Legal · Cookie Policy · v2026.03

Cookies, session storage, and product telemetry on testml.org.

TestML serves enterprise reviewers and procurement teams. We publish this policy at the same level of specificity we expect from the AI providers we audit — every cookie named, every retention window stated, every processor disclosed. No hidden third-party advertising trackers run on this domain.


The short version

Four categories of cookies. Three of them are optional.

The same four-tier taxonomy our compliance team applies to customer audit packs. Each row is enforceable in your browser today — none of it depends on us shipping a future feature.

Strictly necessary

Session, CSRF, and consent-state cookies that keep the site functional, authenticated, and audit-traceable. Cannot be switched off without breaking sign-in.

Product analytics

First-party, IP-truncated event counts on marketing pages. Used to prioritise documentation and reduce the volume of pages we ship that nobody reads.

Anti-abuse telemetry

Bot, jailbreak, and credential-stuffing signals on /contact and /docs. Retained 30 days, never joined to identified-user data, never sold or shared.

Your control

Reject non-essential cookies in the consent banner, the per-browser controls below, or by sending the Global Privacy Control header — we honour all three.

Inventory · 6 entries

Every cookie this site sets, named and timed.

First-party only. We deliberately do not embed advertising or social-graph SDKs on testml.org — they would compromise the audit lineage we promise customers.

| Cookie | Purpose | Category | Retention |
| --- | --- | --- | --- |
| tml_session (testml.org) | Authenticated session token for the customer dashboard and audit-pack downloads. HttpOnly, Secure, SameSite=Lax. | Essential | Session |
| tml_csrf (testml.org) | Cross-site-request-forgery protection on contact, demo-booking, and risk-assessment forms. Rotated on each request. | Essential | Session |
| tml_consent (testml.org) | Stores your cookie-consent decisions so the banner does not re-prompt on every page. Records timestamp and policy version. | Essential | 12 months |
| tml_uid (testml.org) | First-party visitor identifier used for aggregated marketing analytics. IP is truncated to /24 (IPv4) or /48 (IPv6) before storage. | Analytics | 13 months |
| tml_path (testml.org) | Records the high-level page sequence within a single visit so we can prune content nobody uses. No URL fragments, no query strings. | Analytics | 30 days |
| tml_shield (testml.org) | Bot, scraper, and credential-stuffing signals on form-bearing pages. Cleared whenever a user signs in or completes a verified contact submission. | Security | 30 days |

How and why

Storage on your device, processors on ours.

What counts as a cookie here

For brevity we use the word “cookie” to cover three related browser-storage technologies: classical HTTP cookies, the Web Storage API (localStorage and sessionStorage), and the IndexedDB caches that Next.js uses to memoise navigation. The same consent rules apply to all three.

Lawful basis for setting them

Strictly necessary cookies are set under our legitimate interest in delivering a working, secure site (GDPR Art. 6(1)(f)). Analytics and product-telemetry cookies are set only after explicit, granular consent (GDPR Art. 6(1)(a) and Art. 5(3) of the ePrivacy Directive). Withdrawing consent does not retroactively invalidate earlier processing.

What we deliberately do not do

We do not run advertising pixels, conversion tags from ad networks, social-share widgets that read cookies, or cross-site fingerprinting libraries. Customer prompt and response data is processed inside the customer tenant only — the marketing site has no access to it and never will.

Per-browser controls

How to refuse, revoke, or wipe cookies entirely.

Browser settings always override our consent banner. Refusing all non-essential cookies will not break sign-in or forms — only the aggregated marketing analytics stop firing.

Chrome & Edge
  1. Settings → Privacy and security → Third-party cookies
  2. Block third-party, or clear site data for testml.org
  3. Optional: enable “Send a Do Not Track request”
Firefox
  1. Preferences → Privacy & Security → Enhanced Tracking Protection
  2. Choose Strict, or use Custom and tick Cookies
  3. Optional: enable Global Privacy Control under about:config
Safari
  1. Preferences → Privacy → Manage Website Data
  2. Search testml.org and click Remove
  3. Tick “Prevent cross-site tracking” for all sites
Mobile
  1. iOS Safari: Settings → Safari → Advanced → Block All Cookies
  2. Android Chrome: ⋮ → Settings → Site settings → Cookies
  3. Re-open the consent banner via the link in our footer

Regional rights

Where you live, what you can demand.

EU / EEA / UK

GDPR & UK GDPR

Lawful basis for analytics and security cookies is your prior consent (Art. 6(1)(a)). Withdraw it at any time without affecting the lawfulness of prior processing.

California

CCPA / CPRA

We do not sell or share personal information. The Global Privacy Control header is treated as a valid opt-out signal under §7025 CPRA regulations.

Brazil

LGPD

We rely on consent (Art. 7, IX) for non-essential cookies and provide a downloadable data-portability export on request to privacy@testml.org.

Need a redlined version for your DPIA pack?

Procurement teams routinely ask us to deliver this policy as a signed PDF with change history, mapped to the cookie inventory in your audit pack. We turn around redline requests within two business days.
