Cookie Policy
Effective Date: January 21, 2026
Last Updated: January 21, 2026
Version: 2.1
1. Introduction
This Cookie Policy explains how Settel ("we," "us," or "our") uses cookies and similar tracking technologies on www.settel.io. By using Settel, you consent to essential cookies and can choose whether to accept optional cookies.
2. What Are Cookies?
Cookies are small text files stored on your device when you visit a website. They help remember preferences, recognize return visits, and improve experience.
Cookie Components: name, value, domain, expiration, path.
Similar Technologies: local storage, session storage, pixels/web beacons, JavaScript. "Cookies" here includes all of these.
3. Why Settel Uses Cookies
We use cookies to:
- Keep you securely logged in
- Remember preferences (language, theme, dashboard layout)
- Protect against security threats (CSRF, fraud)
- Understand how you use Settel to improve features
- Show relevant information
- Measure performance
Cookies do NOT contain financial data. See Section 9.
4. Types of Cookies We Use
4.1 Essential Cookies (Always On)
Strictly necessary for Settel to function; cannot be disabled.
| Cookie Name | Purpose | Duration | Justification |
|---|---|---|---|
| session_id | Keeps you logged in securely | Session | Needed for account security |
| csrf_token | Protects against CSRF | Session | Essential security |
| auth_token | MFA session | 15 minutes | Used only during login verification |
| user_preferences | Remembers settings (theme, language, layout) | 1 year | Improves UX without re-asking |
| cookie_consent_choice | Remembers your cookie choices | 13 months | Required to honor consent |
Legal basis: contract performance and legitimate interests.
4.2 Analytics and Performance Cookies (Optional)
Require your consent; off by default.
Google Analytics (GA4): _ga (2 years), _gid (24 hours), _gat (1 minute). Purpose: traffic analysis and behavior. Tracks pages visited, time on page, features used, navigation, device type, approximate location (country/city). Does NOT track financial data. Uses Google Consent Mode v2. We do not use Hotjar or Segment.
4.3 Marketing Cookies (Currently Not Used)
We do not run LinkedIn Ads, Google Ads tracking, or other marketing pixels at this time. If we introduce marketing cookies, we will request your explicit consent before they are set and will update this policy with the specific cookies, purposes, and durations.
4.4 Functional Cookies (Optional)
Enable additional features; optional.
Stripe: __stripe_mid (1 year), __stripe_sid (30 minutes). Purpose: fraud prevention and checkout session integrity. Stripe handles card data; Settel never sees card numbers. Support is provided via email (support@settel.io), not via live chat widgets.
5. Third-Party Cookies
Some cookies are set by third parties (Google Analytics for analytics, Stripe for payments). Review their privacy policies. They may use cookies for their own purposes.
6. Cookie Lifespan and Expiration
- Session cookies: deleted when browser closes
- Persistent cookies: remain until expiration (24 hours to 2 years)
- Essential: session to 1 year
- Analytics: 24 hours to 2 years
- Marketing: not in use today (if added, durations will be disclosed)
- Functional: session to 1 year
7. Consent Renewal and Versioning
Cookie consent expires after 13 months. After expiry, the banner reappears so you can review/update choices. If material changes occur (new partners, new purposes, changed retention), we request fresh consent immediately. We log consent choices (timestamp, categories accepted/rejected, hashed IP, user agent, consent version, country) for 7 years; logs are encrypted, immutable, access-restricted.
8. Your Choices and Control
- Use the "Privacy settings" or Cookie Preference Center to accept all, reject all, or toggle Analytics/Marketing/Functional individually. EU/UK defaults to opt-in.
- Browser controls: Chrome, Firefox, Safari, Edge allow blocking/clearing cookies. Blocking essential cookies may break login/security.
- Do Not Track (DNT): if your browser sends DNT, we reject non-essential cookies and keep only essential; banner may be suppressed.
- Global Privacy Control (GPC): treated as opt-out of marketing cookies and sale/sharing for applicable US state laws. Supported on browsers/extensions listed at globalprivacycontrol.org.
- Opt-out tools: Google Analytics Opt-Out Add-on, NAI/DAA/EDAA tools for ads.
9. What Cookies Do NOT Contain
Cookies never contain:
- Bank account numbers or credentials
- Investment holdings or portfolio values
- Tax calculations or return data
- Uploaded documents (never stored)
- Transaction history or payment details
- Sensitive IDs or biometrics
Financial data is stored separately, encrypted (AES-256), protected by MFA, strict access controls, and zero document retention.
10. Cookies and Security
- Essential cookies marked Secure and HttpOnly where applicable; SameSite=Lax/Strict to prevent CSRF.
- IPs in consent logs are hashed. Logs are encrypted and access-restricted.
- Your part: never share passwords, use strong unique passwords, enable MFA, and clear cookies on shared devices.
11. International Data Transfers
Some providers are in the US. For EU/UK users, transfers rely on Standard Contractual Clauses (SCCs), UK addenda, and provider safeguards (for example, Google Data Transfer Framework). Providers commit to GDPR-level protection regardless of location.
12. Cookies and Children
Settel is not for individuals under 18. We do not knowingly collect cookie data from children. If under 18, do not use Settel.
13. Changes to This Cookie Policy
We may update this policy. For significant changes, we will send notice by email, post a notice on-site, and request fresh consent if needed. Continued use after changes means acceptance.
14. Contact Us
Privacy team: privacy@settel.io (5 business days).
Update preferences anytime in Settings -> Privacy and Cookies or via the Cookie Preference Center.
ICO Registration: ZC039135 (https://ico.org.uk/ESDWebPages/Search).
15. Legal Basis for Cookie Use
- Essential: legitimate interests (security/functionality)
- Analytics/Marketing/Functional: consent (GDPR/UK GDPR Article 6(1)(a))
- ePrivacy: explicit consent before non-essential cookies
- CCPA/CPRA: marketing cookies may be "sharing"; opt-out via footer link or GPC; we honor GPC as valid opt-out.
16. Cookie Audit Log
We log timestamp, categories accepted/rejected, hashed IP, user agent, consent version, and country for 7 years to prove compliance. Logs are encrypted, immutable, and access-restricted.
Appendix: Complete Cookie List
Essential
- session_id (Settel) - session - secure login
- csrf_token (Settel) - session - CSRF protection
- auth_token (Settel) - 15 minutes - MFA verification
- user_preferences (Settel) - 1 year - UI preferences
- cookie_consent_choice (Settel) - 13 months - consent record
Analytics (optional)
- _ga (Google) - 2 years - user identification for analytics
- _gid (Google) - 24 hours - short-term session stats
- _gat (Google) - 1 minute - request throttling
Marketing (optional)
- Not in use. If introduced, we will list specific cookies, durations, and purposes and seek consent first.
Functional (optional)
- __stripe_mid (Stripe) - 1 year - fraud detection patterns
- __stripe_sid (Stripe) - 30 minutes - checkout session security
Summary: Settel uses cookies to provide essential functionality, improve experience, and measure performance. Optional cookies require your consent. Financial data is never stored in cookies. We recognize DNT and GPC signals. Update preferences any time.
Next Review: April 2026