Cookie Policy

This Cookie Policy explains how ITLOX Inc. ("RadMah AI," "we," "our," or "us") uses cookies and similar tracking technologies on our marketing website (www.radmah.ai) and, where indicated, our client application (app.radmah.ai). It should be read alongside our Privacy Policy (www.radmah.ai/legal/privacy) and Terms of Service (www.radmah.ai/legal/terms), which together govern your use of our services. This policy applies to all visitors to our marketing website and all registered users of the platform.

Cookies are small text files that a website places on your device (computer, tablet, or mobile phone) when you visit it. They allow the website to recognise your device and remember certain information about your preferences or actions over time. Similar technologies include: Local Storage and Session Storage: Browser-side key-value stores used for client-side state that does not need to be transmitted to servers. Pixel tags / web beacons: Small transparent images embedded in web pages or emails that allow us to record that a page has been viewed. We collectively refer to all of these as "cookies" in this policy for simplicity. Cookies can be "session" cookies (deleted when you close your browser) or "persistent" cookies (remaining on your device for a set period or until you delete them). They can be set by us ("first-party cookies") or by third parties whose services we embed ("third-party cookies").

We classify cookies into the following categories based on their purpose: ────────────────────────────────────────── Category 1: Strictly Necessary Cookies ────────────────────────────────────────── These cookies are essential for the website and platform to function. They cannot be disabled without breaking core functionality. No consent is required to set these cookies. | Cookie Name | Purpose | Duration | Type | |---|---|---|---| | __session | Authenticated session token — identifies logged-in users. Set as httpOnly, Secure, SameSite=Strict. | Session | First-party | | __csrf | Cross-Site Request Forgery protection token. Prevents unauthorised form submissions. | Session | First-party | | __lb | Load balancer affinity cookie. Ensures requests route to the same backend instance during a session. | Session | First-party | | cookieconsent_status | Records whether you have accepted, rejected, or customised cookie preferences. | 12 months | First-party | ────────────────────────────────────────── Category 2: Analytics and Performance Cookies ────────────────────────────────────────── These cookies help us understand how visitors use our website so we can improve performance and content. All analytics data is aggregated and anonymised before analysis. Consent is required in applicable jurisdictions. | Cookie Name | Provider | Purpose | Duration | Type | |---|---|---|---|---| | _analytics_id | RadMah AI (first-party) | Tracks aggregated, anonymised page visit counts, referrer source, and navigation paths. IP addresses are anonymised before storage. No cross-site tracking. | 12 months | First-party | We do NOT use Google Analytics, Meta Pixel, LinkedIn Insight Tag, or any other third-party behavioural advertising or retargeting technology. ────────────────────────────────────────── Category 3: Functional Cookies ────────────────────────────────────────── These cookies enable enhanced functionality and personalisation. They may be set by us or by third-party providers whose services appear on our pages. | Cookie Name | Purpose | Duration | Type | |---|---|---|---| | ui_preferences | Remembers your UI preferences (e.g., collapsed navigation, theme). | 90 days | First-party | ────────────────────────────────────────── Category 4: Advertising and Targeting Cookies ────────────────────────────────────────── We do NOT currently use advertising, retargeting, or social media tracking cookies of any kind. We do not share user data with advertising networks. If this changes, we will update this Cookie Policy and obtain fresh consent before deploying advertising cookies.

In limited circumstances, third-party services integrated into our platform may set their own cookies. These services operate independently under their own privacy and cookie policies, and we do not control those technologies. Stripe (Payment Processing): Stripe may set cookies on checkout and billing pages to prevent fraud and remember payment state. Stripe operates under its own cookie and privacy policies available at stripe.com/privacy. Sentry (Error Monitoring, if active): Sentry may set a session identifier to correlate error reports with a user session. No personally identifiable information beyond a session token is shared. See sentry.io/privacy. We do not embed social media share buttons, advertising pixels, or third-party analytics on our marketing website. If we introduce any additional third-party cookie, this table will be updated and (where required) fresh consent obtained.

For visitors in the European Economic Area (EEA), the United Kingdom, and other jurisdictions governed by equivalent ePrivacy legislation: Strictly Necessary Cookies: Set on the basis of legitimate interests and the necessity to deliver a functioning service. No consent is required. Analytics, Functional, and Advertising Cookies: Set only with your prior, freely given, specific, informed, and unambiguous consent, obtained through our cookie consent banner on first visit. For visitors in jurisdictions not subject to ePrivacy-style consent requirements, analytics cookies may be set without explicit consent but remain subject to our Privacy Policy obligations regarding data minimisation and anonymisation. You have the right to withdraw cookie consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

You can manage your cookie preferences at any time through the following methods: Our Cookie Settings Banner: Click the "Cookie Settings" link in the site footer to open our consent management tool. From there you can accept, reject, or customise cookies by category. Your selection will be saved in the cookieconsent_status cookie for 12 months. Browser Settings: Most browsers allow you to view, block, and delete cookies through the browser's settings. Note that blocking strictly necessary cookies will prevent core site functionality from working. Common browser cookie management links: — Google Chrome: Settings → Privacy and Security → Cookies and other site data — Mozilla Firefox: Settings → Privacy & Security → Cookies and Site Data — Safari: Preferences → Privacy → Manage Website Data — Microsoft Edge: Settings → Cookies and site permissions → Cookies and site data Browser Opt-Out Tools: You may use global privacy signals such as the Global Privacy Control (GPC) signal or similar mechanisms where we have implemented support for them. Device Opt-Outs (Mobile): — iOS: Settings → Privacy → Tracking — Android: Settings → Privacy → Ads Opting out of analytics cookies does not opt you out of strictly necessary cookies, and it does not stop us processing personal data that we collect for other lawful purposes described in our Privacy Policy.

Our client application (app.radmah.ai) uses strictly necessary session and CSRF cookies as described in Category 1. Analytics cookies in the client application are limited to aggregated, anonymised feature interaction telemetry that does not rely on browser cookies; this telemetry is governed by the Privacy Policy and the Terms of Service, not this Cookie Policy. API requests made to api.radmah.ai do not use cookies — they use bearer token (API key) authentication.

Some browsers include a "Do Not Track" (DNT) setting that signals to websites that you do not wish to be tracked. There is currently no universal standard for how websites must respond to DNT signals. We currently do not change our practices in response to DNT signals alone. However, as noted above, we do not engage in cross-site behavioural tracking, social media tracking, or advertising targeting irrespective of DNT status. We do support the Global Privacy Control (GPC) signal where applicable.

Data collected through analytics cookies is retained in aggregated, anonymised form for up to 24 months before being deleted or further anonymised. Individual-level data points (such as session IDs used for analytics deduplication) are anonymised within 90 days. Consent records (recording what cookie choices you made and when) are retained for 3 years as evidence of compliance.

We may update this Cookie Policy at any time to reflect changes in the cookies we use, changes in applicable law, or updates to our technology stack. The "Last Updated" date at the top of this page reflects the most recent revision. If we introduce new categories of non-essential cookies, we will obtain fresh consent before deploying them. For minor changes (such as adding a new strictly necessary cookie or updating a cookie description), we will update this policy without requiring fresh consent. We encourage you to review this policy periodically.

For questions about this Cookie Policy or our use of cookies: Privacy team: privacy@radmah.ai Legal inquiries: legal@radmah.ai We aim to respond to all cookie-related queries within 5 business days.