Cookies & Tracking Technologies Policy

For OMLAB DIGITAL LTD (trading as OnlyMonster)

Effective Date:

Previous Version:

Controller:

OMLAB DIGITAL LTD, Ifigeneias, 14, 3036, Limassol, Cyprus

1. Preamble: Scope & Binding Nature

This Policy forms an integral part of the OnlyMonster Terms and Conditions and the OnlyMonster Privacy Policy. It governs the use of cookies, local storage, pixels, beacons, and similar tracking technologies (collectively, "Tracking Technologies") on our public-facing website (onlymonster.ai) and within our software-as-a-service platform (the "Service").

This Policy is drafted in accordance with, and intends to ensure our compliance with, Applicable Data Protection Law as defined in our Terms and Conditions and Data Processing Agreement (DPA).

2. The Distinction: Website vs. Service

Understanding this distinction is critical for your rights and our lawful bases:

  • Our Public Website (onlymonster.ai): Used for marketing, information, and account registration. Here, we rely on your prior, granular consent for all non-essential Tracking Technologies, obtained via a consent management platform (CMP). This Policy primarily addresses this environment.
  • The OnlyMonster Service includes the Web App, Desktop Applications, and Browser Extensions.

3. Your Control & Consent Management

3.1. For Website Visitors

Upon your first visit to onlymonster.ai, a consent banner will appear, allowing you to:

  • Accept All: Provide consent for all categories of non-essential Tracking Technologies.
  • Reject All: Deny consent for all non-essential Tracking Technologies.
  • Preferences / Customize: Granularly manage your consent for each category (Performance, Functional, Marketing).

3.2. Withdrawal of Consent

You may withdraw or modify your consent for non-essential cookies on our website at any time by clicking the "Cookie Settings" link in the website footer. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal. Disabling strictly necessary cookies may prevent access to the Service or limit its functionality.

4. Categories of Tracking Technologies & Lawful Bases

We classify Tracking Technologies based on their purpose and the corresponding legal basis under GDPR.

| Category & Legal Basis | Purpose Description | Impact of Disabling |
|---|---|---|
| 1. Strictly Necessary. Art. 6(1)(b) & (f) GDPR | Essential for core functionality and security. | The Service will not function. You cannot log in or maintain a secure session. This may result in account suspension per our Terms. |
| 2. Performance & Analytics. On Website: Art. 6(1)(a) GDPR – CONSENT. Within Service: Art. 6(1)(f) GDPR – Legitimate Interest | On Website: Measure website traffic, user interaction, amplitude (e.g., Google Analytics). Within Service: First-party aggregated error/performance logging for internal operational stability and improvement of the Service. | On Website: We lose insights to improve site experience. Within Service: No user-facing impact, but our ability to diagnose platform-wide performance issues is impaired. |
| 3. Functional. Art. 6(1)(a) GDPR – CONSENT | Remember non-critical preferences (e.g., chat support session state, UI language choice) on the website. | Certain convenience features on the website may reset on each visit. Live chat may not recall your history. |
| 4. Marketing / Targeting. Art. 6(1)(a) GDPR – CONSENT | Used to build a profile of your interests to deliver relevant advertising on other sites (e.g., Facebook Pixel). | You will see less personalised advertising from us on other platforms. |

5. Detailed Inventory of Tracking Technologies

The table below provides transparent detail on specific technologies we employ.

Updated cookie inventory (based on latest scan report)

| Cookie Name | Provider / Domain | Category | Purpose / Description | Retention | GDPR Legal Basis |
|---|---|---|---|---|---|
| __cf_bm | Cloudflare | Strictly Necessary | Distinguishes humans from bots; protects the website from malicious traffic. | 1 day | Art. 6(1)(f) GDPR |
| _cfuvid | Cloudflare | Strictly Necessary | Load balancing, secure content delivery, and rate-limiting. | Session | Art. 6(1)(f) GDPR |
| CookieConsent | Usercentrics CMP | Strictly Necessary | Stores the user's cookie consent state for the domain. | 1 year | Art. 6(1)(c) GDPR |
| _ga | Google Analytics | Analytics | Tracks website usage and visitor behaviour for statistical purposes. | 2 years | Art. 6(1)(a) GDPR |
| _ga_* | Google Analytics | Analytics | Stores session-related analytics data. | 2 years | Art. 6(1)(a) GDPR |
| _gid | Google Analytics | Analytics | Distinguishes users for analytics purposes. | 24 hours | Art. 6(1)(a) GDPR |
| _fbp | Meta Platforms | Marketing | Delivers targeted advertising and measures ad performance. | 3 months | Art. 6(1)(a) GDPR |
| _gcl_au | Google | Marketing | Measures advertising conversion effectiveness. | 3 months | Art. 6(1)(a) GDPR |
| _gcl_ls | Google Tag Manager | Marketing | Tracks conversions between ads and user interactions. | Persistent | Art. 6(1)(a) GDPR |
| lastExternalReferrer | Meta Platforms | Marketing | Detects how users reached the website. | Persistent | Art. 6(1)(a) GDPR |
| lastExternalReferrerTime | Meta Platforms | Marketing | Stores timestamp of referral source. | Persistent | Art. 6(1)(a) GDPR |
| pagead/1p-user-list/# | Google | Marketing | Tracks user interest across sites for advertising measurement. | Session | Art. 6(1)(a) GDPR |
| __clerk_db_jwt | Clerk | Strictly Necessary | Authentication token enabling secure login. | Session | Art. 6(1)(b) GDPR |
| __clerk_db_jwt_* | Clerk | Strictly Necessary | Authentication and session management. | Session | Art. 6(1)(b) GDPR |
| __clerk_environment | Clerk | Strictly Necessary | Identifies authentication environment configuration. | Persistent | Art. 6(1)(b) GDPR |
| __client | Clerk | Strictly Necessary | Client identification for authentication services. | Session / 400 days | Art. 6(1)(b) GDPR |
| __client_uat | Clerk | Strictly Necessary | Authentication testing and environment separation. | 400 days | Art. 6(1)(b) GDPR |
| __initted | Clerk | Strictly Necessary | Initialisation of authentication framework. | Session | Art. 6(1)(b) GDPR |
| test_cookie | DoubleClick | Marketing | Tests whether browser accepts cookies. | 1 day | Art. 6(1)(a) GDPR |
| amplitude_id_* | Amplitude | Analytics | Collects user interaction events and product usage data within the authenticated Service environment, including user identifiers (user ID, email where applicable), account identifiers, organization identifiers, and behavioural event data, for internal product analytics, feature performance monitoring, technical diagnostics, and service improvement. Not used for advertising or external marketing. | Up to 1 year | Website: Art. 6(1)(a) GDPR (Consent); Service: Art. 6(1)(b) GDPR (Contract) and/or Art. 6(1)(f) GDPR (Legitimate Interest). |

Amplitude Analytics within the Service (Clarification)

Within the authenticated Service environment, Amplitude acts as a product analytics provider. Event-level data may include user identifiers (including user ID and email where applicable), account identifiers, organization identifiers, and behavioural interaction data. Such processing is performed solely to improve product functionality, monitor feature performance, diagnose technical issues, and enhance user experience. Amplitude data is not used for advertising, profiling for external marketing purposes, or automated decision-making producing legal or similarly significant effects.

6. International Data Transfers

Some third-party providers (e.g., Google, Meta) are based outside the European Economic Area (EEA). Any transfer of personal data via their cookies is safeguarded by:

  • The EU-U.S. Data Privacy Framework (for certified U.S. providers), or
  • Standard Contractual Clauses (SCCs) adopted by the European Commission, complemented by robust technical measures.

Details of these transfers can be provided upon request to our DPO.

7. Data Retention

Cookie data is retained only for the period specified in the table above, necessary to fulfil its purpose. Post-expiry, data is automatically deleted or irreversibly anonymised. This is without prejudice to our Legal Hold rights as described in our Terms and Conditions and Privacy Policy.

8. Profiling & Automated Decision-Making in the Service

Important Notice for Agency Clients and Their Users: The core analytical functions of the OnlyMonster Service (e.g., generation of spending propensity scores, chargeback risk analysis) involve automated processing, including profiling as defined in GDPR Article 4(4).

  • Role Clarification: For such processing, our Client is the Data Controller. They determine the purposes and legal basis (e.g., legitimate interest under Article 6(1)(f)). OnlyMonster acts as a Data Processor, executing this processing according to the Client's instructions under our Data Processing Agreement (DPA), which is part of our Terms and Conditions.
  • No Significant Automated Decisions by OnlyMonster: We do not make automated decisions producing legal effects or similarly significant effects concerning individuals (Article 22 GDPR). Our analytics provide informational insights to the Controller, who retains human oversight over any consequential decisions.
  • Your Rights: If you are a data subject (e.g., a Fan) whose data is profiled via our Service, you should direct any requests to exercise your rights (including rights related to profiling) to the Organization using the Service. We will support our Clients in fulfilling these obligations as per our DPA.

9. Your Rights and How to Exercise Them

Under GDPR, you have the right to access, rectify, erase, restrict processing of, and object to processing of your personal data, and the right to data portability. In the context of Tracking Technologies:

  1. For data processed based on consent (Performance, Functional, Marketing cookies on our website), you can manage these via our Cookie Settings.
  2. For data processed under other bases (e.g., strictly necessary cookies), or for other general data protection requests, contact our DPO.
  3. To exercise your general data protection rights, or if you are a representative of an Agency client with questions about Service-side processing, please contact our Data Protection Officer (DPO): [email protected].

10. Contact & Complaints

Data Protection Officer (DPO): [email protected]
General Inquiries: [email protected]

You have the right to lodge a complaint with a supervisory authority. Our lead authority is the Office of the Commissioner for Personal Data Protection, Cyprus (www.dataprotection.gov.cy). For UK individuals, you may contact the Information Commissioner's Office (ICO) (www.ico.org.uk).

11. Policy Updates

We may update this Policy to reflect changes in technology, law, or our services. We will notify registered users of material changes via email or an in-Service notice, in accordance with our Terms and Conditions, and update the "Effective Date". Continued use of our website or Service after such updates constitutes acceptance of the revised Policy, subject to re-consent where required by law for non-essential cookies.