Cookie Policy

This Policy applies to every natural or legal person (a “User” or “you”) who accesses, loads, renders, caches, or otherwise interacts with the Services, whether from a web browser, mobile browser, embedded web view, application runtime, or third-party integration. It explains (a) what Cookies are; (b) which categories of Cookies and similar technologies we deploy on the Services; (c) the legal bases on which we rely to deploy them; (d) the purposes for which we, and parties acting on our behalf, use Cookie-derived data; and (e) the rights and mechanisms available to you to control and withdraw consent.

This Policy is a disclosure instrument. It is not a standalone contract and does not create independent contractual rights or obligations. To the extent information collected via Cookies constitutes “personal data,” “personal information,” or an analogous category of regulated data under Applicable Law, the processing of such information is additionally governed by our Privacy Policy, any applicable Data Processing Addendum, and the data-subject-rights procedures described therein. In the event of conflict between this Policy and the Privacy Policy, the Privacy Policy shall control.

This Policy is drafted to satisfy, and should be read in conformity with, the disclosure and consent obligations imposed by the following laws, regulations, and binding guidance of competent supervisory authorities, each as amended from time to time (collectively, “Applicable Cookie Law”):

Where Applicable Cookie Law imposes obligations more stringent than those described herein, we shall comply with the stricter standard. Nothing in this Policy shall be construed to waive, diminish, or limit any right afforded to you under Applicable Cookie Law.

A “cookie” is a small text file that is deposited by a website into the browser storage of the device from which the website is accessed. When the device subsequently communicates with the website (or with another website that can read the cookie), the cookie’s contents are transmitted back to the server, enabling the website to recognize the device, recall prior state, and associate activity across requests. Cookies are limited in size, are not capable of executing code on the device, and cannot read arbitrary files on the device outside of browser-provided storage.

In this Policy, “Cookies” is used broadly to include traditional HTTP cookies and the Similar Tracking Technologies described in Section 6.

We classify the Cookies deployed on the Services into the following four non-overlapping categories. The legal basis for processing differs by category, as noted.

The following table provides a representative (non-exhaustive) inventory of Cookies that may be set on your device when you use the Services. The definitive, real-time list of Cookies in use is surfaced in the consent management interface. Cookie names, providers, and durations may change from time to time as vendors update their products.

Cookie names prefixed with _vendor_ in the table above are placeholder references used solely for illustration; the authoritative list of vendors and cookie names is exposed in the consent management interface accessible from the site footer.

In addition to conventional HTTP cookies, the Services may deploy the following technologies that achieve functionally similar outcomes and that, where they result in the storage of information on, or access to information stored on, User devices, are subject to the same consent obligations under Applicable Cookie Law:

• Pixel tags and web beacons: transparent 1×1 images or equivalent resources embedded in pages or emails that signal a load event to a tracking server;
• Local storage and session storage: browser-side key-value stores used to retain UI state, preference flags, and cached values across page loads;
• IndexedDB: client-side structured storage used for offline-capable features;
• Device and browser fingerprinting: passive collection of device- and browser-provided attributes (user-agent, screen dimensions, installed fonts, time zone) which, in aggregate, may distinguish a device. Orno employs fingerprinting only for fraud-prevention and abuse-detection purposes consistent with our legitimate interest;
• SDK identifiers: where Orno operates a mobile application, platform-provided advertising or app-instance identifiers may be accessed subject to operating-system permission frameworks (App Tracking Transparency on iOS, Advertising ID controls on Android);
• Server-side event forwarding: in certain cases, events captured on-device are forwarded server-to-server to analytics or marketing vendors; such forwarding is subject to the same consent category as the originating Cookie.

On first access to the Services from a device or browsing context in which consent has not previously been recorded, we present a consent banner that (a) identifies Orno as the controller, (b) summarizes the categories of Cookies in use, (c) links to this Policy, and (d) provides granular, equally-prominent affirmative controls to accept, reject, or selectively configure non-essential Cookies.

Where we process Cookie-derived data on the basis of legitimate interest rather than consent (e.g., fraud-prevention fingerprinting), we balance that interest against your reasonable expectations and afford an object-and-restrict mechanism consistent with Article 21 of the GDPR.

You may withdraw or change your Cookie consent at any time. Withdrawal takes effect prospectively and does not affect the lawfulness of processing conducted prior to withdrawal.

Where you withdraw consent to a category of Cookies, associated client-side storage is cleared on the next page load and server-side forwarding to the corresponding vendors is discontinued within a commercially reasonable period not to exceed thirty (30) days.

Independent of the in-site consent banner, you may exercise the following browser-level and device-level controls:

• Browser cookie controls: every major browser (Chrome, Firefox, Safari, Edge, Brave, Arc) allows you to block all cookies, block third-party cookies, clear cookies on exit, or delete cookies on demand. Blocking all cookies may impair or prevent core functionality of the Services;
• Global Privacy Control (GPC): where your browser or a browser extension transmits a valid GPC signal, we will treat that signal as an opt-out of “sale” and “sharing” of personal information within the meaning of the CCPA/CPRA and analogous state statutes, and we will suppress non-essential Cookies accordingly, consistent with California Civil Code § 1798.135(b) and its implementing regulations;
• Do Not Track (DNT): Orno recognizes the limitations and lack of industry consensus around the legacy DNT header and does not currently rely on it as a substitute for GPC or explicit consent;
• Mobile operating-system controls: iOS App Tracking Transparency and Android’s “Reset advertising ID / Delete advertising ID” controls govern platform-level advertising identifiers and are honored by Orno’s mobile surfaces;
• Industry opt-out pages: the Digital Advertising Alliance (optout.aboutads.info), the Network Advertising Initiative (optout.networkadvertising.org), and the European Digital Advertising Alliance (youronlinechoices.eu) offer programmatic opt-outs from participating ad networks.

Where third-party Cookies are deployed on the Services, the third party is the controller, or joint controller, of the resulting processing and is independently responsible for the lawfulness of its use. Orno maintains contractual arrangements with third-party vendors that restrict their use of Cookie-derived data to the purposes authorized by Orno and the User.

The industry is in a multi-year transition away from third-party cookies. Apple Safari has blocked third-party cookies by default since 2020 under Intelligent Tracking Prevention; Mozilla Firefox applies similar restrictions under Enhanced Tracking Protection. Google Chrome has announced, rolled back, and re-sequenced its third-party cookie deprecation plan on multiple occasions through 2024 and 2025. Orno is progressively migrating analytics and marketing measurement to server-side, first-party, and aggregated-measurement approaches (including the Privacy Sandbox APIs where appropriate) and will update this Policy as those migrations proceed.

Cookie-derived data may be transferred to, processed in, and stored in jurisdictions other than the jurisdiction in which you reside, including the United States. Where personal data of individuals in the European Economic Area, the United Kingdom, or Switzerland is transferred to a jurisdiction that has not been the subject of an adequacy decision, Orno relies on the European Commission’s Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), the UK International Data Transfer Addendum, and supplementary technical and organizational measures, as described in our Data Processing Addendum. Where applicable, Orno participates in the EU-US Data Privacy Framework and its UK Extension to the extent of any self-certification in force.

The Services are not directed to children under the age of thirteen (13). Orno does not knowingly use Cookies or Similar Tracking Technologies to collect personal information from children under the age of thirteen (13) within the meaning of the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. §§ 6501–6506), nor from children under the age of sixteen (16) where a higher age of digital consent applies under Applicable Law. If we become aware that such information has been collected inadvertently, we will delete it from our systems and terminate any associated Cookie in accordance with Applicable Law.

Retention periods vary by Cookie category and individual Cookie purpose, as reflected in the inventory at Section 5. As general principles:

• Strictly necessary session Cookies are retained only for the duration of the active browsing session;
• Strictly necessary persistent Cookies (including consent records) are retained for up to twelve (12) months;
• Functional Cookies are retained for up to twelve (12) months;
• Analytics Cookies are retained for up to thirteen (13) months for first-party pseudonymous identifiers and up to twenty-four (24) months for processor-managed identifiers, whichever is shorter given the underlying purpose;
• Marketing Cookies are retained for up to thirteen (13) months;
• Consent records are retained for at least the period required to demonstrate consent to supervisory authorities under Applicable Cookie Law.

Retention periods are reviewed on an annual basis and may be shortened (never lengthened beyond the above maxima without a corresponding update to this Policy) where consistent with the underlying purpose.

Orno may update this Policy from time to time to reflect changes in our Cookie practices, to align with updated guidance from supervisory authorities, or to incorporate new legal requirements. The “Updated” badge at the top of this page reflects the date of the most recent revision. Material changes will be prominently notified in-product and, where required, will trigger re-solicitation of consent. Continued use of the Services following publication of a revised Policy constitutes acknowledgement of the revised terms, but does not substitute for any consent that must be separately obtained.

Questions regarding this Policy, requests to withdraw or modify consent, and data-subject rights requests relating to Cookie-derived data may be directed to:

By continuing to use the Services following your review of the consent banner and this Policy, you acknowledge that you have been informed of our Cookie practices consistent with Applicable Cookie Law.