Cookie Policy
The complete inventory of cookies and similar technologies used on the OllieSafe marketing site, with category, provider, retention, and a per-cookie purpose. Mirrors the user-facing controls in our Consent Management Platform.
TEMPLATE — REQUIRES LEGAL REVIEW BEFORE PUBLICATION.
This page publishes the OllieSafe cookie inventory derived mechanically from the marketing-site source tree as of the last-updated date below. Categorization (necessary vs. analytics vs. advertising), retention windows, and the legal characterization (EDPB / CCPA) require sign-off from OllieSafe legal before this page is treated as the binding cookie notice. Adding or removing a cookie on the marketing surface must be paired with a matching update here in the same change.
What cookies are
Cookies are small data files stored on your device by your browser. We also use related browser-storage technologies (localStorage, sessionStorage) for the same general purposes. Throughout this page, “cookie” covers all of these unless we specify otherwise.
How we categorize cookies
- Necessary. Required for the site to function (security, your consent record itself, theme, chat continuity). Cannot be disabled from the CMP.
- Analytics. Helps OllieSafe measure aggregate site usage so we can improve the experience. Off by default. The user controls this via the CMP analytics toggle.
- Advertising. Helps OllieSafe measure marketing performance and reach in-market audiences. Off by default. Disabled and locked when the Global Privacy Control (GPC) signal is detected.
Your controls
You can change your category choices any time via the Cookie preferences link in the site footer, which re-opens the OllieSafe Consent Management Platform banner. The same surface honors the Global Privacy Control (GPC) signal: when your browser exposes navigator.globalPrivacyControl, advertising stays off and cannot be re-enabled from the banner, per California Civil Code §1798.135 and the CCPARegulations.
You can also clear cookies and similar storage directly from your browser settings. Doing so will reset your consent record and the banner will re-appear on your next visit.
Cookie inventory
| Name | Purpose | Category | Provider | Retention | Storage |
|---|---|---|---|---|---|
olliesafe_consent | Stores the user's per-category cookie-consent decision (analytics, advertising), the source of the decision (user, GPC, default), and an ISO timestamp. Read by the OllieSafe CMP on every page load. | Necessary | OllieSafe | 13 months (per CNIL Délibération n° 2020-091 and EDPB Guidelines 03/2022 on consent record retention) | Cookie |
olliesafe_ads_consent | Legacy single-flag mirror of the advertising portion of olliesafe_consent. Retained for cross-tab signaling because the `storage` event fires for localStorage, not cookies. | Necessary | OllieSafe | Persistent (until cleared by the user or the CMP) | localStorage |
olliesafe-theme | Records the user's chosen color scheme (dark / light / system) so the no-FOUC inline script can match the first paint to the user's preference. Classified as 'preferences' under EDPB cookie guidance and necessary for the requested service. | Necessary | OllieSafe | Persistent (until cleared by the user) | localStorage |
ollie-marketing-chat | Records the in-progress chat-widget conversation (conversation ID, messages, question count, lead-captured flag) so the conversation survives reloads within a 24-hour window. | Necessary | OllieSafe | 24 hours from last activity | localStorage |
ollie-fab-teaser-shown | Marks that the chat-widget floating-action-button teaser has already been shown so it is not shown again on subsequent visits. | Necessary | OllieSafe | Persistent (until cleared by the user) | localStorage |
csrf_token | CSRF double-submit token used by the OllieSafe API to protect POST / PUT / PATCH / DELETE requests against cross-site request forgery. Set when the marketing surface posts a form (lead capture, newsletter, contact). | Necessary | OllieSafe | Session | Cookie |
_ga | Google Analytics 4 user identifier used to distinguish unique users for aggregate site-usage reporting. Set only after the user opts in via the CMP analytics category. | Analytics | Google LLC | 2 years | Cookie |
_ga_<container-id> | Google Analytics 4 session-state cookie used to persist session ID and engagement metrics. Set only after analytics opt-in. | Analytics | Google LLC | 2 years | Cookie |
_gid | Google Analytics user identifier used to distinguish users on a 24-hour basis. Set only after analytics opt-in. | Analytics | Google LLC | 24 hours | Cookie |
_gat / _gat_<container-id> | Google Analytics throttling cookie used to limit the rate at which hits are recorded on high-traffic pages. Set only after analytics opt-in. | Analytics | Google LLC | 1 minute | Cookie |
_gcl_au | Google Ads conversion linker used to attribute conversions across pages when the user navigates with auto-tagged URL parameters. Set only after the user opts in via the CMP advertising category. Suppressed when the Global Privacy Control signal is detected. | Advertising | Google LLC | 90 days | Cookie |
_gcl_aw | Google Ads click identifier used to record the ad click that brought the user to the site. Set only after advertising opt-in. Suppressed when GPC is detected. | Advertising | Google LLC | 90 days | Cookie |
_gcl_dc | Google Display & Video 360 / Campaign Manager click identifier. Set only after advertising opt-in. Suppressed when GPC is detected. | Advertising | Google LLC | 90 days | Cookie |
Google Tag Manager container response | GTM serves its container script from https://www.googletagmanager.com/gtm.js. The container itself is treated as necessary infrastructure under Consent Mode v2 — tags inside the container observe the user's per-category consent decision and only fire when granted. | Necessary | Google LLC | Session (no persistent cookie set by the container loader itself) | Cookie |
Third-party cookies and processors
The third-party cookies above are set by Google LLC when the corresponding category is opted in. Google's data handling for those cookies is described in Google's privacy policy and cookie policy. OllieSafe maintains a list of sub-processors at /legal/subprocessors.
Do Not Track
The legacy DNT browser header is not a recognized opt-out signal under CCPA / CPRA. OllieSafe instead honors the newer Global Privacy Control (GPC) signal, which has been ruled binding by the California AttorneyGeneral. See the Your controls section above.
Changes to this page
When OllieSafe adds, removes, or materially re-categorizes a cookie on the marketing site, this inventory is updated in the same code change. Material changes are also reflected in the privacy policy changelog.
Contact
Questions about a listed cookie or our cookie practices: privacy@olliesafe.com. Subscribe to sub-processor change notifications: security@olliesafe.com.
Last updated
May 2026.