# Cookie Policy
Effective from 9 May 2026. Version 1.1.0.
This Cookie Policy describes how ElevateFinance Private Limited ("**ElevateFinance**", "**we**", or "**us**") uses cookies and similar device-storage technologies on the Platform. It is read together with the Privacy Policy, the Terms of Service, the Acceptable Use Policy, and the Sub-Processor List.
## Defined terms
In this Policy:
- "**Cookie**" means a small text file or equivalent record stored by the User's browser, mobile shell, or desktop shell when the User accesses the Platform. References to "Cookies" in this Policy include the similar device-storage technologies described at clause 5.
- "**Platform**" or "**Service**" means the software-as-a-service product operated under the apex domain `elevatefinance.co` and every white-label tenant subdomain configured under the Master Services Agreement (the "**MSA**").
- "**User**" means a natural person who uses the Platform, whether through a browser, the mobile shells, or the desktop shells.
- "**Personal Data**" has the meaning given in the Digital Personal Data Protection Act 2023 (the "**DPDP Act**").
## 1. What is a Cookie?
**Plain-language summary.** A Cookie is a small piece of data that the Platform places in the User's browser or device so that the Platform can recognise the User on the next request and remember preferences. The Platform also uses the equivalent device-storage mechanisms described at clause 5.
1.1 A Cookie is a small text file that a website places on the User's device when the User accesses it.
1.2 The Platform uses Cookies and the equivalent device-storage technologies described at clause 5 for the purposes set out in clause 2.
## 2. Categories of Cookie used
**Plain-language summary.** The Platform uses three categories of Cookie. The first category is required for the Platform to work and cannot be turned off without breaking sign-in. The second category remembers User preferences. The third category does not exist on this Platform: there are no third-party advertising or analytics trackers.
### 2.1 Strictly necessary
These Cookies are essential for the Platform to function. They are set in response to actions that amount to a request for service, such as signing in, setting privacy preferences, or completing a step-up authentication. The User cannot turn them off without breaking the Platform.
| Purpose | Description |
| ---------------------------------- | ------------------------------------------------------------------- |
| Session | Authenticates the User across requests within a session |
| Cross-site request forgery defence | Binds form submissions to the issuing session |
| Step-up authentication | Holds the short-lived state required to complete a sensitive action |
These Cookies are configured with the protective attributes that modern browsers require for high-assurance Cookies, including host-scoped naming, transport security, HTTP-only access, and same-site restrictions. The technical configuration is held in source and not enumerated here so as to avoid giving an attacker free reconnaissance.
### 2.2 Functional
These Cookies remember non-essential User preferences across visits.
| Purpose | Description |
| ----------------- | ----------------------------------------------- |
| Theme preference | Remembers the User's light or dark theme choice |
| Locale preference | Remembers the User's preferred language |
Blocking functional Cookies does not break the Platform but resets the User's preferences on each visit.
### 2.3 Performance and analytics
ElevateFinance does not use any third-party analytics Cookie. The Platform's product analytics are computed in-house from the audit log.
### 2.4 Advertising
ElevateFinance does not set advertising Cookies. ElevateFinance does not permit any third-party advertising to be served through the Platform.
## 3. Third-party Cookies
**Plain-language summary.** When the User signs in with a third-party identity provider or pays through the listed payment partner, that third party sets its own Cookies on its own domain. ElevateFinance does not control those Cookies; the third party's own privacy notice governs them.
3.1 When the User signs in with a third-party identity provider, that provider sets Cookies on its own domains as part of the OAuth flow. ElevateFinance does not control those Cookies; the provider's privacy notice governs them. The provider is identified in the Sub-Processor List.
3.2 When the User initiates a payment through the listed payment partner, the partner sets Cookies on its domain to facilitate the transaction. ElevateFinance does not control those Cookies; the partner's privacy notice governs them. The partner is identified in the Sub-Processor List.
## 4. User choices
**Plain-language summary.** The User can manage Cookies through the browser. Blocking the strictly necessary category will prevent the User from signing in.
4.1 The User can control Cookies through browser settings. Each browser provides documented mechanisms for inspecting, blocking, and deleting Cookies.
4.2 Blocking strictly necessary Cookies will prevent sign-in and break the Platform.
4.3 Blocking functional Cookies will not break the Platform but will reset preferences on each visit.
## 5. Local storage and secure storage
**Plain-language summary.** In addition to Cookies, the Platform uses the device's own storage to keep small pieces of state that make navigation faster and preserve in-progress work. None of this storage leaves the User's device on its own.
The Platform uses the following device-storage mechanisms:
(a) **localStorage**, used to cache resolved values that are stable within a session, such as the User's tenant feature flags;
(b) **sessionStorage**, used to hold transient UI state, such as the in-progress drafts of a filing wizard before they are persisted to the database;
(c) **secure storage** on the desktop and mobile native shells, used to hold the pinned tenant slug.
None of these stores Personal Data outside the boundary of the device.
## 6. Mobile push identifiers
**Plain-language summary.** The mobile applications register a push token with the operating system so they can deliver notifications. The token is removed when the User signs out or revokes the notification permission.
6.1 The mobile native shells use the operating-system push identifier (such as the Apple Push Notification service token or the Firebase Cloud Messaging token) only for delivering push notifications.
6.2 The token is removed when the User signs out or revokes the notification permission.
## 7. Children
**Plain-language summary.** The Platform is not intended for persons under eighteen years of age, and Cookies are not used to profile children.
7.1 The Platform is intended for Users who are at least eighteen years of age. Cookies are not used to track or profile a child.
## 8. Changes to this Policy
**Plain-language summary.** ElevateFinance may update this Policy from time to time. Material changes are notified in advance.
8.1 ElevateFinance may update this Policy from time to time.
8.2 Material changes are notified at least thirty (30) calendar days in advance through an in-product banner and an email to the registered email address of the User.
## 9. Contact
**Plain-language summary.** Questions go to the privacy inbox or the Grievance Officer named in the Privacy Policy.
9.1 Questions about this Policy go to `privacy@elevatefinance.co`.
9.2 Grievances under the DPDP Act go to the Grievance Officer named in the Privacy Policy and the DPDP Grievance Redressal page, through `support@elevatefinance.co` with the literal token `[Grievance]` in the subject line.
## 10. Cross-references
This Policy is read together with:
- Privacy Policy
- Terms of Service
- Acceptable Use Policy
- Sub-Processor List
- Data Processing Agreement
- DPDP Grievance Redressal
- Master Services Agreement
---
By using the Platform, the User consents to the use of Cookies as described in this Policy.