Cookie Notice

This Cookie Notice describes the cookies and similar technologies used on the ALETHEIA websites (aletheia.holisticquality.io and safety.holisticquality.io) and in connection with the ALETHEIA API. It supplements the ALETHEIA Privacy Policy.

1. What are cookies and similar technologies

Cookies are small text files stored in your browser when you visit a website. Similar technologies — including local storage, session storage, and pixel tags — serve comparable purposes. Collectively, this Notice refers to them as "cookies."

2. What we use, and why

ALETHEIA is a business-to-business API with a minimal public web surface. We use cookies and similar technologies only for the categories described below. We do not use advertising cookies, marketing pixels, behavioral tracking, cross-site tracking, or third-party analytics that profile individual visitors.

2.1 Strictly necessary (always active)

These cookies are required for the websites to function securely. They cannot be disabled without breaking core functionality.

More information: Cloudflare Cookies reference.

2.2 Operational and security (always active)

These technologies support infrastructure reliability and abuse prevention, processed by our hosting and CDN providers under their own privacy policies.

These are technically not "cookies" in the browser sense but are covered here for transparency. They are described in more detail in Privacy Policy §2.3.

2.3 Analytics (aggregated only)

If aggregate analytics are enabled on the ALETHEIA websites, we access only aggregated or anonymized data. We do not use third-party analytics that profile individual visitors (for example, Google Analytics with identifiable tracking enabled, Meta Pixel, or behavioral retargeting tools).

If we enable an analytics tool that places any browser-side cookie, this Notice will be updated to list it by name before the tool is deployed.

2.4 What we do not use

We do not use:

• advertising or marketing cookies
• cross-site tracking pixels
• third-party retargeting or remarketing cookies
• behavioral profiling technologies
• cookies that share data with advertisers

3. Why we do not show a consent banner

You will not see a cookie-consent banner on these websites. That is a deliberate, documented decision — not an oversight.

3.1 European Union, United Kingdom, Switzerland (GDPR + ePrivacy)

The legal trigger for a cookie-consent banner in the EU is Article 5(3) of the ePrivacy Directive (2002/58/EC, as amended by 2009/136/EC), which requires consent for the storing of or access to information on a user's terminal equipment unless the storage/access is "strictly necessary in order to provide a service explicitly requested by the subscriber or user."

The technologies catalogued in §2.1 (Cloudflare bot-management cookies, session tokens) are strictly necessary under that exemption: without them the security challenge cannot evaluate, the session cannot persist, and the requested service (loading a page, completing a form) cannot be provided. The European Data Protection Board's Guidelines 2/2023 on the technical scope of Article 5(3) confirm that security and integrity cookies fall within the strictly-necessary exemption when they are limited to that purpose.

The technologies catalogued in §2.2 (server logs, edge rate-limiting identifiers) are infrastructure-side and do not involve storage of or access to information on the user's terminal equipment, so they fall outside the scope of Article 5(3) entirely.

The analytics surface catalogued in §2.3 uses Vercel Web Analytics, a first-party, privacy-by-design tool that does not set any browser-side cookies, does not assign a persistent visitor identifier, does not perform cross-site tracking, and aggregates measurements at the edge before any data is stored. Because no information is stored on or accessed from the user's terminal equipment, Article 5(3) is not triggered. The independent EDPB-aligned analysis Vercel publishes at vercel.com/docs/analytics/privacy-policy supports this characterization.

Personal data processed in the server logs and aggregate measurements is processed on the legitimate-interests basis under Article 6(1)(f) GDPR, balanced against the privacy interest of the user as required by Recital 47 GDPR and as scoped narrowly to security, fraud prevention, and the operation of the service that the user has requested.

3.2 California (CCPA / CPRA)

The CCPA requires a "Do Not Sell or Share My Personal Information" link only where a business sells or shares personal information as those terms are defined in Cal. Civ. Code § 1798.140. As stated in the Privacy Policy §9, we do not sell or share personal information, so no opt-out link is required and no consent dialog is triggered for that purpose. Cross-context behavioral advertising is not used.

3.3 Other jurisdictions

Equivalent reasoning applies under the Brazilian LGPD (Lei Geral de Proteção de Dados), the Canadian PIPEDA, the Australian Privacy Act, and the UK GDPR + PECR: the cookies and technologies in use are limited to strictly-necessary security and aggregated first-party measurement that does not require explicit prior consent.

3.4 What would trigger a banner

If we ever enable any of the following, we will deploy a granular consent banner before the technology goes live and will update this Notice to list the specific technology by name:

• third-party analytics that profile individual visitors (e.g., Google Analytics with identifiable tracking, Meta Pixel, Mixpanel with user identifiers, behavioral retargeting)
• advertising or marketing cookies
• cross-site or cross-context behavioral tracking
• session-replay tools that record full user interactions (e.g., FullStory, Hotjar in capture mode)
• any cookie that places a persistent identifier whose purpose is not strictly necessary under ePrivacy Article 5(3)

The trigger is the technology, not the geography. If we add any of the above we will surface a consent dialog to all users worldwide rather than gating consent on geo-IP, because we treat the strongest standard (EU ePrivacy + GDPR + UK GDPR) as the baseline.

4. Your choices

Because we limit cookie usage to strictly necessary and operational categories, most jurisdictions do not require a consent banner for our use. However, you retain full control over cookies through your browser:

• Browser controls. All major browsers allow you to view, block, or delete cookies. Blocking the cookies listed in §2.1 may prevent the websites from functioning correctly or may cause repeated security challenges from Cloudflare.
• Do Not Track (DNT). We do not respond to DNT signals because we do not perform the kind of tracking DNT is designed to opt out of.
• Global Privacy Control (GPC). We do not sell or share personal data; GPC signals therefore do not change our behavior.

5. RapidAPI marketplace users

If you access the Service through RapidAPI, any cookies placed by the RapidAPI marketplace are governed by RapidAPI's own cookie policy, which is available on the RapidAPI website. Holistic Quality does not set or read those cookies.

6. Changes to this Notice

We may update this Cookie Notice from time to time. Material changes will be announced on this page and, where required, through the channels described in Privacy Policy §11. The "Last Updated" date at the top of this Notice indicates the most recent revision.

v1.1 (14 May 2026): added §3 "Why we do not show a consent banner" with citations to ePrivacy Art. 5(3), EDPB Guidelines 2/2023, GDPR Art. 6(1)(f), and Cal. Civ. Code §1798.140. No change to the technologies used.

7. Contact

Questions about this Cookie Notice:

Holistic Quality LLC
Lebanon, Ohio
privacy@holisticquality.io