Estrategeos
Legal information · Art. 22.2 LSSI-CE · AEPD Guide

Cookies policy

Detailed information about the cookies used on estrategeos.com: typology, purposes, duration and third parties, together with the mechanism to grant, configure and withdraw consent in accordance with applicable law.

Last updated: 24 April 2026 Art. 22.2 LSSI-CE · GDPR · AEPD Guide Version: 19.0

What cookies are

Cookies are small text files that a website stores on the user's device (computer, tablet or mobile) when visited. They allow the site to remember information about the visit, such as preferred language, session credentials or cookie preferences, and to facilitate later navigation.

Alongside cookies in the strict sense, this policy covers equivalent technologies that store or access information on the user's device: localStorage, sessionStorage, pixels, web beacons and digital fingerprinting. The legal treatment is the same under Article 22.2 of Spanish Law 34/2002 (LSSI-CE).

Legal basis and consent

The use of non-strictly-necessary cookies requires prior, informed, specific and unambiguous consent from the user under Article 22.2 LSSI-CE and Article 6.1.a GDPR. Consent is obtained via the banner shown on the first visit and can be granted globally (accept all), granularly (accept by category) or denied in full (reject all).

Strictly necessary technical cookies required to deliver the service requested by the user are exempt from the consent requirement, as provided for in Article 22.2 LSSI-CE itself and in the AEPD Guide on the use of cookies in its current version.

Consent logging

The user's decision is stored in the technical cookie cookie_consent_v1 with a duration of 365 days. Upon expiry, the banner will be displayed again to renew consent. The user may revoke consent at any time via the Cookie settings link in the site footer.

Typology by purpose

Under the AEPD Guide, cookies are classified into three categories according to their purpose. Estrategeos uses all three, with only technical cookies exempt from consent:

  • Technical or strictly necessary: enable navigation and basic functionality (authenticated session, language preferences, consent logging, bot and attack protection).
  • Analytics or measurement: allow quantification of users, page views, navigation paths and traffic sources for statistical analysis and service improvement.
  • Marketing and personalisation: allow tracking of user interaction for campaign attribution, remarketing and personalised commercial content.

Technical and necessary cookies

Installed without prior consent as they are strictly necessary for the operation of the site and the client portal. Rejecting them prevents access or degrades essential functionality.

CookieProviderPurposeDuration
cookie_consent_v1estrategeos.comStores the user's decision about accepted or rejected cookie categories.365 days
cf_clearanceCloudflare, Inc.Protection against bots and denial-of-service (Turnstile / Bot Management).30 days
__cf_bmCloudflare, Inc.Distinguishes human from automated traffic to protect the origin.30 minutes
sb-*-auth-tokenSupabase (client portal)Authenticated session in the client portal. Only installed after login.Session
__stripe_mid, __stripe_sidStripe Payments Europe Ltd.Payment fraud prevention. Only installed if a payment flow starts.1 year / session
calendly_sessionCalendly LLCMaintains scheduling state. Only if the booking widget is opened.Session
hs-messages-*HubSpot, Inc.Commercial chat widget. Keeps the conversation thread open.30 days

Analytical cookies

Installed only with user consent in the Analytics category. We use Google Analytics 4 with IP anonymisation (anonymize_ip) and with advertising signals and personalisation disabled.

CookieProviderPurposeDuration
_gaGoogle Ireland Ltd.Distinguishes unique users via a random identifier.24 months
_ga_G57LR64ZHRJGoogle Ireland Ltd.Persists GA4 session state per property.24 months
_gidGoogle Ireland Ltd.Distinguishes users within a 24-hour window.24 hours
_gat, _gat_gtag_*Google Ireland Ltd.Throttles the rate of requests to the service.1 minute

The legal basis of processing is consent (Art. 6.1.a GDPR). The recipient is Google Ireland Ltd. (Gordon House, Barrow Street, Dublin, Ireland). Google LLC (the US parent) is certified under the EU–US Data Privacy Framework (Adequacy Decision of 10 July 2023).

Marketing and third-party cookies

Installed only with user consent in the Marketing category. Used for campaign attribution, remarketing and personalisation of commercial content in the lead-capture form.

CookieProviderPurposeDuration
hubspotutkHubSpot, Inc.Unique visitor identifier for cross-session tracking and attribution.13 months
__hstcHubSpot, Inc.Records first visit, last visit, current visit and session count.13 months
__hsscHubSpot, Inc.Records the current session and number of page views in it.30 minutes
__hssrcHubSpot, Inc.Indicates whether the session is new or resumed (value always 1).Session

The recipient is HubSpot, Inc. (United States), certified under the EU–US Data Privacy Framework. The legal basis of processing is user consent (Art. 6.1.a GDPR).

Duration and expiry

Cookies are classified by persistence into two groups:

  • Session: automatically deleted when the browser is closed.
  • Persistent: stored until they reach their expiry date or the user deletes them manually.

Durations shown in the tables above are those declared by each provider at the time of publication. Estrategeos S.L. has no control over unilateral changes that third parties may make; information is updated on the annual review if variations are detected.

How to configure or withdraw consent

The user may, at any time and as easily as consent was granted, revoke it or amend preferences:

  • By clicking the Cookie settings link available in the footer of every page.
  • By deleting the cookie_consent_v1 cookie from browser settings; on the next visit, the banner will be shown again.
  • By writing to admin@estrategeos.com for assistance.

On consent withdrawal, cookies previously installed under that consent are deleted in the same session and no new cookies in the affected category will be installed until the user grants express consent again.

Browser-level blocking

In addition, the user may configure the browser to reject all cookies, accept them selectively or receive a warning before storage. Instructions vary by browser:

  • Google Chrome: Settings → Privacy and security → Cookies and other site data.
  • Mozilla Firefox: Settings → Privacy & Security → Cookies and Site Data.
  • Safari: Preferences → Privacy → Manage Website Data.
  • Microsoft Edge: Settings → Cookies and site permissions.

Total cookie blocking may affect operation of the client portal, booking widget or evaluation form, which rely on technical cookies to work.

International transfers

Some providers (Google, HubSpot, Stripe, Calendly, Cloudflare) are US-based companies or operate global infrastructure. Adequate safeguards under Chapter V GDPR apply in all cases:

  • European Commission Adequacy Decision under the EU–US Data Privacy Framework, where the provider is certified.
  • Standard Contractual Clauses approved by Decision (EU) 2021/914, as supplement or alternative.
  • Additional technical and organisational measures (encryption in transit and at rest, pseudonymisation, minimisation).

Per-processor details are in the recipients table of the Privacy Policy.

Amendments

This policy is reviewed and updated when new technologies are introduced, providers change or the regulatory framework evolves. The version in force will be the one published on this page with indication of the last update date. Substantial changes affecting legal basis or cookie categories will be communicated to the user by re-displaying the consent banner.