Cookie Policy and Privacy Policy

PART I: Cookie Policy

Last updated: 18 February 2026

1. Introduction and Scope

This Cookie Policy applies to afine.com (the "Website"), owned and operated by AFINE sp. z o.o. It explains what cookies and similar tracking technologies are used on the Website, by whom they are set, on what legal basis, and how you can control them. Please read this policy alongside our Privacy Policy (Part II) which sets out how we handle all personal data collected through this Website.

2. What Are Cookies

Cookies are small text files placed on your device when you visit a website. They allow the website to recognise your device, remember your preferences, and function correctly across sessions. Cookies may be session-based (deleted when you close your browser) or persistent (stored for a defined period). Alongside cookies, we use similar technologies such as web beacons, pixels, and scripts embedded via tag management systems. All references to "cookies" in this policy include these analogous technologies unless stated otherwise.

3. How Our Website Uses Cookies

afine.com is built on Webflow and served through Cloudflare's CDN and security infrastructure. We also use Google Tag Manager to deploy analytics and marketing scripts in a controlled manner, and the iClosed scheduling widget to allow visitors to book calls with our team. Together, these tools set the cookies described in Section 4 below.

4. Cookie Inventory

The following lists all cookies and tracking technologies currently active on afine.com. This inventory was verified by a technical audit on 18 February 2026 and is updated whenever new tools are added.

4.1 Strictly Necessary Cookies

These are set automatically and cannot be disabled without breaking core site functionality. No consent is required under applicable e-privacy rules.

  • _cfuvid
    • Set by: Cloudflare   |   Category: Strictly Necessary   |   Duration: Session
    • Purpose: Bot protection and rate-limiting. Required for Cloudflare DDoS mitigation.
  • __cf_bm
    • Set by: Cloudflare   |   Category: Strictly Necessary   |   Duration: 30 minutes
    • Purpose: Distinguishes human visitors from automated bots as part of Cloudflare bot management.
  • cf_clearance
    • Set by: Cloudflare   |   Category: Strictly Necessary   |   Duration: 1 year
    • Purpose: Records that the visitor has passed a Cloudflare browser integrity challenge.
  • wf_csrf
    • Set by: Webflow   |   Category: Strictly Necessary   |   Duration: Session
    • Purpose: Cross-site request forgery protection. Required for contact forms to function securely.
  • webflow-session
    • Set by: Webflow   |   Category: Strictly Necessary   |   Duration: Session
    • Purpose: Maintains session state required for Webflow's hosting infrastructure.
  • CookieConsent
    • Set by: Website (AFINE)   |   Category: Strictly Necessary   |   Duration: 1 year
    • Purpose: Stores the visitor's cookie consent preferences so the banner is not shown on every visit.

4.2 Functional Cookies

Set only with your consent via the cookie consent banner. These cookies are not pre-selected by default - your active choice is required before they are activated.

  • wf_theme
    • Set by: Webflow   |   Category: Functional   |   Duration: 1 year
    • Purpose: Remembers your display preference (e.g. light or dark mode).

4.3 Analytics Cookies

Set only with your consent. These help us understand how visitors use the Website.

  • _ga
    • Set by: Google Analytics (via GTM)   |   Category: Analytics   |   Duration: 2 years
    • Purpose: Distinguishes individual users by assigning a randomly generated client ID.
  • _ga_*
    • Set by: Google Analytics (via GTM)   |   Category: Analytics   |   Duration: 2 years
    • Purpose: Stores and counts page views for a specific GA4 property.
  • _gid
    • Set by: Google Analytics (via GTM)   |   Category: Analytics   |   Duration: 24 hours
    • Purpose: Distinguishes users within a 24-hour window.
  • _gat
    • Set by: Google Analytics (via GTM)   |   Category: Analytics   |   Duration: 1 minute
    • Purpose: Throttles the request rate to Google Analytics.

4.4 Marketing and Scheduling Cookies

Set only with your consent. These are placed by our scheduling tool (iClosed) to manage the booking widget, qualify leads, and track the source of scheduled appointments.

  • iclosed_session
    • Set by: iClosed   |   Category: Marketing / Functional   |   Duration: Session
    • Purpose: Maintains the visitor's session within the iClosed scheduling widget.
  • iclosed_lead_*
    • Set by: iClosed   |   Category: Marketing   |   Duration: Up to 1 year
    • Purpose: Stores qualifying information entered into the scheduler to prevent duplicate submissions and pre-populate returning visitors' details.
  • iclosed_src
    • Set by: iClosed   |   Category: Marketing   |   Duration: 30 days
    • Purpose: Records the traffic source (UTM parameters) at the time the scheduler loaded, enabling attribution of booked calls to marketing channels.
  • _fbp
    • Set by: Meta / Facebook (if active via GTM)   |   Category: Marketing   |   Duration: 3 months
    • Purpose: Used by Meta to deliver advertisements and to track conversions from Facebook ads.
  • _gcl_au
    • Set by: Google Ads (if active via GTM)   |   Category: Marketing   |   Duration: 90 days
    • Purpose: Used by Google Ads to store and track conversions.

4.5 Google Tag Manager and Google Consent Mode v2

We use Google Tag Manager (GTM), a tool for the technical management of scripts and tags on the Website. GTM itself does not set any cookies used for analytics or marketing purposes.

Analytics and marketing tags deployed through GTM are activated only after you have granted the relevant consent category in the cookie banner.

We also use Google Consent Mode v2 to communicate your consent choices to Google services. This mechanism is technical in nature and does not replace the consent required by applicable law.

Loading the GTM script causes a connection to Google's servers and transmits technical data (such as your IP address and browser information) to Google. Further details are available in Part II, Section 2.4 of this document.

5. Third-Party Network Requests

In addition to cookies, the following third-party network requests occur when you visit the Website. Each involves your IP address being transmitted to a third-party server.

  • Google Fonts - web typefaces are loaded from Google's servers. Google may log your IP address and User-Agent string. Google acts as an independent data controller for this data.
  • BunnyCDN (BunnyWay d.o.o., Slovenia) - video content is delivered via BunnyCDN. When a video loads, your IP address, User-Agent, and referrer URL are transmitted to BunnyCDN's infrastructure located within the EU.
  • Google Tag Manager - the GTM script is loaded from googletagmanager.com. Loading the GTM container transmits your IP address and User-Agent to Google's servers, regardless of your cookie consent choices.
  • iClosed - the iClosed scheduling widget loads scripts and resources from iclosed.io servers. Your IP address, browser information, and any data entered into the scheduler (such as name, email address, and phone number) are transmitted to iClosed's servers.

6. Legal Basis for Cookie Processing (EU/EEA/UK Visitors)

Cookie processing operates under two distinct legal layers: (i) the rules on placing cookies and accessing the user's device - governed by Polish telecommunications law (Prawo komunikacji elektronicznej, PKE) and the ePrivacy Directive; and (ii) the processing of personal data generated by those cookies - governed by the GDPR. Where both layers apply, both legal bases are indicated below.

Strictly necessary cookies (Section 4.1): No consent is required under PKE/ePrivacy rules, as these cookies are essential to the service you have requested. Personal data generated by these cookies (e.g. IP address, session identifiers) is processed on the basis of Article 6(1)(f) GDPR - legitimate interest in operating a secure and functional website.

Functional cookies (Section 4.2): Placed on the basis of your consent under PKE/ePrivacy rules (active opt-in required; no pre-selection). Personal data is processed on the basis of Article 6(1)(a) GDPR. You may withdraw consent at any time (see Section 7).

Analytics cookies (Section 4.3): Placed on the basis of your consent under PKE/ePrivacy rules. Personal data is processed on the basis of Article 6(1)(a) GDPR. You may withdraw consent at any time (see Section 7).

Marketing and scheduling cookies (Section 4.4): Placed on the basis of your consent under PKE/ePrivacy rules. Personal data is processed on the basis of Article 6(1)(a) GDPR. You may withdraw consent at any time (see Section 7).

Network requests to Google (Fonts, GTM) and BunnyCDN (Section 5): Processing of personal data (IP address, User-Agent) on the basis of Article 6(1)(f) GDPR - legitimate interest in delivering website content efficiently and securely. Where these mechanisms also involve non-essential tracking, the additional basis is your consent.

Data entered into the iClosed scheduler (Sections 4.4 and 5): Processed on the basis of Article 6(1)(b) GDPR (pre-contractual steps at your request). In B2B contexts and where partially entered data is retained, the basis is Article 6(1)(f) GDPR (legitimate interest). iClosed acts as a data processor under a Data Processing Agreement (DPA) concluded with AFINE.

7. How to Manage Your Cookie Preferences

You can update your cookie preferences at any time using the following methods:

Cookie banner: click the "Cookie Settings" link in the footer of any page on afine.com to reopen the consent management panel. You can withdraw or update your consent for any category.

Browser settings: you can configure your browser to block or delete cookies. Note that disabling strictly necessary cookies will prevent the contact form and other core features from functioning.

Google Analytics opt-out: you can opt out of Google Analytics tracking across all websites by installing the Google Analytics Opt-out Browser Add-on. You can manage your Google Ads preferences at adssettings.google.com.

iClosed scheduler: any data you enter into the iClosed scheduling widget is subject to iClosed's own privacy policy, available at iclosed.io/privacy-policy. You may request deletion of your data directly from iClosed at hello@iclosed.io.

8. Cookies We Do Not Use

We confirm that the following technologies are not present on afine.com unless explicitly added in a future update to this policy: LinkedIn Insight Tag, Microsoft Clarity, Hotjar, and any data broker or lead intelligence pixel. We do not sell, rent, or transfer cookie data to third parties for commercial purposes.

9. Updates to This Cookie Policy

We review and update this Cookie Policy whenever we add, remove, or change any tracking technology on the Website. The effective date at the top of this document will be updated accordingly. Where a change materially affects your rights, we will display a new consent banner.

PART II: Privacy Policy

1. Who We Are

This Privacy Policy is issued by AFINE sp. z o.o., registered in Poland, with its registered office at Al. Jerozolimskie 146C, 02-305 Warsaw, Poland. AFINE is the data controller responsible for personal data collected through this Website. For any questions or to exercise your rights, contact us at: afine@afine.com | +48 662-456-620 | afine.com/contact

2. What Personal Data We Collect and Why

2.1 Contact Form Submissions

We collect: first name, last name, email address, phone number, and message content. Purpose: to respond to your inquiry. Legal basis: Article 6(1)(b) GDPR (steps prior to entering a contract) or Article 6(1)(f) GDPR (legitimate interest in responding to business inquiries). Retention: up to three years from your last interaction, or until you request deletion.

2.2 Newsletter Subscriptions

We collect: email address. Purpose: to send security research updates, CVE disclosures, blog posts, and company news. Legal basis: Article 6(1)(a) GDPR (explicit consent). You may withdraw consent at any time via the unsubscribe link in any email or by writing to afine@afine.com. Retention: until you unsubscribe or request deletion.

2.3 iClosed Scheduling Widget

When you use the scheduling widget on our Website to book a consultation or discovery call, iClosed collects the information you enter - which may include your name, email address, phone number, company name, and answers to qualifying questions we configure in the widget. Purpose: to arrange and manage sales calls, qualify leads, and attribute booked meetings to marketing channels. Legal basis: Article 6(1)(b) GDPR (pre-contractual steps); in B2B contexts and where partially entered data is retained, Article 6(1)(f) GDPR (legitimate interest). AFINE receives the data you submit and uses it to prepare for and follow up on booked calls. iClosed Inc. acts as a data processor on our behalf for the scheduling function, under a Data Processing Agreement (DPA). Retention: three years from the date of your last contact with us or the date of your last booked appointment.

2.4 Analytics Data - Google Analytics 4 (GA4) via Google Tag Manager

After you have consented to analytics cookies, we use Google Analytics 4 (GA4), deployed via Google Tag Manager (GTM), to analyse how visitors use the Website and to improve its content and performance.

In this context, we may process data including: pages viewed, session duration, referring URL, approximate geographic location (city/country level, derived from IP address), device and browser type, and interaction events. IP addresses are anonymised before storage.

Legal basis: Article 6(1)(a) GDPR (consent to analytics cookies). Purpose: statistics, analysis, and improvement of the Website. Retention: in accordance with the GA4 data retention configuration - currently up to 14 months.

We also use Google Consent Mode v2 to technically transmit your consent status to Google services. This mechanism does not replace your consent - it communicates it. Google's tags are only activated after your consent has been granted in the cookie banner.

Google services may involve transfers of personal data outside the EEA. In such cases, appropriate legal safeguards required by the GDPR are applied (see Section 4). Google LLC acts as a data processor under Google's Ads Data Processing Terms. Further information: policies.google.com/privacy.

2.5 Website Hosting - Webflow

Our website is hosted by Webflow, Inc. (USA). Webflow automatically collects IP addresses, browser type, pages visited, referrer URLs, and timestamps in server logs. Legal basis: Article 6(1)(f) GDPR. Retention: approximately 90 days. See webflow.com/legal/privacy.

2.6 Security Infrastructure - Cloudflare

afine.com is protected by Cloudflare, Inc. Cloudflare processes IP addresses, HTTP request headers, and request metadata for security purposes, including DDoS mitigation and bot management. Legal basis: Article 6(1)(f) GDPR. Retention: up to 24 hours for threat intelligence data. See cloudflare.com/privacypolicy.

2.7 Video Delivery - BunnyCDN

Video content is delivered through BunnyCDN (BunnyWay d.o.o., Slovenia, EU). When a video loads, your IP address, User-Agent, and referrer URL are transmitted to BunnyCDN. Legal basis: Article 6(1)(f) GDPR. BunnyWay processes data within the EU; no international transfer mechanism is required.

2.8 Google Fonts

This Website loads typefaces from Google's servers. Each page load sends a network request to Google LLC, which may log your IP address and User-Agent. Google acts as an independent data controller for this processing. Legal basis on our side: Article 6(1)(f) GDPR.

3. Sensitive Personal Data

We do not intentionally collect or process special categories of personal data as defined in Article 9 of the GDPR, including data relating to health, racial or ethnic origin, political opinions, religious beliefs, biometric characteristics, or sexual orientation. We ask that you do not include such information in any contact form submission or email sent to us.

4. How We Share Personal Data and International Transfers

We do not sell, rent, or transfer your personal data to third parties for commercial purposes.

Personal data may be shared exclusively with entities supporting us in operating the Website and delivering its functionality - in particular: providers of hosting, CDN and security services, analytical and technical tools, and the scheduling widget provider - as well as with competent public authorities, where disclosure is required by law.

Depending on the configuration of the Website, we use in particular the following providers: Webflow, Cloudflare, Google (including Google Analytics, Google Tag Manager, and Google Fonts), You Scale LLC (iClosed), and BunnyWay. These providers may act - depending on the nature of the service and its configuration - as data processors acting on our behalf, or as independent data controllers.

In connection with the use of certain services, personal data may be transferred outside the European Economic Area (EEA), in particular to the United States. In such cases, we ensure that the transfer is carried out in compliance with the GDPR, using appropriate legal safeguards, in particular on the basis of:

  • a European Commission adequacy decision (where applicable), or
  • Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Decision 2021/914).

Where a provider acts as a data processor, processing is carried out on the basis of an appropriate Data Processing Agreement (DPA) concluded in accordance with Article 28 GDPR.

A summary of the safeguards applied for each main provider is set out below:

  • Webflow, Inc. (USA) - data processor for website hosting. Data transfers are covered by Standard Contractual Clauses (SCCs).
  • Cloudflare, Inc. (USA) - data processor for CDN and security. Data transfers are covered by Standard Contractual Clauses (SCCs).
  • Google LLC (USA) - data processor for Google Analytics (via GTM); independent data controller for Google Fonts. Data transfers are covered by Standard Contractual Clauses (SCCs).
  • iClosed / You Scale LLC (USA) - data processor for the scheduling widget. Data processing is governed by iClosed's Data Processing Agreement. Data transfers are covered by Standard Contractual Clauses (SCCs) where required.
  • BunnyWay d.o.o. (Slovenia, EU) - data processor for video delivery. No transfer mechanism required as processing occurs within the EU.

You may request a copy of applicable transfer safeguards by contacting afine@afine.com.

5. How We Protect Your Personal Data

We implement technical and organisational security measures appropriate to the risks of our processing activities. These include: TLS/HTTPS encryption across all pages; Cloudflare WAF and DDoS protection at infrastructure level; internal access controls limiting data access to staff who require it; ISO 27001-aligned information security management practices; and contractual security obligations imposed on all processors. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (Article 33 GDPR) and affected individuals where required by Article 34 GDPR.

6. Your Rights Under the GDPR

If you are located in the EU, EEA, or UK, the GDPR grants you the following rights:

  • Access (Article 15) - to receive a copy of your personal data and information about how it is processed.
  • Rectification (Article 16) - to request correction of inaccurate or incomplete data.
  • Erasure (Article 17) - to request deletion where data is no longer necessary, subject to legal retention obligations.
  • Restriction (Article 18) - to request that we limit processing in certain circumstances.
  • Data portability (Article 20) - to receive your data in a structured, machine-readable format.
  • Object (Article 21) - to processing based on legitimate interests, including direct marketing.
  • Withdraw consent - at any time where processing is consent-based, without affecting the lawfulness of prior processing.

You also have the right to lodge a complaint with the Polish Data Protection Authority (UODO), ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl, or with the supervisory authority in your country of habitual residence.

To exercise any right, email afine@afine.com with subject line "GDPR Rights Request". We will respond within 30 days.

7. Rights Under US State Privacy Laws (Where Applicable)

If the processing of personal data by AFINE is subject to the law of the US state in which you reside (including in particular the law of the State of California), you may have additional rights regarding your personal data, including in particular the right to:

  • obtain information about the processing of your personal data,
  • access your personal data,
  • correct inaccurate personal data,
  • delete your personal data,
  • object to / opt out of certain forms of processing (including, in cases provided for by law, the "sale" or "sharing" of data for cross-context behavioural advertising purposes).

We do not sell personal data. If we use third-party advertising or analytics tools (e.g. via tags activated after you consent to cookies), you may at any time change your consent settings using the Cookie Settings link in the footer of the Website.

To exercise any applicable rights, please contact us at afine@afine.com (e.g. with the subject line: "Privacy Request"). We will respond within the timeframe required by applicable law, following verification of your identity where required.

The scope of available rights and the response timeframes may vary depending on the law of the applicable US state.

8. Children

This website is not directed at children under the age of 16 and we do not knowingly collect personal data from children under that age. If you believe that a child has submitted personal data to us without appropriate consent, please contact us at afine@afine.com and we will delete that data without undue delay.

9. Changes to This Policy

We may update this Privacy and Cookie Policy from time to time to reflect changes in applicable law, our data processing practices, or the technologies we use. When we make changes, we will update the effective date shown at the top of this document. Where a change is material and affects your rights, we will additionally notify newsletter subscribers by email. Your continued use of this website after any updated policy has been posted constitutes your acknowledgement of the changes.

10. Contact Us

For any questions, requests, or concerns relating to this policy or to the way we handle personal data, please contact us at afine@afine.com.