scrolling, clicks, screen sequence) for usability analysis via PostHog (EU residency, Frankfurt). Sensitive fields are masked. Users may withdraw consent anytime, stopping future recording immediately.
3. How consent works
On first visit, a consent banner appears requesting active consent before non-essential cookies load. Checkboxes are not pre-selected. No analytical, marketing, recording, pixel, or tracking scripts load until the user consents to the relevant category - including PostHog JavaScript and Meta Pixel.
Users can Accept all, Reject all, or Manage preferences to select individual categories. The “Reject all” and “Accept all” buttons have equal size, weight, and prominence - no dark patterns, misleading labels, pre-checked boxes, or hidden rejection options.
Accepting non-essential cookies is voluntary. Users can reject all non-essential cookies and still access website content and full app functionality. Users may withdraw or modify consent anytime by clicking “Cookie Settings” in the website footer; changes take effect immediately.
4. Consent evidence and record-keeping
Per accountability principles (art. 5(2) GDPR) and consent demonstration (art. 7(1) GDPR), we record the consent timestamp (UTC), the accepted/rejected categories, the policy version, the consent mechanism version, and the user agent string. Consent decisions are logged server-side so evidence survives cookie deletion, and logs are retained for 36 months from the consent date.
Consent is re-requested when this policy is materially updated, when a consent record expires (one year from the last decision), or when technical changes require new consent.
5. Managing cookies
Update preferences anytime by clicking “Cookie Settings” in the website footer. Most browsers also allow cookie management:
- Chrome: Settings → Privacy and Security → Cookies and Site Data
- Firefox: Settings → Privacy & Security → Cookies and Site Data
- Safari: Settings → Privacy → Manage Site Data
- Edge: Settings → Cookies and Site Permissions → Manage Cookies and Site Data
Individual provider opt-out tools include Meta Ad Preferences (https://www.facebook.com/adpreferences) and Your Online Choices (https://www.youronlinechoices.eu). No universal standard exists for Do Not Track signals, so we do not respond to them; our consent management tool provides more precise control.
6. No cookie wall
Website access is not conditional on accepting non-essential cookies. Users can reject all analytical, marketing, and session recording cookies and still browse all setor.ai pages, access all public content, and use app.setor.ai with full functionality. Rejecting non-essential cookies causes no intentional reduction in service quality.
7. Third-party cookies and cross-site tracking
With marketing cookie consent, Meta Platforms, Inc. (USA) may set or read _fbp and _fbc cookies (90 days) that enable cross-site tracking for personalized ads. See https://www.facebook.com/privacy/policy. PostHog cookies (ph_*) are first-party cookies set by Setor; PostHog processes data as a processor in the EU (Frankfurt) with no cross-site tracking. setor_marketing is a first-party cookie used only by Setor.
With marketing cookie consent, Meta Pixel enables Meta to link your website visit to your Meta account, combine it with browsing activity on other Meta Pixel sites, and display personalized ads. Setor does not access Meta’s advertising profiles; we receive only aggregated campaign results. US data transfers are covered by the EU-US Data Privacy Framework (DPF) with Standard Contractual Clauses (SCC, decision 2021/914) as backup.
8. Marketing profiling and identity stitching
Where users consented to marketing cookies or provided data (e.g. email via a form or quiz), Setor may link identifiers from different devices and systems for cohesive marketing attribution. This may combine quiz results, email, CRM records, Meta advertising IDs, and Stripe payment data, and constitutes marketing profiling under GDPR. Via the Conversions API, we may transmit hashed identifiers (e.g. hashed email) to vendors.
We do not make decisions based solely on automated processing (including profiling) that produce legal effects or significantly affect the user under art. 22 GDPR. Material decisions are made by a Setor representative with genuine discretion.
9. Local storage and similar technologies
Beyond HTTP cookies, the website may use localStorage (consent preference backup and attribution values) and sessionStorage (temporary UI state during a session). We do not use device fingerprinting, canvas fingerprinting, font enumeration, WebRTC-based tracking, or other passive tracking requiring consent but not disclosed.
10. Supervisory authorities
GDPR oversight is provided by the President of the Polish Data Protection Office (UODO). Electronic Communications Law oversight is provided by the President of the Office of Electronic Communications (UKE). Users may file complaints with supervisory authorities, particularly UODO (ul. Stawki 2, 00-193 Warsaw).
11. Policy changes
We may update this policy to reflect changes in cookies and technologies, legal changes, regulatory guidance, or operational needs. For material changes we will update the “Last updated” date, re-request consent where applicable, and notify via banner if appropriate.
12. Contact
For questions, concerns, or requests regarding this Cookie Policy, email [email protected]. For GDPR rights requests, see our Privacy Policy.
Administrator: SETOR AI Sp. z o.o., ul. Tomasza Zana 1, 20-601 Lublin, Poland · KRS 0001202220 · NIP 7123502599 · REGON 543088690 · [email protected] · Governing law: Polish law
