Legal

Cookie Policy

Last updated: April 25, 2026 · Effective date: April 25, 2026

This Cookie Policy explains how Alterion Labs, Inc. ("Alterion Labs", "we", "us", "our") uses cookies and similar technologies in two distinct contexts:

  1. On alterionlabs.com and inside the product UI, where we are the controller. This is covered in Sections 1–6.
  2. On our customers' websites, where the Customer ("Customer") deploys our affiliate-marketing agent or other tracking script and we act as a processor. This is covered in Section 7.

This Cookie Policy supplements the Privacy Policy.

1. What cookies are

A cookie is a small text file stored on your device when you visit a website. Cookies and similar technologies — including local storage, session storage, pixel tags, web beacons, SDKs, server-to-server (S2S) postbacks, URL-parameter identifiers (e.g. ?via=, ?ref=), coupon-code attribution, and device fingerprinting (a hashed combination of IP address and User-Agent) — let a site recognize a returning visitor, attribute a conversion to a referral source, remember preferences, measure performance, and operate features that depend on state.

We use both session cookies (which expire when you close the browser) and persistent cookies (which stay until they expire or you delete them). Some are set by us (first-party); some are set by third parties acting on our behalf (third-party). Affiliate-tracking cookies set by our script on a Customer's website are technically first-party to that Customer's domain — see Section 7.

2. Categories of cookies we use on alterionlabs.com and in the product UI

  • Strictly necessary. Required to operate the Services — authentication, security, fraud prevention, load balancing, CSRF protection, and remembering items in a flow you initiated. These cannot be turned off through our consent banner.
  • Functional. Remember preferences such as language, theme, and layout. These improve the experience but are not essential.
  • Analytics / performance. Help us understand how visitors use the Services so we can fix what is broken and improve what works. We use providers such as Google Analytics 4 and a self-hosted analytics tool. Where required, we collect prior consent and configure analytics with IP truncation and limited retention.
  • Marketing. Help us measure the effectiveness of our campaigns and reach relevant audiences. These are set only with your prior consent in regions where consent is required.

A full, current list of cookies used on alterionlabs.com — name, purpose, provider, type, and duration — is available through the "Cookie settings" link in the footer of every page.

3. Your choices on alterionlabs.com

  • Consent banner. When you first visit the site from a region requiring prior consent (the EEA, UK, Switzerland, and others), a banner lets you accept all, reject all non-essential, or customize your selection. You can change your choice at any time through "Cookie settings" in the footer.
  • Browser controls. All major browsers let you block or delete cookies through their settings. Blocking strictly necessary cookies will break parts of the Services.
  • Global Privacy Control. We honour the Global Privacy Control (GPC) signal as an opt-out of sale/share under the CCPA/CPRA.
  • Do Not Track. There is no agreed standard for "Do Not Track". We do not respond to DNT signals.

In the EEA, the UK, and Switzerland we rely on:

  • Strictly necessary cookies — exempt from consent under the ePrivacy Directive.
  • All other cookies — set only with your prior, freely given, specific, informed, and unambiguous consent.

You can withdraw consent at any time through the cookie settings, with no effect on the lawfulness of prior processing.

5. International transfers

Some cookie providers may transfer data outside the EEA, the UK, or Switzerland. Where they do, we rely on the European Commission's Standard Contractual Clauses (2021/914) and equivalent safeguards as described in the Privacy Policy.

6. Changes to this Policy

We may update this Cookie Policy from time to time. The "last updated" date at the top of this page will always reflect the latest revision. Material changes affecting consent will trigger a fresh consent prompt where required by law.

7. Cookies and similar identifiers we set on our Customers' websites (affiliate tracking)

When a Customer installs our affiliate-marketing agent on its own website, our script sets cookies and similar identifiers on the Customer's domain, not on alterionlabs.com. Those identifiers are technically first-party to the Customer's site, but they are written and read by Alterion Labs infrastructure to support affiliate attribution, fraud prevention, and commission calculation.

This Section 7 describes what those identifiers are and how they work. The Customer is the controller for this processing and is responsible for the cookie banner, the consent flow, and the privacy notice that the end user actually sees on the Customer's site. See Section 11 of the Privacy Policy.

7.1 Identifiers and signals we deploy

  • Affiliate referral cookie / local-storage value. Stores the affiliate identifier captured from a URL parameter such as ?via=, ?ref=, or ?aff= when a visitor arrives via an affiliate link. Default duration is the cookie window the Customer configures (typically 30, 60, or 90 days). Used to attribute a later conversion to the originating affiliate.
  • Click identifier. A short opaque ID written when the visitor first lands. Used to deduplicate clicks, detect self-referrals, and support multi-touch attribution where the Customer has enabled it.
  • Conversion / event tracking script. JavaScript on the Customer's checkout, signup, or thank-you page that fires a conversion event back to our servers.
  • Server-to-server (S2S) postback. Conversion event sent from the Customer's server (or from the Customer's billing platform such as Stripe, Paddle, Chargebee, Shopify, WooCommerce, BigCommerce) to our servers, matched to the originating click using the referral identifier or Stripe client_reference_id. S2S does not require a cookie on the user's device for the conversion step itself.
  • Coupon-code attribution (cookieless). When a referred customer redeems an affiliate-specific coupon code at checkout, attribution is performed from the code itself with no cookie or fingerprint required.
  • Cross-device and recurring-commission linkage. When the Customer's billing platform reports a recurring charge, we link it back to the originating affiliate using the stored billing-platform customer ID. No new cookie is set on the end user.
  • Fingerprint fallback (optional, Customer-enabled). Where cookies and storage are blocked and the Customer has explicitly enabled it, we may compute a short-lived hashed combination of IP address and User-Agent as a fallback attribution signal. The Customer is responsible for disclosing this in its own cookie / privacy notice and for obtaining any required consent before the fallback runs.
  • Fraud-detection signals. IP address, autonomous-system number, country, language, and User-Agent are inspected at the point of click and conversion to detect duplicate, self-, or otherwise abusive referrals. These signals are stored hashed wherever possible and only as long as needed to validate the conversion.

7.2 Classification

  • Strictly necessary for the affiliate program? No. Affiliate-tracking cookies and identifiers are deployed for the commercial benefit of the Customer, not at the request of the end user. Under the ePrivacy Directive and most EEA / UK supervisory-authority guidance, they are classified as marketing / advertising and require the end user's prior consent before being set.
  • GPC and "do not sell / share". Where the end user signals an opt-out via the Global Privacy Control or where the Customer's banner records a rejection, our script must not set the affiliate cookie, must not write the local-storage value, and must not run fingerprint fallback. Customers are responsible for wiring the consent signal into our script as documented.
  • Coupon attribution and S2S do not require a cookie on the end user's device and may continue to function in cookie-rejected sessions, subject to the Customer's own legal review.

7.3 Customer responsibility

The Customer is solely responsible for: (i) deploying a compliant cookie banner on its own site; (ii) gating our tracking script behind the consent decision; (iii) honouring the GPC signal; (iv) listing our cookies and identifiers in the Customer's own cookie notice with name, purpose, provider, and duration; (v) responding to data-subject requests; and (vi) communicating with end users and supervisory authorities. We provide configuration, documentation, and support, but the cookie-consent obligations under the ePrivacy Directive, the GDPR, the CCPA/CPRA, and any other applicable law sit with the Customer as controller.

7.4 Data covered by the affiliate-tracking layer

For the categories of personal data captured through the identifiers described above, the purposes, recipients, retention periods, and the Customer-vs-Alterion-Labs role allocation, see Section 11 of the Privacy Policy.

8. Contact

Questions about cookies on alterionlabs.com or about how our affiliate-tracking layer behaves: privacy@alterionlabs.com.

Disclaimer. Alterion Labs is not responsible for cookies set by third-party platforms you connect to the Services or by sites you reach through external links. Alterion Labs is also not responsible for the cookie-consent posture of a Customer's own website, including whether the Customer's banner is configured correctly, whether end users have actually consented before our script runs, or whether the Customer has accurately disclosed our identifiers and the fingerprint-fallback option in its own notice. The Customer assumes all liability for non-compliant deployment of our tracking layer on its own properties. See the Terms of Service for the full liability framework.