Cookie Policy
Palazzo, Inc.
Effective Date: 2/27/2026 | Version: v1.0 | Consent Platform: CookieYes
1. What Are Cookies?
Cookies are small text files placed on your device when you visit a website. They allow the site to remember information about your visit, including whether you are logged in, your language preferences, how you arrived at the site, and how you navigated through it.
In addition to traditional cookies, Palazzo and its third-party partners use related tracking technologies. Pixel tags are invisible images embedded in pages that signal when content is viewed or a conversion event occurs, and are used by Meta Pixel and LinkedIn Insight Tag. JavaScript tags are scripts that run in your browser and collect behavioural data, and are used by Google Analytics, Google Tag Manager, and Zoho PageSense. Session storage holds data within a single browser session and expires when the tab is closed. Persistent identifiers are stored in cookies and remain for the durations specified in Section 10.
This policy uses the word “cookies” to cover all of the above technologies. Cookies set directly by Palazzo are first-party cookies. Those set by our partners when their scripts run on our site are third-party cookies.
2. Tracking Tools We Use
The following tools are active on palazzo.ai and its subdomains. Non-essential tools are blocked by CookieYes and load only after you provide consent through the consent banner displayed on your first visit.
2.1 CookieYes (Essential — Consent Management)
Provider: CookieYes Ltd, Dublin, Ireland. CookieYes is our consent management platform. It records your cookie preferences, serves the consent banner, and is configured to block non-essential scripts until consent is given. CookieYes is the first script that loads on each page visit. We work to ensure no other tracking tool activates until CookieYes registers your choice, though you can always verify or change your preferences using the Cookie Preferences link in the site footer.
2.2 Google Analytics 4 (Analytics)
Provider: Google Ireland Ltd, Dublin, Ireland. GA4 provides website analytics including page views, session duration, traffic sources, device type, and user journeys. IP addresses are anonymised before storage. Data is used to understand how visitors navigate the site and to improve content and performance. We have enabled Google's EU data boundary setting to process EU visitor data within the EU where possible.
2.3 Google Tag Manager (Functional)
Provider: Google Ireland Ltd, Dublin, Ireland. GTM is a tag management container that coordinates other tracking scripts including GA4, LinkedIn Insight Tag, and Meta Pixel from a single point. GTM itself collects minimal data. CookieYes controls which GTM tags fire based on your consent — declining a category prevents those scripts from loading in your browser at all.
2.4 Zoho PageSense (Analytics)
Provider: Zoho Corporation. ISO 27001 / SOC 2 Type II certified. Zoho PageSense provides A/B testing, heatmaps, session replay, and conversion funnel analytics. Session replays capture mouse movements, scrolls, and clicks — keystrokes and form field contents are never recorded. All data is covered by Zoho's Master Data Processing Agreement which includes Standard Contractual Clauses for transfers of EU personal data outside the EEA.
2.5 Zoho SalesIQ (Functional)
Provider: Zoho Corporation. SalesIQ provides a live chat widget and visitor intelligence. It enables real-time chat support and shows agents which pages a visitor viewed before starting a conversation. SalesIQ activates when you interact with the chat widget or after you consent to functional cookies.
2.6 Framer Analytics (Analytics)
Provider: Framer B.V., Amsterdam, Netherlands. SOC 2 Type II certified. Framer's built-in analytics tracks page views and referral sources for our Framer-hosted marketing site. Privacy-friendly by design — no cross-site tracking, no individual behavioural profiles, and aggregated data only. Framer uses server-side log aggregation rather than client-side tracking cookies.
2.7 LinkedIn Insight Tag (Marketing)
Provider: LinkedIn Ireland Unlimited Company, Dublin, Ireland. The LinkedIn Insight Tag enables conversion tracking and retargeting for our LinkedIn advertising campaigns. It measures how many visitors who saw our LinkedIn ads visited the site, enables Palazzo to retarget ads to LinkedIn members who visited us, and can provide aggregated demographic data about site visitors. LinkedIn acts as both a data processor on our behalf and as an independent controller for its own advertising platform purposes.
2.8 Meta Pixel (Marketing)
Provider: Meta Platforms Ireland Ltd, Dublin, Ireland. The Meta Pixel enables conversion tracking and retargeting for Meta advertising campaigns on Facebook and Instagram. It tracks page views and conversion events, measures ad effectiveness, and enables retargeting Palazzo ads to people who previously visited our site. Meta acts as both a data processor on our behalf and as an independent controller for its own advertising platform purposes.
Note: LinkedIn and Meta as independent controllers: Both LinkedIn and Meta use data collected through their tags for their own advertising purposes independently of Palazzo's instructions. You can manage your preferences directly with each platform — see Section 6.3 for links.
3. Cookie Categories
We organise all cookies into four categories. In all jurisdictions where consent is required — including the EU, UK, California, and Quebec — only Essential cookies are active by default.
| Category | Default Status | Consent Required | Description |
|---|---|---|---|
| Essential | Always active | No | Required for the website and consent system to function. Includes CookieYes consent storage. Cannot be disabled without breaking core site functionality. |
| Analytics & Performance | Off by default | Yes | Help us understand how visitors use the site. Includes Google Analytics 4, Zoho PageSense, and Framer Analytics. Data used to improve content and experience — not for advertising profiles. |
| Functional | Off by default | Yes | Enable enhanced features such as live chat (Zoho SalesIQ). Also covers Google Tag Manager's operational cookie. Disabling may limit support features. |
| Marketing & Targeting | Off by default | Yes | Enable advertising measurement and retargeting via LinkedIn and Meta platforms. Only ever active with your explicit consent. |
4. Cookie List
4.1 Essential & Consent Management
| Cookie Name | Set By | Purpose | Duration |
|---|---|---|---|
| cookieyes-consent | CookieYes | Stores your full consent state across all categories so you are not prompted again on every visit. | 1 year |
| cookieyes-analytics | CookieYes | Granular record of analytics consent, used to prove consent was collected if required by regulators. | 1 year |
| cookieyes-functional | CookieYes | Granular record of functional cookie consent. | 1 year |
| cookieyes-advertisement | CookieYes | Granular record of marketing cookie consent. | 1 year |
4.2 Analytics Cookies
| Cookie Name | Set By | Purpose | Duration |
|---|---|---|---|
| _ga | Google Analytics | Distinguishes unique users by assigning a randomly generated client identifier. | 2 years |
| _ga_[ID] | Google Analytics 4 | Persists GA4 session state across page loads. | 2 years |
| _gid | Google Analytics | Distinguishes users across a single-day session. | 24 hours |
| _gat | Google Analytics | Throttles request rate on high-traffic pages. | 1 minute |
| zps-zguid | Zoho PageSense | Assigns a persistent visitor ID for heatmap and session replay attribution. | 13 months |
| zpagst | Zoho PageSense | Tracks which A/B test variant was shown to ensure a consistent experience. | Session |
| _zcsr_tmp | Zoho PageSense | Temporary initialisation cookie set during PageSense script startup. | Session |
| zpcs_* | Zoho PageSense | Stores conversion goal data to attribute completed goals to visitor sessions. | 30 days |
| Framer (server-side) | Framer B.V. | Aggregated page view counting via server-side logs. No client-side cookie is set. | Server log — 90 days |
4.3 Functional Cookies
| Cookie Name | Set By | Purpose | Duration |
|---|---|---|---|
| _gtm_* | Google Tag Manager | Container management cookie coordinating tag firing. GTM does not collect analytics data independently. | Session |
| __zsiq_* | Zoho SalesIQ | Maintains live chat session state so your conversation persists as you navigate pages. | Session |
| SalesIQ_* | Zoho SalesIQ | Identifies returning visitors in SalesIQ to provide continuity in chat conversations. | Up to 1 year |
4.4 Marketing & Targeting Cookies
| Cookie Name | Set By | Purpose | Duration |
|---|---|---|---|
| _fbp | Meta | Identifies browsers for Meta ad delivery and conversion tracking across Meta products and partner sites. | 90 days |
| _fbc | Meta | Stores the ad click identifier when a visitor arrives via a Meta ad, used to attribute conversions to campaigns. | 90 days |
| fr | Meta | Used for targeted advertising delivery and frequency capping on Meta's advertising network. | 90 days |
| bcookie | Browser identifier for LinkedIn Insight Tag, enabling retargeting and ad measurement. | 1 year | |
| li_fat_id | First-party LinkedIn member indirect identifier for conversion tracking. | 30 days | |
| lidc | Facilitates data centre selection for LinkedIn analytics and ad serving. | 24 hours | |
| UserMatchHistory | Synchronises LinkedIn ad IDs for retargeting within LinkedIn's advertising network. | 30 days | |
| AnalyticsSyncHistory | Records when synchronisation with the LinkedIn Insight Tag last occurred. | 30 days |
5. Third-Party Providers and Data Transfers
When third-party scripts run on our site, those providers may set cookies and process data under their own privacy policies. We have Data Processing Agreements (DPAs) in place with all providers that process personal data as our data processors.
| Provider | Category | Data Sent | Transfer Safeguards | Privacy Policy |
|---|---|---|---|---|
| CookieYes Ltd (Dublin, IE) | Consent | Consent state, timestamps, page URL, anonymised IP | EU-based processing; DPA in place | cookieyes.com/privacy-policy |
| Google Ireland Ltd (Dublin, IE) | Analytics / Functional | Anonymised page views, events, device type, country/region | Google Ads DPT; SCCs for US transfers; EU data boundary enabled | policies.google.com/privacy |
| Zoho Corporation (SOC 2 / ISO 27001) | Analytics / Functional | Session data, heatmap interactions, chat content you submit | Zoho Master DPA covering all Zoho products; SCCs for EEA transfers | zoho.com/privacy.html |
| Framer B.V. (Amsterdam, NL — SOC 2) | Hosting / Analytics | Aggregated page views, referral sources — no individual tracking | EU-based (Netherlands); Framer DPA in place | framer.com/privacy |
| LinkedIn Ireland Unlimited Co. (Dublin, IE) | Marketing | Browser ID, page URL, conversion events, demographic aggregates; hashed email if matched | LinkedIn Joint Controller Terms; SCCs for US transfers. Also acts as independent controller. | linkedin.com/legal/privacy-policy |
| Meta Platforms Ireland Ltd (Dublin, IE) | Marketing | Page views, conversion events, browser fingerprint signals, hashed contact data if provided | Meta Business Tools DPT; SCCs for US transfers. Also acts as independent controller. | facebook.com/privacy/explanation |
6. Your Choices and How to Opt Out
6.1 CookieYes Consent Banner
When you first visit palazzo.ai, the CookieYes consent banner gives you the choice to accept all categories, reject non-essential cookies, or customize by category. CookieYes is configured to block non-essential scripts from loading until you make a selection. You can change your preferences at any time using the “Cookie Preferences” link in the site footer — your updated choice takes effect immediately and previously set cookies in a revoked category are cleared.
When you decline a category, CookieYes is configured to instruct Google Tag Manager not to fire the corresponding tags, so those scripts are not loaded in your browser. We work to ensure this is applied consistently, though no technical implementation is infallible. If you have concerns about a specific cookie, you can also manage preferences directly through your browser settings or the platform-level opt-outs in Section 6.3.
6.2 Browser-Level Controls
You can block or delete cookies through your browser settings independently of our consent banner. Note that blocking essential cookies may prevent parts of the site from working correctly. Instructions are available in your browser's help centre for Chrome, Firefox, Safari, and Edge.
6.3 Platform-Level Opt-Outs
- Google Analytics: tools.google.com/dlpage/gaoptout (browser add-on)
- Google Ad Settings: adssettings.google.com
- LinkedIn retargeting opt-out: linkedin.com/psettings/guest-controls/retargeting-opt-out
- Meta ad preferences: facebook.com/settings (Ads tab)
- Zoho cookie opt-out: zoho.com/privacy/cookie-policy.html
6.4 Do Not Track (DNT)
Some browsers provide a “Do Not Track” (“DNT”) signal. Because there is no universally accepted standard for how to interpret DNT signals, Palazzo does not respond to DNT signals at this time. You can manage cookie preferences through our consent banner and at any time via the “Cookie Preferences” link in the footer, as well as through your browser settings.
6.5 Global Privacy Control (GPC)
We recognize Global Privacy Control (“GPC”) signals where required by applicable law. For example, for California residents, a GPC signal is treated as a request to opt out of the sale or sharing of personal information for cross-context behavioral advertising. When we detect a valid GPC signal, we will limit the use of marketing cookies and similar technologies as required.
7. GDPR — Rights for EU and UK Visitors
If you are in the European Union, European Economic Area, or United Kingdom, the General Data Protection Regulation (GDPR) or UK GDPR governs our use of cookies. Our lawful basis by category:
| Cookie Category | Lawful Basis | GDPR Article |
|---|---|---|
| Essential cookies | Legitimate interest — operating a secure, functional website | Art. 6(1)(f) |
| Analytics cookies | Consent | Art. 6(1)(a) |
| Functional cookies | Consent | Art. 6(1)(a) |
| Marketing cookies | Consent | Art. 6(1)(a) |
Note: CookieYes is configured to block Analytics, Functional, and Marketing scripts until you explicitly consent. Withdrawing consent stops processing and clears previously set cookies in that category. You can verify or update your consent choices at any time via the Cookie Preferences link.
Your rights as an EU or UK resident in relation to data collected through cookies:
- Right to Access (Art. 15): Request a copy of personal data we hold, including data collected via cookies.
- Right to Erasure (Art. 17): Request deletion of your personal data where we have no overriding ground to retain it.
- Right to Object (Art. 21): Object to processing based on legitimate interests. We will stop unless we can demonstrate compelling grounds.
- Right to Withdraw Consent (Art. 7): Withdraw cookie consent at any time via the Cookie Preferences link. Withdrawal does not affect prior lawful processing.
- Right to Restriction (Art. 18): Request that we restrict processing in certain circumstances while a dispute is resolved.
- Right to Data Portability (Art. 20): Request a copy of your data in a structured, machine-readable format where processing is based on consent.
- Right to Complain (Art. 77): Lodge a complaint with your national supervisory authority — ICO (UK), CNIL (France), DPC (Ireland), or your local authority.
To exercise any right, contact legal@palazzo.ai. We respond within 30 days.
7.1 International Data Transfers
Google, Meta, and LinkedIn transfer EU personal data to the US. All three are covered by Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by data minimisation, anonymisation, and pseudonymisation where available. Zoho and Framer process EU personal data within the EEA or under equivalent safeguards. CookieYes processes consent data in the EU.
8. CCPA — Rights for California Residents
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) applies to our use of cookies and tracking technologies.
8.1 Personal Information Collected via Cookies
| CCPA Category | What We Collect | Sold or Shared? |
|---|---|---|
| Identifiers | Cookie IDs, IP address (anonymised), device identifiers | No |
| Internet / network activity | Page views, clicks, session duration, referral source, conversion events | No |
| Geolocation (coarse) | Country and region derived from IP address | No |
| Commercial information / inferences | Ad audience segments built by LinkedIn and Meta based on site visit data | Shared with LinkedIn and Meta for advertising — opt out via Section 6 |
8.2 Sale or Sharing of Personal Information
Palazzo does not sell personal information for monetary consideration. However, sharing site visitor data with LinkedIn and Meta for cross-context behavioural advertising may constitute “sharing” under CPRA. To opt out:
- Use the Cookie Preferences link to disable Marketing cookies.
- Send a Global Privacy Control (GPC) signal via your browser (treated as a valid opt-out for California residents).
- Email legal@palazzo.ai with the subject line “CCPA Opt-Out.”
8.3 Your California Rights
- Right to Know: Request disclosure of categories and specific pieces of personal information collected about you in the past 12 months.
- Right to Delete: Request deletion of personal information we have collected, subject to legal exceptions.
- Right to Correct: Request correction of inaccurate personal information we hold.
- Right to Opt Out: Opt out of sharing personal information for cross-context behavioural advertising via Cookie Preferences or GPC signal.
- Right to Limit Sensitive Personal Information: We do not collect sensitive PI through cookies.
- No Discrimination: We will never discriminate against you for exercising any CCPA right.
Submit requests to legal@palazzo.ai. We respond within 45 days (extendable by 45 days with notice). Authorised agents may submit requests with written authorisation or power of attorney.
9. Other Regions
Our CookieYes consent banner is displayed to all visitors worldwide — everyone has the opportunity to manage non-essential cookies before they are activated, regardless of location.
9.1 Canada — PIPEDA and Quebec Law 25
Quebec's Law 25 requires opt-in consent for non-essential cookies before they are placed. Our banner satisfies this requirement. Quebec residents have additional rights including the right to be de-indexed and the right to data portability. Contact legal@palazzo.ai.
9.2 Brazil — LGPD
Our consent mechanism satisfies LGPD consent requirements. Brazilian residents have rights to access, correction, deletion, anonymisation, portability, and information about data sharing. Contact legal@palazzo.ai.
9.3 Australia — Privacy Act 1988
We comply with the Australian Privacy Principles. Contact legal@palazzo.ai for access or correction requests. Complaints may be referred to the OAIC at oaic.gov.au.
9.4 Japan — APPI and South Korea — PIPA
Cookie data that identifies individuals constitutes personal information under both the Japanese APPI and Korea's PIPA. Our consent mechanism and transfer safeguards apply to visitors from both jurisdictions. Contact privacy@palazzo.ai to exercise your rights.
10. Cookie Duration
Session cookies expire when you close your browser. Persistent cookies remain until their expiry date or until cleared through your browser or the CookieYes preferences panel.
| Cookie / Tool | Type | Duration |
|---|---|---|
| CookieYes consent cookies (all category records) | Persistent | 1 year from consent date |
| Google Analytics (_ga, _ga_*) | Persistent | 2 years |
| Google Analytics (_gid) | Persistent | 24 hours |
| Google Analytics (_gat) | Persistent | 1 minute |
| Zoho PageSense (zps-zguid) | Persistent | 13 months |
| Zoho PageSense (zpcs_*) | Persistent | 30 days |
| Zoho PageSense session cookies (zpagst, _zcsr_tmp) | Session | Browser close |
| Zoho SalesIQ (SalesIQ_*) | Persistent | Up to 1 year |
| Zoho SalesIQ session cookies (__zsiq_*) | Session | Browser close |
| Meta Pixel (_fbp, _fbc, fr) | Persistent | 90 days |
| LinkedIn (bcookie) | Persistent | 1 year |
| LinkedIn (li_fat_id, UserMatchHistory) | Persistent | 30 days |
| LinkedIn (lidc) | Persistent | 24 hours |
| Framer analytics | Server-side log | Aggregated, 90 days |
| Google Tag Manager (_gtm_*) | Session | Browser close |
11. Changes to This Policy
We review this Cookie Policy at least annually and whenever we add, change, or remove a tracking tool. This Policy is reviewed in conjunction with the Privacy Policy and updated consistently.
For material changes — such as adding a new tracking category or tool — we will update the Effective Date and version number, post a notice on our website, and where required by law present a new consent prompt through CookieYes so you can review and re-confirm your preferences before any new processing begins.
Minor corrections such as updated cookie names or clarified descriptions that do not affect data processing will be made without a formal notice.
12. Contact Us
For questions about this Cookie Policy, to exercise any privacy right, or to update your consent preferences:
- Email: legal@palazzo.ai
- Post: Palazzo, Inc., 167 Madison Ave Suite 205 #643 New York City, NY 10016
- Cookie Preferences: Use the “Cookie Preferences” link in the footer of palazzo.ai, or click the consent banner icon if displayed.
EU and UK residents: if you are not satisfied with our response, you have the right to lodge a complaint with your national data protection supervisory authority.
California residents: you may also contact the California Privacy Protection Agency (CPPA) at cppa.ca.gov.