1) What cookies are

Cookies are small files stored on your device. Similar tech includes local storage, pixels, SDKs, and tags.

2) Why we use them

• Ensure site security and core functions
• Remember preferences
• Measure usage to improve content
• If enabled, personalize content or measure ads

3) Cookie categories

We only set non-essential cookies after your consent.

• Strictly Necessary (always on; cannot be switched off) — Purpose: core site functionality, security, load balancing, consent logging. Legal basis: legitimate interest/strictly necessary.
• Functional (optional): Purpose: remember settings like language, forms.
• Analytics (optional): Purpose: understand site usage (aggregated metrics).
• Advertising/Measurement (optional): Purpose: measure campaigns, prevent fraud, or personalize ads.

Under GDPR/UK law, consent is required for non-essential cookies and must be freely given, specific, informed, and unambiguous. “Accept” and “Reject” must be equally easy, and no pre-ticked boxes or nudging. (edpb.europa.eu)

4) Your choices on first layer

Accept all — Accept necessary (no non-essential cookies) — Manage preferences (open granular controls). No access gates or dark patterns. Equal prominence for options. (ICO)

5) Manage preferences (granular)

Toggles: Functional / Analytics / Advertising. Off by default. Strictly necessary is locked “On.” “Confirm choices” saves consent. You can change choices any time via Cookies Settings in the footer.

6) Third-party cookies we may use

7) Retention

We keep consent records for 13 months and re-prompt after expiry or material changes.

8) Withdrawal of consent

You can withdraw at any time in Cookies Settings. This will not affect lawfully set necessary cookies but will disable non-essential ones going forward.

9) Browser controls and “Do Not Track”

You can block cookies via browser settings. If your browser sends a Global Privacy Control signal and you are in a covered jurisdiction, we honour it as an opt-out for sale/share. (California DOJ)

10) Updates

We may update this policy. Check “Effective date.”

Consent UX and Engineering Specification

The following describes how cookies consent must be designed, implemented, and maintained:

A) First-layer banner

“We use cookies to run the site and to improve it. Choose ‘Accept all’ or ‘Accept necessary’. Manage preferences anytime.” Buttons: Accept all | Accept necessary | Manage preferences. Equal prominence. (edpb.europa.eu)

B) Preferences modal

Functional / Analytics / Advertising toggles, off by default except strictly necessary (locked “On”). Buttons: Confirm choices, Accept all, Cancel.

C) Consent state machine

• No decision: only necessary cookies load.
• Accept necessary: persist only necessary.
• Granular: only selected categories load.
• Accept all: all categories load.
• Re-prompt after 13 months or major policy changes.

D) Blocking and release

All non-essential tags blocked until consent. Example: defer GA/Meta/Hotjar until consent.analytics === true.

E) Consent logging

Store anonymized records server-side with fields: consent_id, timestamps, ip_hash, choices, legal_basis_region, and policy_version. Retain for 13 months. (ICO)

F) Regional logic

• EEA/UK: prior opt-in and equal reject path.
• California: show “Do Not Sell or Share My Personal Information”.
• India: follow DPDP + SPDI frameworks; publish Grievance Officer details.

Deployment checklist

• Legal: maintain a register of cookies and update policy tables.
• UX: first-layer banner, equal buttons, no dark patterns.
• Engineering: block non-essential cookies until consent, log securely.
• Governance: quarterly cookie scan, annual DPIA/LIAs.

Notes on Indian law status

The DPDP Act, 2023 is enacted; enforcement to be phased. IRA aligns with DPDP readiness and continues IT/SPDI compliance until full notification. (meity.gov.in)