Built for Businesses That Want Real Growth

Practical insights on web, branding, marketing, and automation focused on what actually drives results.

Cookie Policy

1. INTRODUCTION

This Cookie Policy (“Policy”) explains how Xora Studio (“we,” “us,” “our,” “Company,” or “Service Provider”) uses cookies and similar tracking technologies on our website (www.xorastudio.com), Client Portal (portal.xorastudio.com), and related services.

What are Cookies?

Cookies are small text files stored on your device (computer, tablet, or mobile phone) when you visit our website. They contain information that helps us recognise you, remember your preferences, and understand how you use our services.

1.1 Scope of This Policy

This Cookie Policy applies to:

  • Our main website: www.xorastudio.com
  • Our Client Portal: portal.xorastudio.com
  • All Xora Studio web properties and services
  • Emails and communications we send

1.2 Related Privacy Information

For complete information on how we collect, use, and protect your data, please see:

  • Privacy Policy: www.xorastudio.com/privacy-policy
  • Terms and Conditions: www.xorastudio.com/terms-and-conditions
  • Disclaimer: www.xorastudio.com/disclaimer

1.3 International Compliance

This Cookie Policy is designed to comply with:

  • GDPR (General Data Protection Regulation) — EU/EEA users
  • ePrivacy Directive — EU Cookie Law
  • CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act) — US users
  • CalOPPA (California Online Privacy Protection Act) — US users
  • PIPEDA (Personal Information Protection and Electronic Documents Act) — Canadian users
  • Pakistan Data Protection Laws — Pakistan users
  • LGPD (Lei Geral de Proteção de Dados) — Brazilian users

1.4 Cookie Consent Mechanism

We deliver cookie consent on our WordPress website through a GDPR-compliant cookie consent plugin (such as CookieYes, Complianz, or GDPR Cookie Consent by WebToffee). The consent banner matches exactly the categories and controls described in this policy. If you have questions about the consent mechanism, contact us at contact@xorastudio.com.

2. TYPES OF COOKIES WE USE

2.1 Essential / Necessary Cookies

Purpose: Required for website functionality and security.

These cookies are absolutely necessary for our website to work properly. Without them, you cannot log into your account, access the Client Portal, submit forms, complete transactions, or stay protected from security threats.

Examples:

  • Session cookies (keep you logged in during your visit)
  • CSRF protection tokens (prevent cross-site request forgery attacks)
  • Security verification tokens (protect against malicious attacks)
  • Language preference cookies (website language selection)
  • Server-level hosting cookies (set by Hostinger infrastructure)

User Consent Required: NO – these cookies are set automatically and cannot be disabled. They are strictly necessary for website operation and are exempt from consent requirements under the ePrivacy Directive and GDPR.

Legal Basis: Contract necessity and legitimate interest.

Retention Period: Session duration or until logout. Some security tokens are permanent.

2.2 Performance & Analytics Cookies

Purpose: Understand how users interact with our website so we can improve it.

Tools Used:

Google Analytics 4 (GA4) — Primary Analytics Tool

  • Tracks: Page views, user sessions, bounce rate, conversion events, user flow
  • Data collected: Device type, browser, operating system, approximate location (country/city level – not GPS or street-level), referral source, pages visited, time on site
  • Data is processed by Google under their data processing terms
  • GA4 does not use Universal Analytics (UA-) IDs, which were retired by Google on July 1, 2023

What We Track:

  • Number of visitors and unique users
  • Most popular pages and content
  • Time spent on each page
  • Traffic sources (organic search, direct, referral, social)
  • Device and browser types
  • Approximate user location (country and city only)
  • User navigation patterns
  • Conversion actions (contact form submissions, quote requests, portfolio views)

Who We Share Data With:

  • Google Analytics processes and stores analytics data
  • Data is aggregated and anonymised where possible
  • Google’s full privacy policy: policies.google.com/privacy

User Consent Required: YES — required for GDPR and CCPA compliance. Analytics cookies are only set after you accept them in the consent banner.

Legal Basis: Consent (opt-in).

Opt-Out Options:

  • Decline analytics cookies in our consent banner
  • Google Analytics Opt-Out Browser Extension: tools.google.com/dlpage/gaoptout
  • Your browser settings (see Section 6)

Retention Period: 14 months for all user and event data (GA4 maximum retention setting). Data is automatically deleted after this period.

2.3 Marketing & Conversion Cookies — CURRENTLY ACTIVE

Purpose: Track conversions from our current advertising activity.

At present, Xora Studio runs Google Ads campaigns for conversion tracking and retargeting. The following marketing cookies are currently active on our website.

Google Ads Conversion Tracking

  • Tracks: Ad clicks, website visits from Google Ads, conversion actions (form submissions, quote requests)
  • Data collected: Ad interaction data, conversion events, URL parameters
  • Data shared with: Google Ads for reporting and campaign optimisation
  • Google’s privacy policy: policies.google.com/privacy

Retargeting:

If you visit our website but do not complete a contact or quote form, you may see Xora Studio advertisements on other websites participating in the Google Display Network.

User Consent Required: YES.

Legal Basis: Consent (opt-in).

Opt-Out Options:

  • Decline marketing cookies in our consent banner
  • Google Ads Opt-Out: adssettings.google.com
  • Digital Advertising Alliance: optout.aboutads.info
  • Network Advertising Initiative: optout.networkadvertising.org

Retention Period: 90 days.

2.4 Planned Future Marketing Cookies — NOT YET ACTIVE

The following marketing tools are planned for future use but are not currently deployed on our website. They will not be activated until:

  • This policy is updated to reflect their active status
  • The cookie consent banner is updated to include them
  • Proper consent mechanisms are in place

Meta / Facebook Pixel (Planned)

  • Will track: Website visits, form submissions, conversion events for Facebook and Instagram advertising
  • Cookie names when active: _fbp, _fbc
  • Retention when active: 90 days
  • We will notify existing users and request fresh consent before activating

LinkedIn Ads (Planned)

  • Will track: Professional audience targeting and campaign performance
  • Retention when active: 90 days

TikTok Pixel (Planned)

  • Will track: Campaign performance and audience building
  • Retention when active: 90 days

You will be notified via a website banner and consent prompt before any of these are activated.

2.5 Preference & Functional Cookies

Purpose: Remember your choices and preferences to improve your experience.

These cookies remember settings you have chosen so you do not need to re-enter them on every visit.

What We Track:

  • Preferred website language
  • Cookie consent preferences (saves your accept/reject choices)
  • Notification preferences
  • Session preferences for the Client Portal

User Consent Required: NO for basic functionality. YES for enhanced personalisation beyond what is strictly necessary.

Legal Basis: Legitimate interest. We have conducted a balancing test and determined that our interest in providing a consistent user experience does not override your fundamental rights.

Retention Period: 1 year, or until manually cleared.

2.6 Social Media Cookies — Currently Active Integrations Only

Purpose: Enable social sharing and embedded social content.

We only list social platforms that are currently integrated on our website. If you see a “Share” or embedded social widget on our site, the relevant platform may set cookies when you interact with it.

Currently Active:

  • YouTube — embedded video content on our website. YouTube may set cookies when you play embedded videos. YouTube’s privacy policy: policies.google.com/privacy

Not Currently Active (Planned):

  • Facebook/Instagram share buttons — planned, not yet installed
  • LinkedIn share button — planned, not yet installed
  • Twitter/X embed — planned, not yet installed

User Consent Required: YES for social media cookies beyond essential playback functionality.

Legal Basis: Consent and legitimate interest.

Retention Period: Varies by platform, typically 90 days to 1 year.

3. COOKIES IN THE CLIENT PORTAL

3.1 Portal Security Cookies (Essential)

When you log into the Client Portal (portal.xorastudio.com), the following security cookies are set automatically and cannot be disabled:

  • Session tokens (keep you authenticated during your session)
  • CSRF protection tokens (prevent cross-site request forgery)
  • Multi-factor authentication codes (where enabled)
  • Rate limiting cookies (prevent brute force attacks)

Legal Basis: Contract necessity — these are strictly required to provide the portal service you have engaged us for.

Retention: Session duration.

3.2 Portal Analytics

We collect limited analytics data within the Client Portal to improve its usability and performance. This includes:

  • Pages visited within the portal
  • Features used (downloads, messages, approvals)
  • Session duration and frequency
  • Device and browser type
  • IP address and approximate location for security purposes

Important: Portal analytics that go beyond what is strictly necessary for security and service delivery require a valid legal basis beyond T&C acceptance. We rely on legitimate interest for portal analytics, having conducted a balancing test confirming our interest in improving the portal does not override your rights. You may object to this processing by contacting us at contact@xorastudio.com.

Legal Basis: Legitimate interest.

Retention: 14 months for analytics data. Transaction records retained indefinitely for legal and accounting compliance.

4. THIRD-PARTY SERVICES & DATA SHARING

4.1 Third-Party Services Currently Using Cookies

Service Purpose Privacy Policy
Google Analytics 4 Website analytics policies.google.com/privacy
Google Ads Conversion tracking & retargeting policies.google.com/privacy
Google Fonts Font delivery (no tracking cookies set) policies.google.com/privacy
Google reCAPTCHA Spam and bot prevention policies.google.com/privacy
YouTube Embedded video content policies.google.com/privacy
Hostinger Web hosting infrastructure hostinger.com/privacy-policy
Cloudflare CDN and security cloudflare.com/privacypolicy
Payoneer Payment processing payoneer.com/legal/privacy-policy
EasyPaisa Local payment processing easypaisa.com.pk

4.2 How Data is Shared

We DO share:

  • Aggregated website behaviour data with Google Analytics
  • Conversion event data with Google Ads
  • Payment transaction data with Payoneer and EasyPaisa (only what is required to process your payment)
  • Security-relevant data (IP address) with Cloudflare for DDoS protection

We do NOT share:

  • Your full name, phone number, or address with advertising platforms unless you submit a form
  • Financial account details beyond what payment processors require
  • Passwords or login credentials
  • Health, biometric, or sensitive personal data
  • Your personal data is NEVER sold to any third party for commercial purposes

4.3 Legitimate Interest Statement

Where we rely on legitimate interest as a legal basis for any cookie or data processing activity, we have conducted a Legitimate Interest Assessment (LIA) to confirm that our processing interests do not override your fundamental rights and freedoms. You have the right to object to legitimate interest processing at any time by contacting contact@xorastudio.com.

5. COOKIE CONSENT & MANAGEMENT

5.1 Cookie Consent Banner

When you first visit our website, a cookie consent banner is displayed with the following options:

  1. “Accept All” — Accepts all cookie categories (essential, analytics, marketing, preference, social)
  2. “Reject Non-Essential” — Accepts only essential cookies; no analytics, marketing, or social cookies are set
  3. “Customise Preferences” — Choose exactly which cookie categories you accept
  4. “Manage Preferences” — Access your cookie settings at any time after your initial choice

Essential cookies are always active and cannot be rejected, as they are strictly necessary for the website to function and are legally exempt from consent requirements.

Your consent preferences are saved in a consent record cookie and respected on every subsequent visit for 1 year.

5.2 GDPR Compliance

For users in EU/EEA countries:

  • Non-essential cookies are ONLY set after you give explicit, informed, affirmative consent
  • Consent is never bundled, pre-ticked, or implied from continued browsing
  • Rejecting consent is as easy as accepting it — one click
  • We do not make use of our services conditional on accepting non-essential cookies
  • You can withdraw consent at any time with immediate effect

5.3 CPRA / Global Privacy Control (GPC) — California Residents

We currently do not respond to browser-based Do Not Track (DNT) signals, as DNT has no consistent standard and is not legally mandated. However, we do recognise and respond to Global Privacy Control (GPC) signals as required under the California Privacy Rights Act (CPRA). If your browser sends a GPC signal, we will treat it as a valid opt-out of the sale and sharing of your personal information for targeted advertising purposes.

To enable GPC in your browser, visit: globalprivacycontrol.org

5.4 Changing Your Cookie Preferences

To update your cookie preferences at any time:

  1. Click “Cookie Settings” or “Manage Preferences” in the website footer
  2. Or visit: www.xorastudio.com/cookie-preferences
  3. Select which cookie categories you wish to allow or reject
  4. Click “Save Preferences”
  5. Changes take effect immediately

5.5 Withdrawing Consent

You can withdraw consent to non-essential cookies at any time using any of these methods:

  • Use the Cookie Preference Centre on our website (fastest)
  • Email contact@xorastudio.com with subject line: “Cookie Consent Withdrawal — [Your Name]”

What happens after withdrawal:

  • We will process your request within 5 business days
  • You will receive a written confirmation email
  • Non-essential cookies will no longer be set from that point forward
  • Previously stored non-essential cookies will be deleted from our systems
  • Your withdrawal is recorded and stored as proof of compliance
  • Some website features that rely on optional cookies may become unavailable

Withdrawing consent does not affect the lawfulness of any processing that took place before withdrawal.

6. HOW TO MANAGE COOKIES IN YOUR BROWSER

6.1 Browser Cookie Settings

Google Chrome:

  1. Settings → Privacy and Security → Cookies and other site data
  2. Choose: Allow all cookies, Block third-party cookies, or Block all cookies
  3. To delete cookies: Clear browsing data → Cookies and other site data

Mozilla Firefox:

  1. Preferences → Privacy & Security → Cookies and Site Data
  2. Choose: Accept all, Reject all, or Reject third-party cookies
  3. To delete: Clear Recent History → Cookies

Safari (Mac / iOS):

  1. Safari → Preferences → Privacy
  2. Choose your cookie blocking level
  3. To delete: Develop → Empty Caches, or Settings → Safari → Clear History and Website Data

Microsoft Edge:

  1. Settings → Privacy, search, and services → Clear browsing data
  2. Manage cookie settings in Cookies and site data
  3. To delete: Clear now → Cookies and other site data

Important: Disabling all cookies may prevent you from logging into the Client Portal, completing transactions, or accessing personalised features. We recommend blocking only third-party or marketing cookies rather than all cookies.

6.2 Browser Extensions & Privacy Tools

The following tools can help you control cookies and tracking:

  • uBlock Origin — Blocks ads and trackers (highly recommended)
  • Privacy Badger — Automatically learns to block hidden trackers (eff.org/privacy badger)
  • Ghostery — Blocks ads, trackers, and analytics (ghostery.com)
  • DuckDuckGo Extension — Privacy-focused browsing protection

6.3 Do Not Track (DNT) & Global Privacy Control (GPC)

We do not currently respond to browser Do Not Track (DNT) signals, as there is no legally binding standard for DNT implementation. We do, however, respond to Global Privacy Control (GPC) signals as required under CPRA for California residents (see Section 5.3).

If you are a California resident and wish to opt out of targeted advertising, we recommend enabling GPC in your browser or using our cookie preference centre to decline marketing cookies directly.

7. COOKIE RETENTION & DELETION

7.1 Retention Periods by Cookie Type

Cookie Type Retention Period Notes
Essential / Session Session or until logout Some security tokens are permanent
Analytics (GA4) 14 months GA4 maximum retention; auto-deleted after
Marketing (Google Ads) 90 days Conversion tracking window
Preference / Consent 1 year Refreshed on each visit
Social Media (YouTube) Up to 1 year Set by YouTube on video interaction
Portal Security Session Deleted on logout
Portal Analytics 14 months Aligned with GA4 retention

7.2 How Cookies Are Deleted

Automatic Deletion:

  • Session cookies are deleted when you close your browser
  • Expired cookies are automatically removed when their retention period ends
  • Analytics and marketing cookies are deleted after their specified retention periods

Manual Deletion:

  • You can delete all cookies at any time through your browser settings (see Section 6.1)
  • You can request deletion of associated personal data by emailing contact@xorastudio.com

7.3 Right to Erasure (GDPR)

Under GDPR, you have the right to request deletion of cookies and all associated personal data we hold about you.

To submit an erasure request:

  1. Email: contact@xorastudio.com
  2. Subject line: “Data Erasure Request — [Your Name]”
  3. Include: Your email address and the specific data or cookies you want deleted
  4. We will respond within 30 days with confirmation of deletion or an explanation of any legal retention obligations

Limitations on erasure:

  • Data required for legal or tax compliance may be retained in anonymised form
  • Transaction records may be retained for up to 7 years for accounting purposes
  • Data already shared with third-party analytics or ad platforms is subject to their own deletion policies and timelines

8. SPECIAL SITUATIONS & YOUR RIGHTS

8.1 Minors

Our website and services are not directed at children under the age of 13. We do not knowingly collect personal data from children under 13 (under COPPA) or under 16 (under GDPR, in most EU member states). If you believe a minor has provided personal data through our website, contact us immediately at contact@xorastudio.com and we will delete the data promptly.

Parents and guardians may request review and deletion of any data collected from a minor in their care.

8.2 California Residents (CCPA / CPRA)

California consumers have the following rights:

  • Right to Know: Request disclosure of what personal data we collect, use, and share
  • Right to Delete: Request deletion of personal information we have collected
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out: Opt out of the sale or sharing of personal information (we do not sell data)
  • Right to Limit: Limit our use of sensitive personal information
  • Right to Non-Discrimination: We will never treat you differently for exercising your rights
  • Global Privacy Control (GPC): We honour GPC signals as a valid opt-out of targeted advertising

To exercise your California rights:

  • Email: contact@xorastudio.com
  • Subject line: “CCPA Privacy Request — [Your Name]”
  • Response time: Within 45 days (extendable by a further 45 days with notice)

8.3 EU / EEA Residents (GDPR)

EU and EEA users have the following enhanced rights:

  • Right to Opt-In Consent: Non-essential cookies require your explicit prior consent
  • Right to Withdraw Consent: Withdraw at any time with immediate effect (see Section 5.5)
  • Right to Access: Request a copy of all personal data we hold about you
  • Right to Erasure: Request deletion of your data (see Section 7.3)
  • Right to Data Portability: Receive your data in a machine-readable format (CSV or JSON)
  • Right to Object: Object to processing based on legitimate interest
  • Right to Lodge a Complaint: File a complaint with your national data protection authority

Find your country’s Data Protection Authority: edpb.europa.eu/about-edpb/board/members_en

8.4 Canadian Residents (PIPEDA)

Under PIPEDA, Canadian users have the right to:

  • Access personal information we hold about you
  • Request correction of inaccurate information
  • Withdraw consent to data collection (subject to legal limitations)
  • Lodge a complaint with the Office of the Privacy Commissioner of Canada: priv.gc.ca

Contact: contact@xorastudio.com | Subject: “PIPEDA Privacy Request”

8.5 Pakistan Residents

Pakistan residents benefit from applicable data protection rights under Pakistani law. For any privacy concerns or data requests, contact us at contact@xorastudio.com. We will respond within 5–7 business days.

9. SECURITY & DATA PROTECTION

9.1 How We Protect Cookie Data

  • SSL/TLS Encryption: All data transmitted between your browser and our website is encrypted via HTTPS
  • Secure Cookie Flags: All cookies are set with appropriate security attributes (see Section 9.2)
  • Regular Security Audits: We conduct periodic security assessments of our website and cookie implementation
  • Access Controls: Cookie and analytics data is only accessible to authorised team members
  • Firewall & Intrusion Detection: Our hosting infrastructure (Hostinger + Cloudflare) includes active threat protection

9.2 Secure Cookie Attributes

All cookies we set include the following security attributes where applicable:

  • HTTP Only: Prevents JavaScript from accessing the cookie, protecting against cross-site scripting (XSS) attacks
  • Secure: Cookie is only transmitted over HTTPS connections, preventing interception on unsecured networks
  • Same Site (Strict or Lax): Prevents the cookie from being sent in cross-site requests, protecting against CSRF attacks

9.3 Data Breach Response

In the event of a security incident affecting cookie or personal data:

  • We will investigate the incident immediately upon discovery
  • Affected users will be notified within 72 hours where required by applicable law (GDPR Article 33)
  • Relevant supervisory authorities will be informed within 72 hours
  • We will publish a breach notification with full details of what happened, what data was affected, and what steps are being taken
  • Corrective measures will be implemented to prevent recurrence

10. UPDATES & CHANGES TO THIS POLICY

10.1 Cookie Audit Schedule

To ensure accuracy, we conduct a full cookie audit on a regular basis:

  • Last Cookie Audit: May 8, 2026
  • Next Scheduled Audit: August 8, 2026
  • Audit Frequency: Every 90 days, or immediately when new cookies are added or removed

Audits verify that all cookies listed in Section 12 are accurate, that no undisclosed cookies are being set, and that retention periods remain correct.

10.2 Policy Updates

We may update this Cookie Policy at any time for the following reasons:

  • Addition of new cookies or tracking technologies
  • Changes to third-party services we use
  • Legal compliance updates (new regulations or regulatory guidance)
  • Business changes (new services, new markets)
  • Correction of inaccuracies identified during cookie audits

10.3 Notification of Changes

When we make material changes to this policy, we will:

  • Update the “Last Updated” date at the top of this page
  • Display a prominent notice on our website for at least 14 days
  • Email registered users and clients where we hold an email address
  • Re-request consent for any new cookie categories added

Your continued use of our website after changes are posted constitutes acceptance of the updated policy for non-consent-required cookies only. For new consent-required cookies, fresh consent will always be requested.

10.4 Version History

Version Date Summary of Changes
1.0 May 8, 2026 Initial Cookie Policy published
2.0 May 8, 2026 All errors corrected: GA4 retention fixed to 14 months, Facebook Pixel moved to planned section, DNT/GPC language updated, phantom cookies removed, cookie audit schedule added

11. CONTACT & SUPPORT

11.1 General Cookie Questions

XORA STUDIO Email: contact@xorastudio.com Phone: +92 349 4059660 Support Hours: Monday–Friday, 10AM–6PM PKT Website: www.xorastudio.com Address: Xinua Mall, Gullberg III, Lahore, Pakistan

11.2 Privacy Officer

For formal data privacy requests, GDPR/CCPA rights exercises, or cookie consent withdrawals:

  • Email: privacy@xorastudio.com
  • Subject line format: “Privacy Request — [Your Name] — [Type of Request]”
  • Response Time: 5–7 business days for standard requests; 30 days for full GDPR requests

11.3 Complaints & Escalations

If you are not satisfied with how we have handled your privacy or cookie concern:

  • EU/EEA: Contact your national Data Protection Authority (edpb.europa.eu)
  • California: California Attorney General (oag.ca.gov)
  • Canada: Office of the Privacy Commissioner of Canada (priv.gc.ca)
  • Pakistan: Relevant regulatory authority or legal channels

You have the right to escalate to your national authority at any time — you do not need to exhaust our internal complaints process first.

12. COOKIE INVENTORY

Last Verified: May 8, 2026 | Next Audit: August 8, 2026

This is a complete list of cookies currently active on www.xorastudio.com. If you discover a cookie on our website that is not listed below, please report it to contact@xorastudio.com immediately.

12.1 Essential Cookies (Always Active)

Cookie Name Purpose Retention Set By
session_id Maintains your login session Session Xora Studio
csrf_token Prevents cross-site request forgery attacks Session Xora Studio
security_token Security verification and authentication Permanent Xora Studio
language_pref Saves your website language selection 1 year Xora Studio
PHPSESSID PHP server session management (Hostinger) Session Hostinger
cf_clearance Cloudflare bot challenge clearance 30 minutes Cloudflare
__cf_bm Cloudflare bot management 30 minutes Cloudflare
cookie_consent Saves your cookie consent choices 1 year Xora Studio

12.2 Analytics Cookies (Require Consent)

Cookie Name Purpose Retention Set By
_ga Google Analytics unique user identifier 14 months Google
_ga_[ID] Google Analytics session and campaign data 14 months Google
_gid Google Analytics session identifier 24 hours Google
_gat Google Analytics request throttle (limits request rate) 1 minute Google

12.3 Marketing Cookies – Currently Active (Require Consent)

Cookie Name Purpose Retention Set By
_gcl_au Google Ads conversion linker 90 days Google
_gcl_aw Google Ads click tracking 90 days Google

12.4 Marketing Cookies – Planned (NOT YET ACTIVE)

The following cookies will be added when the corresponding platforms are activated. They are not currently set on our website. This policy and the consent banner will be updated before activation.

Cookie Name Platform Purpose Planned Retention
_fbp Meta / Facebook Pixel User identification for ad targeting 90 days
_fbc Meta / Facebook Pixel Click conversion tracking 90 days
li_gc LinkedIn Ads Ad tracking and targeting 90 days

12.5 Social Media Cookies (Require Consent)

Cookie Name Purpose Retention Set By
VISITOR_INFO1_LIVE YouTube video player functionality 6 months YouTube/Google
YSC YouTube session for video tracking Session YouTube/Google
yt-remote-device-id YouTube player preferences Persistent YouTube/Google

12.6 New Cookies

We may add new cookies as we integrate new features, services, or third-party tools. All new cookies will be:

  • Added to this inventory within 7 days of activation
  • Disclosed in an updated consent banner if they require consent
  • Covered by a policy update notice as described in Section 10

13. FREQUENTLY ASKED QUESTIONS

Q: What if I reject all non-essential cookies?

A: The website will still function normally. You won’t be tracked by analytics, you won’t see retargeting ads, and no marketing or social cookies will be set. Essential cookies (login, security, consent record) will still be active as required for the site to work.

Q: Can I be tracked even if I disable cookies?

A: Partially, yes. Some information is collected at the server level regardless of cookie settings. This includes your IP address (recorded in server logs), your browser type and operating system (sent in every HTTP request), and the pages you visit (logged by the web server). However, detailed behavioural tracking, session recording, and cross-site ad targeting all require cookies and will not function if you decline them.

Q: Do you use device fingerprinting?

A: No. We do not use device fingerprinting, canvas fingerprinting, or any similar technique designed to identify you without a cookie. If this changes, it will be disclosed in this policy before implementation.

Q: Does rejecting cookies affect my use of the Client Portal?

A: Only essential cookies are required for the Client Portal to function. Declining analytics or marketing cookies has no impact on your ability to log in, view your projects, download files, or communicate with our team.

Q: Is my payment data stored in cookies?

A: No. Payment information (bank details, card numbers) goes directly and securely to our payment processors (Payoneer, EasyPaisa). We do not store or pass payment data through cookies under any circumstances.

Q: What is the difference between a cookie and a pixel?

A: A cookie is a text file stored on your device by your browser. A pixel is a small piece of code embedded in a webpage or email that sends data to a third-party server when the page or email loads. Both can track behaviour, but they work differently. The Facebook Pixel and Google Ads conversion tag are examples of pixels. We disclose both in this policy.

Q: How do I stop seeing Xora Studio retargeting ads?

A: Decline marketing cookies in our consent banner, or opt out directly through Google Ads Settings (adssettings.google.com). Once opted out, you will no longer see Xora Studio ads served through Google’s ad network.

Q: Do you use cookies to build personal profiles about me?

A: No. We use analytics cookies to understand aggregate user behaviour patterns — not to build individual personal profiles. Your data is grouped with data from all other visitors to generate statistical reports.

Q: Can I get a copy of data collected about me?

A: Yes. Email contact@xorastudio.com with subject “Data Access Request” and we will provide you with a copy of all personal data we hold within 30 days (GDPR) or 45 days (CCPA).

Q: What happens to my cookie data if I am an EU resident?

A: EU residents are protected by full GDPR rights. Non-essential cookies are only set with your prior explicit consent. You can withdraw that consent at any time. Your data is processed on the basis of consent or documented legitimate interest, and you can exercise all rights listed in Section 8.3 at any time.

14. ACKNOWLEDGMENT

By using Xora Studio’s website, you acknowledge that:

  • You have read and understood this Cookie Policy
  • You understand how and why we use cookies
  • You understand your rights and how to manage your cookie preferences
  • You understand that essential cookies are active by default and required for website functionality
  • You understand that non-essential cookies (analytics, marketing, social) are only set with your explicit consent

Cookie consent is managed through our consent banner — not through reading this policy. Reading this policy does not constitute consent to non-essential cookies. Consent is only recorded when you actively make a selection in the consent banner.

If you do not wish to accept any non-essential cookies, click “Reject Non-Essential” in the consent banner or manage your preferences through the Cookie Preference Centre.

15. ADDITIONAL RESOURCES

Xora Studio Legal Documents:

  • Privacy Policy: www.xorastudio.com/privacy-policy
  • Terms and Conditions: www.xorastudio.com/terms-and-conditions
  • Disclaimer: www.xorastudio.com/disclaimer

Third-Party Privacy Policies:

  • Google: policies.google.com/privacy
  • YouTube: policies.google.com/privacy
  • Hostinger: hostinger.com/privacy-policy
  • Cloudflare: cloudflare.com/privacy-policy
  • Payoneer: payoneer.com/legal/privacy-policy
  • Meta/Facebook (for when Pixel is activated): facebook.com/about/privacy

Your Rights & Regulatory Resources:

  • GDPR full text: gdpr-info.eu
  • CCPA/CPRA information: oag.ca.gov/privacy/ccpa
  • PIPEDA information: priv.gc.ca
  • EU Data Protection Authorities: edpb.europa.eu

Opt-Out Tools:

  • Google Analytics Opt-Out: tools.google.com/dlpage/gaoptout
  • Google Ads Settings: adssettings.google.com
  • Facebook Ads Preferences: facebook.com/ads/preferences
  • Network Advertising Initiative: optout.networkadvertising.org
  • Digital Advertising Alliance: optout.aboutads.info
  • Global Privacy Control (GPC): globalprivacycontrol.org

Effective Date: May 8, 2026 Last Updated: May 8, 2026 Document Version: 2.0

This Cookie Policy is customised for Xora Studio’s web properties and services.

Stay Updated With What Matters

Practical insights and updates to help you build, improve, and grow your digital presence.