
Cookie Policy

Last Updated: April 2026 · v2.2

This Cookie Policy explains how Mango Technologies Ltd. (DIFC CL5222) uses cookies on maiviswealth.com. maivis uses cookies for authentication, analytics (opt-in), and conversion measurement (opt-in). We do not use retargeting cookies, lookalike audience technology, or cross-site behavioural advertising.

Note: maivis also uses PostHog (self-hosted on GCP) for in-product analytics. PostHog does not set browser cookies on maiviswealth.com. It operates server-side within maivis infrastructure. This Cookie Policy covers only the browser cookies set by maiviswealth.com.

1. What Are Cookies

Cookies are small text files stored on your device when you visit a website. Under the EU ePrivacy Directive (2002/58/EC, as amended by 2009/136/EC) and UK PECR, certain cookies require explicit consent; others are exempt as strictly necessary.

2. Cookies We Use

2.1 Firebase Auth Session Token

Category: Strictly Necessary

Maintains authenticated session after FIDO2/passkey or TOTP sign-in. HttpOnly, Secure, SameSite=Strict. 30-day expiry with refresh; 30-minute idle timeout. Exempt from consent under ePrivacy Article 5(3) (Article 29 Working Party Opinion 04/2012).

2.2 Firebase Analytics (GA4)

Category: Analytics (Optional), Consent Required

Tracks anonymised page views, scroll depth, CTA clicks, and conversion funnels on the maiviswealth.com landing page. IP anonymisation enabled. Google processes data within the EEA under a GDPR-compliant DPA. 2-year cookie persistence. Analytics cookies do not qualify for the strictly necessary exemption (confirmed by ICO and CNIL). For EU/UK members, GA4 cookies are blocked until explicit opt-in consent.

2.3 Meta Pixel (_fbp, _fbc)

Category: Analytics (Optional), Consent Required

Tracks anonymised conversion events (score completion, registration) on the maiviswealth.com landing page for Meta advertising campaign measurement. Blocked until explicit opt-in consent. No data is transmitted to Meta before consent. 90-day cookie persistence. Meta processes data under its Data Processing Terms with EU Standard Contractual Clauses.

2.4 Stripe Payment Cookies

Category: Functional

Session-only cookies active exclusively on checkout pages for fraud detection and payment processing. Stripe is PCI DSS Level 1 compliant. Payment processing cookies directly related to a user-initiated transaction are likely exempt; Stripe fraud detection cookies are assessed individually.

2.5 CSRF Protection Token

Category: Strictly Necessary

Session-only security token preventing cross-site request forgery. Exempt from consent as strictly necessary for security.

3. Cookie Categories Summary

| Cookie | Provider | Category | Purpose | Duration | Consent? |
|---|---|---|---|---|---|
| __session | Firebase Auth | Strictly Necessary | Auth session (HttpOnly, Secure, SameSite=Strict) | 30 days | No, exempt ePrivacy Art. 5(3) |
| ph_* | PostHog | Analytics (Optional) | In-app product analytics: feature usage, conversion funnels. Stored in localStorage (not a browser cookie). Opt-in only; not set until consent accepted. | localStorage (1 year) | Yes, opt-in (DIFC DPL 2020) |
| _ga, _ga_* | Firebase Analytics (GA4) | Analytics (Optional) | Page views, scroll, CTA clicks (landing page only) | 2 years | Yes, opt-in (EU/UK) |
| _fbp, _fbc | Meta Pixel | Analytics (Optional) | Conversion tracking (score completion, registration) | 90 days | Yes, opt-in |
| __stripe_* | Stripe | Functional | Payment fraud detection (checkout only) | Session | Exempt for payment; assess fraud cookies |
| _csrf | maivis | Strictly Necessary | CSRF prevention | Session | No, exempt as security |

4. Third-Party Cookies

Firebase Analytics (GA4): Google-hosted with EEA data processing. GDPR-compliant DPA with Google LLC (via GCP CDPA). IP anonymisation enabled.

Stripe: US-hosted. PCI DSS Level 1. EU-US adequacy decision + SCCs. Active during payment flow only.

Meta Pixel: US-hosted. Conversion tracking only (score_completion, register). Consent-gated: blocked until explicit opt-in. No retargeting or lookalike audience building. Meta Data Processing Terms with EU SCCs.

Google Search Grounding (AI market data): No cookies are set. Google Search Grounding is used server-side only, via the Gemini Enterprise Agent Platform (Google Cloud global endpoint, US/EU data centers with Zero Data Retention), to retrieve real-time market information (e.g. FX rates, central bank rates, regulatory updates). Only anonymised query text is sent — never family data, names, account numbers, or asset values. No data is stored or used for training by Google under the ZDR agreement. Governed by Google Cloud DPA. See the DPA for full sub-processor terms.

maivis does not use retargeting cookies, lookalike audience technology, or cross-site behavioural advertising. Meta Pixel is used solely for conversion measurement (score completion, registration) and is blocked until you explicitly accept marketing cookies via our consent banner.

5. Jurisdiction-Specific Requirements

5.1 EU/UK (GDPR + ePrivacy + PECR)

Opt-in model: GA4 cookies blocked until explicit consent. Banner offers "Accept All", "Reject All", and "Customise" with equal visual prominence. No pre-checked boxes, no cookie walls. Consent documented with timestamps and version. Renewal: 12-month cycle (CNIL recommends 6 months, German DPAs 6-12, Spanish AEPD 24).

5.2 US/California (CCPA/CPRA)

Opt-out model. maivis does not sell/share PI via cookies. GPC browser signals honoured automatically.

5.3 DIFC/UAE

DIFC DP Law does not impose specific cookie consent requirements. We apply the EU/UK opt-in standard as best practice.

5.4 India (DPDPA 2023)

No specific cookie provisions. We apply the EU/UK consent mechanism for Indian members.

6. Consent Storage

When you interact with our cookie banner, your consent preference is stored in your browser’s localStorage under the key maivis_consent as a JSON object containing your choice and a timestamp. This preference persists for 365 days, after which the banner reappears for renewed consent.

PostHog analytics is initialised with opt_out_capturing_by_default: true. No PostHog analytics data is collected until you explicitly accept via the cookie banner, at which point PostHog opt-in is activated. Rejecting or dismissing the banner keeps PostHog opted out. This ensures compliance with DIFC DPL 2020 Article 11.

7. How to Manage Cookies

Cookie banner on first visit: Accept All, Reject All, or Customise.

Browser settings: Chrome (chrome://settings/cookies), Safari (Preferences > Privacy), Firefox (about:preferences#privacy).

GA4 opt-out: decline on banner, email privacy@maiviswealth.com, or enable DNT/GPC.

8. Do Not Track and Global Privacy Control

maivis respects DNT and GPC signals. When detected, GA4 analytics cookies are not set and no usage data is collected. Strictly necessary and functional cookies are unaffected. GPC signals are treated as valid CCPA opt-out requests.
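
The consent storage in section 6 and the DNT/GPC handling in this section can be combined into one fail-closed gate. The sketch below is an added example, not maivis code; the `choice` and `timestamp` field names, the choice values and the ISO 8601 timestamp format are assumptions.

```javascript
// Added example; field names and choice values are assumptions.
const CONSENT_KEY = "maivis_consent";               // key named in section 6
const CONSENT_TTL_MS = 365 * 24 * 60 * 60 * 1000;   // 365-day persistence
const DENY_ALL = Object.freeze({ analytics: false, marketing: false });

// Parse the stored value. Anything malformed, expired or future-dated is
// treated as "no consent on record", so the gate fails closed.
function parseStoredConsent(raw, nowMs) {
  if (typeof raw !== "string") return null;
  let record;
  try {
    record = JSON.parse(raw);
  } catch {
    return null;
  }
  if (record === null || typeof record !== "object") return null;
  const ts = Date.parse(record.timestamp);          // assumed ISO 8601 string
  if (!Number.isFinite(ts) || ts > nowMs || nowMs - ts > CONSENT_TTL_MS) return null;
  const c = record.choice;
  if (c === "accept_all") return { analytics: true, marketing: true };
  if (c === "reject_all") return { ...DENY_ALL };
  if (c !== null && typeof c === "object") {
    // "Customise": only a literal true enables a category.
    return { analytics: c.analytics === true, marketing: c.marketing === true };
  }
  return null;
}

// raw: the caller's localStorage.getItem(CONSENT_KEY).
// signals: { gpc, dnt } booleans the caller reads from
// navigator.globalPrivacyControl and navigator.doNotTrack === "1".
function resolveConsent(raw, nowMs, signals = {}) {
  const stored = parseStoredConsent(raw, nowMs);
  const granted = stored ?? { ...DENY_ALL };
  // The policy states that DNT/GPC suppress GA4 analytics; it makes no such
  // statement for the Meta Pixel, so marketing follows stored consent only.
  const analytics = granted.analytics && !(signals.gpc || signals.dnt);
  return { showBanner: stored === null, analytics, marketing: granted.marketing };
}
```

Tag loaders for GA4, PostHog opt-in and the Meta Pixel would run only when the matching flag is `true`, and the banner is shown again whenever `showBanner` is `true`.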

9. Changes

Reviewed annually or when new cookies are added. Material changes notified via site banner. Consent renewal requested at least every 12 months for EU/UK members.

10. Contact

Privacy: privacy@maiviswealth.com
DPO: dpo@maiviswealth.com
Postal: Mango Technologies Ltd., DIFC Innovation Hub, Gate Avenue, Dubai, UAE

Cookie Policy v2.2. Mango Technologies Ltd., DIFC CL5222. April 2026.