Cookie Policy
Alva Intelligence LLC
Effective Date: Nov, 2025
Version: 1.0
We operate the websites A-Leads.co & joinalva.ai (the “Site”), as well as any other related products and services that refer or link to these legal terms (the “Legal Terms”) (collectively, the “Services”).
This Cookie Policy explains how Alva Intelligence LLC, a Wyoming limited liability company with principal offices at 30 N Gould Street, Suite R, Sheridan, WY 82801, uses cookies and similar technologies on our websites, web applications, mobile applications, and other online properties (collectively the Sites). The purpose of this document is to provide transparent, practical information so that visitors and users understand what tracking technologies we use, why we use them, and how a user may exercise choices regarding cookies. This Cookie Policy supplements the Alva Intelligence Privacy Policy and the Do Not Sell or Share My Personal Information Notice. Where there is any inconsistency between those instruments and this Cookie Policy, this Cookie Policy governs with respect to cookie use and choices.
Alva Intelligence provides artificial intelligence enabled analytics, lead generation, and related business tools for enterprise customers and business users. Our platforms and services depend on accurate measurement of usage, performance, and interactions. Cookies and similar technologies allow us to provide secure, stable, and personalized services. At the same time we recognize that the use of cookies implicates individual privacy. We therefore adopt a consent and transparency forward approach to cookie deployment and management. This policy describes the types of cookies we use, the purpose of each category, the third parties that may install cookies on our Sites, retention periods, mechanisms for consent and withdrawal, and the technical and organizational measures we employ to protect cookie data.
We implement cookies only where there is a lawful basis to do so. For European Union data subjects this includes consent where required under the ePrivacy Directive and the General Data Protection Regulation. For California residents we treat certain cookie-based activities as sharing under the California Privacy Rights Act and we provide opt-out mechanisms consistent with that law. Where cookies support strictly necessary service functions we deploy those cookies subject to minimal data collection and robust security.
This Cookie Policy addresses both browser level controls and in product consent management tools. It explains how consent is recorded, how consent records are retained for audit purposes, and how cookie settings are synchronized across our systems and with third-party processors. It also sets out the circumstances in which cookies will not be used or will be restricted, such as tracking minors or processing sensitive personal information.
The sections that follow provide definitions, legal bases for processing, scope, and a full explanation of cookie categories and user controls. If you have any questions about this Cookie Policy or wish to exercise a privacy preference, contact our Data Protection Officer at dpo@joinalva.ai or privacy@joinalva.ai
The central purpose of this Cookie Policy is to:
This policy enables Alva Intelligence to meet legal obligations arising from international privacy laws including the General Data Protection Regulation, the ePrivacy Directive, the California Privacy Rights Act, and other applicable national or state laws. It also supports our contractual obligations to enterprise clients who require evidence of privacy by design, documented consent records, and integration with Data Processing Agreements.
For clarity and legal precision the principal terms used in this policy are defined as follows:
These definitions are used throughout this Cookie Policy to ensure consistent interpretation.
Alva Intelligence relies on one or more lawful bases to set and read cookies, depending on the cookie category, the user’s jurisdiction, and the sensitivity of the data involved. The principal legal bases include:
For European users we follow the requirements of the ePrivacy Directive and implement a prior consent regime for non essential cookies. For California residents we treat cookie driven cross context behavioural advertising as sharing and provide opt-out pathways consistent with the Do Not Sell or Share My Personal Information Notice.
Where consent is the lawful basis we will present an affirmative request to the user prior to placing the cookie. Consent is granular across categories and recorded in a consent ledger. We will not use pre toggled consents or implicit consent models.
This Cookie Policy applies to:
The policy is global in scope. Where local law imposes stricter requirements for particular jurisdictions we will comply with the highest standard. For example European visitors receive a privacy banner requiring active consent for analytics and advertising cookies. California residents are provided explicit mechanisms to opt out of sharing and to review the Notice of Financial Incentive where applicable.
This policy does not govern cookies set by third parties outside our control. We provide details of common third party cookies and links to third party privacy resources; however the third party’s own privacy policy governs their use. Where we use third parties we require contractual commitments to limit use, prevent resale, and to implement appropriate technical and organizational measures consistent with our Data Processing Agreements and vendor security standards.
This Cookie Policy is intended to be read alongside the Alva Intelligence Privacy Policy and the Do Not Sell or Share My Personal Information Notice.
The Privacy Policy explains broader data collection, use, retention, international transfers, and individual rights. The Cookie Policy focuses specifically on browser and client side tracking technologies and their management. Where cookie data is combined with other identifiers in a manner that results in personal data as defined by law the combined processing is described in the Privacy Policy and, where applicable, the Data Processing Agreement.
If a user elects to participate in the Leads-for-Data Program the interplay between cookie usage and that program will be governed by the financial-incentive notice and by the opt-in consent the participant provides. Where cookie data contributes to program eligibility or processing we will make that clear at the time of opt-in.
Alva Intelligence’s Data Protection Officer is responsible for the governance of this Cookie Policy, including the maintenance of the consent ledger, vendor assessments, and annual review of cookie inventories. The Security team implements technical controls to enforce cookie preferences across systems and data flows. The Product team ensures that no cookies are placed without integration through the consent management framework.
We maintain a Cookie Inventory and a Consent Audit Log that records the cookie name, purpose, category, retention period, third party recipient, legal basis, and the timestamped consent decision. These records are retained for audit purposes in accordance with our retention schedule. The Cookie Inventory is reviewed quarterly and updated whenever new tags are added or removed.
Changes to cookie technology, regulatory developments, or business decisions may require amendment of this Cookie Policy. Material changes will be published on the Sites with an updated effective date and a summary of key changes. Users will be offered the opportunity to review and, where required by law, re-consent to changes that alter the scope of non-essential cookie processing.
This Cookie Policy applies to every website, platform, product, or digital environment operated or controlled by Alva Intelligence LLC (“Alva Intelligence,” “we,” “our,” or “us”) where cookies, web beacons, pixels, or comparable tracking technologies are used.
It covers all forms of access including desktop, mobile, tablet, and connected devices whether accessed directly by an end user or indirectly through integrated systems, application programming interfaces (APIs), or third-party service providers.
The scope of this policy extends to the collection, storage, retrieval, and transfer of information obtained through cookies, regardless of whether such information is personally identifiable. This includes pseudonymous identifiers, device IDs, session keys, preference settings, and aggregated analytics data that, when combined with other datasets, may constitute personal information under applicable law.
The purpose of this broad applicability is to ensure consistent treatment of all cookie-related data, whether it is processed by Alva Intelligence directly or on its behalf by authorized vendors.
This policy governs all online assets and technology environments operated or controlled by Alva Intelligence, including but not limited to:
This policy also applies to any new website, application, or online service that Alva Intelligence may introduce in the future, unless superseded by a more specific notice or contract provision.
This Cookie Policy applies to all individuals who access or interact with our Sites, including but not limited to:
For all these categories, cookies may collect data such as device type, browser settings, IP address, referrer URL, session duration, and activity logs. When combined with other identifiers, this data may constitute personal information. Alva Intelligence treats all such data with the same level of confidentiality and protection as personal data under applicable privacy laws.
Because Alva Intelligence serves users globally, this Cookie Policy incorporates multi-jurisdictional compliance standards. Specifically, it applies to:
Where different jurisdictions impose conflicting standards, Alva Intelligence applies the most privacy-protective standard reasonably achievable across its digital assets.
The Sites may integrate third-party tools or content, such as analytics services, advertising networks, video-hosting platforms, or social-media widgets. These integrations may allow third parties to set or access cookies on the user’s device.
To mitigate risk and preserve user choice, Alva Intelligence:
Third-party cookies are subject to the user’s consent preferences. Where consent is withheld or withdrawn, Alva Intelligence enforces that choice using a consent-management platform (CMP) that blocks non-approved cookies from loading.
This policy applies to all data processing activities involving cookies under Alva Intelligence’s control. It does not apply to:
However, to the extent cookies or similar identifiers from the Sites are accessible to or integrated with such environments, those data flows remain within this policy’s scope.
Cookies covered under this policy include:
The same governance principles apply to all these technologies. They are treated collectively as “cookies” for policy purposes even where the technical implementation differs.
Alva Intelligence limits cookie data collection to the minimal scope necessary for legitimate business and operational purposes. We do not use cookies to capture sensitive categories of personal data such as health, biometric, racial, or financial information. Cookie identifiers are never used for automated decision-making that produces legal or similarly significant effects on individuals.
Analytics cookies are configured to truncate or anonymize IP addresses wherever feasible, and geolocation data derived from cookies is generalized to regional levels. Access to raw cookie logs is strictly limited to authorized personnel under confidentiality agreements.
Cookies set by Alva Intelligence may operate across multiple devices or sessions associated with the same user or organization. This occurs only when a registered user logs in using identical credentials across devices or when an enterprise client enables analytics integrations that span multiple domains. Cross-device tracking is designed to enhance legitimate functions such as security verification, fraud prevention, and analytics consistency, and never to expand advertising reach without consent.
Where cookie data may qualify as “cross-context behavioral advertising” under CPRA definitions, users are clearly informed and may exercise the right to opt out through the Do Not Sell or Share My Information link available on every page.
This Cookie Policy remains effective for as long as the Sites are operational and cookies are deployed. Users’ cookie preferences remain in force until they are modified or withdrawn.
When material updates are made to cookie functionality or categories, users are prompted to review new disclosures and, where applicable, to provide updated consent.
Each version of the Cookie Policy includes its effective date and version number. Older versions remain archived for a minimum of five years for compliance verification and recordkeeping.
By defining a clear scope that includes digital assets, user categories, jurisdictions, and third-party integrations, Alva Intelligence ensures that this Cookie Policy covers every conceivable use of tracking technologies under its control. This comprehensive approach reflects our commitment to transparency, accountability, and consistent protection of personal information regardless of where or how it is processed.
Alva Intelligence LLC (“Alva Intelligence,” “we,” “our,” or “us”) uses a structured and standardized classification of cookies and tracking technologies to ensure transparency, user control, and compliance with applicable data-protection laws. Cookies serve various purposes ranging from security and essential service delivery to advanced analytics, functional personalization, and limited marketing integrations.
Each category described below has been assessed for necessity, proportionality, and legal justification. The classification enables users to make informed consent decisions using our Cookie Preference Center and ensures that non-essential cookies are deployed only after consent has been explicitly granted where required.
Strictly necessary cookies enable the core functionality of Alva Intelligence websites and applications. Without these cookies, essential services such as account login, secure session maintenance, shopping cart functionality (where applicable), and preference retention cannot function properly.
These cookies also assist in fraud prevention, network security, and load balancing, ensuring stable service delivery across distributed systems.
Strictly necessary cookies do not store personally identifiable information beyond what is required for the operation of the site or application session.
Processing of strictly necessary cookies is based on contract performance (where they are required to deliver a user-requested service) or legitimate interest in ensuring platform security and stability. Consent is not required for these cookies, though their existence is disclosed for transparency.
Most strictly necessary cookies expire when the session ends or after a short duration (usually 24 hours). Some preference cookies may persist longer solely to record compliance preferences.
Performance and analytics cookies collect aggregated, pseudonymized information about how users interact with the Sites. The purpose is to understand usage trends, identify performance bottlenecks, measure content effectiveness, and optimize design and navigation.
These cookies support business operations by providing statistical insight rather than personal profiling.
No precise geolocation, personal identifiers, or behavioral profiles are created from this data.
In jurisdictions governed by GDPR or the ePrivacy Directive, processing of analytics cookies is based on consent obtained through the Cookie Preference Center.
In jurisdictions applying CPRA or equivalent frameworks, analytics cookies that do not constitute “sharing” may be used under legitimate interest, provided users have an opportunity to opt out.
Analytics cookies typically persist for 12–24 months, depending on configuration. Data collected is anonymized and aggregated within 90 days. All analytics logs are subject to strict access control and audit trails.
Functional cookies enhance user experience by remembering preferences, such as selected language, region, display settings, and customized dashboards. They allow personalization that improves usability but are not strictly required for the system to operate.
Where personalization involves user behavior or inferred preferences, consent will be required before activation.
Processing of functional cookies may rely on consent or legitimate interest depending on the jurisdiction and whether the data creates identifiable behavioral patterns. For European users, explicit consent is generally required before setting such cookies.
Functional cookies are persistent for a defined duration, typically six to twelve months, or until the user deletes them manually. Retention ensures that returning visitors enjoy consistent and customized interactions without reconfiguration.
Advertising and targeting cookies are used to deliver relevant marketing content, limit repetitive advertising, and measure campaign effectiveness. They help Alva Intelligence understand which promotions and product offerings are of interest to users and provide metrics to improve advertising strategy.
Where these cookies are placed by third-party advertising networks, they may track user activity across different websites. Such practices qualify as “sharing” under the California Privacy Rights Act and require clear opt-out options.
No sensitive data categories (such as health, financial, or biometric data) are collected through advertising cookies.
Advertising and targeting cookies are set only with explicit, opt-in consent under GDPR, ePrivacy Directive, and similar frameworks.
Under CPRA, these cookies fall under the definition of “sale” or “sharing” of personal information for cross-context behavioral advertising. Users have the right to opt out of such practices via the Do Not Sell or Share My Information link or by adjusting their cookie preferences.
Advertising cookies typically persist from 30 days to one year, depending on campaign duration. Data is periodically purged or re-anonymized once it is no longer required for the stated purpose.
Social media cookies facilitate interaction with third-party platforms, such as enabling content sharing, embedding social feeds, or supporting single sign-on (SSO) login through platforms like LinkedIn, Google, or Facebook. These cookies are primarily controlled by the respective third parties and are subject to their own privacy and cookie policies.
Processing relies on user consent, which is collected through the Cookie Preference Center prior to activation. Alva Intelligence ensures that no social media tracking is enabled until consent has been granted.
Users are encouraged to review the cookie and privacy policies of third-party social media networks for further details on their independent practices.
Social media cookies remain active only during the user’s session unless the third-party provider uses persistent cookies to maintain preferences. Users can delete these cookies at any time through their browser or the third-party account settings.
Preference cookies store a user’s privacy and consent settings. They are critical for ensuring compliance with cookie laws and for honoring user choices consistently across sessions.
These cookies record whether a user has accepted, rejected, or customized cookie categories and prevent consent banners from reappearing unnecessarily.
Processing is based on legal obligation and legitimate interest to comply with CPRA, GDPR, and ePrivacy requirements. These cookies are considered strictly necessary for compliance and therefore do not require additional consent.
Consent records are retained for up to five years for audit and regulatory verification. The cookies themselves typically persist for one year to ensure continuity of preference recognition.
| Cookie Category | Purpose | Lawful Basis | Consent Required | Typical Retention |
|---|---|---|---|---|
| Strictly Necessary | Enable website functionality and security | Contract / Legitimate Interest | No | Session / 24 hrs |
| Performance & Analytics | Understand usage and improve service | Consent / Legitimate Interest | Yes (EU/EEA) | 12–24 months |
| Functional | Personalize experience and remember preferences | Consent / Legitimate Interest | Yes (EU/EEA) | 6–12 months |
| Advertising & Targeting | Deliver relevant ads and measure campaigns | Consent | Yes | 30 days–1 year |
| Social Media | Enable integrations and social features | Consent | Yes | Session–6 months |
| Preference Management | Store consent choices | Legal Obligation / Legitimate Interest | No | 1 year |
Alva Intelligence reviews the categories of cookies used across all digital properties at least once every quarter. The review includes:
Changes to cookie categories or legal bases trigger updates to this policy and to the Cookie Inventory (Exhibit A). Such updates are documented in the Cookie Governance Register and reflected in the Privacy Compliance Reports submitted annually for SOC 2 Type 2 and GDPR audits.
The Cookie Inventory is a comprehensive record of all cookies and comparable tracking technologies deployed across the Alva Intelligence digital environment.
It serves three functions:
This inventory is reviewed and certified by the Data Protection Officer (DPO) and the Information Security team every quarter, or more frequently when new integrations or vendors are introduced. Each cookie entry includes its name, provider, category, purpose, type, duration, lawful basis, and opt-out mechanism.
The inventory is divided into six principal categories corresponding to Section 4 of this policy:
For ease of review, the inventory table below uses a consistent column layout. Cookies marked with an asterisk (*) may be set by trusted third-party processors operating under written Data Processing Agreements.
| Cookie Name | Provider / Domain | Category | Purpose / Description | Type | Duration | Lawful Basis | Opt-Out / Control Mechanism |
|---|---|---|---|---|---|---|---|
| auth_session_id | alvaintelligence.com | Strictly Necessary | Maintains active login session for authenticated users. Prevents unauthorized reuse of session tokens. | First-party, HTTP | Session | Contract performance | None (essential) |
| csrftoken | alvaintelligence.com | Strictly Necessary | Provides cross-site request-forgery protection for web forms. | First-party, HTTP | 24 hours | Legal obligation / Security | None (essential) |
| cookieConsentStatus | alvaintelligence.com | Preference Mgmt | Records user consent decisions to prevent repeated banner displays. | First-party, persistent | 1 year | Legitimate interest | Adjustable via Cookie Preference Center |
| _ga * | Google Analytics | Performance Analytics | Generates anonymous statistics on website traffic and usage. | Third-party, persistent | 24 months | Consent (EU) / Legitimate interest (US) | Google Analytics Opt-Out Add-on |
| _gid * | Google Analytics | Performance Analytics | Distinguishes unique users for analytics session counting. | Third-party, persistent | 24 hours | Consent | Google Analytics Opt-Out Add-on |
| _gat * | Google Analytics | Performance Analytics | Throttles request rate to prevent server overload. | Third-party, persistent | 1 minute | Consent | Browser add-on or Preference Center |
| ahoy_visit / ahoy_visitor | alvaintelligence.com | Performance Analytics | Tracks visit and visitor IDs for internal analytics system. | First-party, persistent | 12 months | Legitimate interest | In-site Preference Center |
| lang_pref | alvaintelligence.com | Functional | Saves user language preference across sessions. | First-party, persistent | 6 months | Consent | Browser settings |
| ui_theme_mode | alvaintelligence.com | Functional | Stores preferred display theme (light/dark). | First-party, persistent | 6 months | Legitimate interest | Browser settings |
| user_region | alvaintelligence.com | Functional | Remembers region for localized content and currency. | First-party, persistent | 12 months | Consent | Preference Center |
| _fbp * | Meta Platforms | Advertising Targeting | Tracks visits for Facebook ad attribution and remarketing. | Third-party, persistent | 90 days | Consent | Facebook Ad Preferences / Do Not Sell Link |
| _gcl_au * | Google Ads | Advertising Targeting | Links ad-click data with conversions on our site. | Third-party, persistent | 90 days | Consent | Google Ads Settings |
| hubspotutk * | HubSpot | Advertising Targeting | Tracks engagement with marketing emails and landing pages. | Third-party, persistent | 13 months | Consent | HubSpot Opt-Out Page |
| linkedin_oauth_ * | Social Media | Supports LinkedIn single sign-on and job-application features. | Third-party, persistent | Session | Consent | LinkedIn Privacy Settings | |
| yt_remote_session_app * | YouTube | Social Media | Maintains user video playback preferences on embedded players. | Third-party, persistent | Session | Consent | YouTube Cookie Settings |
| cmp_consent_id | alvaintelligence.com | Preference Mgmt | Assigns unique ID for consent transaction and audit trail. | First-party, persistent | 1 year | Legal obligation | None (required for audit) |
| policy_version_recorded | alvaintelligence.com | Preference Mgmt | Logs the Cookie Policy version accepted by user. | First-party, persistent | 1 year | Legitimate interest | None |
(Table continues on next page for internal documentation and new integrations)
Each cookie is tagged with metadata in Alva Intelligence’s internal Cookie Registry. Metadata includes deployment environment (production, staging, testing), responsible system owner, and change-control reference. The registry feeds automatically into the consent-management platform to ensure consistent disclosures across web properties.
When a user submits cookie preferences, the Consent Management Platform (CMP) assigns a unique consent ID stored both locally (cmp_consent_id) and in a secure, encrypted database. This allows Alva Intelligence to produce auditable proof of consent upon regulatory request.
The CMP synchronizes preferences across browsers and devices whenever users authenticate through their accounts.
All analytics identifiers are pseudonymized using randomized alphanumeric strings. Where IP addresses are collected for analytics, they are truncated to the first two octets before storage.
Advertising and targeting cookies are configured to use aggregation mode whenever possible to reduce exposure of personal identifiers.
Each third-party cookie provider is subject to a Vendor Risk Assessment and must execute a Data Processing Agreement with Alva Intelligence. Vendors undergo annual privacy and security audits to confirm compliance with GDPR Article 28 obligations and SOC 2 criteria.
Cookies from vendors that fail re-certification are removed or replaced within thirty days.
Cookie data retention follows the schedule defined in Section 17 of the Privacy Policy. Automated scripts execute nightly to identify cookies exceeding their declared lifespan and purge them from the database.
Expired consent records are flagged for deletion during the next quarterly compliance cycle.
All new cookies or tracking scripts undergo technical testing in a controlled staging environment. The test confirms correct categorization, banner integration, and respect for user consent before public deployment. Test results are logged in the Cookie Deployment Change Record maintained by the Security team.
For domains and subdomains under Alva Intelligence’s control, a shared cookie namespace is used to maintain consistency. Cross-domain cookies are configured with the “SameSite=Lax” attribute unless functionality requires broader access, in which case justification is documented and approved by the DPO.
All cookies are set with the Secure and HttpOnly attributes whenever technically feasible to protect against interception or client-side manipulation. Sensitive cookies employ the SameSite=Strict attribute to prevent cross-site request attacks.
Transport occurs exclusively over HTTPS connections, verified through automated TLS scanning.
Alva Intelligence employs automated scanning tools to detect new or changed cookies. Scans run weekly and feed results into the Cookie Registry for human verification. Discrepancies trigger review by the Privacy Engineering team. Each confirmed change generates a Cookie Inventory Update Record which is appended to the quarterly compliance report.
The Cookie Inventory is version-controlled using internal document-management systems. Each published version includes:
Historical versions are archived for a minimum of five years. Users may request a copy of prior inventories by contacting privacy@joinalva.ai.
For public display on the website, a summarized inventory derived from this master table is presented in human-readable form under the heading “Cookie Details” in the Cookie Preference Center.
This summary omits internal identifiers and technical attributes while maintaining transparency about providers, purposes, and durations. The publicly displayed inventory is automatically refreshed when internal updates are approved.
Alva Intelligence affirms that all cookies deployed across its Sites have been reviewed for necessity, legality, and proportionality. Each cookie serves a defined and documented purpose, aligned with business need and user expectation.
The DPO, assisted by the Compliance and Security teams, certifies the accuracy of this inventory as of the effective date and confirms that no undeclared or unapproved tracking technologies are active.
Ongoing governance ensures that cookie usage remains limited, auditable, and consistent with the highest standards of corporate compliance and consumer privacy protection.
Alva Intelligence LLC (“Alva Intelligence,” “we,” or “our”) uses cookies and related tracking technologies as integral components of our website and application architecture.
Cookies allow us to provide secure, efficient, and personalized services by enabling functionality that cannot operate without short-term data persistence.
They also support our analytics framework, optimize system performance, and enhance the overall experience of users and enterprise clients interacting with our digital ecosystem.
Each cookie deployed serves a documented business purpose, subject to pre-deployment review, privacy risk assessment, and ongoing monitoring.
No cookie is used arbitrarily or beyond its declared purpose.
The functions covered under this section fall into the following operational domains:
These domains collectively ensure that cookies enhance and not compromise the privacy, transparency, and functionality of the Alva Intelligence platform.
Authentication cookies establish and maintain secure sessions between users and Alva Intelligence applications. When a user logs in to an account or accesses restricted content, a unique encrypted session identifier is generated and stored in a cookie. This cookie confirms the user’s identity to the server and authorizes access without requiring repeated logins.
Secure, HttpOnly, and SameSite=Strict prevent the cookie from being intercepted or modified.Authentication cookies are essential for contract performance; they enable users to access their accounts and licensed content. Therefore, consent is not required for these cookies under GDPR Article 6(1)(b) and CPRA guidelines, though their operation is disclosed for transparency. Audit records of authentication sessions are retained securely in compliance with SOC 2 Type 2 standards.
Cookies play a critical role in maintaining the integrity and security of Alva Intelligence’s digital infrastructure. They help prevent unauthorized access, detect suspicious activity, and enforce consistent security settings across all sessions and browsers.
Security cookies contain no personal identifiers beyond pseudonymous session tokens. Data collected is used only for real-time protection and is deleted automatically after session closure or short retention intervals.
Use of security cookies aligns with the principle of data minimization under GDPR Article 5(1)(c) and the reasonable security measures standard under CPRA Section 1798.100(e).
The Information Security team reviews cookie-based security mechanisms quarterly to confirm that they remain necessary, proportionate, and current with emerging cybersecurity best practices.
Performance cookies measure how our Sites and applications function under actual user conditions. They allow us to evaluate load times, page responsiveness, content rendering, and user flow efficiency.
Performance cookies collect pseudonymous metrics and environmental data only; they do not contain names, contact information, or identifiable personal details.
These cookies assist in aggregate analysis to ensure a consistent, reliable user experience.
Where required by law (e.g., under the ePrivacy Directive), performance cookies are enabled only after consent. Otherwise, they operate under legitimate interest in maintaining service quality. Data is anonymized within 30 days and retained in aggregate for trend analysis for up to 12 months.
Analytics cookies help Alva Intelligence improve its products through insights about usage patterns, feature engagement, and navigation trends.
The goal is to understand what aspects of our services users value and where usability improvements are needed.
Analytics cookies measure:
To ensure privacy, IP addresses are truncated or anonymized, and user IDs are hashed. Data collected is aggregated before analysis.
Alva Intelligence uses privacy-compliant analytics tools such as Google Analytics (configured for IP anonymization) and internal event-tracking systems. No analytics data is shared with third parties for advertising purposes. All third-party processors are bound by Data Processing Agreements limiting their use of data solely to statistical reporting.
Under GDPR, analytics cookies require consent. Under CPRA, their use is permissible as a legitimate business function provided no personal information is sold or shared.
Users may opt out of analytics cookies at any time through the Cookie Preference Center.
Functional cookies provide enhanced usability and customization across the Alva Intelligence platform. They remember user preferences, store interface settings, and ensure that returning users experience consistent functionality.
Functional cookies contain limited configuration data and never store sensitive personal information. They are encrypted at rest and subject to the same retention controls as analytics data. Users can disable these cookies at any time, though doing so may reduce usability.
In the EU/EEA, consent is required before setting non-essential functional cookies. In other jurisdictions, use is permissible based on legitimate interest where personalization is expected and minimally intrusive. Functional cookies are reviewed annually to ensure their continued relevance.
Advertising cookies help measure the performance of marketing campaigns and support limited remarketing to business prospects who have shown legitimate interest in Alva Intelligence products. These cookies allow attribution of marketing spend and inform strategic planning but are never used to build individual consumer profiles.
Under CPRA, advertising cookies constitute “sharing” of personal information if they link cross-context behavior. Users can opt out at any time via the Do Not Sell or Share My Information link. Under GDPR, advertising cookies require explicit prior consent. Once denied, Alva Intelligence’s systems automatically block third-party tracking pixels.
Cookies also serve a compliance function by storing user preferences, consent records, and policy version identifiers. This ensures that user decisions are respected across sessions and that Alva Intelligence can produce audit evidence for regulators.
These cookies are classified as strictly necessary for compliance under both GDPR and CPRA, as they document consent and prevent non-compliant cookie deployment. They do not require separate consent.
Consent records are stored for up to five years for audit purposes. Users may request confirmation of their consent status or deletion of consent records by contacting privacy@joinalva.ai.
Alva Intelligence incorporates privacy-by-design and data-minimization principles in every aspect of cookie use. Before introducing any new tracking technology, the Product and Legal teams jointly assess whether the same function can be achieved through less intrusive means.
No cookie is implemented unless its necessity, proportionality, and compliance profile are documented and approved.
Alva Intelligence also conducts annual privacy impact assessments (PIAs) for all cookies and related technologies. These assessments evaluate:
Only cookies that pass this review remain active.
Cookie use is not static. As technologies evolve, Alva Intelligence continuously refines its cookie architecture to align with evolving privacy standards, including guidance from the California Privacy Protection Agency, the European Data Protection Board, and industry best practices.
The Data Protection Officer, General Counsel, and Information Security teams jointly oversee this process through the Privacy Governance Framework.
Quarterly reports are issued to executive management summarizing cookie activity, opt-out metrics, vendor status, and upcoming regulatory changes.
This ongoing commitment ensures that every cookie deployed by Alva Intelligence continues to support legitimate business goals while preserving transparency, fairness, and the highest level of privacy protection for every user.
Alva Intelligence LLC (“Alva Intelligence,” “we,” or “our”) partners with selected third-party service providers to support certain technical and functional aspects of our websites and online applications.
These providers may set or access cookies on user devices as part of their service delivery.
Third-party cookies are used only where they are necessary to operate, maintain, or improve platform performance, and they are deployed in compliance with this policy, the Privacy Policy, and applicable data-protection laws.
The purpose of this section is to explain who these third parties are, the scope of their participation, how we control and monitor their actions, and what rights users have in relation to cookies set by these providers.
Alva Intelligence engages with four main categories of third-party cookie providers:
Each third-party relationship is evaluated to determine whether cookies placed by the provider qualify as first-party (operated through Alva Intelligence’s domain) or third-party (operated independently).
Regardless of classification, every third-party cookie is subject to legal, contractual, and technical control mechanisms described in this section.
Before authorizing any third-party cookie or tracking tool, Alva Intelligence executes a Data Processing Agreement (DPA) with the vendor.
The DPA includes, at a minimum:
These agreements ensure that cookie-related data remains under contractual control throughout its lifecycle.
If a third-party provider processes cookie data outside the United States or European Economic Area, Alva Intelligence uses approved transfer mechanisms such as Standard Contractual Clauses (SCCs) under GDPR Article 46 or equivalent safeguards.
Where applicable, Transfer Impact Assessments (TIAs) are conducted to evaluate privacy risks associated with cross-border data movement.
Before integration, each provider undergoes a Privacy and Security Due Diligence Assessment that evaluates:
Providers that fail to meet Alva Intelligence’s privacy and security benchmarks are not approved for deployment.
Approved vendors are monitored continuously through:
If a third-party provider is found to be setting unapproved cookies or deviating from contractual terms, Alva Intelligence immediately suspends integration and initiates remediation or termination procedures.
| Provider | Primary Function | Cookie or Identifier Examples | Data Category | Lawful Basis | Retention |
|---|---|---|---|---|---|
| Google LLC (Google Analytics) | Performance analytics and usage reporting | _ga, _gid, _gat | Pseudonymous usage data | Consent (EU), Legitimate Interest (US) | 24 months |
| Meta Platforms, Inc. | Advertising attribution and conversion tracking | _fbp | Marketing, ad performance metrics | Consent | 90 days |
| HubSpot, Inc. | Marketing automation and lead tracking | hubspotutk | Engagement data | Consent | 13 months |
| LinkedIn Corporation | Single sign-on, job posting, and audience insights | li_oatml, bcookie | Social media interaction data | Consent | 6 months |
| YouTube (Google Ireland Ltd.) | Embedded video playback and performance | YSC, VISITOR_INFO1_LIVE | Multimedia playback metrics | Consent | Session–6 months |
| Cloudflare, Inc. | Network security, load balancing | __cf_bm | Technical data only | Legitimate Interest | 24 hours |
This list represents typical third-party relationships as of the effective date. A full, current list is available in the Cookie Inventory (Exhibit A) and updated quarterly.
Users can control or disable third-party cookies through the Cookie Preference Center, which operates via a certified Consent Management Platform.
When a user selects “Reject All” or disables a category of cookies, the CMP automatically prevents the associated third-party scripts from loading on the website.
Preferences are stored and honored across sessions, unless the user clears browser cookies or revisits after a policy update.
Alva Intelligence honors recognized browser-based privacy signals, including Global Privacy Control (GPC).
When a GPC signal is detected, all non-essential third-party cookies are automatically disabled, and data sharing for cross-context behavioral advertising is halted in accordance with CPRA Section 1798.135.
In addition to internal controls, users may exercise opt-outs directly through provider tools, such as:
These independent mechanisms operate outside Alva Intelligence’s systems but complement our own consent framework.
All third-party data processing is governed by the principle of data minimization.
Only the information necessary to fulfill the service’s technical or analytical purpose is transmitted.
For example:
Third-party providers are required to confirm deletion of temporary datasets after analytical processing.
Some third-party providers operate across multiple websites or applications.
When Alva Intelligence integrates with such networks, we configure them to operate in restricted scope meaning they cannot use data collected from our domain to profile users on unrelated websites.
We enforce this restriction through:
Under CPRA, any remaining cross-context activity is treated as “sharing,” subject to opt-out rights.
To meet regulatory and contractual accountability requirements, Alva Intelligence maintains a Third-Party Cookie Register, which includes:
The register is maintained by the DPO and reviewed quarterly. Records are retained for at least five (5) years as evidence of compliance with GDPR Article 30 and CPRA Section 1798.130(a)(6)(C).
If any third-party provider violates contractual or regulatory requirements related to cookie data, Alva Intelligence will:
Alva Intelligence has never sold personal data and will not authorize any third-party provider to use cookie-collected data for resale, profiling, or any form of secondary marketing.
Users may contact privacy@joinalva.ai to obtain a current list of active third-party providers and their respective data-processing activities. Requests are typically fulfilled within 30 days, consistent with CPRA and GDPR timelines. Alva Intelligence will also cooperate with any lawful requests from regulatory authorities concerning third-party cookie disclosures and compliance documentation.
Through robust due diligence, contractual restrictions, technical enforcement, and transparent reporting, Alva Intelligence ensures that third-party cookies operate solely within authorized parameters and that no external entity may process personal information obtained through our Sites for its own purposes.
This disciplined vendor-management program reflects Alva Intelligence’s commitment to ethical data stewardship, accountability, and compliance with the highest global privacy standards.
Alva Intelligence LLC (“Alva Intelligence,” “we,” or “our”) employs cookies and comparable tracking technologies not only to deliver core platform functionality but also to enhance the intelligence, accuracy, and personalization of its products and services.
This section describes how cookie-collected data supports artificial intelligence (AI) models, user personalization, and feature optimization, while ensuring compliance with data-protection laws such as the California Privacy Rights Act (CPRA), the General Data Protection Regulation (GDPR), and recognized ethical AI frameworks.
AI enhancement through cookie data operates exclusively within a privacy-by-design and data-minimization framework. All data used for model training or personalization is aggregated, pseudonymized, and processed under strict internal governance protocols that ensure no personal data is used for automated decision-making that produces legal or similarly significant effects.
The processing of cookie-derived data for personalization and AI improvement is conducted under the following principles:
The lawful bases for processing include consent (for EU/EEA users and where CPRA defines the use as “sharing”) and legitimate interest (for aggregated analytics that improve service performance without personal profiling).
The data derived from cookies that may be used to enhance personalization or AI systems includes:
At all times, this data remains pseudonymous and is decoupled from direct personal identifiers.
Where cookie identifiers are linked to authenticated users for account continuity, the data is subject to strict role-based access controls and encrypted both in transit and at rest.
Alva Intelligence uses aggregated cookie-based telemetry to refine internal AI models that power features such as lead-generation intelligence, search result ranking, predictive analytics dashboards, and content relevance optimization. These models rely on de-identified behavioral data, not raw personal data. Data pipelines are configured to anonymize identifiers prior to ingestion into machine-learning environments.
The AI systems process metrics such as page loading efficiency, feature adoption rates, and anonymized engagement sequences to predict how users interact with content. This feedback loop allows Alva Intelligence to improve product performance and deliver relevant insights to enterprise clients without profiling individuals.
Each AI model trained with cookie-related data includes documentation of:
This documentation is reviewed semiannually by the Data Protection Officer (DPO) and the AI Governance Committee, ensuring accountability and compliance with emerging AI regulatory standards.
Cookies are also used to personalize the individual user experience in ways that are transparent, non-intrusive, and user-controlled. Personalization aims to make navigation intuitive, reduce redundant steps, and ensure that the interface adapts to a user’s known preferences or past interactions.
Personalization cookies are not used to infer sensitive traits or behavioral profiles. They enhance usability and operational efficiency while preserving privacy.
Users can opt out of personalization at any time through the Cookie Preference Center or by disabling functional and analytics cookies in their browser. When personalization is disabled, Alva Intelligence defaults to a neutral configuration that functions identically for all users.
Before cookie data is used in analytics or AI training, it undergoes a rigorous anonymization process that includes:
These methods ensure that cookie-derived data cannot be re-linked to identifiable individuals, even within internal systems.
All cookie data used for personalization or AI purposes is protected through multiple layers of security:
Any access to AI or personalization data is logged, reviewed, and periodically audited under SOC 2 Type 2 controls.
Alva Intelligence obtains consent for cookies used in personalization or AI functions through a layered consent interface that includes:
Consent is collected prior to setting non-essential cookies and may be withdrawn at any time without affecting access to core services.
Whenever a new AI-driven feature uses cookie data, Alva Intelligence provides a transparent disclosure in the product interface or policy updates.
We also maintain a “Personalization and AI Practices” page that explains which features rely on cookie-based analytics and what safeguards apply.
Alva Intelligence expressly prohibits the use of cookie-derived data for:
All cookie-based personalization remains contextual, operational, and user-centric.
AI enhancement operates within defined ethical and legal constraints that prioritize fairness, explainability, and accountability.
Cookie-derived datasets used in AI systems are retained only as long as necessary to achieve the training or testing objective. Retention periods are documented in the Data Retention and Deletion Policy and follow the principles outlined in Section 17 of the Privacy Policy.
When a dataset is retired:
This ensures that data lifecycle management extends beyond cookies to all derivative uses.
The AI Governance Committee, composed of the Data Protection Officer, General Counsel, and Chief Technology Officer, reviews all personalization and AI activities that rely on cookie data.
Audits verify that:
Findings are documented in the Annual Privacy and AI Compliance Report, which forms part of Alva Intelligence’s SOC 2 Type 2 and GDPR accountability evidence.
By combining robust anonymization, strict consent controls, and ethical governance, Alva Intelligence ensures that the use of cookie-derived data for personalization and AI development remains both responsible and transparent.
Our goal is to improve efficiency, relevance, and user experience without ever compromising individual privacy or autonomy.
This integration of compliance, security, and innovation represents the core of Alva Intelligence’s approach to trustworthy artificial intelligence.
The management of cookie duration and retention is central to Alva Intelligence LLC’s (“Alva Intelligence,” “we,” or “our”) data-protection governance. Cookies are not retained indefinitely; each category has a predetermined expiration period aligned with its operational necessity and legal requirements. This section outlines how we define, monitor, and enforce these lifecycles to maintain transparency, accountability, and compliance.
Alva Intelligence distinguishes between cookie duration (the time a cookie remains on a user’s device) and data retention (the time related records remain stored on Alva Intelligence’s servers or with approved processors).
Both are governed by clear schedules and automated controls to ensure data is held no longer than necessary.
Session cookies are temporary identifiers created when a user visits our website or accesses our platform. They enable essential functions such as authentication, page navigation, and secure transmission of form data. These cookies are deleted automatically once the browser is closed or the session expires.
Duration: Active only during the user’s browsing session (typically less than 24 hours).
Examples: auth_session_id, csrftoken, session_id.
Persistent cookies remain stored on the user’s device beyond the current browsing session.
They are used to remember login preferences, language settings, and consent choices or to provide long-term analytics insights in aggregated form.
Each persistent cookie is configured with a defined expiration date.
Once expired, the cookie becomes inactive and is automatically deleted by the browser or upon a user’s manual clearing of cookies.
Duration: Typically 30 days to 24 months, depending on purpose and consent type.
Examples: _ga, _fbp, cookieConsentStatus, policy_version_recorded.
Third-party cookies are deployed by external service providers integrated into Alva Intelligence’s systems, such as analytics or marketing tools. These cookies are subject to the provider’s retention policies, but Alva Intelligence imposes additional limits through contractual terms and periodic audits.
Duration: Governed by provider settings (commonly 30–90 days).
Examples: hubspotutk, _gcl_au, li_oatml.
| Cookie Category | Typical Duration | Expiration Trigger | Data Retention (Server Side) | Automatic Deletion |
|---|---|---|---|---|
| Strictly Necessary | Session / ≤24 hrs | Session termination | None beyond operational log | Immediate (end of session) |
| Functional | 6–12 months | User preference change / expiration date | Up to 12 months | Yes, via browser or user opt-out |
| Analytics | 12–24 months | Time limit / withdrawal of consent | Aggregated after 90 days | Automated deletion post-expiry |
| Advertising | 30–365 days | Campaign end / opt-out signal | Aggregated metrics retained 90 days | Yes, per campaign lifecycle |
| Social Media | Session–6 months | Logout or cookie expiry | Not retained by Alva Intelligence | Automatic per third party |
| Preference Management | 1 year | New policy version / preference reset | 5 years (audit log only) | Browser deletion or expiry |
This matrix reflects the default retention plan across all web properties managed by Alva Intelligence as of the effective date. All durations are subject to review and update in response to changes in regulatory or operational requirements.
Cookie-derived data refers to information collected or generated from cookies that is processed and stored within Alva Intelligence’s systems or secure cloud infrastructure.
The retention of this data follows the same minimization principle applied to cookies themselves.
Alva Intelligence uses automated expiration mechanisms to enforce cookie lifecycles. Each cookie set by our systems includes a max-age attribute, which instructs browsers to delete the cookie automatically after a defined period. Server-side systems monitor and flag expired cookies for deletion.
Every 24 hours, automated purge jobs run within Alva Intelligence’s analytics and marketing databases to remove expired or deactivated cookie records. A retention-control dashboard alerts administrators to anomalies or missed deletions.
When a user withdraws consent or opts out of a cookie category, the system immediately triggers the deletion of corresponding cookies and disables related scripts. If withdrawal affects stored analytics data, identifiers associated with that user’s records are pseudonymized or purged.
The Data Protection Officer (DPO) and the Security Compliance Team conduct quarterly reviews to verify that expiration controls are functioning as designed.
Audit logs record all deletions, with sample testing to ensure proper execution.
Alva Intelligence adheres to the storage limitation principle of GDPR Article 5(1)(e) and the data retention restriction under CPRA Section 1798.100(a)(3). Data collected through cookies is kept only for as long as necessary to fulfill the purpose for which it was collected.
When retention periods expire, data is securely erased or permanently anonymized in accordance with the Data Deletion and Disposal Policy.
Where applicable, data destruction processes comply with NIST SP 800-88 Rev. 1 media sanitization guidelines, ensuring irreversible deletion.
In limited cases, certain cookie-derived records may be retained beyond standard periods for compliance, legal defense, or audit obligations.
Such retention occurs only under the following conditions:
Once such obligations expire, the retained data is deleted immediately under supervision of the Legal and Security departments.
Alva Intelligence operates multiple systems (marketing, analytics, and application environments). To maintain consistency, retention and expiration settings are synchronized across all platforms via the Central Data Governance Engine. This automation ensures that expiration schedules are uniformly applied regardless of where data resides.
If a cookie or identifier is deleted in one system, references in associated systems are flagged and purged in the next scheduled cycle.
All deletion events are logged with:
Logs are retained for five years for audit purposes and reviewed annually as part of the SOC 2 Type 2 and GDPR accountability framework. Alva Intelligence’s privacy team maintains the authority to validate that data destruction processes are technically effective and compliant.
Users have the right to:
Requests can be submitted through the Privacy Rights Portal or by email to privacy@joinalva.ai.
Responses are provided within 30 days, extendable under statutory allowances.
These rights are honored without prejudice or discrimination against the requester.
The retention and expiration controls defined herein are reviewed annually or whenever there is a material change in data processing, technology, or applicable law. Alva Intelligence maintains an internal Data Retention Register documenting all categories of cookies, their respective durations, and deletion mechanisms. This register is approved and signed by the DPO and General Counsel during the annual compliance cycle.
Periodic revalidation of cookie lifecycles ensures continuing compliance, operational integrity, and alignment with evolving privacy standards worldwide.
Alva Intelligence LLC (“Alva Intelligence,” “we,” or “our”) believes that privacy begins with informed choice. The collection and use of cookies and similar technologies on our websites and applications operate on a foundation of user consent clear, affirmative, and fully revocable at any time. This section outlines how we obtain, record, and respect consent, as well as how users can modify or withdraw it through accessible tools and standardized privacy controls.
Consent management is not a formality but a fundamental compliance requirement.
Under the General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA), organizations must ensure that users are both informed about and in control of non-essential cookies.
Alva Intelligence implements consent in accordance with these principles to guarantee that our users can make autonomous, transparent, and privacy-protective decisions.
Explicit consent is obtained where required by law before setting any cookie that is not strictly necessary for service operation.
This includes analytics, advertising, and personalization cookies. Explicit consent is collected through the Cookie Banner and Cookie Preference Center, which allow users to make granular selections by category.
A cookie is not deployed until the user takes affirmative action, such as clicking “Accept All” or toggling specific categories to “Enabled.” No cookie banner employs pre-ticked boxes or implied acceptance.
For cookies essential to core functionality (authentication, security, or network performance), Alva Intelligence relies on legitimate interest or contract necessity rather than explicit consent. These cookies are disclosed for transparency, but no user action is required to enable them.
The rationale for legitimate interest is documented in the Legitimate Interest Assessment Register, maintained by the Data Protection Officer (DPO).
When a user first visits any Alva Intelligence digital property, a Cookie Banner appears, presenting:
The banner remains visible until the user makes a selection. Refusing cookies has no impact on access to core site functions, but certain features may operate in a limited manner.
The Cookie Preference Center allows users to fine-tune their preferences at any time.
It presents cookies grouped by category Strictly Necessary, Functional, Analytics, Advertising, Social Media, and Preference Management with toggles for activation or deactivation.
Once the user submits their choice, a consent confirmation message appears and a consent record is stored locally (via the cmp_consent_id cookie) and within Alva Intelligence’s compliance system for audit purposes.
Alva Intelligence uses a layered consent framework that separates essential notices from optional detail. The first layer provides essential information in concise form, while secondary layers include full legal explanations, provider lists, and retention timelines. This structure ensures that consent remains informed yet accessible.
Every consent action is logged with the following attributes:
These records are stored securely in the Consent Management Database for a minimum of five years. Records enable Alva Intelligence to demonstrate compliance with GDPR Article 7(1) and CPRA Section 1798.100(d).
If a user is logged into their Alva Intelligence account, consent preferences synchronize across all devices and browsers. This ensures consistent enforcement regardless of access point or platform. Synchronization is achieved using encrypted tokens stored in both local cookies and secure cloud storage.
Each version of the Cookie Policy is assigned a unique identifier and effective date.
When substantive changes occur, all users are prompted to reconfirm consent.
If users do not respond within a reasonable period (typically 30 days), only strictly necessary cookies remain active.
Users may withdraw consent at any time through any of the following methods:
Withdrawal of consent results in immediate deactivation of all non-essential cookies and associated processing.
When a withdrawal request is received:
This ensures that consent withdrawal is both effective and technically verifiable.
Users may selectively withdraw consent for specific categories (e.g., advertising or analytics) without affecting others. The Cookie Preference Center supports granular toggling for this purpose. Systems respond dynamically to such changes in real time.
Alva Intelligence supports Global Privacy Control (GPC), Do Not Track (DNT), and similar recognized privacy signals. When a supported signal is detected, our systems automatically interpret it as a universal opt-out request for all non-essential cookies, including advertising and cross-context tracking.
The system then:
This functionality ensures compliance with CPRA Section 1798.135 and similar global frameworks.
Users may also manage cookies directly through browser settings.
Most browsers allow blocking, deletion, or notification prior to cookie placement.
Instructions are available on the official support pages for:
For mobile applications, operating systems provide settings under “Privacy” or “Tracking” that allow users to disable identifiers and cookies used for analytics or advertising.
Alva Intelligence’s platform detects these preferences and automatically honors them.
Upon lawful request by a data protection authority or user, Alva Intelligence can produce verifiable proof of consent or withdrawal, including:
These records are digitally signed and stored in compliance with SOC 2 Type 2 requirements for integrity and authenticity.
Alva Intelligence cooperates fully with privacy regulators, including the California Privacy Protection Agency (CPPA), the European Data Protection Board (EDPB), and national data-protection authorities. If a complaint or inquiry arises regarding cookie consent, Alva Intelligence provides documentation within 15 business days, along with an explanation of the consent collection process.
Consent mechanisms are reviewed semiannually as part of the Privacy Program Oversight Cycle.
The review includes:
Revisions to consent processes are documented in the Consent Management Register and approved by the DPO and General Counsel prior to implementation.
Alva Intelligence ensures that users remain at the center of consent management.
Every cookie placement or withdrawal honors the user’s choices, supported by verifiable technical enforcement, transparent documentation, and continuous accountability.
No form of consent manipulation such as dark patterns, pre-ticked options, or forced acceptance is tolerated.
Through layered consent, accessible tools, and global privacy compliance, Alva Intelligence guarantees that cookie usage is always guided by user intention and aligned with our foundational principle: data control belongs to the user.
Alva Intelligence LLC (“Alva Intelligence,” “we,” or “our”) recognizes the importance of protecting the privacy of children and young users.
Our cookie practices are designed to ensure that no data collected through cookies or similar tracking technologies is used to identify, track, or profile minors.
This section outlines our policy for handling cookies in connection with users under the age of 16, the mechanisms used to obtain verifiable parental consent when required, and the controls we maintain to prevent inadvertent data collection from minors.
We adhere strictly to the principles set forth in:
Our systems, procedures, and contractual arrangements are designed to uphold these standards across all jurisdictions in which we operate.
This section applies to:
Alva Intelligence’s services are not directed to children under the age of 13, and we do not knowingly allow registration or account creation by such individuals. In the rare event that data is inadvertently collected from a minor, Alva Intelligence acts promptly to delete such data in accordance with Section 11.8 below.
To minimize the risk of data collection from minors, Alva Intelligence employs age-gating mechanisms on all platforms where user input or account creation is required.
Visitors may be asked to confirm their age or acknowledge that they are over the minimum digital consent age before accessing certain features.
Cookies are not deployed beyond strictly necessary session cookies until this age verification step is completed.
If a user self-identifies as under the applicable age threshold (under 16 in the EU, under 13 in the US), Alva Intelligence requires verifiable parental consent before enabling any cookies beyond those strictly necessary for security and functionality.
Verification may involve one or more of the following methods:
Until consent is verified, non-essential cookies (analytics, advertising, or personalization) remain fully disabled.
For users identified as minors:
Alva Intelligence strictly prohibits the use of cookies for cross-context behavioral advertising involving minors. No cookie or identifier associated with a minor’s device is used for remarketing, retargeting, or data enrichment in any marketing database.
In accordance with CPRA Section 1798.120(c), Alva Intelligence does not sell or share the personal information of minors under 16. This restriction is enforced at both technical and policy levels, and it applies equally to all affiliates, subprocessors, and marketing partners.
Parents or legal guardians of minors whose data may be collected in limited circumstances retain full rights to:
Requests may be made via the Parental Consent Portal or by contacting privacy@joinalva.ai. Verification of parental identity is required before any action is taken to protect against unauthorized access.
Each parental consent record includes:
Records are stored securely and encrypted in accordance with COPPA Section 312.5(d) and retained for five years to demonstrate compliance.
Under GDPR Article 8, member states may set a digital consent age between 13 and 16.
Alva Intelligence maintains a dynamic age matrix based on IP-derived jurisdiction, ensuring the correct threshold is applied automatically. If parental consent is required, the system restricts all non-essential cookies until confirmation is received.
Under COPPA, the default digital consent age is 13. Alva Intelligence does not knowingly collect personal information from children under 13, and all cookie-related data collection mechanisms are disabled for such users unless parental consent is obtained through a COPPA-compliant process.
In the United Kingdom, the consent age is 13 under the Data Protection Act 2018.
In Canada, under PIPEDA guidance, meaningful consent requires understanding by the user, typically presumed at 13 or older. Accordingly, Alva Intelligence aligns its cookie behavior and parental-consent standards with these thresholds.
To ensure enforcement of these restrictions, Alva Intelligence integrates the following controls:
All technical safeguards are documented in the Children’s Data Compliance Manual, which forms part of Alva Intelligence’s SOC 2 and GDPR accountability documentation.
If Alva Intelligence discovers that cookie data or related personal information has been collected from a minor without proper consent:
Deletion is completed within 72 hours of verification unless extended for legal or forensic reasons. This protocol aligns with the COPPA Rule (16 C.F.R. § 312.10) and GDPR’s right to erasure.
Alva Intelligence promotes awareness among parents and young users regarding online privacy and responsible data practices.
Educational materials are made available on our website under the “Privacy for Families” section, explaining:
This initiative reflects our belief that informed participation strengthens privacy protection and compliance integrity.
Compliance with this section is monitored by the Data Protection Officer (DPO) and the Child Data Oversight Committee, which reports to the General Counsel and Chief Compliance Officer.
Their responsibilities include:
Alva Intelligence also participates in third-party privacy-certification programs where available, reaffirming its commitment to protecting children’s data and maintaining global compliance.
Alva Intelligence reaffirms that it does not, and will not, intentionally use cookies or related technologies to collect personal data from children for commercial purposes.
Our objective is to provide a secure, privacy-respecting environment for all users while ensuring compliance with the world’s most rigorous child data-protection standards.
This section explains how Alva Intelligence LLC (“Alva Intelligence,” “we,” or “our”) manages the transfer and processing of cookie-related data across national borders.
Because Alva Intelligence operates globally, certain cookie data may be processed, transmitted, or accessed from jurisdictions outside the user’s country of residence.
These transfers occur in accordance with strict legal safeguards, approved transfer mechanisms, and documented internal procedures that ensure equivalent levels of privacy protection regardless of where the data resides.
The principles governing cross-border cookie data handling apply to all cookies and similar technologies deployed on Alva Intelligence’s websites, applications, and third-party integrations, including those used for analytics, personalization, and compliance management.
Alva Intelligence transfers cookie-derived data internationally only when one of the following lawful bases applies:
Transfers under any of these bases are documented in the International Data Transfer Register maintained by the Data Protection Officer (DPO).
The types of cookie-related data that may be transmitted internationally include:
No sensitive categories of data such as racial, biometric, financial, or health information are transferred through cookies. All data involved in transfers is anonymized or pseudonymized prior to export whenever technically feasible.
When Alva Intelligence transmits cookie data to vendors or affiliates located in jurisdictions without an adequacy decision, SCCs are executed to ensure lawful transfer.
The SCCs establish contractual obligations for recipients, including:
Supplemental measures such as encryption, pseudonymization, and network isolation are applied in accordance with EDPB Recommendations 01/2020 to guarantee an equivalent level of protection.
For transfers to U.S. service providers certified under the EU-U.S. Data Privacy Framework (and UK extension), Alva Intelligence confirms certification status annually and maintains contractual commitments aligned with the DPF Principles of Notice, Choice, Accountability, Security, and Recourse.
Internal transfers among Alva Intelligence’s subsidiaries and affiliated entities are governed by Binding Corporate Rules approved by relevant supervisory authorities.
These rules require all group members to adhere to uniform privacy standards and provide enforceable rights for data subjects.
All international transfers of cookie-derived data are protected by layered technical and organizational safeguards designed to ensure confidentiality, integrity, and availability.
Technical Controls:
Organizational Controls:
These measures are validated as part of Alva Intelligence’s SOC 2 Type 2 certification and reviewed annually under its GDPR compliance audit program.
Before initiating any new data transfer outside the EEA, UK, or Switzerland, Alva Intelligence performs a Transfer Impact Assessment evaluating:
TIAs are retained for five years and updated whenever a transfer scope changes or new guidance is issued by supervisory authorities. If risks cannot be mitigated to an acceptable level, the transfer is halted or an alternative hosting arrangement is implemented.
Third-party vendors, such as analytics or advertising partners, may process cookie data outside the user’s country of residence.
To ensure compliance:
No third-party vendor is permitted to conduct onward transfers without prior authorization and equivalent safeguards.
To minimize unnecessary cross-border flow, Alva Intelligence practices data localization wherever feasible:
Replication or backup of cookie data across regions is restricted to anonymized or aggregated form only.
Users retain the same rights over cookie-derived data regardless of where it is processed.
These include the right to:
Requests may be submitted via the Privacy Rights Portal or by email to privacy@joinalva.ai.
Responses are provided within 30 days consistent with GDPR Articles 12–15 and CPRA Section 1798.130.
Alva Intelligence maintains the following documentation to demonstrate compliance with international transfer obligations:
All records are retained for at least five years and are available to supervisory authorities upon lawful request.
If a user believes that cookie data concerning them has been transferred in violation of applicable laws, they may contact Alva Intelligence’s DPO or file a complaint with the relevant supervisory authority. For EU users, complaints may be directed to their local Data Protection Authority. For U.S. users covered under the Data Privacy Framework, complaints may be lodged directly with the U.S. Department of Commerce or through the independent recourse mechanism designated by Alva Intelligence.
Alva Intelligence cooperates fully with all oversight authorities and commits to remedying substantiated non-compliance promptly.
International transfer procedures are reviewed annually by the Privacy, Legal, and Information Security teams as part of the Global Data Governance Program.
The review ensures:
Findings are summarized in the Annual Cross-Border Compliance Report, signed by the DPO and presented to executive management for oversight and accountability.
Alva Intelligence affirms that cross-border cookie data transfers occur only under lawful, controlled, and auditable conditions. Every transfer is evaluated, justified, documented, and monitored to ensure consistent protection for all data subjects worldwide. By combining legal safeguards, technical security, and transparent user communication, Alva Intelligence upholds the highest international standards of privacy, security, and trust.
Alva Intelligence LLC (“Alva Intelligence,” “we,” or “our”) employs comprehensive data security measures to protect all information collected, processed, or derived through cookies and related tracking technologies. These measures ensure that personal and pseudonymous data remains secure, confidential, and available only to authorized parties.
Security controls apply throughout the entire data lifecycle from initial collection and transmission to storage, processing, and eventual deletion. This section describes the administrative, technical, and physical safeguards that govern cookie data within Alva Intelligence’s infrastructure and through its approved third-party processors.
Alva Intelligence’s security posture is based on defense-in-depth, least privilege, and privacy-by-design principles, ensuring layered protection against unauthorized access, misuse, alteration, or loss.
Data security oversight is the joint responsibility of:
These entities are accountable for developing, implementing, and maintaining the Cookie Data Security Program (CDSP). Policies and procedures are reviewed annually and updated to reflect regulatory and technological changes.
The CDSP operates under the umbrella of the Information Security Management System (ISMS) certified to ISO/IEC 27001 standards.
Specific sub-policies relevant to cookie data include:
Each policy defines roles, responsibilities, and enforcement mechanisms consistent with SOC 2 Type 2 trust principles of Security, Availability, and Confidentiality.
All cookie data and derived identifiers are encrypted both in transit and at rest:
Encryption keys are rotated every 12 months or sooner if compromise is suspected.
Third-party providers are required to implement equivalent encryption standards.
The Alva Intelligence network is protected through multiple security layers, including:
Regular penetration testing and vulnerability scanning ensure that cookie-handling endpoints remain hardened against threats.
Access to cookie-related systems and data is restricted to authorized personnel with legitimate business needs:
User access termination occurs automatically upon role change, termination, or inactivity beyond defined thresholds.
Cookie data is logically segregated by region and purpose:
This segmentation minimizes risk of unauthorized correlation or re-identification.
All systems managing cookies and consent data are developed under a Secure Development Lifecycle.
Each development phase includes:
New cookie-related functions or integrations undergo privacy impact assessments (PIAs) and data protection impact assessments (DPIAs) before production release.
Session cookies employ short lifetimes, cryptographic signing, and secure attributes:
HttpOnly, Secure, and SameSite=Strict attributes are set by default.Authentication and session management comply with OWASP Application Security Verification Standard (ASVS) Level 2.
Cookie data access and network traffic are monitored 24/7 by the Security Operations Center (SOC) using advanced detection platforms. Logs capture user interactions, consent events, and API calls involving cookie data.
Monitoring systems use machine learning to detect anomalies such as:
All cookie data events creation, modification, deletion, or access are recorded in immutable audit logs. Logs are retained for five years and stored securely in write-once, read-many (WORM) systems for regulatory and forensic use. Audit logs are reviewed monthly and during internal or external compliance audits.
Security incidents involving cookie data are handled according to Alva Intelligence’s Incident Response Plan (IRP):
Post-incident reviews ensure continuous improvement and risk mitigation.
Third-party processors handling cookie data must meet or exceed Alva Intelligence’s security standards.
Each vendor is required to:
Vendor contracts include:
Non-compliant vendors are subject to immediate suspension and remediation under the Vendor Security Enforcement Policy.
Alva Intelligence uses Tier III or higher data centers operated by certified providers.
Each facility implements:
Physical access logs are retained for a minimum of one year. Server racks containing cookie data systems are locked and accessible only to authorized personnel.
To ensure the integrity and availability of cookie-related data:
Quarterly backup recovery tests confirm operational resilience.
All employees, contractors, and developers undergo mandatory data-protection and security awareness training upon onboarding and annually thereafter.
Training includes:
Completion is monitored through the Learning Management System, with non-compliance resulting in access suspension.
Alva Intelligence’s security controls are independently validated through:
The DPO and CISO jointly review cookie security annually to:
Results are documented in the Annual Security Assurance Report available upon lawful request.
Alva Intelligence guarantees that cookie data and associated identifiers are processed in a manner that ensures:
Our multi-layered approach reflects industry-leading security practice and embodies the company’s core principle:
data protection is an obligation, not an option.
Alva Intelligence LLC (“Alva Intelligence,” “we,” or “our”) recognizes that control over personal information is a fundamental element of privacy. Every individual whose data may be collected through cookies or similar technologies retains enforceable rights to access, correct, delete, restrict, and object to the processing of such data. This section defines those rights, the procedures for exercising them, and the measures Alva Intelligence undertakes to ensure transparent, timely, and lawful responses.
These rights apply to all users, irrespective of residence, with enhanced protections for those located within the European Union, United Kingdom, and jurisdictions that have enacted comprehensive privacy laws such as California, Colorado, and Virginia.
Under applicable law, individuals may exercise the following rights in connection with cookie-derived data:
Users may submit requests through any of the following methods:
To protect confidentiality, Alva Intelligence verifies each requester’s identity before disclosing or deleting data. Verification may include confirmation of browser identifiers, account credentials, or a code sent to the user’s registered email.
All communications are delivered securely and in the user’s preferred format.
Requests involving deletion or data portability undergo enhanced verification to prevent unauthorized access or manipulation. If verification cannot be achieved, the request is denied with notice and an opportunity to resubmit with additional proof of identity.
When a valid access request is received, Alva Intelligence provides:
Access requests for anonymized analytics data are fulfilled through aggregated metrics only, ensuring individual privacy is preserved.
Users may request correction of cookie-derived records that are inaccurate or incomplete. Because most cookie identifiers are pseudonymous, rectification typically involves replacement or regeneration of identifiers rather than alteration of stored values. Rectification is completed within fifteen days unless legal or technical constraints apply.
Upon receiving a valid deletion request, Alva Intelligence will:
Deletion is executed within thirty days unless extended under lawful exceptions.
Deletion may be denied or delayed where retention is necessary to:
Where exceptions apply, users receive a detailed explanation of the lawful basis for continued retention.
Users may request restriction of cookie processing under the following conditions:
During restriction, processing ceases except for storage and minimal integrity verification.
When objecting to processing for marketing or profiling, Alva Intelligence disables all related cookies immediately and records the objection in the consent register.
Where technically feasible, users may request export of cookie-related data that they provided or generated through interactions with our services. Exports include pseudonymous identifiers, consent records, and aggregated session metadata. Files are delivered securely using encrypted download links valid for seven days. Transfers to another controller occur only upon verified request and with equivalent security guarantees.
Users can withdraw consent for non-essential cookies at any time:
Withdrawal takes effect immediately and disables future tracking.
Historical data associated with the withdrawn category is pseudonymized or erased within thirty days. Records of withdrawal are maintained for compliance documentation.
Alva Intelligence never denies goods, services, discounts, or functionality because a user exercises privacy rights. Certain optional features that rely on analytics or personalization cookies may become unavailable, but essential access remains unaffected. This policy satisfies CPRA Section 1798.125 prohibiting discriminatory treatment of consumers asserting their rights.
California and certain other jurisdictions permit individuals to designate authorized agents to submit requests on their behalf. Agents must provide written authorization signed by the data subject or other proof of legal authority. Alva Intelligence verifies both the agent’s and the principal’s identities before processing any request.
All rights requests are logged in the Data Subject Request Register, recording:
Logs are retained for five years to demonstrate compliance with accountability obligations under GDPR Article 5(2) and SOC 2 audit criteria.
Periodic reviews ensure timeliness and accuracy of responses.
If a request is denied in whole or in part, the user may appeal within thirty days by contacting the DPO at dpo@joinalva.ai.
Appeals are reviewed by senior privacy counsel not involved in the initial decision.
Users may also lodge a complaint with their supervisory authority:
Alva Intelligence cooperates fully with any regulatory inquiry or mediation process.
To maintain accountability, Alva Intelligence publishes annual transparency metrics summarizing:
Metrics are anonymized and included in the Annual Privacy Compliance Report reviewed by executive leadership.
This continuous feedback loop ensures that user rights are not only respected but continually strengthened as privacy expectations evolve.
Alva Intelligence affirms its dedication to ensuring that every individual can exercise meaningful control over cookie-related data. Through verified rights procedures, prompt responses, and robust recordkeeping, we uphold our obligations under global privacy frameworks and reinforce user trust in every digital interaction.
Alva Intelligence LLC (“Alva Intelligence,” “we,” or “our”) integrates multiple layers of privacy control into its cookie management framework to give users genuine and enforceable control over their personal data. These mechanisms include the Cookie Preference Center, browser-level privacy settings, and automated opt-out signals such as the Global Privacy Control (GPC).
This section explains how these controls interact, the technical sequence by which consent or opt-out preferences are detected and enforced, and how Alva Intelligence harmonizes them to ensure continuous compliance with applicable data protection laws including the California Privacy Rights Act (CPRA), General Data Protection Regulation (GDPR), and ePrivacy Directive.
Alva Intelligence’s objective is to guarantee that once a user expresses a privacy preference whether through its own interface or through a recognized technical signal those choices are respected across all systems and data flows.
To ensure consistency, Alva Intelligence applies a defined hierarchy of privacy controls determining which mechanism governs when multiple inputs are received simultaneously.
(a) Global Privacy Control (GPC) and Browser Signals:
If a GPC signal or equivalent opt-out header is detected from a user’s browser, that signal takes highest precedence. All non-essential cookies including advertising, analytics, and social media cookies are immediately disabled regardless of prior consent given through the site interface.
(b) Cookie Preference Center Settings:
When no GPC or similar signal is detected, the most recent selection made in the Cookie Preference Center governs. Preferences are stored in a consent record linked to a pseudonymous user identifier and synchronized across sessions for logged-in users.
(c) Regional Legal Overrides:
If a jurisdiction imposes stricter legal requirements (for example, prior opt-in under GDPR for non-essential cookies), that standard automatically overrides less restrictive preferences, ensuring compliance with local law.
(d) Browser-Level Blockers or Private Mode:
Browser settings that block third-party cookies or scripts are respected automatically. Alva Intelligence does not attempt to bypass or override such controls.
The Global Privacy Control (GPC) is a browser- or extension-based mechanism enabling users to send a standardized opt-out signal to websites, indicating that they do not consent to the sale or sharing of their personal information. Under CPRA Section 1798.135(b), businesses are required to honor such signals as valid requests to opt out of “sharing” for cross-context behavioral advertising.
Alva Intelligence actively listens for GPC signals through HTTP headers (Sec-GPC or equivalent). Once detected, the system automatically interprets the signal as a universal opt-out for all non-essential cookies, regardless of region or user login status.
Upon receipt of a valid GPC signal:
The GPC signal remains active for the duration of the browsing session unless overridden by an explicit subsequent user choice.
Each detected GPC event is recorded in the Privacy Signal Log, capturing:
These records are retained for five years to demonstrate compliance with CPRA and EU equivalent frameworks.
The Cookie Preference Center remains a core mechanism for granular control.
When a user accesses it after sending a GPC signal, the system automatically pre-selects “off” for all non-essential categories. If the user explicitly re-enables categories (e.g., enables analytics cookies for performance evaluation), that choice is honored for that session and recorded as a superseding consent action.
Conversely, if a user opts out via the Preference Center without enabling a GPC signal, the system stores that choice and transmits an internal equivalent of a GPC header to ensure downstream vendors also honor it.
This synchronization ensures both on-site and off-site processing respect the same user intent, closing gaps between local and network-level privacy controls.
Most modern browsers Google Chrome, Mozilla Firefox, Safari, Microsoft Edge offer users the ability to manage or block cookies through built-in privacy settings. Alva Intelligence’s cookie management platform recognizes and adapts to these configurations automatically.
Users who manage preferences through browser settings are advised that those controls may not synchronize across devices; however, Alva Intelligence’s internal consent log ensures that account-linked users experience consistent enforcement.
Alva Intelligence’s systems link cookie preferences and GPC signals directly with formal privacy rights processes described in Section 14.
For example:
The integration of rights workflows and consent technology ensures uniform compliance across manual and automated channels.
When a user’s opt-out or GPC signal is received, Alva Intelligence transmits the corresponding suppression instruction to its third-party vendors via secure APIs or webhook notifications. This ensures that third-party advertising networks, analytics providers, or integration partners also disable cookie placement and cease data sharing for that user.
Each vendor contractually commits to implement these suppression commands within 72 hours of receipt and to confirm completion via audit logs.
Failure to comply constitutes a material breach under the vendor’s Data Processing Agreement (DPA).
Periodic validation tests are performed to verify that external vendors honor user preferences consistently across their systems.
The technical design supporting this framework consists of the following components:
All modules run within Alva Intelligence’s privacy orchestration platform and are subject to continuous monitoring by the Data Governance and Security teams.
When a privacy signal or preference change occurs, users receive an on-screen confirmation message or visual indicator in the site footer confirming that their choice has been applied.
Alva Intelligence does not obscure or delay such confirmations.
Additionally, users can view their current status, active categories, GPC detection status, and last updated timestamp through the Privacy Settings Dashboard, accessible from every page.
Annual privacy reports summarize the percentage of sessions where GPC signals were detected and honored, demonstrating Alva Intelligence’s commitment to measurable compliance and transparency.
While GPC originates in U.S. privacy law, Alva Intelligence treats it as an internationally recognized signal consistent with the GDPR right to object and ePrivacy opt-out principle.
This ensures that users from any jurisdiction benefit from equivalent control, even where formal recognition of GPC has not yet been codified.
The platform’s global enforcement logic treats opt-out signals as binding “objections” to processing for marketing and profiling purposes under GDPR Article 21, ensuring harmonized compliance across all regions.
All GPC and preference-based opt-outs are recorded in the Consent and Signal Audit Log, capturing:
Logs are maintained for five years and reviewed quarterly by the DPO to confirm proper synchronization with third-party systems.
This log serves as proof of compliance under CPRA Section 1798.135(c) and GDPR Article 30(1)(g).
The privacy signal and cookie preference system undergoes annual evaluation under the SOC 2 Type 2 audit framework and the GDPR accountability review cycle.
Tests include:
Results are compiled in the Annual Privacy Controls Validation Report presented to executive management and made available to regulators upon lawful request.
Alva Intelligence reaffirms that user autonomy governs all cookie processing and tracking activity. The company’s technology, legal governance, and operational procedures are designed to ensure that every preference, consent withdrawal, or GPC signal is recognized, honored, and documented in a consistent and auditable manner.
Through this multi-layered privacy framework, Alva Intelligence upholds its commitment to transparency, fairness, and legal compliance while empowering users to control how their data is collected and shared.
Alva Intelligence LLC (“Alva Intelligence,” “we,” or “our”) recognizes that users increasingly interact with our services across multiple devices and platforms: desktop browsers, mobile applications, tablets, and integrated third-party systems. This section defines our position, limitations, and safeguards regarding the correlation of cookie-based data across those devices.
Cross-device tracking can be beneficial when implemented responsibly, as it allows users to maintain consistent preferences and seamless functionality. However, it also introduces elevated privacy risks, particularly regarding the potential for re-identification or behavioral profiling.
Alva Intelligence’s approach is therefore grounded in data minimization, pseudonymization, and purpose limitation, ensuring that cross-device linkage occurs only when essential, fully disclosed, and technically safeguarded.
This section applies to all operations where cookie identifiers, device identifiers, or similar signals could be correlated between two or more environments.
Typical scenarios include:
Alva Intelligence does not use cross-device correlation for advertising, profiling, or behavioral targeting purposes.
All cross-device data linkage is carried out under one of the following lawful bases:
Where cross-device correlation extends beyond operational necessity, explicit consent is always required under GDPR Article 6(1)(a) and CPRA Section 1798.100(a).
Each browser or application instance interacting with Alva Intelligence receives a unique pseudonymous token.
Tokens are cryptographically random and contain no personal attributes.
They are rotated periodically to prevent long-term tracking.
When users sign in, separate device tokens are mapped to a single account ID through a secure hash function. The mapping table is encrypted and stored in an isolated environment accessible only to the Authentication Services Team. No device fingerprinting or hidden identifiers are employed.
Analytics systems rely exclusively on anonymized session data. IP addresses are truncated at the network edge, and user-agent strings are generalized to category level (browser type, operating system, region). No individual device record can be reconstructed from analytics outputs.
Alva Intelligence maintains strict technical and organizational barriers against unauthorized linkage of cookie data across devices or with external datasets.
Violation of these prohibitions constitutes a disciplinary and contractual breach under the Information Security and Privacy Policy.
When a user gives or withdraws cookie consent on one device while logged in, Alva Intelligence synchronizes that preference across all linked sessions.
Synchronization occurs through encrypted API calls using the Consent Synchronization Service (CSS), which performs the following:
If a user is not logged in, preferences remain device-specific until authentication occurs.
At login, the system reconciles conflicting preferences, defaulting to the most restrictive setting.
Users can manage cross-device functionality through their account dashboard, which provides:
These settings empower users to determine whether, and to what extent, cross-device operations occur.
Third-party vendors providing analytics or functionality services must comply with Alva Intelligence’s prohibition on cross-device re-identification.
Contracts require vendors to:
Any attempt by a vendor to engage in cross-device tracking for advertising or unrelated purposes triggers immediate suspension pending investigation.
The cross-device synchronization systems operate within a hardened environment subject to:
Encryption in transit and at rest using TLS 1.3 and AES-256;
Key rotation every 12 months or upon incident detection;
Strict network segmentation separating correlation services from analytics and marketing systems;
Continuous monitoring for anomalous linkage requests; and
Integrity verification through hash-based message authentication codes (HMACs).
Logs of all correlation and unlinking events are retained for five years for compliance verification.
Cross-device linkage data is retained only while necessary to provide requested functionality or comply with legitimate security needs.
If a user deletes their account or withdraws consent, all associated linkage records are erased immediately as part of the Data Deletion Protocol.
Users maintain all rights enumerated in Section 14 of this Policy, specifically:
Requests are processed through the Privacy Rights Portal or privacy@joinalva.ai, verified under the same authentication protocol as other rights requests.
If cross-device correlation data involves transfers between jurisdictions, such transfers occur under the lawful mechanisms detailed in Section 12 of this Policy (SCCs, DPF certification, or BCRs).
No cross-device mapping data is transferred to vendors or regions lacking adequate legal safeguards.
The Data Protection Officer (DPO) and the Security Compliance Committee conduct annual cross-device data-mapping audits verifying:
Results are recorded in the Annual Data Correlation Audit Report and retained for review by external auditors under SOC 2 Type 2 and GDPR accountability principles.
Alva Intelligence acknowledges that cross-device technology continues to evolve.Accordingly, all systems and policies are reviewed semi-annually to evaluate new industry standards, such as browser privacy sandbox frameworks, token-based federations, and emerging global consent specifications.
Changes are adopted only after validation that they enhance, rather than diminish, user privacy and control.
Every cross-device process implemented by Alva Intelligence adheres to Privacy by Design and Default principles. Data linkage occurs only where proportionate, transparent, and technically safeguarded. Through encryption, pseudonymization, minimal retention, and clear user control, Alva Intelligence ensures that cross-device functionality serves the user’s convenience without compromising privacy.
Alva Intelligence LLC (“Alva Intelligence,” “we,” or “our”) is committed to maintaining transparency in how we collect and use data through cookies and similar technologies.
Because privacy laws, browser technologies, and company practices evolve over time, this Cookie Policy is reviewed and updated periodically to ensure continued accuracy and legal compliance.
This section explains how Alva Intelligence manages updates to this Cookie Policy, the mechanisms used to notify users of material changes, and how updated versions are approved, documented, and archived.
The Cookie Policy is formally reviewed at least once every twelve months as part of Alva Intelligence’s Annual Privacy Compliance Review.
However, an interim update may occur whenever any of the following events take place:
Each trigger initiates a structured Change Control Procedure, managed jointly by the Data Protection Officer (DPO), Chief Information Security Officer (CISO), and Legal Department.
When a change is required, the Privacy Team drafts proposed revisions, ensuring alignment with current laws, guidance, and corporate practices.
Drafts are reviewed by:
Once finalized, the updated Cookie Policy is approved by the Privacy Governance Committee. Each version receives a unique identifier, effective date, and summary of changes.
The prior version is archived in the Policy Management System for a minimum of five years to support regulatory audits and historical transparency.
A change log is maintained containing:
Alva Intelligence distinguishes between these two types of changes to determine the level of user notification required.
For material changes, Alva Intelligence provides users with clear, proactive notice using multiple channels, such as:
For non-material changes, the updated date at the top of the Cookie Policy is revised, and users are encouraged to review it periodically.
Each revision includes a clearly stated “Effective Date.”
Unless otherwise required by law, updates apply prospectively, meaning they govern future interactions from the effective date onward.
In cases where continued use of certain cookies requires renewed consent due to expanded purposes or third-party changes, users will be prompted to consent again before those cookies are re-activated.
No retroactive application of new purposes occurs without explicit user approval.
When an update materially changes the nature, category, or purpose of cookies used, Alva Intelligence initiates a consent re-collection process.
This process involves:
This ensures that all active consents correspond to the most recent and accurate disclosures.
By continuing to use Alva Intelligence’s websites or applications after being notified of an update, users acknowledge that they have read and understood the revised Cookie Policy.
However, users may adjust their cookie settings at any time through the Preference Center or by sending a rights request under Section 14 of this Policy.
Alva Intelligence does not interpret silence or inactivity as consent to new cookie categories or expanded processing purposes.
To satisfy regulatory and audit obligations, Alva Intelligence maintains the following documentation:
These records demonstrate compliance with accountability principles under GDPR Article 5(2) and SOC 2 Type 2 requirements for policy change traceability.
Auditors and regulators may request copies of historical versions or change logs to confirm compliance. Such requests are handled by the DPO and Legal Department.
The Cookie Policy is included in the broader Annual Privacy Governance Review conducted by Alva Intelligence’s Privacy Office.
This review assesses:
Outcomes are documented in the Annual Privacy Assurance Report presented to executive management and made available to supervisory authorities upon lawful request.
Alva Intelligence affirms its ongoing commitment to transparency, clarity, and proactive communication. We recognize that privacy obligations evolve and that users deserve timely notice of how their information is handled. By maintaining rigorous version control, consent re-validation, and documented accountability, Alva Intelligence ensures that all updates to this Cookie Policy uphold both the spirit and letter of global privacy laws.
Alva Intelligence LLC (“Alva Intelligence,” “we,” or “our”) enforces its Cookie Policy and associated privacy commitments through a structured governance and compliance framework designed to uphold the highest standards of integrity and accountability. This enforcement framework ensures that every instance of cookie use, consent handling, or data processing adheres to applicable law, company policy, and ethical practice.
Compliance is not viewed as a passive obligation but as an active operational discipline. The enforcement of this Cookie Policy reflects our broader corporate philosophy: privacy and data protection are integral to product excellence, not administrative formality.
This enforcement section applies to all individuals and entities that process or have access to cookie-related data within the scope of Alva Intelligence’s operations, including:
All such parties are bound by Alva Intelligence’s policies, Data Processing Agreements (DPAs), and confidentiality obligations. Violations, whether intentional or negligent, are treated as serious compliance incidents.
The Data Protection Officer has independent authority to monitor compliance with this Cookie Policy, investigate potential breaches, and recommend remedial action. The DPO reports directly to the Chief Executive Officer and has unrestricted access to company leadership for compliance matters.
Responsibilities include:
The CISO is responsible for enforcing technical and cybersecurity controls governing cookie data, including encryption, access control, and incident response measures. All system logs and audit trails relevant to cookie activity fall under the CISO’s monitoring domain.
The Legal Department advises on interpretation of applicable privacy laws, oversees enforcement of contractual obligations with third parties, and coordinates incident disclosures. It ensures that violations are addressed in accordance with both statutory requirements and company disciplinary policies.
Alva Intelligence performs quarterly internal audits of cookie usage, consent records, and vendor activity logs.
Audits verify that:
Findings are documented in the Cookie Compliance Audit Report.
Any identified non-conformities are tracked to resolution through the Corrective and Preventive Action (CAPA) system.
Violations by employees or contractors may result in disciplinary action up to and including termination of employment or contract.
Severity is determined based on:
Corrective actions may include mandatory retraining, written warnings, or suspension of system access.
Third-party vendors that fail to comply with cookie-related obligations under their DPA are subject to contractual enforcement.
Remedies include:
Vendor non-compliance is reported to the DPO and recorded in the Vendor Risk Management Register.
When a potential violation is identified, Alva Intelligence follows a standardized investigation process:
Each investigation is assigned a unique case number and documented in the Incident Management Register.
Alva Intelligence fully cooperates with supervisory authorities in any investigation, audit, or inquiry concerning compliance with cookie regulations or privacy law.
This includes the California Privacy Protection Agency (CPPA), European Data Protection Board (EDPB), UK Information Commissioner’s Office (ICO), and other relevant national authorities.
Upon lawful request, Alva Intelligence provides:
Regulatory findings or directives are reviewed by senior leadership and implemented promptly under oversight of the DPO.
Alva Intelligence ensures that users whose privacy rights have been infringed have access to multiple remedies:
Users may contact the Privacy Office at privacy@joinalva.ai to file a complaint regarding cookie usage or data handling. Complaints are acknowledged within ten business days and investigated by the DPO. Findings and outcomes are communicated to the complainant in writing within thirty days.
If users are unsatisfied with the internal response, they may escalate the matter to:
Under GDPR Articles 77–82, users may also seek judicial remedies for violations resulting in harm. Alva Intelligence respects and complies with all final determinations or orders issued by competent authorities.
Where legally required, individuals who suffer material or non-material damage due to unlawful cookie processing are entitled to compensation. Claims are reviewed in coordination with Legal and resolved through established dispute resolution procedures.
Alva Intelligence treats enforcement not as punitive but as preventive.
To minimize the likelihood of violations:
Lessons learned from any enforcement action are incorporated into revised training, policy updates, and technical controls.
All enforcement actions internal or external are documented in the Compliance Enforcement Register, which includes:
Records are retained for at least five years, ensuring traceability and accountability consistent with SOC 2 and GDPR documentation requirements.
Alva Intelligence maintains a zero-tolerance policy for any willful violation of privacy or data-protection obligations. The company’s leadership fully supports robust enforcement to preserve the integrity of its systems, the trust of its users, and the credibility of its compliance commitments.
Violations of this Cookie Policy are not treated as isolated incidents but as critical risk events demanding full remediation and disclosure. Every employee, partner, and vendor shares the collective responsibility to ensure that cookie use remains lawful, transparent, and ethical.
Alva Intelligence LLC (“Alva Intelligence,” “we,” or “our”) maintains formalized recordkeeping and audit mechanisms to demonstrate continuous compliance with every requirement contained in this Cookie Policy and the broader privacy-management program. Accountability is a legal and ethical obligation under global privacy law. Accurate, verifiable records provide proof that data-protection commitments are not aspirational but operational. This section outlines the documentation maintained, the frequency and scope of audits, and the governance structure that ensures privacy accountability across all business units.
The following registers and logs are maintained within the Central Privacy Repository (CPR), an encrypted, access-controlled documentation system located in Alva Intelligence’s secure compliance cloud:
| Register / Record | Primary Content | Retention Period | Owner |
|---|---|---|---|
| Cookie Inventory Register | List of all cookies, scripts, purposes, lawful bases, and retention schedules | 5 years minimum | Privacy Operations |
| Consent Event Log | Timestamp, version ID, categories accepted / rejected, source (GPC, banner, portal) | 5 years (GDPR Art. 7(1)) | DPO Office |
| Vendor Data Processing Register | Vendors, subprocessors, contract terms, jurisdiction, transfer mechanism (SCC, DPF) | Duration of contract + 5 years | Legal Department |
| Incident and Breach Register | Nature, impact, notifications, remediation evidence | 7 years | CISO |
| Data Subject Request Register | Rights requests, verification method, completion status | 5 years | Privacy Support |
| Policy Change Log | Version history, approvals, effective dates, summary of changes | Permanent | Privacy Governance Committee |
| Audit Trail Archive | System logs of cookie deployments and administrative actions | 5 years | Internal Audit |
Records are stored in immutable format, protected by AES-256 encryption, and indexed for retrieval within two business days of lawful request.
Non-compliance with recordkeeping obligations constitutes a reportable control deficiency under the corporate compliance program.
Internal audits occur semi-annually and cover:
accuracy of the Cookie Inventory Register;
functionality and evidence of consent mechanisms;
alignment of vendor contracts with current SCC / DPF requirements;
verification of deletion and retention controls; and
testing of incident-response and notification procedures.
Each audit follows a risk-based sampling plan approved by the DPO and CISO.
Audits adhere to the Institute of Internal Auditors (IIA) standards and SOC 2 Type 2 criteria. Procedures include:
Findings are graded as Low, Moderate, or High risk, with mandatory corrective-action plans for any Moderate or High-risk item.
The Internal Audit Report is delivered to the Privacy Governance Committee within 30 days of completion. Management responses and remediation evidence are verified within 90 days. Unresolved issues escalate to executive leadership and the Board Audit Committee.
To reinforce credibility, Alva Intelligence engages independent assessors annually to validate its controls under:
Audit evidence includes the registers listed in 19.2 and policy change logs from 17.3. External assessors issue a compliance attestation detailing scope, findings, and recommendations. Summaries of attestation results are made available to clients and regulators upon request under appropriate confidentiality protections.
To complement manual audits, Alva Intelligence implements continuous-monitoring tools that:
Alerts feed into the Compliance Dashboard, providing real-time metrics to the DPO and CISO. Key performance indicators include percentage of cookies compliant with policy, time-to-honor consent changes, and incident resolution rates.
All correspondence with supervisory authorities including notifications, requests for information, and audit outcomes is archived under the Regulatory Engagement File. This file provides traceability for demonstrating good faith cooperation and timely remediation of regulatory findings. Records are retained for a minimum of seven years.
The Committee meets quarterly to review:
Minutes are recorded and signed by the DPO and General Counsel. Material issues are escalated to executive leadership and included in the annual Privacy Compliance Report.
A summarized privacy-risk dashboard is presented to the Board Audit Committee each year, covering:
This ensures direct oversight of privacy accountability at the highest corporate level.
All records referenced in this section follow the Data Retention and Destruction Policy approved by the Legal Department. When retention periods expire:
Deletion events are logged with timestamp, record type, and authorizing officer signature.
Following each audit cycle, the Privacy Office prepares a Continuous Improvement Plan summarizing:
Implementation progress is monitored quarterly and feeds directly into next-year SOC 2 Type 2 and ISO certification preparations. This loop ensures that recordkeeping and accountability remain dynamic, not static.
Alva Intelligence affirms that privacy accountability extends beyond regulatory compliance; it is a core component of corporate ethics and trust. By maintaining comprehensive records, independent audits, and documented governance, the company ensures that every representation made to users, clients, and regulators can be substantiated through verifiable evidence.
This system of accountability demonstrates our commitment to transparency, responsibility, and continuous improvement in data-protection practice.
This section sets forth Alva Intelligence LLC’s (“Alva Intelligence,” “we,” or “our”) commitments and limitations concerning liability for the use of cookies and related tracking technologies, as well as the rights and remedies available to users and partners in the event of harm, breach, or noncompliance. The provisions herein reflect the principle of proportional responsibility meaning each party bears the consequences of its own conduct while safeguarding users’ rights and ensuring fairness in risk allocation.
Alva Intelligence operates under a “reasonable diligence and due care” standard in managing the collection and processing of cookie-derived data. Our liability for any breach or violation of this Cookie Policy, or for related data-protection failures, is governed by applicable law and subject to the limitations and exclusions set forth below.
Liability arises only when harm results directly from actions or omissions within Alva Intelligence’s control and where such harm was foreseeable and preventable through adherence to required technical and organizational safeguards.
Alva Intelligence is liable under the General Data Protection Regulation (GDPR), California Privacy Rights Act (CPRA), and comparable laws where the company acts as a controller of personal data derived from cookies. When functioning as a processor for third parties, Alva Intelligence’s liability is limited to breaches of its processing obligations under written instructions and Data Processing Agreements.
Where Alva Intelligence jointly determines the purposes and means of cookie processing with another controller (for example, a marketing or analytics partner), both parties share liability under GDPR Article 26(3) to the extent of their respective participation. A clear delineation of roles is maintained through contractual terms ensuring transparency and mutual cooperation in case of claims.
Alva Intelligence agrees to defend, indemnify, and hold harmless users, clients, and authorized partners from and against any direct losses, damages, costs, or expenses (including reasonable attorney’s fees) arising from:
Indemnification applies only to direct losses and excludes indirect, consequential, or exemplary damages except where prohibited by law. The indemnifying obligation is subject to prompt written notice by the injured party and full cooperation in defense of the claim.
Third-party vendors and processors providing cookies, scripts, or analytics technologies to Alva Intelligence are contractually bound to indemnify and defend Alva Intelligence against:
Each vendor must maintain adequate professional liability and cyber-insurance coverage throughout the term of engagement. Failure to maintain coverage or satisfy indemnity obligations constitutes grounds for immediate termination.
To the fullest extent permitted by law, Alva Intelligence’s total aggregate liability for all claims, losses, or damages arising from or relating to the use of cookies, this Cookie Policy, or related processing activities shall not exceed:
This limitation does not apply in cases of willful misconduct, gross negligence, or intentional violation of data-protection law.
Alva Intelligence shall not be liable for:
These exclusions are intended to reflect proportional fairness and do not limit statutory remedies available under applicable consumer protection or privacy laws.
Alva Intelligence is not liable for failure or delay in performance caused by events beyond its reasonable control, including natural disasters, cyberattacks by third parties, governmental actions, or widespread Internet outages. Obligations suspended under such circumstances resume immediately once normal operations are restored.
Users are responsible for:
Alva Intelligence disclaims liability for consequences resulting from user-initiated disabling of essential technical cookies that are necessary to maintain service integrity.
Any potential claim, suspected violation, or instance of harm related to cookie processing must be reported promptly to the Privacy Office via privacy@joinalva.ai or by certified mail to:
Alva Intelligence LLC
Attn: Data Protection Officer
30 N Gould Street, Suite R
Sheridan, WY 82801
Reports should include a description of the incident, affected systems, and evidence of harm.
Acknowledgment of receipt will be provided within ten business days, followed by a formal investigation under Section 18.5 of this Policy.
Nothing in this section limits users’ statutory rights to:
Alva Intelligence cooperates fully with any regulatory or judicial authority handling such complaints and will not require arbitration or waiver of statutory remedies unless expressly permitted by law and mutually agreed.
Alva Intelligence maintains comprehensive cyber-liability and professional indemnity insurance covering:
The insurance policy is reviewed annually by the Legal Department to ensure adequacy relative to evolving privacy and cybersecurity risks.
This liability and indemnification framework operates in conjunction with:
In case of inconsistency, the document granting the highest degree of user protection prevails, unless expressly superseded by a binding contractual term.
If any provision of this section is held invalid or unenforceable by a competent authority, the remaining provisions shall remain in full force and effect.
Obligations relating to indemnification, limitation of liability, dispute resolution, and recordkeeping survive termination or expiration of this Policy for as long as necessary to resolve outstanding matters or enforce rights and obligations arising before termination.
Alva Intelligence aims to strike a balance between protecting user rights and preserving operational feasibility. Through carefully constructed liability caps, mutual indemnities, and a robust insurance framework, Alva Intelligence ensures accountability while preventing disproportionate exposure that could undermine service delivery or innovation.
The company’s guiding principle remains: to act transparently, to remedy any proven harm swiftly, and to maintain trust through fairness and compliance.
This section establishes the official channels through which individuals may contact Alva Intelligence LLC (“Alva Intelligence,” “we,” or “our”) regarding the collection or use of data through cookies and similar technologies. It also defines how complaints are received, investigated, and, where appropriate, coordinated with competent supervisory or regulatory authorities. The objective is to ensure that every person has a direct, reliable, and law-compliant path to obtain information, assert rights, or escalate concerns.
Alva Intelligence maintains dedicated communication channels for privacy and data-protection matters:
| Function | Contact Details | Availability |
|---|---|---|
| Data Protection Officer (Primary Contact) | privacy@joinalva.ai | Business days, 9 a.m.–5 p.m. (MST) |
| Postal Address | Alva Intelligence LLC Attn: Data Protection Officer 30 N Gould Street, Suite R Sheridan, Wyoming 82801 USA | For formal notices or verified-mail submissions |
| Telephone (Compliance Office) | +46 70 571 48 21 | Recorded for quality and verification |
| Online Privacy Rights Portal | https://privacy.joinalva.ai | 24 hours / 7 days |
All communications are acknowledged within ten business days, and substantive responses are normally provided within thirty calendar days unless complexity or volume necessitates extension.
To ensure efficient handling, individuals are encouraged to provide:
Incomplete submissions will receive a request for additional information before investigation begins.
All complaint records are retained for five years for accountability and audit purposes.
Alva Intelligence recognizes the oversight authority of privacy regulators in every jurisdiction in which it operates. The company cooperates promptly and transparently with such authorities by:
The DPO acts as the single liaison point for all supervisory-authority interactions and ensures consistency of responses across jurisdictions.
| Region | Supervisory / Regulatory Body | Reference / Contact |
|---|---|---|
| European Union / EEA | Relevant national Data Protection Authority (list maintained in the Privacy Portal) | https://edpb.europa.eu |
| United Kingdom | Information Commissioner’s Office (ICO) | https://ico.org.uk |
| United States – California | California Privacy Protection Agency (CPPA) | https://cppa.ca.gov |
| Other U.S. States | Applicable State Attorney General offices | See state-specific privacy notice |
| Canada | Office of the Privacy Commissioner of Canada (OPC) | https://priv.gc.ca |
When a complaint originates from outside the United States, the DPO determines the competent authority based on the user’s habitual residence or place of alleged infringement.
If an investigation is initiated by a supervisory authority:
Confidentiality is maintained throughout, and communications are logged in the Regulatory Engagement Register described in Section 19.7.
For data subjects in the EU/EEA, Alva Intelligence applies the one-stop-shop mechanism under GDPR Articles 56 and 60, coordinating primarily with the lead supervisory authority designated by the DPO. For users in other regions, the company cooperates directly with the authority that first receives the complaint. Where multiple jurisdictions assert competence, Alva Intelligence facilitates a cooperative resolution ensuring consistency of factual representations and remediation.
To ensure accessibility and inclusivity:
Each year the DPO prepares a Privacy Interaction Summary Report including:
This anonymized report is shared with executive management and made available to regulators upon request, demonstrating a culture of openness and continuous improvement.
If a user remains dissatisfied after internal review and external regulatory contact, they retain the right to:
Alva Intelligence honors all final judgments or orders issued by competent courts or authorities and implements any corrective actions promptly.
Alva Intelligence views dialogue with users and regulators as an essential element of trust. Every complaint or inquiry is treated as an opportunity to refine controls and strengthen transparency. By maintaining clear contact points, efficient investigation procedures, and cooperative relationships with oversight bodies, the company ensures that accountability extends beyond written policy into verifiable practice.
The exhibits and appendices accompanying this Cookie Policy are integral components of Alva Intelligence LLC’s (“Alva Intelligence,” “we,” or “our”) compliance documentation. They provide the factual and operational evidence necessary to demonstrate adherence to the commitments and procedures described in the main body of this Policy.
Each exhibit is maintained as a separate living document, updated periodically without requiring republication of the entire Policy.
The exhibits are designed to:
| Exhibit | Title | Purpose / Description |
|---|---|---|
| Exhibit A | Comprehensive Cookie Inventory Register | Complete, regularly updated table listing all cookies, their characteristics, purpose, provider, and compliance category. |
| Exhibit B | Consent Event and Preference Record Template | Standardized form capturing user consent actions, withdrawal events, and audit metadata. |
| Exhibit C | Technical Architecture Diagram – Consent and Script Control | Graphical depiction of consent capture, enforcement, and synchronization flow. |
| Exhibit D | Vendor Data Transfer and Suppression Notification Matrix | Mapping of third-party processors and their receipt of suppression or opt-out signals. |
| Exhibit E | Browser and Device Cookie Management Reference Guide | Practical guide describing how users can manage cookies on common browsers and mobile operating systems. |
Each exhibit forms part of the compliance portfolio maintained by the Data Protection Officer (DPO) and is available upon lawful request to regulators, auditors, or contractual clients.
The Cookie Inventory Register lists every cookie and similar technology deployed by Alva Intelligence and its approved vendors.
Entries are organized by function and category, each including:
| Field Name | Description |
|---|---|
| Cookie Name / Identifier | System label or vendor-defined name |
| Provider / Source Domain | Alva Intelligence or third-party vendor |
| Category | Strictly Necessary, Performance, Functional, Targeting, Social Media, Preference |
| Purpose | Description of intended functionality |
| Lawful Basis | Consent, Legitimate Interest, or Contractual Necessity |
| Duration / Expiry | Session, Persistent (specify timeframe) |
| Data Collected | Types of personal data or identifiers stored |
| Transfer Recipients | Vendors or subprocessors receiving associated data |
| Opt-Out Mechanism | Link or method for deactivation |
| Last Validation Date | Date of most recent review or confirmation |
The Register is reviewed quarterly and certified by the Privacy Office.
Changes trigger an update process as defined in Section 17 (Change Management).
This standardized template documents every consent or withdrawal event to ensure evidentiary integrity and audit traceability under GDPR Article 7(1) and CPRA Section 1798.135.
| Field | Example / Description |
|---|---|
| Event ID | UUID-1234-5678 |
| Timestamp (UTC) | 2025-05-15T14:32:18Z |
| Policy Version | Cookie Policy v2.3 |
| Consent Source | Banner, Preference Center, GPC Signal, API |
| Categories Accepted | Performance, Functional |
| Categories Declined | Advertising, Social Media |
| User Identifier (Pseudonymized) | SHA256-hash of session ID |
| IP Region / Country | United States / California |
| Consent Validity | Active, Withdrawn, Expired |
| Withdrawal Timestamp | If applicable |
| Processor Notifications Sent | Yes / No |
| Audit Reviewer | DPO or delegate name |
This record is automatically generated within the Consent Management Platform (CMP) and stored in the secure Consent Registry Database.
Records are retained for a minimum of five years.
Purpose:
To provide visual and technical clarity on how Alva Intelligence’s cookie-consent infrastructure functions end-to-end.
Core Components Illustrated:
Each diagram version includes revision number, creation date, and reviewer signatures from the DPO and CISO. The diagram is updated upon any architectural or vendor integration change.
This exhibit identifies each vendor or subprocessor receiving cookie-derived data and documents their opt-out propagation process.
| Vendor Name | Service Type | Jurisdiction | Data Category Shared | Transfer Mechanism | Opt-Out Method | Suppression Confirmation SLA | Last Verification |
|---|---|---|---|---|---|---|---|
| Example: Google LLC | Analytics | United States | Anonymized usage statistics | EU SCCs / DPF | API notification | 72 hours | 2025-03-01 |
| Example: HubSpot Inc. | Marketing Automation | United States | Pseudonymous email engagement | SCCs | Manual interface update | 48 hours | 2025-02-15 |
The DPO reviews this matrix quarterly to confirm that vendors remain within scope, continue to honor suppression notifications, and maintain active compliance certifications.
This guide provides non-technical users with clear instructions for managing cookies across devices. It includes:
The guide also outlines limitations such as per-browser scope and lack of cross-device synchronization without account login so users can make informed privacy decisions.
Each exhibit is versioned separately from this Cookie Policy and includes:
Exhibit updates follow the same governance and approval workflow described in Section 17.3.
Users are notified only when exhibit changes materially alter data categories, processing purposes, or user choices.
Access to exhibit content is restricted to authorized personnel with a demonstrated need, including:
Where exhibits contain proprietary vendor information, only aggregated or redacted versions are shared publicly. Complete versions are disclosed solely to regulators or contractual clients upon lawful or written request.
All exhibits undergo comprehensive review at least annually. The DPO issues a Certificate of Exhibit Accuracy confirming that the data and processes reflected remain correct as of the certification date. This certificate forms part of the Annual Privacy Assurance Report described in Section 19.8 and is available for inspection by supervisory authorities.
The exhibits accompanying this Cookie Policy represent Alva Intelligence’s operational transparency and accountability in tangible form. They translate the commitments of this Policy into measurable, verifiable practice. Together, the main body of the Cookie Policy and its supporting exhibits form a complete compliance framework demonstrating that Alva Intelligence not only states its privacy obligations but documents, audits, and proves them in full accordance with law and industry best practice.
COOKIE POLICY
of
ALVA INTELLIGENCE LLC
Effective Date: 2nd of November 2025
Version:
This Cookie Policy has been reviewed, approved, and adopted by the authorized representatives of Alva Intelligence LLC in accordance with internal governance protocols and applicable data-protection regulations.
By executing this Policy, the undersigned certify that all operational, technical, and administrative controls necessary to enforce the commitments contained herein have been implemented and validated through internal audit.
The signatories below further affirm that this Policy will be:
ALVA INTELLIGENCE LLC
30 N Gould Street, Suite R
Sheridan, Wyoming 82801
United States
| Name | Title | Signature | Date |
|---|---|---|---|
| Denniz Özden | Chief Executive Officer | Denniz Özden | 2nd of November 2025 |
| ___________________________ | Data Protection Officer | ___________________________ | ___________________________ |
| ___________________________ | Chief Information Security Officer | ___________________________ | ___________________________ |
| ___________________________ | General Counsel | ___________________________ | ___________________________ |
This document has been examined by qualified legal counsel to confirm compliance with applicable laws and regulations, including the California Privacy Rights Act (CPRA), General Data Protection Regulation (GDPR), ePrivacy Directive, and relevant U.S. state privacy frameworks. Counsel has verified that all required disclosures, rights, and procedural safeguards are appropriately represented.
| Name of Counsel / Firm | Signature | Date |
|---|---|---|
| ___________________________ | ___________________________ | ___________________________ |
| Publication Platform | URL / System Location | Initial Publication Date | Last Reviewed | Next Scheduled Review |
|---|---|---|---|---|
| Public Website | https://www.alvaintelligence.com | ___________________ | ___________________ | ___________________ |
| Internal Policy Repository | Corporate SharePoint / Compliance Hub | ___________________ | ___________________ | ___________________ |
| Customer Portal | https://privacy.alvaintelligence.com | ___________________ | ___________________ | ___________________ |
The undersigned officers acknowledge collective responsibility for the accuracy, transparency, and enforcement of this Policy. Failure to implement or maintain controls described herein constitutes a breach of internal compliance duties and may trigger disciplinary or remedial action as outlined in Section 18 of this Policy.
ALVA INTELLIGENCE LLC
By: Denniz Özden
Authorized Signatory
Title: Chief Executive Officer
Date: 2nd of november 2025
Name / Title Denniz Özden CEO
Date 2nd of november 2025