Cookie Policy

Effective Date: June 15, 2026

This Cookie Policy explains how the CodeGateway website uses cookies and similar technologies, and how you can manage your consent. We comply with UK GDPR / PECR / ePrivacy requirements on cookie consent and use a Cookie Banner to obtain your explicit consent, with a withdrawal entry available in the website footer. This policy is currently not offered to data subjects in mainland China; see Section 7.

1. What Are Cookies

Cookies are small text files that websites store on your browser when you visit them. They help websites recognize your device and remember information about you (such as your preferences). In addition to cookies, this notice equally applies to similar technologies that store or read information on your browser or device (for example, localStorage / sessionStorage, pixel tags / web beacons, and SDK tracking identifiers).

2. Types of Cookies We Use

We classify cookies used on our website into the following three categories:

  • Essential Cookies (always on): Used for basic website functionality such as session management, CSRF security verification, and load balancing. These cookies do not require your consent and fall within the "strictly necessary" exemption under PECR Reg.6(4).
  • Analytics Cookies (consent required): We use Google Tag Manager (GTM, container ID: GTM-T7DH9J9W) to load Google Analytics, which helps us understand website usage and improve our services. GTM is only injected into the page after you click "Accept" via the Cookie Banner; if you reject or have not made a selection, GTM and Google Analytics are not loaded at all, in line with the PECR / UK GDPR requirement that non-essential cookies must not be enabled by default.
  • Functional Cookies (consent required): Remember your preferences such as language selection (zh / en) and theme (dark / light).

We expressly state: we do NOT use advertising cookies on our website. We do not engage in profile-based advertising and do not share your browsing data with advertising networks for advertising purposes.

3. How to Manage Cookies

You can manage cookies in the following ways:

  • You can accept or reject non-essential cookies via the Cookie Banner on your first visit. The two buttons ("Accept" / "Reject") are equally prominent, in line with UK ICO guidance that "reject must be as easy as accept".
  • You can re-open the Cookie Banner at any time and on any page by clicking the "Cookie Settings" entry in the "Legal" section of the website Footer. The banner re-appears immediately and you can choose "Accept" or "Reject" again in **one click (1-click)**. **Withdrawing consent is as easy as granting it**, in compliance with UK GDPR / GDPR Article 7(3), which requires that "it shall be as easy to withdraw consent as to give it". The entry is available in both zh and en locales, requires no login, no contacting support, and no manual browser-storage cleanup.
  • If you wish to remove cookies more thoroughly, you can also clear or disable cookies through your browser settings (Chrome, Firefox, Safari, and Edge all provide this functionality). Clearing the cookie-consent key from your browser's localStorage will likewise cause the Cookie Banner to be shown again on your next visit.

Please note that disabling essential cookies may affect the website's functionality (for example, unstable login sessions or failed form submissions).

4. Third-Party Cookies

We use the following third-party services that may set their own cookies in your browser:

  • Google Analytics / Google Tag Manager (provided by Google LLC): Website traffic analysis. The GTM container ID is GTM-T7DH9J9W and is injected into the page only after you click "Accept" via the Cookie Banner; Google Analytics is loaded by GTM and uses persistent cookies such as _ga / _ga_* / _gid. See Google's privacy policy (https://policies.google.com/privacy).
  • Cloudflare (provided by Cloudflare, Inc.): Provides security (DDoS mitigation, Bot management) and performance optimization (CDN, caching, AI Gateway routing layer) for the website. Cloudflare uses essential-class cookies such as __cf_bm (bot-management identifier), which fall within the essential cookies category.

The third parties above (Google, Cloudflare) involve transferring cookie-derived data from UK/EEA to the United States. The legal basis is the **EU Standard Contractual Clauses (SCC)** and the **UK International Data Transfer Agreement (UK IDTA)**. For Google LLC and Cloudflare, Inc., which are self-certified under the **EU-US Data Privacy Framework (DPF)**, DPF may serve as a supplementary basis. **If the DPF adequacy decision is revoked or fails, all relevant transfers will automatically fall back to SCC / UK IDTA as the sole basis.** **GDPR Art.28 Data Processing Agreements (DPA)** with corresponding SCCs have been executed with each processor.

In addition, we have executed **Google's Data Processing Terms (DPT)** for Google Tag Manager (GTM), forming the contractual basis of the GDPR Art.28 processor relationship.

These third parties have their own privacy policies which we recommend you review.

5. Policy Updates

We may update this Cookie Policy. Significant changes (e.g., new cookie categories, changes to the cross-border transfer legal basis, changes to the PIPL applicability boundary) will be communicated via website notifications (in-site banner / changelog), and where necessary, your consent will be re-captured via the Cookie Banner. Please review this policy periodically for the latest changes.

The current amendments (§4 cross-border transfer basis + GTM DPT disclosure / §7 NEW Cross-Border & PIPL Note) take effect on June 15, 2026, after a 30-day notice period.

6. Third-Party Policy References

The third-party processors above (Google, Cloudflare) have their own privacy policies and cookie practices, which we recommend you review:

  • Google Privacy & Terms: https://policies.google.com/privacy
  • Google Tag Manager Use Policy: https://marketingplatform.google.com/about/analytics/tag-manager/use-policy/
  • Cloudflare Privacy Policy: https://www.cloudflare.com/privacypolicy/
  • Cloudflare Cookie Policy: https://www.cloudflare.com/cookie-policy/

These third-party policies may change in line with their own compliance needs; such changes do not constitute a breach by the Service.

7. Cross-Border Jurisdiction and PIPL Applicability (NEW · Amendment 1)

This Cookie Policy is currently based on UK GDPR / PECR / ePrivacy. Once CodeGateway formally launches services in the People's Republic of China mainland jurisdiction during Phase 4 (see roadmap Issue #95), we will supplement this section with PIPL-specific provisions on cookies and tracking technologies, **including but not limited to PIPL §13 (consent basis), §14 (separate consent), §23 (provision of personal information to third parties), §29 (automated decision-making), §38 (cross-border transfer — one of three: standard contract / security assessment / PI protection certification), §39 (separate consent for cross-border transfer), and §44-50 (data subject rights), as well as the supporting rules of the Personal Information Protection Law regarding the principle that "automated tracking must not be the default"**. Until then, **this service is not provided to data subjects in mainland China** (see Terms of Service, Section 3, Geographic Restrictions).

If you are a mainland-China user accessing this website, cookies used by this site are activated only upon your explicit click on "Accept", and any data collected remains processed under the UK GDPR / SCC / UK IDTA framework. This does not constitute "processing of personal information" or "cross-border transfer" within the meaning of PIPL §13 / §14 / §29 / §38 / §39 / §44-50, and we do not issue separate consent forms or security-assessment materials in respect of cross-border transfers for mainland-China users.

8. Contact Us

If you have any questions about this Cookie Policy, the way cookies are used, or the status of your consent, please contact us:

  • Email: support@codegateway.dev

We will respond to your inquiry within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the data protection authority in your jurisdiction (UK: the ICO; EU: your member-state DPA).
