Cookie Policy
Last updated: 22nd May 2026
1. Introduction
This Cookie Policy explains how Illumate UI, operated by Patrik Duch s.r.o., IČO: 24091090, registered in the Czech Republic, European Union ("we", "us", or "our"), uses cookies and similar technologies when you visit our website and use our services.
We use only strictly necessary and functional cookies. We do not use analytics, advertising, profiling, or tracking cookies of any kind.
Strictly necessary cookies are required for the core operation and security of the Service (such as authentication and session management). Functional cookies remember basic preferences to provide a consistent experience across sessions and contain no personal data. We also use Local Storage within the editor mode to maintain temporary editor and preview state on your device.
2. What Are Cookies
Cookies are small text files that are placed on your computer, smartphone, or other device when you visit a website. They are widely used to:
- Make websites work properly and securely
- Remember your preferences and settings
- Improve your browsing experience
Cookies can be "session cookies" (deleted when you close your browser) or "persistent cookies" (remain on your device for a set period or until you delete them).
3. Types of Cookies and Storage We Use
3.1 Strictly Necessary Cookies
These cookies are essential for the website and the Service to function properly. Without them, you cannot use basic features such as secure login and session management. These cookies cannot be disabled. All authentication cookies are set as HttpOnly and Secure, and use the SameSite=Lax attribute to protect against cross-site request forgery (CSRF).
Access Token
Purpose: Keeps you securely authenticated during your session
Type: First-party, HttpOnly, Secure, SameSite=Lax
Duration: Short-lived; refreshed automatically while you remain logged in
Data stored: Signed session identifier — not accessible to JavaScript
Refresh Token
Purpose: Allows your session to be securely renewed without re-entering your password
Type: First-party, HttpOnly, Secure, SameSite=Lax
Duration: Up to 30 days (persistent login), or until you log out
Data stored: Signed token used to issue new access tokens — not accessible to JavaScript
Legal basis: Article 6(1)(b) GDPR — performance of a contract (authentication and session management are necessary to provide the Service you requested) and Article 6(1)(f) GDPR — legitimate interest in ensuring the secure functioning of the Service. These cookies fall within the strictly necessary exemption under Article 5(3) of Directive 2002/58/EC (ePrivacy Directive).
3.2 Local Storage
We use Local Storage technology in your browser to support the operation of the Service. Local Storage data is stored exclusively on your device and is not transmitted to or accessed by our servers. We do not use Local Storage for tracking, profiling, or advertising purposes.
Dashboard Preferences
Purpose: Stores non-sensitive UI preferences
Duration: Persistent until manually cleared
Editor State
Purpose: Maintains temporary editor and preview state during your session, including any sample values you choose to enter for auto-fill configuration
Duration: Automatically cleared when the tour preview ends, or on page reload or navigation
Any content you enter into auto-fill fields during tour configuration is stored locally on your device at your direction and automatically removed when the preview completes. You may also clear this data manually at any time through your browser's developer tools (Application > Local Storage).
3.3 Functional Cookies
Functional cookies remember basic preferences to improve your experience across sessions. They contain no personal data and are not used for tracking, analytics, or advertising.
Theme Preference
Purpose: Remembers your chosen interface theme (light or dark mode)
Type: First-party HTTP cookie, SameSite=Lax (readable by the application to apply your theme)
Duration: Up to 1 year, or until you clear cookies
Data stored: Theme identifier (e.g., "light" or "dark") — no personal data
Legal basis: Article 6(1)(f) GDPR — legitimate interest in providing a consistent user experience across sessions. This cookie can be cleared through your browser settings at any time.
3.4 Device Identification and Security
To protect user accounts, prevent abuse of the Service, and enforce plan-based device limits, we use server-side device identification techniques. These rely solely on passive technical signals routinely transmitted by your browser with every HTTP request — we do not run client-side JavaScript fingerprinting in your browser. For full technical details, see our Privacy Policy (Section 2.3).
Device Recognition
Purpose: Account security (detecting suspicious activity, preventing session hijacking, notifying you of new device logins), anti-abuse (preventing ban evasion and mass account creation), and enforcing plan-based device limits (Free: 1 device, Pro: up to 5 devices, Enterprise: unlimited)
Data processed: User-Agent string, IP address, Accept-Language header, and parsed device metadata (browser family, operating system, device type, bot detection flags) — derived solely from what your browser already transmits
Storage: A SHA-256 cryptographic hash is generated for device matching. Parsed device metadata may be stored alongside session records for security monitoring and incident investigation
Duration: Session-related device data is retained for the duration of active sessions and up to 90 days after the last session activity. Persistent device hashes used for anti-abuse and plan enforcement may be retained for up to 3 years to detect repeat abuse patterns (see Privacy Policy, Section 2.3)
Scope: Tied to your user account and not used to track you across other websites or services
Important: Device identification is used for account security, anti-abuse, and plan enforcement. We do not use these techniques for:
- Tracking users across other websites
- Advertising, profiling, or behavioral analysis
- Building user profiles for marketing or commercial purposes
We do not employ invasive fingerprinting methods (such as canvas fingerprinting, WebGL rendering, audio context, or font enumeration) and do not run client-side JavaScript-based device fingerprinting. We do not collect screen resolution, timezone, hardware specifications, installed fonts, or plugins. Our approach is limited, proportionate, and based exclusively on signals your browser already transmits in standard HTTP headers.
Legal basis: Article 6(1)(f) GDPR — legitimate interest in account security, fraud and abuse prevention, and enforcing fair use of subscription tiers, as also recognized under Article 32 GDPR (security of processing). We have conducted a balancing assessment and determined that this processing is proportionate to the benefits provided and does not unreasonably override your rights and freedoms.
4. Third-Party Services
Some functionality of the Service relies on trusted third-party providers.
Stripe
Purpose: Payment processing, subscription management, and fraud prevention
Type: Strictly necessary for paid plans, set only when you engage with payment features
Cookies set by: stripe.com, js.stripe.com
Privacy Policy: https://stripe.com/privacy
Stripe cookies are set only when you interact with payment features (such as entering the checkout or billing portal). Visitors who never engage with payment functionality are not subject to Stripe cookies. Where set, they are treated as strictly necessary for secure payment processing and fraud prevention.
5. Cookies and Storage in Tours
5.1 Editor Environment (Tour Builder)
When you use the Illumate UI editor to create tours on websites:
- The editor provides a preview environment that allows you to visually design and configure tours
- Illumate UI does not act as a proxy for user authentication sessions and does not access content behind login or authentication barriers.
- The preview environment is used solely for rendering website content for configuration purposes and does not modify, interact with, or perform any state-changing operations on the target website beyond what is strictly necessary for visual rendering.
- The Service does not trigger form submissions, user actions, or any automated interactions with third-party websites.
- Local Storage may be used where necessary depending on the features you interact with, such as the editor mode, to support core functionality of the Service
- Illumate UI does not store or make accessible third-party website cookies within the editor environment
5.2 Tour Preview Mode
When previewing tours within the Illumate UI editor:
- Local Storage may be used to preserve preview state within your authenticated session (see Section 3.2 for details on data stored and retention)
- Preview state data is stored locally in your browser and is not transmitted to our servers
- Tour auto-fill actions may temporarily populate form fields within the loaded preview for demonstration purposes; no form data is automatically submitted or stored by Illumate UI
- All preview state data is automatically cleared when the tour preview ends (via Finish or Cancel), or on page reload or navigation
5.3 Embeddable Snippet (Future)
If we provide embeddable tour scripts for third-party websites in the future:
- The snippet will not set any cookies on the host website
- The snippet may use the host website's Local Storage for tour progress tracking
- You will be responsible for disclosing the use of the Illumate UI snippet in your own privacy and cookie policies where required by law
- We will provide documentation on what data the snippet stores and processes
6. Your Rights
Under GDPR and applicable data protection laws, you have the following rights in relation to device identification and any personal data processed through cookies and similar technologies:
- Right to be informed — this policy serves as our notification to you about how and why we process your data
- Right of access — you may request information about device data associated with your account
- Right to erasure — you may request deletion of device identification data by contacting us at privacy@illumateui.app. You may also remove device data at any time by signing out of your current session or by logging out of all other active sessions through your account settings; session device data is deleted automatically upon session termination
- Right to object — you may object to the processing of device identification data; however, this may affect the security features available to you
- Right to lodge a complaint — you may file a complaint with your local supervisory authority (for the Czech Republic: ÚOOÚ, https://uoou.gov.cz)
To exercise any of these rights, please contact us at privacy@illumateui.app. We will respond without undue delay and in any event within one month, as required by Article 12(3) GDPR.
7. Your Choices
You can control cookies through your browser settings. Most browsers allow you to:
- View what cookies are stored and delete them individually
- Block third-party cookies
- Block all cookies from specific sites
- Block all cookies from all sites
- Delete all cookies when you close your browser
You can also clear Local Storage through your browser's developer tools (Application > Local Storage).
You can manage your active sessions in your account settings. You can sign out of all other active sessions (keeping your current one) through the "Log out of other sessions" option. To end your current session, use the standard sign-out action. Device identification data associated with a session is automatically removed when the session is terminated.
For instructions on managing cookies, please refer to your browser's official help documentation.
Note: Disabling strictly necessary cookies may prevent the Service from functioning properly. Specifically, you will not be able to log in or maintain an active session.
8. Do Not Track
Some browsers have a "Do Not Track" (DNT) feature that signals to websites that you do not want to be tracked. We do not use cookies or similar technologies for cross-site tracking, advertising, or profiling. Our use of device identification is limited to account security, fraud and abuse prevention, and plan enforcement as described in Section 3.4 above.
9. International Data Transfers
Cookies and Local Storage data are stored on your device. Cookie values are transmitted to our servers, which are hosted within the European Union. Device identification hashes and session security data are processed and stored on infrastructure operated by our EU-based service providers, in accordance with applicable data protection laws and appropriate safeguards.
Certain transactional data involving payment processing may additionally be transmitted to Stripe, Inc. (United States) under appropriate data transfer safeguards, including Standard Contractual Clauses (SCCs). Where other third-party services process data, they do so in accordance with their own privacy policies and applicable data transfer mechanisms.
A detailed list of our sub-processors is available upon request at privacy@illumateui.app.
10. Data Retention
We retain data from cookies and similar technologies as follows:
- Authentication cookies (access token): Short-lived; refreshed automatically while you remain logged in
- Authentication cookies (refresh token): Up to 30 days, or until you log out
- Theme preference cookie: Up to 1 year, or until you clear cookies
- Local Storage (preferences): Until manually cleared by you
- Local Storage (editor state): Cleared when the tour preview ends, or on page reload or navigation
- Device identification data (session): Retained together with the associated session record for the duration of active sessions and up to 90 days after the last session activity for security review; automatically purged thereafter
- Persistent device hashes (anti-abuse and plan enforcement): Up to 3 years to detect repeat abuse patterns (see Privacy Policy, Section 2.3)
You may request earlier deletion of device identification data by contacting us at privacy@illumateui.app or by signing out of the corresponding session through your account settings.
11. Children's Privacy
Our Service is not directed at children under the age of 18 (or the applicable age in your jurisdiction). We do not knowingly set cookies for or collect data from children. If you believe a child has provided us with personal data, please contact us at privacy@illumateui.app and we will take steps to delete such data promptly.
12. Updates to This Policy
We may update this Cookie Policy from time to time to reflect changes in technology, legal requirements, or our data practices. Any changes will be posted on this page with an updated "Last updated" date. If we introduce new cookie categories (such as analytics, advertising, or profiling cookies), or expand our use of device identification beyond the purposes described in Section 3.4, we will notify you and, where required by applicable law, obtain your consent before deployment.
13. Contact Us
If you have any questions about our use of cookies, device identification, or this Cookie Policy, please contact us:
This Cookie Policy forms part of our Privacy Policy and Terms of Service. By using Illumate UI, you acknowledge that you have read and understood how we use cookies, local storage, and device identification technologies.