Cookies

Last updated: 17 May 2026

This page explains what cookies and similar technologies halyxa.com uses, why, how long they last, and how you control them. It supplements the main privacy policy at /privacy.

If you've landed here from the consent banner, the controls you want are in section 5.

A cookie is a small text file a website stores in your browser. It can hold a session identifier, a preference setting, a measurement token, or other small pieces of state. Some cookies are strictly necessary for the site to function. Others enable analytics or features that are useful but not essential.

This page uses "cookie" as shorthand for cookies plus similar technologies — localStorage, sessionStorage, pixels, web beacons, fingerprinting techniques. Where any of these apply, the disclosures here cover them.

Under Portuguese law (Lei das Comunicações Eletrónicas, Lei n.º 41/2004, transposing the ePrivacy Directive 2002/58/EC) and the GDPR:

  • Strictly necessary cookies can be set without consent. These are cookies the site cannot function without.
  • All other cookies require your prior, informed, freely given, specific consent. This includes analytics cookies.

halyxa.com follows this distinction strictly. No optional cookies are set before consent. There are no "essential analytics" or "vital marketing" categories used to justify pre-consent tracking.

3. Cookies used on halyxa.com

3.1 Strictly necessary

These cookies are set automatically and cannot be refused without breaking site functionality.

| Cookie | Provider | Purpose | Duration |
|---|---|---|---|
| __cf_bm | Cloudflare | Bot detection and rate limiting at the edge | 30 minutes |
| cf_clearance | Cloudflare | Verifies the visitor passed bot challenges (only set if a challenge occurs) | 30 days |
| halyxa_consent | halyxa.com | Stores your cookie consent choice so the banner doesn't reappear | 12 months |

The cookies listed below are only set if you accept analytics in the consent banner. They can be withdrawn at any time.

| Cookie / token | Provider | Purpose | Duration |
|---|---|---|---|
| ph_* (multiple) | PostHog (EU, Frankfurt) | Anonymous product analytics: page views, interaction events, session reconstruction without source IP | 12 months |
| ph_<project_key>_posthog | PostHog | Pseudonymous device identifier for analytics continuity within a session | Session |

PostHog's analytics cookies do not contain personal data. The source IP is dropped at the SDK level before transmission via the ip: false client configuration. No cross-site tracking. No data sharing with third-party advertising platforms.

3.3 What halyxa.com does not use

For clarity, the following are not present anywhere on the site:

  • No Meta Pixel
  • No LinkedIn Insight Tag
  • No Google Ads remarketing tag
  • No TikTok Pixel
  • No Reddit Pixel
  • No X/Twitter conversion tracking
  • No Google Analytics (replaced by self-hosted-style PostHog EU)
  • No third-party advertising cookies of any kind
  • No fingerprinting beyond what is needed for bot detection
  • No tracking pixels in transactional emails sent through Resend (open and click tracking are disabled)

If you find evidence to the contrary, email privacy@halyxa.com — that is a bug, not policy.

4. Similar technologies

4.1 localStorage

The site uses browser localStorage for:

  • Theme preference (light/dark, if applicable)
  • Form draft state on /apply (so partial submissions are not lost on page reload)

localStorage entries are not transmitted to any server. They live in your browser only and are cleared when you clear site data.

4.2 Sentry error monitoring

If you encounter a JavaScript error, Sentry (EU region) captures a stack trace and limited context. This uses no cookies; events are sent over HTTPS without identifiers. Form values, authorization headers, and cookies are stripped by a server-side redactor before transmission.

4.3 Sanity content delivery

Pages are content-managed via Sanity. Sanity's CDN may set short-lived performance cookies for cache validation. These are not stored beyond the request lifecycle and do not identify the visitor.

5. How to control cookies

5.1 On halyxa.com

The consent banner appears on your first visit and on any visit where your stored consent is older than 12 months. You can change your choice at any time:

  • Footer link: "Cookie settings" in the footer reopens the consent banner
  • Direct: /cookies#settings (this page has a "Manage your consent" section once the consent banner UI ships)

Withdrawing consent for analytics clears existing PostHog cookies within the session and stops any new analytics events from being recorded.

5.2 In your browser

All modern browsers let you view, block, or delete cookies. Instructions:

  • Chrome: Settings → Privacy and security → Cookies and other site data
  • Firefox: Settings → Privacy & Security → Cookies and Site Data
  • Safari: Settings → Privacy → Manage Website Data
  • Brave: Settings → Shields & privacy → Site and Shields Settings → Cookies
  • Edge: Settings → Cookies and site permissions → Manage and delete cookies

Blocking all cookies will break the site's bot protection and may cause Cloudflare to challenge every page load. Blocking only third-party cookies has no effect on halyxa.com because the site does not use third-party advertising cookies.

5.3 Do Not Track and Global Privacy Control

halyxa.com honors the Global Privacy Control (GPC) signal. If your browser sends a GPC signal, analytics consent is treated as withdrawn regardless of any prior choice, and the consent banner reflects this.

The older "Do Not Track" (DNT) header is also respected for analytics consent. The site treats DNT and GPC as equivalent for consent purposes.

6. International transfers

Strictly necessary cookies set by Cloudflare may involve data transfer to non-EU regions for edge processing. Cloudflare operates under Standard Contractual Clauses and is certified under the EU-US Data Privacy Framework.

Analytics cookies set by PostHog are processed exclusively in the EU (Frankfurt region) and do not involve transfers outside the EEA.

7. Changes to this policy

If cookies on the site change — new categories added, new providers introduced, retention periods adjusted — this page is updated and the "Last updated" date moves. Material changes that affect existing consents trigger a reset of the consent banner so visitors are prompted to make a fresh choice.

8. Contact

For questions about cookies on halyxa.com or about your stored consent choice:

privacy@halyxa.com

For questions about your rights under GDPR (access, erasure, restriction, portability), see /privacy section 6.

Manage your consent

Choosing Reject or Reset clears any existing PostHog cookies in this browser. The Cloudflare bot-protection cookies (__cf_bm, cf_clearance) are strictly necessary and remain regardless. See section 3 above for the full list.