
Cookie Policy

Which cookies we use, why, and how to control them.

Last updated: · Version 1.0

1. What are cookies

Cookies are small text files placed on your device by websites you visit. They are widely used to make websites work and to provide analytics or marketing functionality. We also use similar technologies (localStorage, sessionStorage) — this policy applies equally.

2. Cookies we use

Strictly necessary (always on)

  • topadsroi_cookie_consent_v2 (version 2, supersedes the legacy v1 format) — stores your consent decision (essential / analytics / marketing flags + detected jurisdiction bucket + GPC flag + policy version + timestamp) in a JSON-encoded SameSite=Lax HTTP cookie. Set server-side via Set-Cookie HTTP header to bypass Safari ITP's 7-day client-write cap. Lifetime: 400 days for "Accept all" (browser-enforced maximum per RFC 6265bis §5.5; Chrome 104+ / Safari / Firefox); 365 days for "Reject" or GPC opt-out. Rolling refresh: each visit, the endpoint /api/cookie-jurisdiction re-issues the cookie with a new 400-day Max-Age — for returning visitors with Accept-all, the consent effectively never expires unless you stop visiting for 400 consecutive days.
  • /beacon.js — small JavaScript file loaded on every page; reads only your stored cookie-consent preference to decide whether to send the analytics beacon (see Analytics section). No data is sent without your analytics consent. ePrivacy Directive Art. 5(3) strictly-necessary exemption applies because reading your own consent state is required to honour your choice.
  • Cloudflare bot-protection cookies — short-lived, set automatically when traffic is challenged.

Analytics (only with consent)

We do not currently set any third-party analytics cookies — no Google Analytics / GA4, no Plausible, no Fathom. The only analytics mechanism is our own first-party visit beacon, which sets no cookie at all:

  • Marketing visit beacon — when analytics consent is granted, a small POST to /api/visit-beacon on each navigation records hashed IP + path + locale + referrer for aggregate reporting. No cookie is set; the beacon reads your consent state from topadsroi_cookie_consent_v2. Triple defense: the server independently checks (a) client body claims granted, (b) cookie analytics flag set + GPC flag NOT set, (c) request Sec-GPC header NOT present — any one failing drops the event silently. Retention 30 days. See Privacy Policy §5b for the full disclosure.
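The three server-side checks described for the visit beacon, sketched as an added example (not TopAdsROI's own code). The cookie JSON field names `analytics` and `gpc`, the body field `analyticsConsent`, and all function names are assumptions; the page names only the cookie and the Sec-GPC header.

```javascript
// Added example. Field names inside the cookie JSON and request body are assumed.
const CONSENT_COOKIE = "topadsroi_cookie_consent_v2";

// Constructed sample cookie value: URL-encoded JSON, as it would appear in a Cookie header.
const SAMPLE_COOKIE = CONSENT_COOKIE + "=" + encodeURIComponent(
  JSON.stringify({ essential: true, analytics: true, marketing: false, gpc: false })
);

// Parse a Cookie header into a Map; the first occurrence of a name wins.
function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 1) continue; // skip empty or nameless fragments
    const name = part.slice(0, eq).trim();
    if (!jar.has(name)) jar.set(name, part.slice(eq + 1).trim());
  }
  return jar;
}

// Decode the JSON consent cookie. Missing or malformed values return null,
// so the caller fails closed instead of guessing at consent.
function readConsent(cookieHeader) {
  const raw = parseCookies(cookieHeader).get(CONSENT_COOKIE);
  if (raw === undefined) return null;
  try {
    const obj = JSON.parse(decodeURIComponent(raw));
    return obj !== null && typeof obj === "object" && !Array.isArray(obj) ? obj : null;
  } catch {
    return null;
  }
}

// headers: lower-cased header map (as Node's http module provides); body: parsed POST body.
// Returns true only when all three independent checks pass; otherwise the event is dropped.
function shouldRecordVisit(headers, body) {
  const consent = readConsent(headers["cookie"]);
  const bodyGranted = !!body && body.analyticsConsent === true;        // (a) client claim
  const cookieGranted = !!consent && consent.analytics === true
    && consent.gpc !== true;                                           // (b) cookie flags
  const noGpcHeader = !("sec-gpc" in headers);                         // (c) header absent
  return bodyGranted && cookieGranted && noGpcHeader;
}
```

The strict `=== true` comparisons mean a tampered cookie carrying a string such as `"true"` does not count as consent.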

Default-on security telemetry (not a cookie, no consent required)

Strictly speaking this is not a cookie at all — it sets nothing in your browser — but we mention it here because some readers expect to see every tracking call disclosed in one place.

  • Default-on security telemetry — separate from the consent-gated marketing beacon above, a POST to /api/anon-ping fires on every page load. It records timestamp + path + locale + host + your IP address (raw) + User-Agent + country/region/city + ISP (ASN) + Cloudflare data-center + Ray ID. It does not read cookies, localStorage, fingerprint, or free-text input. Lawful basis is legitimate interest in site security, fraud prevention, and abuse mitigation — recognised across all 14 of our markets (APAC + North America + UK) and the EU under GDPR Art. 6(1)(f) + Recital 49, US state privacy laws (legitimate-interest carve-outs in CCPA/CPRA §1798.140 and VCDPA §59.1-575), and PIPEDA s.5(3) reasonable-purpose provisions. Retention 365 days; access restricted to super-admin role with full audit log of every query. To suppress: block /api/anon-ping in uBlock Origin / NextDNS, or email [email protected] for retroactive purge. See Privacy Policy §5c for the full disclosure including per-jurisdiction lawful basis citations.

Marketing

We do not currently deploy any advertising or retargeting cookies or pixels on this website — no Meta Pixel (_fbp / _fbc), no LinkedIn Insight Tag, no TikTok Pixel. (TopAdsROI builds an ad-measurement product; it does not run third-party ad pixels on its own marketing site.) If this ever changes, each cookie will be listed here and gated behind your explicit marketing consent before it is set.

The first time you visit, our endpoint /api/cookie-jurisdiction classifies your detected country/state into one of three buckets (see Privacy Policy §8a for the full country list and legal-basis citations):

  • Strict (EU/UK/EEA + JP/TH/VN/ID/PH/AU/NZ/CA-Quebec/KR + default): two-button "Accept all" + "Reject all" with equal prominence (GDPR Art. 7(3) requirement)
  • Opt-out (~20 US states with a comprehensive privacy law + Singapore + CA non-Quebec): two-button "Accept" + "Reject" with GPC honoring
  • Minimal (TW/HK/MY/MX/US no-state-law): single "Accept" button

If your browser sends Sec-GPC: 1 (Brave default-on, Firefox in settings, DuckDuckGo) and you are in the Strict or Opt-out bucket, we automatically opt you out of marketing analytics and skip the banner entirely. We honour Google Consent Mode v2: analytics and marketing cookies remain dormant until you grant consent.

4. Change your preferences

Reopen the cookie banner via the "Cookie preferences" link in the footer at any time. Clearing the topadsroi_cookie_consent_v2 entry from your browser's storage will trigger the banner on next page load. The endpoint also auto-migrates legacy topadsroi_cookie_consent_v1 cookies to the v2 schema on first visit.

5. Browser controls

You can also control cookies directly:

Blocking strictly-necessary cookies will break the cookie consent banner itself; please use our preferences UI instead.