QEHS

Privacy

Cookie Policy

What cookies and similar technologies we use, why, and how to control them. Aligned with GDPR, UK PECR, CCPA / CPRA, and LGPD.

Version: 1.1
Effective: 2026-05-14
Slug: /legal/cookies

Status

Status: Version 1.1 effective 2026-05-14. These revisions are an internal editorial pass intended to make the document complete and accurate. The text remains under outside-counsel review. Material legal positions (entity definition, liability cap carve-outs, AI Article 22 disclosures, Transfer Impact Assessment) are flagged for counsel and may change before final publication.

What cookies are and how we use them

A cookie is a small text file stored on your device by your browser when you visit a website. We use cookies, similar technologies (local storage, session storage), and server-side analytics to operate the marketing site (qehsethos.com) and the product application (app.qehsethos.com).

We group cookies into four categories: strictly necessary, functional, analytics, and marketing. Each category is described below.

Categories

Strictly necessary: required to operate the site and the product. These cannot be disabled. Examples: session cookies, CSRF tokens, load-balancer affinity.

Functional: remember preferences. Off by default; enabled on acceptance. Examples: language preference, dismissed-banner state, theme preference.

Analytics: aggregate usage measurement. Off by default; enabled on acceptance.

Marketing: attribution and retargeting. At launch we do not use marketing cookies; if we add them, the consent banner will offer them as a separate opt-in and this policy will be updated.

Named cookies in use

Strictly necessary — qehs_session (QEHS, session cookie, expires on logout or after 30 days of inactivity, purpose: authenticated session token).

Strictly necessary — qehs_csrf (QEHS, session cookie, expires on logout, purpose: CSRF token to prevent cross-site request forgery).

Strictly necessary — qehs_lb (QEHS, session cookie, expires at end of browser session, purpose: load-balancer affinity).

Functional — qehs_locale (QEHS, persistent cookie, expires after 365 days, purpose: remembers selected language).

Functional — qehs_consent (QEHS, persistent cookie, expires after 365 days, purpose: records your cookie consent choices so we do not re-prompt you).

Analytics — at launch, analytics are collected server-side by SigNoz (a self-hosted observability platform operated by QEHS). No analytics cookies are set in your browser. If we add a browser-side analytics provider, we will list it here and in the consent banner before deploying it.

Marketing — none in use at launch.

Third-party cookies

At launch, the marketing site and the product application do not set third-party cookies. We use Stripe for payment processing, but Stripe cookies are only set on the Stripe-hosted checkout page, not on qehsethos.com.

If we add embedded third-party services (chat widget, video embeds, marketing automation pixels) that set their own cookies, we will identify the provider and the purpose in this section and offer the cookie under the appropriate consent category.

Consent

We display a consent banner on your first visit. You can accept all, reject all (other than strictly necessary), or customise your selection. You can change your selection at any time via the "Cookie preferences" link in the footer.

In the European Economic Area, United Kingdom, and other regions requiring prior consent for non-essential cookies, no functional, analytics, or marketing cookies are set before you give consent.

Do Not Track and Global Privacy Control

We honour the Global Privacy Control (GPC) signal as a legally binding opt-out of sale or sharing of personal information under California law (CPRA). When the GPC header is present in your request, we treat your visit as opted out of marketing and analytics cookies as well as opted out of sale or sharing.

The legacy Do Not Track (DNT) header is no longer a meaningful standard and is not treated as a binding signal. Use the consent banner or GPC instead.

Retention

Session cookies expire when you close your browser or log out.

Persistent cookies (functional category) expire 365 days after they are set.

When you reject a category, the corresponding cookies are deleted from your browser at the next page load and we do not set them again until you change your selection.

Withdrawing consent

You can withdraw consent at any time using the "Cookie preferences" link in the footer of qehsethos.com.

You can also clear cookies in your browser settings; doing so will cause the banner to appear again on your next visit.

Changes

We will update this policy whenever we add, remove, or change the purpose of a cookie. Material changes will be highlighted in the consent banner.

Version history

  • Version 1.0, Initial publication.
    Effective 2026-04-15
  • Version 1.1, Editorial revisions to address findings from the internal first-pass legal review: removed inaccurate data-residency claim, added GDPR Article 28(3) mandatory content to the DPA with Annexes I/II/III populated inline, added termination + survival + severability clauses across all contract documents, added IP ownership clause, added AI-output-liability disclaimer, added insurance schedule placeholder, added credit-claim mechanism to the SLA, added CCPA/CPRA disclosures, aligned plan-tier naming (Starter / Business / Enterprise) across SLA and ToS, and replaced unearned audit-certification references with the actual current state.
    Effective 2026-05-14

Questions? Email hello@qehsethos.com or return to the legal index.