Cookie Policy

Last Updated: May 2026 · v2.3

This Cookie Policy explains how Mango Technologies Ltd. (DIFC Licensed CL5222) uses cookies on maiviswealth.com. maivis uses cookies for authentication, analytics (opt-in), and conversion measurement (opt-in). We do not use retargeting cookies, lookalike audience technology, or cross-site behavioral advertising.

Note: maivis also uses PostHog (self-hosted on GCP) for in-product analytics. PostHog does not set browser cookies on maiviswealth.com. It operates server-side within maivis infrastructure. This Cookie Policy covers only the browser cookies set by maiviswealth.com.

1. What Are Cookies

Cookies are small text files stored on your device when you visit a website. Under the EU ePrivacy Directive (2002/58/EC, as amended by 2009/136/EC) and UK PECR, certain cookies require explicit consent; others are exempt as strictly necessary.

2. Cookies We Use

2.1 Firebase Auth Session Token

Category: Strictly Necessary

Maintains authenticated session after FIDO2/passkey or TOTP sign-in. HttpOnly, Secure, SameSite=Strict. 30-day expiry with refresh; 30-minute idle timeout. Exempt from consent under ePrivacy Article 5(3) (Article 29 Working Party Opinion 04/2012).

2.2 Firebase Analytics (GA4)

Category: Analytics (Optional), Consent Required

Tracks anonymized page views, scroll depth, CTA clicks, and conversion funnels on the maiviswealth.com landing page. IP anonymisation enabled. Google processes data within the EEA under a GDPR-compliant DPA. 2-year cookie persistence. Analytics cookies do not qualify for the strictly necessary exemption (confirmed by ICO and CNIL). For EU/UK members, GA4 cookies are blocked until explicit opt-in consent.

2.3 Stripe Payment Cookies

Category: Functional

Session-only cookies active exclusively on checkout pages for fraud detection and payment processing. Stripe is PCI DSS Level 1 compliant. Payment processing cookies directly related to a user-initiated transaction are likely exempt; Stripe fraud detection cookies are assessed individually.

2.4 CSRF Protection Token

Category: Strictly Necessary

Session-only security token preventing cross-site request forgery. Exempt from consent as strictly necessary for security.

3. Cookie Categories Summary

| Cookie | Provider | Category | Purpose | Duration | Consent? |
| --- | --- | --- | --- | --- | --- |
| __session | Firebase Auth | Strictly Necessary | Auth session (HttpOnly, Secure, SameSite=Strict) | 30 days | No, exempt ePrivacy Art. 5(3) |
| ph_* | PostHog | Analytics (Optional) | In-app product analytics: feature usage, conversion funnels. Stored in localStorage (not a browser cookie). Opt-in only; not set until consent accepted. | localStorage (1 year) | Yes, opt-in (DIFC DPL 2020) |
| _ga, _ga_* | Firebase Analytics (GA4) | Analytics (Optional) | Page views, scroll, CTA clicks (landing page only) | 2 years | Yes, opt-in (EU/UK) |
| __stripe_* | Stripe | Functional | Payment fraud detection (checkout only) | Session | Exempt for payment; assess fraud cookies |
| _csrf | maivis | Strictly Necessary | CSRF prevention | Session | No, exempt as security |

4. Third-Party Cookies

Firebase Analytics (GA4): Google-hosted with EEA data processing. GDPR-compliant DPA with Google LLC (via GCP CDPA). IP anonymisation enabled.

Stripe: US-hosted. PCI DSS Level 1. EU-US adequacy decision + SCCs. Active during payment flow only.

Google Search Grounding (AI market data): No cookies are set. Google Search Grounding is used server-side only, via the Gemini Enterprise Agent Platform (Google Cloud global endpoint, US/EU data centers with Zero Data Retention), to retrieve real-time market information (e.g. FX rates, central bank rates, regulatory updates). Only anonymized query text is sent, never family data, names, account numbers, or asset values. No data is stored or used for training by Google under the ZDR agreement. Governed by the Google Cloud DPA. See the DPA for full sub-processor terms.

maivis does not use retargeting cookies, lookalike audience technology, cross-site behavioral advertising, or any third-party advertising pixels. Analytics are limited to PostHog and Firebase Analytics, both opt-in only and blocked until you explicitly accept analytics cookies via our consent banner.

5. Jurisdiction-Specific Requirements

5.1 EU/UK (GDPR + ePrivacy + PECR)

Opt-in model: GA4 cookies blocked until explicit consent. Banner offers "Accept All", "Reject All", and "Customise" with equal visual prominence. No pre-checked boxes, no cookie walls. Consent documented with timestamps and version. Renewal: 12-month cycle (CNIL recommends 6 months, German DPAs 6-12, Spanish AEPD 24).

5.2 US/California (CCPA/CPRA)

Opt-out model. maivis does not sell/share PI via cookies. GPC browser signals honored automatically.

5.3 DIFC/UAE

DIFC DP Law does not impose specific cookie consent requirements. We apply the EU/UK opt-in standard as best practice.

5.4 India (DPDPA 2023)

No specific cookie provisions. We apply the EU/UK consent mechanism for Indian members.

6. Consent Storage

When you interact with our cookie banner, your consent preference is stored in your browser’s localStorage under the key maivis_consent as a JSON object containing your choice and a timestamp. This preference persists for 365 days, after which the banner reappears for renewed consent.

PostHog analytics is initialized with opt_out_capturing_by_default: true. No PostHog analytics data is collected until you explicitly accept via the cookie banner, at which point PostHog opt-in is activated. Rejecting or dismissing the banner keeps PostHog opted out. This ensures compliance with DIFC DPL 2020 Article 11.

7. How to Manage Cookies

Cookie banner on first visit: Accept All, Reject All, or Customise.

Browser settings: Chrome (chrome://settings/cookies), Safari (Preferences > Privacy), Firefox (about:preferences#privacy).

GA4 opt-out: decline on banner, email privacy@maiviswealth.com, or enable DNT/GPC.

8. Do Not Track and Global Privacy Control

maivis respects DNT and GPC signals. When detected, GA4 analytics cookies are not set and no usage data is collected. Strictly necessary and functional cookies are unaffected. GPC signals are treated as valid CCPA opt-out requests.

9. Changes

Reviewed annually or when new cookies are added. Material changes notified via site banner. Consent renewal requested at least every 12 months for EU/UK members.

10. Contact

Privacy: privacy@maiviswealth.com
DPO: dpo@maiviswealth.com
Postal: Mango Technologies Ltd., DIFC Innovation Hub, Gate Avenue, Dubai, UAE
