Cookie Policy
LEGAFLOW
Compliance Platform for Content Creator Agencies
Use of Cookies and Similar Technologies
Version 1.0
Effective Date: 15 April 2026 | Last Updated: 15 April 2026
PUBLISHER: OMAZEO SP. Z O.O., Plac Bankowy 2, 00-095 Warszawa, Poland. KRS: 0000879770 | NIP: 7842524687 | REGON: 387980205. Share capital: 20,000 PLN (fully paid-up).
1. Introduction
This Cookie Policy (the "Policy") is issued by OMAZEO SP. Z O.O., a limited liability company incorporated under the laws of the Republic of Poland, with its registered office at Plac Bankowy 2, 00-095 Warszawa, Poland, registered under KRS 0000879770, NIP 7842524687, REGON 387980205, with a share capital of 20,000 PLN fully paid-up (the "Company", "LegaFlow", "we"). This Policy explains how and why the Company uses cookies and similar technologies on the legaflow.io website, the LegaFlow SaaS platform, and associated subdomains.
Strictly necessary cookies are deployed without prior consent, in reliance on the exemption set out in Article 5(3) of Directive 2002/58/EC (the ePrivacy Directive), as transposed into national laws of the European Economic Area – in Poland by the Act on Telecommunications Law of 16 July 2004 (as amended by the Electronic Communications Law of 12 July 2024). All other cookies are deployed only after explicit, freely given, specific, informed, and unambiguous opt-in consent collected through the cookie banner, in accordance with Article 4(11) and Article 7 of Regulation (EU) 2016/679 (the GDPR) and the European Data Protection Board Guidelines 05/2020 on consent.
The Company does not deploy advertising cookies from third-party networks (such as Meta Pixel, Google Ads Conversion, LinkedIn Insight Tag, TikTok Pixel, X/Twitter Pixel, or equivalent), does not engage in cross-site tracking, does not sell or share personal information for cross-context behavioural advertising, and honours the Global Privacy Control signal.
2. What is a Cookie?
A cookie is a small text file placed on the user's device (computer, tablet, or smartphone) by the website or application being visited. For the purposes of this Policy, references to "cookies" also include pixels, web beacons, local storage, session storage, IndexedDB, software-development kits (SDKs), and any similar technology used to process information on the user's device. Certain cookies are necessary for the functioning of the platform; others are used to enhance functionality, ensure security, or produce aggregated analytics.
3. Categories of Cookies
3.1. Strictly Necessary Cookies
These cookies are essential to the functioning of the platform and the website. Without them, the services cannot be provided. They are deployed without prior consent on the basis of Article 5(3) of the ePrivacy Directive.
| Name | Purpose | Duration | First / Third Party |
|---|---|---|---|
| legaflow_session | User session and authentication | Session | First party |
| legaflow_csrf | Cross-Site Request Forgery protection | Session | First party |
| legaflow_remember | Persistent authentication ("Remember me") | 30 days | First party |
| legaflow_locale | Language preference | 12 months | First party |
| legaflow_consent | Storage of cookie-banner choices | 12 months | First party |
| __cf_bm / __cfruid | Cloudflare bot management and traffic routing | Session / 30 min | Third party (Cloudflare) |
| stripe / __stripe_mid / __stripe_sid | Fraud prevention during payment flow | 1 year / session | Third party (Stripe) |
3.2. Functional Cookies
Functional cookies enable enhanced functionality such as live support chat, preferred-timezone display, or saved interface preferences. They are deployed only with consent.
| Name | Purpose | Duration | Provider |
|---|---|---|---|
| legaflow_tz | Preferred timezone display | 12 months | First party |
| legaflow_theme | Interface-theme preference | 12 months | First party |
3.3. Security Cookies
Security cookies detect and prevent fraudulent activity, credential-stuffing attacks, bot traffic, and account takeovers. These cookies are treated as strictly necessary where their use is indispensable to the security of the service requested by the user; otherwise they are subject to consent.
| Name | Purpose | Duration | Provider |
|---|---|---|---|
| legaflow_rate_limit | Rate-limiting and abuse prevention | 15 min | First party |
| legaflow_device_fp | Device fingerprint (privacy-preserving hash) for anomaly detection | 6 months | First party |
3.4. Analytics Cookies
The Company uses privacy-preserving, self-hosted or EU-tenant analytics (Matomo or Plausible), configured with IP truncation, no cross-site tracking, and no transfer to third parties for advertising. Analytics cookies are deployed only with consent.
| Name | Purpose | Duration | Provider |
|---|---|---|---|
| _pk_id.* | Anonymous visitor identification for aggregated analytics | 13 months | Matomo (self-hosted, EU) |
| _pk_ses.* | Session identification for aggregated analytics | 30 min | Matomo (self-hosted, EU) |
| plausible_ignore | Exclude LegaFlow team members from analytics | 12 months | Plausible (EU) |
3.5. Advertising Cookies – None in Use
The Company does not deploy advertising cookies, cross-site tracking pixels, conversion tags, or retargeting technologies from third-party advertising networks. The Company does not sell or share Personal Information for cross-context behavioural advertising within the meaning of CCPA/CPRA, and does not participate in advertising data-exchange frameworks (such as the IAB Transparency and Consent Framework) as a publisher. If in the future the Company wishes to use any such technology, this Policy and the cookie banner will be updated to request prior, explicit, opt-in consent, and this Section will be revised accordingly.
4. Legal Basis and Consent
The legal basis for deployment of non-strictly-necessary cookies is the user's explicit, freely given, specific, informed, and unambiguous opt-in consent within the meaning of Article 4(11) and Article 7 GDPR, of the ePrivacy Directive, and of the EDPB Guidelines 05/2020 on consent:
- No pre-ticked boxes are used in the cookie banner;
- "Accept" and "Reject" buttons are presented at the same level of prominence;
- Consent is granular: users may accept or reject each category separately;
- Consent may be withdrawn at any time through the "Cookie preferences" link in the website footer, without detriment, with the same ease with which it was granted;
- No cookie wall is deployed – access to the website and to public-facing documentation is not conditioned on acceptance of non-strictly-necessary cookies;
- Consent records are retained for a minimum of six (6) months as proof under Article 7(1) GDPR and are refreshed no less than every twelve (12) months.
5. Global Privacy Control
The Company honours the Global Privacy Control (GPC) signal transmitted by supported browsers. When a GPC signal is detected, the Company treats it as: (a) an instruction to opt out of any "sale" or "sharing" of Personal Information within the meaning of CCPA/CPRA (noting that the Company does not sell or share in any event); and (b) a rejection of all non-strictly-necessary cookies and similar technologies, unless the user subsequently provides explicit consent.
6. Do Not Track
The Do Not Track (DNT) browser signal is not a uniformly implemented standard and is not honoured as a binding instruction by most websites. The Company does not currently treat DNT as a withdrawal of consent, but encourages users to rely on the GPC signal or to manage their preferences through the cookie banner.
7. Managing Cookie Preferences
Users may manage their cookie preferences at any time through:
- The "Cookie preferences" link located in the footer of the website and of the platform;
- Their browser settings (most browsers allow users to refuse, delete, or be notified when cookies are set);
- Third-party opt-out tools (such as YourOnlineChoices for EU-based users);
- For Matomo analytics, a direct opt-out form at legaflow.io/cookies#matomo-optout.
Browser-specific instructions: Google Chrome – Settings > Privacy and security > Cookies and other site data; Mozilla Firefox – Preferences > Privacy & Security > Cookies and Site Data; Microsoft Edge – Settings > Cookies and site permissions; Apple Safari – Preferences > Privacy > Manage Website Data. Blocking strictly necessary cookies will prevent the platform from functioning correctly.
8. Third-Party Services and International Transfers
Some cookies are set by third parties acting as independent Controllers or as Processors of the Company. The privacy and cookie policies of those third parties apply in addition to the present Policy:
- Cloudflare – cloudflare.com/privacypolicy;
- Stripe – stripe.com/privacy;
- Matomo (self-hosted) and Plausible (EU tenant) – matomo.org/privacy-policy; plausible.io/privacy.
Where cookies involve transfer of Personal Data outside the European Economic Area, such transfers are governed by the safeguards described in Section 9 of the Privacy Policy (Standard Contractual Clauses, UK IDTA, adequacy decisions, or other lawful mechanisms under Chapter V GDPR).
9. Retention of Cookie and Consent Data
Cookie lifetimes are indicated in the tables in Section 3. Consent records are retained for a minimum of six (6) months for evidentiary purposes and are refreshed no later than every twelve (12) months, in line with EDPB Guidelines 05/2020.
10. Minors
LEGAFLOW IS STRICTLY RESERVED FOR ADULTS AGED 18 YEARS OR OLDER.
The Company does not knowingly collect Personal Data from individuals under the age of eighteen (18) through cookies or any other means. Where the Company becomes aware that Personal Data of a minor has been collected, it will promptly delete such data.
11. Data-Subject Rights
Rights of access, rectification, erasure, restriction, portability, objection, and withdrawal of consent in respect of Personal Data collected through cookies are described in Section 11 of the Privacy Policy and may be exercised by writing to dpo@legaflow.io. Complaints may be lodged with the competent supervisory authority – as a matter of primary law, the President of the Polish Personal Data Protection Office (UODO, uodo.gov.pl) – or with the supervisory authority of the Data Subject's Member State of habitual residence.
12. Amendments
The Company may amend this Cookie Policy to reflect changes in law, technology, or business practice. Material amendments are notified through the website, through the cookie banner (with a fresh consent prompt where necessary), and through the platform. The date of the most recent version is indicated at the top of this document.
13. Contact
Questions or complaints concerning cookies may be addressed to:
- All enquiries: contact@legaflow.io
- Data protection and DPO: dpo@legaflow.io
- Post: OMAZEO SP. Z O.O., Plac Bankowy 2, 00-095 Warszawa, Poland
14. Acknowledgement and Governing Law
By clicking "Accept All" or by selecting specific categories in the cookie banner, the user provides consent to the deployment of the corresponding cookies. By clicking "Reject All", the user refuses consent to all non-strictly-necessary cookies. Consent may be withdrawn at any time without detriment through the "Cookie preferences" link in the website footer, through the browser settings, or by writing to dpo@legaflow.io.
This Cookie Policy is governed by Polish law and is drafted in English. Where the Company publishes translations, the English version prevails in the event of discrepancy. Mandatory provisions of the data-protection law applicable to a user's habitual residence remain unaffected.