Cookie Policy
Last updated: May 14, 2026
1. What cookies are
Cookies are small text files a website downloads onto your device to store information about your browsing. This policy describes which cookies VRET uses, for what purpose, for how long, and how you can manage them.
This policy forms part of our Privacy Policy and is drafted in line with Art. 22.2 of Spanish Law 34/2002 (LSSI-CE), Directive 2002/58/EC (ePrivacy), the UK PECR, and the Spanish Data Protection Agency cookie guidance (current version).
2. Executive summary
- Strictly necessary technical cookies: yes (authenticated session, language preference and the consent record). On by default, no consent required. CSRF protection is performed via an
Originheader check, with no cookie. - Usage analytics: Google Analytics 4 and Microsoft Clarity (heatmaps and replays). Only with your consent.
- Advertising measurement: LinkedIn Insight Tag. Only with your consent.
- Third-party social / behavioural personalisation cookies: we do not use them.
VRET shows a cookie configuration banner on your first visit. Until you grant consent, no analytics or advertising cookie is activated (Google Consent Mode v2 with denied defaults). You can change your choice at any time from the "Manage cookies" link in the footer. We also honour the Global Privacy Control (GPC) signal as an automated opt-out.
3. Cookies used
| Cookie | Type | Origin | Purpose | Duration | Legal basis |
|---|---|---|---|---|---|
vret_session | Strictly necessary | First party (vret.es) | Keep the professional’s authenticated session in the dashboard | 1 hour (renewed on session refresh) | Necessary (Art. 22.2 LSSI-CE) |
vret_locale | Technical | First party (vret.es) | Remember the selected language (Spanish / English) | 12 months | Necessary for the service requested by the user |
vret_consent | Strictly necessary | First party (vret.es) | Record your choice about analytics and advertising cookies | 12 months | Necessary (Art. 22.2 LSSI-CE) |
vret_attribution / vret_attribution_last | Advertising measurement | First party (vret.es) | First-touch and last-touch attribution (UTM, referrer and campaign click IDs: gclid, fbclid, li_fat_id) to know which campaign brought each visit | 90 days | Consent (Art. 22.2 LSSI-CE / PECR) — written only if you accept advertising measurement in the banner |
_ga, _ga_* | Analytics | Google LLC | Google Analytics 4: distinguish unique visitors and compute sessions | 13 months | Consent (Art. 22.2 LSSI-CE / PECR) |
_clck, _clsk, CLID, MR, MUID, SM, ANONCHK | Analytics | Microsoft Corporation (Clarity) | Heatmaps and session replays to detect usability issues. Sensitive inputs are masked. | 1 day to 1 year per cookie | Consent (Art. 22.2 LSSI-CE / PECR) |
li_gc, li_sugr, UserMatchHistory, AnalyticsSyncHistory, bcookie, lidc, bscookie | Advertising measurement | LinkedIn Corporation | LinkedIn Insight Tag: measure campaign conversions and enable custom audiences in LinkedIn Ads | Up to 24 months | Consent (Art. 22.2 LSSI-CE / PECR) |
Cookies marked strictly necessary are essential for the service to work (authentication, security, consent record). They do not require prior consent under Art. 22.2 LSSI-CE. All others are activated only after your express acceptance via the banner.
4. Analytics and advertising-measurement services
These services are activated only if you give express consent. Until then, their cookies are not created (Google Consent Mode v2 with denied defaults).
4.1 Google Analytics 4 (GA4)
- Provider: Google LLC (USA) and Google Ireland Limited (EU).
- Purpose: measure traffic, acquisition sources, aggregate behaviour and conversions (resource downloads, demo bookings). IP anonymised.
- International transfer: Google adheres to the EU-US Data Privacy Framework (European Commission adequacy decision, 10 July 2023) and its UK Extension, providing a protection framework equivalent to the GDPR.
- Policy: policies.google.com/privacy.
4.2 Microsoft Clarity
- Provider: Microsoft Corporation (USA) and Microsoft Ireland Operations Ltd (EU).
- Purpose: heatmaps and session replays to improve usability. Sensitive inputs (passwords, clinical dashboard data) are masked automatically and not recorded.
- International transfer: Microsoft adheres to the EU-US Data Privacy Framework and its UK Extension.
- Policy: privacy.microsoft.com/privacystatement.
4.3 LinkedIn Insight Tag
- Provider: LinkedIn Ireland Unlimited Company (EU) and LinkedIn Corporation (USA).
- Purpose: measure conversions from advertising campaigns aimed at healthcare professionals and enable custom audiences in LinkedIn Ads.
- International transfer: LinkedIn adheres to the EU-US Data Privacy Framework and its UK Extension.
- Policy: linkedin.com/legal/privacy-policy.
You can withdraw your consent at any time from the "Manage cookies" link in the footer. Withdrawal takes effect on the next refresh of the site.
5. Managing cookies in your browser
Although the technical cookies we use do not require consent, you can configure or delete them at any time from your browser. Note that disabling technical cookies may prevent the dashboard from working.
6. Embedded third-party cookies
Some pages may embed third-party content (for example, a Calendly calendar to book demos, or a YouTube video in the documentation). When this happens, that third party may set its own cookies under its own policy:
- Calendly (demo scheduling): calendly.com/legal/privacy-notice.
VRET does not control cookies set by embedded third parties. Where such third parties set cookies that require consent, we will show a mechanism to accept or reject before loading the component.
7. Changes to this policy
Any substantial change will be published on this same page with its corresponding update date. If the change involves introducing cookies that require consent, we will ask for it before activation.
8. Contact
For any question about this policy: privacidad [arroba] vret.es.