Cookie Policy

A cookie is a small text file a website asks your browser to store on your device. Cookies let a site remember your sign-in, your language preference, or the fact that you have already dismissed a banner. We use the term “cookies” in this Policy to also cover similar technologies — local storage, session storage, web beacons, and server-set tracking pixels.

Different laws set different defaults for non-essential cookies. We honour the rule that applies where you are reading this from:

• EU, EEA, UK, Switzerland — GDPR-strict. No analytics or marketing cookies are set until you explicitly opt in through the banner. Strictly-necessary cookies are set unconditionally because they are required for the site to work. You can decline non-essential cookies and still use the site.
• United States — opt-out-default. Analytics and marketing cookies are set on first visit; the banner offers a single click to withdraw. California residents have a CCPA right to opt out of the “sale or sharing” of personal information; we do not sell or share, and the opt-out is honoured by default.
• Canada and other jurisdictions — opt-out-default unless local law requires opt-in. Quebec residents under Law 25 see a strict-by-default banner consistent with EU treatment.

The jurisdiction is determined from the country your IP address resolves to at first visit, written to a short-lived first-party cookie (aria_jurisdiction) for the rest of the session, and never shared with third parties. If you would like to override the default for any reason, change your preference below.

You can change your preferences at any time on this page. The settings are stored in aria_cookie_consent on your browser; clearing your browser storage resets the banner.

Some embedded content — for example a YouTube product video or a public Loom recording — sets its own cookies. We try to use privacy-respecting embeds (no-cookie YouTube, anonymised players) where possible, and we list any third-party tracker that could be set on our public pages here:

• Vercel Analytics (first-party, IP-anonymised at edge before storage). Disabled if you decline analytics in your jurisdiction.
• Google Tag Manager + Google Analytics 4 — only loaded if the customer organisation has provided container IDs in production env and you have consented (where consent is required).
• Cloudflare bot-management tokens — strictly necessary for DDoS-protection and the security of the site.

We use cookies to make ARIA work.

Strictly-necessary cookies sign you in and remember your language; those load whatever you choose. Analytics and marketing cookies help us improve the product and measure campaigns — they only load if you accept. You can change your mind any time on the Cookie Policy page.

[Accept all] [Essentials only] [Manage]

This site uses cookies.

We use strictly-necessary cookies to sign you in, plus analytics and marketing cookies to improve the product. We do not sell or share your personal information. You can withdraw consent any time on the Cookie Policy page.

[OK] [Withdraw]

When you interact with the ARIA chat widget on a customer-facing surface, the widget computes a short browser fingerprint so we can continue your conversation if you open a second tab or refresh the page. The fingerprint is:

• Hash function: djb2 (a fast non-cryptographic hash; we do not use this value for anything that requires collision resistance).
• Inputs: User-Agent header content, screen width, screen height, screen colour depth, and your IANA timezone name (e.g. America/Winnipeg).
• Storage: the resulting hash is held in your browser’s sessionStorage — that means it is ephemeral and is cleared the moment you close the tab.
• Purpose: cross-tab session continuity within the same browsing session. Nothing else.
• Legal basis: GDPR Art. 6(1)(f) legitimate interest. The fingerprint is necessary and proportionate to providing the chat experience you initiated; it is not used for advertising or profiling.

Note: sessionStorage is technically not a cookie but a browser storage API. We disclose it here so the full picture is in one place.

When you visit a page that has one of our public forms (waitlist, contact us, data-subject access request, early access), we set a strictly-necessary cookie called aria_fv so we can tell legitimate first-time visitors apart from automated abuse traffic. This cookie helps your form actually go through.

• Lifetime: 30 days, then your browser discards it.
• Attributes: Secure, HttpOnly, SameSite=Strict; no Domain attribute (the cookie is scoped to the specific host that set it).
• Contents: a random server-issued nonce plus a timestamp, both protected by an HMAC-SHA256 signature so we can detect tampering. We do not store anything about you in this cookie — it is opaque randomness, server-signed.
• Purpose: one input to a per-visitor anti-abuse counter that prevents a single source from monopolising a shared rate-limit bucket. The other inputs are your network address (as the edge sees it) and a hash of your User-Agent header content fingerprint.
• Legal basis: GDPR Art. 6(1)(f) legitimate interest — necessary and proportionate to protect the availability of our public forms for everyone else.

The cookie has no analytics or marketing role. If your browser blocks the cookie (privacy mode, cookie-blocker extension), our forms still work — you will just share a slightly looser rate-limit bucket with other anonymous visitors on the same network.

We will update this Policy whenever we add, remove, or change a cookie category. Material changes are notified at the top of the banner the next time you visit. Prior versions are accessible through the “View previous versions” link at the top of this page.

For cookie or privacy questions, email privacy@simplification.io. For complaints we cannot resolve, EU/EEA/UK residents may contact their local data protection authority; California residents may contact the California Privacy Protection Agency.