This Cookie Notice explains how Exchester Ltd (a company incorporated in England and Wales with company number 12601661, whose registered office is at 2nd Floor College House, 17 King Edwards Road, Ruislip, London, HA4 7AE, United Kingdom), trading as GATA AI ("GATA", "we", "us", "our"), uses cookies and similar technologies on the GATA AI website at https://gata.ai (the "Website") and the GATA AI software-as-a-service platform (the "Service").
This Cookie Notice forms part of our Privacy Notice and supplements the GATA AI Terms of Service. Capitalised terms used but not defined in this Cookie Notice have the meanings given in the Terms of Service.
This Cookie Notice describes the practices that apply to the Website and the Service as operated for users in the United Kingdom and the wider European Economic Area. We do not target users outside the United Kingdom for marketing purposes; however, the same cookie practices apply globally to anyone who visits the Website or the Service.
1. What cookies and similar technologies are
A "cookie" is a small text file that a website places on your device when you visit. Cookies are widely used to make websites work, to make them work more efficiently, and to provide information to the operator of the site.
We also use other browser-storage technologies that do not, strictly speaking, involve a cookie — for example, HTML local storage and session storage. These technologies are not regulated under the same regime as cookies in every jurisdiction, but for transparency we treat all of them equivalently in this Cookie Notice. References to "cookies" in this Cookie Notice include local storage, session storage and any similar device-based identifier we set or read on your device.
We do not currently use:
- web beacons / tracking pixels (e.g. Meta Pixel, LinkedIn Insight Tag, Google Floodlight);
- device fingerprinting as an identifier;
- session-replay or behavioural-recording tools (e.g. Hotjar, FullStory, LogRocket); or
- advertising or retargeting cookies of any kind.
If we introduce any of these in the future we will update this Cookie Notice and, where required, obtain your prior consent before they run.
2. The legal basis on which we set cookies
We are based in the United Kingdom, and the relevant laws are:
- the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR"), in particular regulation 6, which requires that — apart from cookies that are "strictly necessary" — we obtain your consent before storing or accessing information on your device; and
- the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018, where any cookie processes personal data (including online identifiers such as IP addresses or pseudonymous identifiers).
In summary:
| Cookie category | Consent required? | Our legal basis |
|---|---|---|
| Strictly necessary | No (PECR reg 6(4)(b)) | Necessary for the Service requested by you |
| Functional / preference | Yes — opt-in, except where set only after authenticated sign-in for an account-bound preference | Consent (PECR reg 6(1) and UK GDPR Art. 6(1)(a)) |
| Analytics / measurement | Yes — opt-in | Consent (PECR reg 6(1) and UK GDPR Art. 6(1)(a)) |
| Marketing / advertising | Yes — opt-in | Consent (PECR reg 6(1) and UK GDPR Art. 6(1)(a)) |
We do not rely on "legitimate interests" under UK GDPR Article 6(1)(f) to set non-essential cookies. The PECR consent rule applies regardless of whether the cookie processes personal data, so legitimate interests cannot substitute for consent at the cookie-setting stage.
We do not rely on pre-ticked boxes, "implied consent" derived from continued browsing, or cookie walls that condition access on acceptance. Where we ask for consent, the choice will be unambiguous, granular and as easy to withdraw as to give.
3. Cookies we use today
The following inventory reflects the cookies and similar technologies we set as at the "Last updated" date at the top of this Cookie Notice. We review the inventory periodically and will update this section when it changes.
3.1 Strictly necessary
These cookies are essential for the Service to function. Without them you cannot sign in, your session cannot be kept active across page loads, and we cannot protect your account against cross-site request forgery. They do not require consent under PECR regulation 6(4)(b).
| Name | Provider | Type | Purpose | Duration |
|---|---|---|---|---|
gata_refresh | First-party (gata.ai) | HTTP cookie — HttpOnly, Secure (in production), SameSite per environment, Path=/api/auth | Holds the encrypted refresh token used to keep an Authorised User signed in across visits and to obtain new short-lived access tokens from the GATA backend. Set only after a successful login or sign-up email-verification step. | 7 days from issue, refreshed on use; cleared on logout |
gata_csrf | First-party (gata.ai) | HTTP cookie — Secure (in production), SameSite per environment, Path=/, readable by JavaScript by design | The web application reads this cookie value and echoes it back to the GATA backend in the x-csrf-token request header. The backend rejects state-changing requests where the header and cookie do not match. This is the standard "double-submit" defence against cross-site request forgery and is required for the Service to be safe to use. | 7 days from issue, refreshed on use; cleared on logout |
We may, in addition, set short-lived cookies that are required to operate specific account flows (for example, an anti-fraud cookie issued by our payment processor when you enter the Stripe-hosted checkout — see clause 3.4 below).
3.2 Functional / preference
These items remember preferences you set inside the Service so that the user interface behaves the way you left it. They are stored on your device, not on our servers.
| Name | Provider | Type | Purpose | Duration |
|---|---|---|---|---|
gata.leftRail.collapsed | First-party (gata.ai) | HTML localStorage | Remembers whether you have collapsed the left navigation rail in the in-product workspace, so that your preference persists across visits. | Persistent, until you clear browser storage |
gata.museRail.collapsed | First-party (gata.ai) | HTML localStorage | Remembers whether you have collapsed the "muse" rail in the workspace, so that your preference persists across visits. | Persistent, until you clear browser storage |
These items are written only after you have signed in to the Service and have actively interacted with the relevant control. They are not set on the public-facing marketing pages of the Website. We treat them as legitimately set on the basis of your continuing use of an account that is already governed by the Terms of Service; if you object, you can clear them at any time using your browser's site-data controls or by signing out and clearing site data.
3.3 Analytics
We use Google Analytics 4 ("GA4", measurement ID G-NFPBEF1HB4), supplied by Google LLC and (for UK / EEA users) Google Ireland Limited, to understand how visitors and signed-in Authorised Users interact with the Website and the Service. GA4 cookies are non-essential and are set only after you have given prior opt-in consent through the cookie consent banner described in clause 5.2.
| Name | Provider | Type | Purpose | Duration |
|---|---|---|---|---|
_ga | Google (1st-party set on gata.ai) | HTTP cookie | Distinguishes unique users for measurement. | 2 years from set/refresh |
_ga_<container-id> | Google (1st-party set on gata.ai) | HTTP cookie | Persists session state for the GA4 property identified by <container-id>. | 2 years from set/refresh |
GA4 is configured with send_page_view: false; page views are sent only after consent and from authenticated routes that pass through the in-app analytics module. Once an Authorised User signs in, GA4 receives a stable internal user_id (not the user's email or name) and a small set of user_properties describing the Account context (account type, plan, admin role) so that aggregated product metrics can be segmented. Sensitive query-string parameters are stripped before transmission.
We do not run Plausible, Fathom, PostHog, Mixpanel, Amplitude, Segment, Heap or Matomo. Google acts as an independent controller for GA4 measurement (under Google's Measurement Controller-to-Controller Data Protection Terms); it is not a processor on our behalf. Google's processing is governed by Google's own privacy notices: https://policies.google.com/privacy and https://business.safety.google/adsservices/.
You can withdraw consent to GA4 at any time via the "Manage cookies" link in the Website footer (see clause 5.2). On withdrawal, the GA4 script is no longer loaded on subsequent page loads and the GA4 cookies are cleared.
3.4 Marketing and advertising
We do not set any marketing, advertising or retargeting cookies. We do not run Meta Pixel, LinkedIn Insight Tag, Google Ads conversion tags, X / TikTok pixels, HubSpot tracking, Intercom messenger cookies, or any equivalent product.
The Website does not embed advertising third-party content of any kind. The marketing pages do not embed YouTube, Vimeo, Wistia, Loom or other third-party video players that would set cookies.
3.5 Third-party services we redirect you to
When you choose to subscribe, top up Credits, manage your subscription or update payment details, we redirect you to a checkout or billing-management page hosted by Stripe Payments Europe, Limited ("Stripe") at checkout.stripe.com and billing.stripe.com. Stripe sets its own cookies on its own domain, including session and anti-fraud cookies that are necessary to process the payment. Those cookies are set by Stripe in its capacity as a third-party data controller and are governed by Stripe's own cookie disclosures:
- Stripe Cookie Policy: https://stripe.com/cookies-policy/legal
- Stripe Privacy Policy: https://stripe.com/privacy
We do not have access to Stripe's cookies, do not control their content or duration, and do not embed Stripe scripts on the Website outside the redirect to the Stripe-hosted pages.
3.6 Web fonts
The Website loads two web fonts from third-party content-delivery networks ("CDNs"):
- the "Geist" typeface family from
cdn.jsdelivr.net(jsDelivr, an open-source npm-package CDN operated by Prospect One sp. z o.o. and fronted by Cloudflare and Fastly infrastructure); and - the "JetBrains Mono" typeface from
fonts.googleapis.com(Google's font CDN, operated by Google LLC).
Loading each font causes your browser to make a network request to the relevant CDN, which exposes your IP address to that CDN operator. No cookie is set on the gata.ai domain by either request and, on current CDN behaviour, no cookie is set on the cdn.jsdelivr.net or fonts.googleapis.com domains either. The IP-address transfers are nevertheless processing activities under UK GDPR.
The font CDNs are required for the Website to render in the intended typography. They are loaded on every page (including before any consent banner is shown). You can prevent each request by blocking the corresponding domain in your browser; the Website will then fall back to your operating-system default sans-serif and monospace fonts.
4. Cookies we may set in the future
If we add any of the following, we will update this Cookie Notice and, where required by PECR, ensure that a consent banner offers a clear opt-in before the relevant cookie is set:
- error-monitoring or crash-reporting tools (for example, a self-hosted error tracker scoped to the authenticated workspace only, with personal data minimised);
- marketing-page A/B testing for the public Website; and
- load-balancer "stickiness" cookies issued by AWS Elastic Load Balancing if we change our infrastructure to require them. We do not currently use them.
We will not introduce advertising or cross-site retargeting cookies on the gata.ai domain.
5. How to manage and withdraw consent
5.1 Browser controls
Most browsers let you view, manage and delete cookies on a per-site basis. The relevant settings are typically found under "Privacy" or "Site settings". The Information Commissioner's Office maintains an up-to-date guide at https://ico.org.uk/for-the-public/online/cookies/.
Blocking the strictly necessary cookies described in clause 3.1 will prevent you from signing in to the Service or, after signing in, will cause your session to be rejected as cross-site-request-forged. We do not consider this an acceptable trade-off for using a paid B2B SaaS product, but the choice is yours.
Clearing site data for gata.ai will sign you out and reset the user-interface preferences described in clause 3.2.
5.2 Consent banner
Because we set non-essential cookies (the Google Analytics 4 cookies described in clause 3.3), the Website displays a cookie consent banner the first time you visit. The banner is implemented in line with the Information Commissioner's Office's "Cookie Pledge" expectations and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) regulation 6. It offers:
- a "Reject all non-essential" option presented with the same visual prominence as "Accept all" — the two buttons are the same size, colour weight and position;
- granular per-category controls so you can accept or reject categories independently (today the only non-essential category is "analytics");
- no pre-ticked boxes and no "by continuing to browse you accept" patterns — non-essential cookies are not set unless you actively opt in;
- no "cookie wall" — declining the banner does not prevent you from accessing the Website or the Service; and
- the ability to withdraw or change your consent at any time, as easily as you gave it, via the "Manage cookies" link in the Website footer. Withdrawal removes the GA4 script from subsequent page loads and clears the GA4 cookies described in clause 3.3.
Your consent decision is remembered locally in your browser under a key named gata.cookieConsent.v1. We re-prompt at least every twelve (12) months from the date of your previous decision so that consent stays current.
5.3 Do Not Track and Global Privacy Control
We respect the Global Privacy Control ("GPC") signal as a valid expression of an opt-out. Browsers transmitting a Sec-GPC: 1 request header are treated as having declined consent to all non-essential categories (including GA4); the consent banner is not shown to those browsers, no GA4 script is loaded, and no GA4 cookie is set.
The legacy "Do Not Track" header (DNT) is no longer maintained as a standard, but where present we treat it the same way as GPC.
6. International transfers
Where a cookie or third-party request causes personal data (including your IP address) to be transferred outside the United Kingdom:
- the Google Analytics 4 measurement described in clause 3.3 transfers personal data (online identifiers, GA4 cookie identifiers, IP address, the internal
user_idanduser_propertiesafter sign-in, and event metadata) to Google LLC in the United States. Google operates the transfer under the EU Standard Contractual Clauses and the UK Addendum / UK IDTA that form part of Google's Measurement Controller-to-Controller Data Protection Terms, and additionally relies on Google LLC's certification under the EU–US Data Privacy Framework and the UK Extension where in force. GA4 is loaded only after you have given consent through the banner described in clause 5.2; - the Stripe redirects described in clause 3.5 transfer payment-flow personal data to Stripe Payments Europe, Limited (Ireland) and, in some cases, onward to Stripe, Inc. (United States), under transfer mechanisms maintained by Stripe (currently the UK Addendum to the EU Standard Contractual Clauses and Stripe's certification under the UK Extension to the EU–US Data Privacy Framework where applicable);
- the Geist font CDN request described in clause 3.6(a) transmits your IP address to jsDelivr infrastructure (operated by Prospect One sp. z o.o., Poland) and to its underlying CDN providers (Cloudflare, Inc. and Fastly, Inc., both United States), under transfer mechanisms maintained by jsDelivr and those providers; and
- the JetBrains Mono font CDN request described in clause 3.6(b) transmits your IP address to Google LLC infrastructure (United States), under transfer mechanisms maintained by Google.
7. Children
The Service is a B2B SaaS product and is not directed at children. We do not knowingly set cookies for, or otherwise process the personal data of, individuals under the age of 18. Authorised Users of the Service must be at least 18 years old (see clause 2 of the Terms of Service).
8. Updates to this Cookie Notice
We may update this Cookie Notice from time to time, including to reflect new cookies we deploy, removals of cookies we no longer set, or changes in law and regulatory guidance (including ICO guidance under PECR).
The date at the top of this Cookie Notice indicates when it was last revised. Material changes (including the introduction of any new non-essential cookie category) will be notified by reasonable means before they take effect, which may include a banner on the Website, an in-Service notice, or an email to the primary contact on the Customer's Account. Your continued use of the Website or the Service after the effective date of an update constitutes acceptance of the updated Cookie Notice; this clause does not override your separate right to grant or withhold consent under clause 5.
9. Contact
If you have any questions about this Cookie Notice, or wish to exercise any right you have under UK GDPR or other Data Protection Laws in relation to cookies or similar technologies we operate, please contact us at:
Registered in England and Wales, company number 12601661.
Registered office: 2nd Floor College House, 17 King Edwards Road, Ruislip, London, HA4 7AE, United Kingdom.
You also have the right to lodge a complaint with the Information Commissioner's Office (the UK supervisory authority for data protection and PECR), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom — https://ico.org.uk/make-a-complaint/.