Cookie Policy

Last updated: May 14, 2026

1. What cookies are

Cookies are small text files a website downloads onto your device to store information about your browsing. This policy describes which cookies VRET uses, for what purpose, for how long, and how you can manage them.

This policy forms part of our Privacy Policy and is drafted in line with Art. 22.2 of Spanish Law 34/2002 (LSSI-CE), Directive 2002/58/EC (ePrivacy), the UK PECR, and the Spanish Data Protection Agency cookie guidance (current version).

2. Executive summary

  • Strictly necessary technical cookies: yes (authenticated session, language preference and the consent record). On by default, no consent required. CSRF protection is performed via an Origin header check, with no cookie.
  • Usage analytics: Google Analytics 4 and Microsoft Clarity (heatmaps and replays). Only with your consent.
  • Advertising measurement: LinkedIn Insight Tag. Only with your consent.
  • Third-party social / behavioural personalisation cookies: we do not use them.

VRET shows a cookie configuration banner on your first visit. Until you grant consent, no analytics or advertising cookie is activated (Google Consent Mode v2 with denied defaults). You can change your choice at any time from the "Manage cookies" link in the footer. We also honour the Global Privacy Control (GPC) signal as an automated opt-out.

3. Cookies used

CookieTypeOriginPurposeDurationLegal basis
vret_sessionStrictly necessaryFirst party (vret.es)Keep the professional’s authenticated session in the dashboard1 hour (renewed on session refresh)Necessary (Art. 22.2 LSSI-CE)
vret_localeTechnicalFirst party (vret.es)Remember the selected language (Spanish / English)12 monthsNecessary for the service requested by the user
vret_consentStrictly necessaryFirst party (vret.es)Record your choice about analytics and advertising cookies12 monthsNecessary (Art. 22.2 LSSI-CE)
vret_attribution / vret_attribution_lastAdvertising measurementFirst party (vret.es)First-touch and last-touch attribution (UTM, referrer and campaign click IDs: gclid, fbclid, li_fat_id) to know which campaign brought each visit90 daysConsent (Art. 22.2 LSSI-CE / PECR) — written only if you accept advertising measurement in the banner
_ga, _ga_*AnalyticsGoogle LLCGoogle Analytics 4: distinguish unique visitors and compute sessions13 monthsConsent (Art. 22.2 LSSI-CE / PECR)
_clck, _clsk, CLID, MR, MUID, SM, ANONCHKAnalyticsMicrosoft Corporation (Clarity)Heatmaps and session replays to detect usability issues. Sensitive inputs are masked.1 day to 1 year per cookieConsent (Art. 22.2 LSSI-CE / PECR)
li_gc, li_sugr, UserMatchHistory, AnalyticsSyncHistory, bcookie, lidc, bscookieAdvertising measurementLinkedIn CorporationLinkedIn Insight Tag: measure campaign conversions and enable custom audiences in LinkedIn AdsUp to 24 monthsConsent (Art. 22.2 LSSI-CE / PECR)

Cookies marked strictly necessary are essential for the service to work (authentication, security, consent record). They do not require prior consent under Art. 22.2 LSSI-CE. All others are activated only after your express acceptance via the banner.

4. Analytics and advertising-measurement services

These services are activated only if you give express consent. Until then, their cookies are not created (Google Consent Mode v2 with denied defaults).

4.1 Google Analytics 4 (GA4)

  • Provider: Google LLC (USA) and Google Ireland Limited (EU).
  • Purpose: measure traffic, acquisition sources, aggregate behaviour and conversions (resource downloads, demo bookings). IP anonymised.
  • International transfer: Google adheres to the EU-US Data Privacy Framework (European Commission adequacy decision, 10 July 2023) and its UK Extension, providing a protection framework equivalent to the GDPR.
  • Policy: policies.google.com/privacy.

4.2 Microsoft Clarity

  • Provider: Microsoft Corporation (USA) and Microsoft Ireland Operations Ltd (EU).
  • Purpose: heatmaps and session replays to improve usability. Sensitive inputs (passwords, clinical dashboard data) are masked automatically and not recorded.
  • International transfer: Microsoft adheres to the EU-US Data Privacy Framework and its UK Extension.
  • Policy: privacy.microsoft.com/privacystatement.

4.3 LinkedIn Insight Tag

  • Provider: LinkedIn Ireland Unlimited Company (EU) and LinkedIn Corporation (USA).
  • Purpose: measure conversions from advertising campaigns aimed at healthcare professionals and enable custom audiences in LinkedIn Ads.
  • International transfer: LinkedIn adheres to the EU-US Data Privacy Framework and its UK Extension.
  • Policy: linkedin.com/legal/privacy-policy.

You can withdraw your consent at any time from the "Manage cookies" link in the footer. Withdrawal takes effect on the next refresh of the site.

5. Managing cookies in your browser

Although the technical cookies we use do not require consent, you can configure or delete them at any time from your browser. Note that disabling technical cookies may prevent the dashboard from working.

6. Embedded third-party cookies

Some pages may embed third-party content (for example, a Calendly calendar to book demos, or a YouTube video in the documentation). When this happens, that third party may set its own cookies under its own policy:

VRET does not control cookies set by embedded third parties. Where such third parties set cookies that require consent, we will show a mechanism to accept or reject before loading the component.

7. Changes to this policy

Any substantial change will be published on this same page with its corresponding update date. If the change involves introducing cookies that require consent, we will ask for it before activation.

8. Contact

For any question about this policy: privacidad [arroba] vret.es.