ERMITS ADVISORY SERVICES - COOKIE & PORTAL POLICY

Advisory Services Website:

• Public marketing site at https://www.ermits-advisory.com/ (services, how it works, sample report, Cyber Exposure Brief, intake)
• Contact and inquiry forms (for example Talk to an advisor)
• Google Analytics 4 on pages that load our analytics script

Client Portal:

• Secure client portal for engagement management (where ERMITS provides portal access; may be hosted separately from the static marketing site)
• Document sharing and collaboration platform
• Project status tracking and communications
• Deliverable access and review

Essential Cookies (Always Active):

Required for basic website and portal functionality:

• Authentication and session management (client portal)
• Security and fraud prevention
• Load balancing and performance
• User preference storage (language, theme selection)
• Form submission and inquiry handling

Performance Cookies (Optional):

Help us improve service performance (may vary by site or application):

• Page load time measurement
• Error tracking and debugging on some applications (for example Sentry)—not loaded on the static www.ermits-advisory.com pages by default
• Feature usage analytics
• Service optimization

Analytics Cookies (Optional):

Help us understand how visitors use our website. On https://www.ermits-advisory.com/, we use Google Analytics 4 (G-VEQXJHYNHG) with IP anonymization. Other ERMITS web properties may use additional tools (for example PostHog).

• Page views and navigation patterns
• Time spent on pages
• Popular content and resources
• Popular features and pages
• User journey analysis
• Conversion tracking

Functional Cookies (Optional):

Enable enhanced functionality:

• Remember your preferences and settings
• Remember form field entries (for convenience)
• Enable resource downloads and content access
• Personalize user experience
• Enable integrations with third-party services

Marketing Cookies (Opt-In Required):

Used for marketing and advertising (with your consent):

• Track conversions from marketing campaigns
• Measure effectiveness of advertising
• Enable targeted content recommendations
• Support retargeting campaigns

What We Log:

• Timestamp of access
• IP address (anonymized after 90 days)
• HTTP method and requested URL
• HTTP response status code
• User agent (browser and operating system)
• Referrer (previous page)
• Error messages and stack traces (for debugging)

Log Retention:

• Active logs: 90 days
• Archived logs (anonymized): 1 year
• Access restricted to security and engineering teams

Use of Logs:

• Security monitoring and threat detection
• Performance optimization
• Error debugging and troubleshooting
• Usage statistics (anonymized)
• Fraud prevention

On ERMITS Website:

• Access cookie preferences anytime via footer link
• Navigate to: Cookie Settings or Preferences
• Toggle cookie categories on/off (except essential)
• Save changes (takes effect immediately)

Browser Controls:

Most browsers allow cookie management:

Supabase (Authentication & Database):

• Purpose: User authentication and session management
• Privacy: Essential for service functionality
• Control: Required for service use; cannot be disabled
• Data Collected: Email, encrypted client data, session information
• Location: US or EU (client choice for portal data residency)
• Privacy Policy: https://supabase.com/privacy

Google Analytics:

• Purpose: Website traffic analysis and visitor behavior
• Data Collected: Page views, sessions, demographics, interests, device info
• Privacy: IP anonymization enabled, data retention set to 26 months
• Opt-Out: Use Google Analytics Opt-out Browser Add-on or disable analytics cookies
• Privacy Policy: https://policies.google.com/privacy

PostHog (Analytics):

• Purpose: Anonymous usage analytics with differential privacy on some ERMITS web properties (not used on the default static pages of www.ermits-advisory.com)
• Privacy: Cannot identify individual users
• Control: Can be disabled in privacy settings (opt-out)
• Privacy Policy: https://posthog.com/privacy

Sentry (Error Tracking):

• Purpose: Monitor application errors and performance on some applications (not loaded on the default static www.ermits-advisory.com pages)
• Privacy: Automatically scrubs PII from error reports
• Control: Can be disabled in privacy settings
• Data Collected: Error messages (PII automatically scrubbed), user actions leading to errors
• Data Retention: 90 days
• Privacy Policy: https://sentry.io/privacy/

Stripe (Payment Processing):

• Purpose: Payment processing and fraud prevention where ERMITS collects payment through Stripe (not used for standard form-only intake on the static marketing site)
• Privacy: Handles payment information securely
• Control: Required for payment functionality
• Privacy Policy: https://stripe.com/privacy

HubSpot (Marketing Automation):

• Purpose: Lead management, form submissions, marketing campaigns where deployed
• Data Collected: Contact information (name, email, company), form submissions, page views
• Privacy: GDPR-compliant, data processing agreement in place
• Opt-Out: Disable marketing cookies, unsubscribe from emails
• Privacy Policy: https://legal.hubspot.com/privacy-policy

Vercel (Hosting & CDN):

• Purpose: Content delivery and performance optimization
• Privacy: Standard web server logs
• Control: Required for service delivery
• Privacy Policy: https://vercel.com/legal/privacy-policy

We Contractually Require Third Parties To:

• Use data only for specified purposes (supporting our services)
• Implement appropriate security measures
• Comply with applicable privacy laws (GDPR, CCPA)
• Respect user opt-out preferences
• Delete data when no longer needed

You Can Control Third-Party Cookies:

• Use browser settings to block third-party cookies
• Use privacy-focused browser extensions (Privacy Badger, uBlock Origin)
• Opt out via Digital Advertising Alliance: http://optout.aboutads.info
• Opt out via Network Advertising Initiative: http://optout.networkadvertising.org

ERMITS Respects DNT Signals:

• When browser DNT is enabled, we disable optional analytics and marketing cookies
• Essential cookies remain active (required for portal functionality)
• No behavioral tracking or profiling when DNT enabled

Enabling DNT:

• Firefox: Settings → Privacy & Security → Send websites a "Do Not Track" signal
• Safari: Preferences → Privacy → Prevent cross-site tracking (enabled by default)
• Edge: Settings → Privacy, Search, and Services → Send "Do Not Track" requests
• Chrome: Not supported (use cookie controls instead)

GPC Support:

• We honor Global Privacy Control signals as an opt-out preference under CCPA
• GPC automatically disables non-essential cookies
• Available via browser extensions or privacy-focused browsers

Enabling GPC:

• Install GPC browser extension: https://globalprivacycontrol.org
• Use privacy-focused browsers with built-in GPC (Brave, DuckDuckGo, Firefox with extension)

What We Track (Client Portal):

• Login/logout events and timestamps
• Document access and downloads
• Page views within portal
• Feature usage (anonymized)
• Error events and performance issues

Purpose:

• Security monitoring and anomaly detection
• Audit trail for compliance
• Portal performance optimization
• User support and troubleshooting

Privacy Protections:

• Tracking limited to portal activity only
• No cross-site tracking or profiling
• Data used only for security and support
• Client administrators may review access logs

Privacy-First Local Storage:

ERMITS products extensively use browser local storage (localStorage, IndexedDB) for Privacy-First Architecture:

Website:

• Anonymous browsing supported (no account required)
• Contact forms collect only necessary information
• No tracking of individual browsing behavior for marketing
• Resource downloads do not require email (for public content)

Client Portal:

• Data collection limited to engagement-related activities
• No unnecessary profiling or behavioral tracking
• Client controls data retention and deletion
• Export all portal data anytime (JSON, CSV)

We Do NOT Collect:

• Browsing history across other websites
• Granular location data (only country-level for analytics)
• Personal data from cookies (authentication tokens only)
• Sensitive personal information via website forms
• PII in cookies (names, emails, addresses not stored in cookies)
• Sensitive data in cookies (passwords, financial info, CUI/FCI)

We Do Collect (Minimally):

• Contact information you provide via forms (name, email, company, phone)
• Aggregated website analytics (page views, popular content)
• Client portal activity for security and audit purposes
• Technical information (browser, OS, device type) for support
• Session tokens only for authentication
• Hashed identifiers for analytics (cannot be reverse-engineered)

Cookie Consent:

• Explicit consent required before setting non-essential cookies
• Granular control over cookie categories
• Easy withdrawal of consent anytime
• Pre-checked boxes prohibited (opt-in required)

Legal Basis for Cookies:

• Essential Cookies: Necessary for service provision (GDPR Art. 6(1)(b))
• Analytics Cookies: Legitimate interests (GDPR Art. 6(1)(f)) or consent
• Marketing Cookies: Explicit consent (GDPR Art. 6(1)(a))

Rights:

• Access cookie data collected about you
• Request deletion of cookie data
• Object to cookie-based processing
• Lodge complaint with supervisory authority

Data Protection Authority:

• Contact your local DPA: https://edpb.europa.eu/about-edpb/board/members_en
• ERMITS DPO: privacy@ermits.com

Right to Know:

• Categories of personal information collected via cookies
• Categories of third parties with whom we share cookie data
• Business purposes for cookie use

Right to Opt-Out:

• Opt out of "sale" of personal information (we do not sell)
• Opt out of sharing for targeted advertising (disable marketing cookies)
• Use GPC to automatically signal opt-out preference

Right to Limit:

Limit use of sensitive personal information (none collected via cookies)

Non-Discrimination:

• Equal service regardless of cookie preferences
• No penalty for disabling optional cookies

Submit Requests:

• Email: privacy@ermits.com (Subject: "CCPA Request - Cookies")
• Online: Cookie Settings → Exercise Your Rights

What We Track:

• Page Views: Which pages are visited and how often
• Traffic Sources: How visitors find our website (search, referral, direct)
• Demographics: Country, language, browser, device type (aggregated)
• User Flow: Navigation patterns through website
• Conversions: Form submissions, resource downloads, contact requests
• Performance: Page load times, errors, bounce rates

Privacy Protections:

• IP Anonymization: Last octet removed before storage
• Data Minimization: No granular personal data collected
• Aggregation: Reports show aggregate trends, not individual behavior
• Retention Limits: Analytics data retained 26 months maximum

Website Optimization:

• Improve user experience and navigation
• Identify popular content and resources
• Fix broken links and errors
• Optimize page performance and load times

Content Strategy:

• Understand which topics are most valuable to visitors
• Develop new resources based on interest
• Tailor messaging to audience needs

Marketing Effectiveness:

• Measure campaign performance
• Understand lead sources and quality
• Optimize marketing spend and strategy

We Do NOT Use Analytics For:

Technical Safeguards:

• HTTPS Only: All cookies transmitted over encrypted connections
• Secure Flag: Cookies sent only over HTTPS
• HTTP-Only Flag: Authentication cookies inaccessible to JavaScript (prevents XSS)
• SameSite Attribute: Cookies sent only to same-site requests (prevents CSRF)
• Short Expiration: Session cookies expire quickly (1-4 hours)
• Encrypted Values: Sensitive cookie values are encrypted

Cookie Security Risks:

Be aware of cookie-related security risks:

• Session Hijacking: Attackers stealing session cookies
• XSS Attacks: Malicious scripts accessing cookies
• CSRF Attacks: Unauthorized actions using your cookies

Protect Yourself:

• Use strong, unique passwords for client portal
• Enable multi-factor authentication (MFA)
• Log out when finished (especially on shared devices)
• Clear cookies on public/shared computers
• Keep browser and OS updated
• Use antivirus and security software
• Be cautious of phishing emails

Infrastructure Security:

• SOC 2 Type II compliant hosting (Supabase)
• DDoS protection and Web Application Firewall (WAF)
• Regular vulnerability scanning and penetration testing
• 24/7 security monitoring and alerting
• Intrusion detection and prevention (IDS/IPS)

Application Security:

• Secure coding practices (OWASP Top 10)
• Input validation and output encoding
• SQL injection prevention (parameterized queries)
• XSS protection (Content Security Policy)
• CSRF protection (anti-CSRF tokens)
• Regular security updates and patches

Material Changes:

• 30 days' advance notice via website banner
• Email notification to active clients
• Updated cookie consent banner on first visit
• Opportunity to review and adjust preferences

Non-Material Changes:

• Update "Last Updated" date
• Effective immediately upon posting
• Notice in footer of website