Cookies and similar technologies are small bits of data the EasyMark websites and the in-product application store in your browser or on your device. We use them for a few clear purposes: to keep you signed in and protect your account, to remember your language and preferences, to understand how the product is used so we can improve it, and (only with your express consent) to support marketing. We do not use cookies to track you across other websites for advertising. You can refuse non-necessary cookies — through the in-product preferences (once the cookie banner ships), your browser settings, or by writing to privacy@easymark.ca. The strictly necessary cookies — the ones that make sign-in, security, and load-balancing work — cannot be turned off, because without them the product does not work.

1. What cookies are, and what similar technologies we use

A “cookie” is a small text file that a website places in your browser when you visit. Cookies are commonly used to keep you signed in across pages, to remember your preferences, to measure how the website is used, and (with consent) to support marketing. The EasyMark websites at easymark.ca, the marketing site, the in-product application at app.easymark.ca, and the e-mail SZTek sends you also use technologies similar to cookies — including localStorage and sessionStorage entries in your browser, pixel tags or “web beacons” in e-mail and on pages, server-set first-party identifiers that travel in HTTP headers, and device-fingerprint metadata derived from non-identifying signals. Throughout this Policy, the term “cookies” is used as a shorthand for cookies and these similar technologies unless the context requires distinguishing them. SZTek is the enterprise responsible for the personal information that flows through cookies set by SZTek on its own properties (called “first-party cookies”). Third parties whose code runs on SZTek properties (for example, a payment-card form embedded by Stripe, or an analytics SDK) may set their own cookies (called “third-party cookies”); each such third party is responsible for the cookies it sets, under that third party’s own privacy notice and cookie practices. SZTek lists in Clause 5 the third parties whose code currently runs on SZTek properties.

2. Categories of cookies, grouped by purpose

SZTek groups the cookies and similar technologies used on its properties into four purpose-categories. Each category is described below in plain language; the specific cookies in each category are listed in Clause 5. Consent for non-strictly-necessary categories is sought separately, in accordance with Quebec Law 25, before non-necessary cookies are set.

(a) Strictly necessary. These cookies and similar technologies are required for the EasyMark websites and in-product application to function. They support sign-in and session management (so you stay signed in across pages and so you are signed out when your session expires), security and abuse prevention (including CSRF token cookies and rate-limiting identifiers), load-balancing (so traffic is routed to a healthy server), and the recording of your own cookie-consent choices (so SZTek can honor those choices on your next visit). Strictly necessary cookies do not require consent under applicable law and cannot be refused without preventing the Service from functioning; refusing them would make sign-in, security, and load-balancing fail. SZTek minimizes the set of strictly necessary cookies and reviews the set periodically to remove any that are not actually required.

(b) Functional (preference) cookies. These remember choices you have made — your preferred language (English or French), your time-zone, the open/closed state of in-product panels, the dismissed-banner state for in-product notices, and similar preferences. Without these cookies the Service still works, but you would have to re-select these preferences on each visit. Functional cookies are set on the basis of your consent, with the consent of necessary cookies treated as bundled where this Policy permits, or by an opt-in toggle in the in-product preferences (once the cookie-consent UI ships).

(c) Analytics and performance cookies. These help SZTek understand how the Service is used in aggregate — which features are popular, where users encounter errors, how page loads perform, how onboarding flow conversions trend. SZTek uses analytics in the most privacy-respecting configuration available — including IP-anonymization where supported, short-lived identifiers, sampling, and de-identification before storage where feasible. Analytics cookies are set only with your consent, sought separately from strictly necessary and functional cookies. Withdrawing analytics consent does not affect any of the other categories.

(d) Marketing and advertising cookies. These would support marketing on third-party platforms (re-marketing on social channels, attribution of conversions on advertising channels) if and when SZTek operates such marketing. As of the effective date of this Policy, SZTek may set marketing cookies on its marketing website (easymark.ca and the locale-prefixed marketing pages) only where you have given express, separately-collected consent. The in-product application at app.easymark.ca does not set marketing cookies. Withdrawing marketing consent does not affect any of the other categories.

SZTek does not use cookies for cross-site tracking, behavioral profiling, or sale of identifiers to data brokers. SZTek does not knowingly join cookie identifiers to identifiable personal information for purposes outside this Policy.

3. Identification of specific cookies

The table below describes the cookies and similar technologies SZTek currently sets, or that are set by code embedded by SZTek on its properties. SZTek reserves the right, in its sole discretion subject to applicable law, to add or substitute equivalent cookies within the same category; adding a cookie in a new purpose-category, or in a third-party-recipient relationship not already covered, requires a renewed disclosure and (where applicable) renewed consent. The list is updated as cookies are added or removed; you are encouraged to consult the most recent version of this Policy for the current list.

Strictly necessary — first-party (SZTek-set on easymark.ca and app.easymark.ca):

• session — authentication session cookie; HttpOnly, Secure, SameSite=Lax; retention: session-lifetime, expires at session end or on sign-out.
• csrf_token — cross-site request-forgery defense; HttpOnly, Secure; retention: session-lifetime.
• lb_route — load-balancer sticky-session routing token; retention: session-lifetime.
• cookie_consent — records your cookie-consent choices so SZTek can honor them on subsequent visits; retention: twelve (12) months, renewed on each consent interaction.
• locale_pref — preferred user-interface language (en or fr); retention: twelve (12) months. Treated as strictly necessary because the marketing site selects the correct locale-resource bundle from this value.

Functional (preference) — first-party (SZTek-set):

• tz_pref — preferred time-zone for in-product timestamp display; retention: twelve (12) months.
• ui_panels_state — open/closed state of in-product side panels; retention: twelve (12) months.
• dismissed_banners — set of in-product banner identifiers you have dismissed; retention: twelve (12) months.
• localStorage[“em_onboarding_progress”] — onboarding flow progress; retention: until cleared or account deletion.

Analytics and performance — first-party (SZTek-set, set only with consent):

• em_analytics_session — short-lived analytics-session identifier (rotates every thirty (30) minutes of inactivity); retention: rolling thirty (30) minutes; IP-truncated before storage.
• em_perf_sample — performance-sampling flag; retention: twenty-four (24) hours.

Analytics and performance — third-party (set by analytics SDK embedded by SZTek, only with consent):

• SZTek uses Plausible Analytics, self-hosted on Oracle Cloud Infrastructure (Canada region), for product analytics. Plausible is cookieless by design and does not set any analytics cookies on app.easymark.ca or easymark.ca. Because no analytics cookies are set, no separate analytics-consent prompt is required. SZTek does not embed Google Analytics, Meta Pixel, or any other third-party analytics SDK that would set cookies on its properties.

Marketing and advertising — third-party (set on easymark.ca marketing site only, set only with separately-collected express consent):

• Where SZTek operates marketing campaigns on Meta, Google, LinkedIn, or other channels, the corresponding pixel (e.g., Meta Pixel, Google Tag, LinkedIn Insight Tag) may be embedded on marketing pages. These pixels are subject to the third party’s own privacy notice and cookie practices. As of the effective date of this Policy, SZTek will list the currently-active marketing pixels here; in the absence of an active marketing campaign, no marketing pixels are embedded. The in-product application at app.easymark.ca does not embed marketing pixels.

Third-party functional cookies (set by Stripe Elements when you submit a payment):

• When a payment form embedded by Stripe Elements is loaded on the billing page, Stripe sets its own cookies (__stripe_mid, __stripe_sid, and others) for the purpose of payment-fraud prevention and session-continuity. These cookies are set and read by Stripe under Stripe’s privacy notice at stripe.com/privacy. SZTek embeds Stripe Elements solely for payment processing and does not control Stripe’s cookie practices.

SZTek does not set cookies in the marketing e-mails it sends. Where transactional e-mails contain pixel tags (web beacons) — for example, to record delivery and open events for transactional message-delivery diagnostics — those pixel tags are operated by the e-mail-delivery provider; they are not used for marketing-attribution purposes without your separate consent.

4. How we obtain consent for non-strictly-necessary cookies, and how to withdraw consent

Consent for non-strictly-necessary cookies is obtained in accordance with Quebec Law 25 and PIPEDA. Consent is manifest, free, enlightened, and given for specific purposes; consent for one category does not imply consent for any other.

(a) Account-creation acceptance flow. At account creation, you are asked to accept the Terms of Service, the Privacy Policy, and this Cookie Policy. Acceptance of this Cookie Policy at account creation covers the strictly-necessary cookies described in Clause 5; it does not cover analytics, marketing, or third-party cookies that require separately-collected consent.

(b) Cookie-consent UI banner (forthcoming). SZTek is implementing an in-product and on-marketing-site cookie-consent UI banner, which will be the primary mechanism for obtaining separately-collected consent for analytics, functional (where consent is the basis), and marketing cookies. The banner offers purpose-grouped consent toggles (“accept all”, “reject all where allowed”, or “manage preferences”) and a preference-center URL at which you may at any time revisit and modify your choices. Until the consent-UI banner ships, SZTek does not set analytics or marketing cookies; strictly-necessary cookies and the functional cookies bundled with strictly necessary at acceptance (per Clause 5) are the only cookies set in the interim. The cookie-consent UI banner is a separate engineering deliverable governed by the legal-cookie-consent-ui brief.

(c) Browser-level controls. Independent of the in-product consent mechanism, you may use your browser’s settings to refuse, restrict, or delete cookies from any website, including easymark.ca and app.easymark.ca. Browser settings vary by browser; instructions are typically available in the browser’s “Privacy” or “Cookies” settings menu. Note: refusing or deleting strictly necessary cookies in your browser will prevent the Service from functioning — sign-in, security, and load-balancing depend on them.

(d) Do-Not-Track and Global Privacy Control signals. Where SZTek’s properties receive a recognized Global Privacy Control (GPC) signal in your HTTP request, SZTek treats the signal as a request to refuse non-strictly-necessary cookies and applies the refusal where technically feasible. Where SZTek’s properties receive a “Do-Not-Track” signal, SZTek honors the signal in the same way to the extent technically feasible.

(e) Withdrawal of consent. You may withdraw consent for any non-strictly-necessary cookie category at any time, through the cookie-consent UI banner preference center (once available), through the in-product account settings, through your browser-level cookie-deletion controls, or by writing to privacy@easymark.ca. Withdrawal takes effect within a reasonable time and in any event within the time period required by Law 25.

(f) Effect of withdrawal. Withdrawing consent for analytics, functional, or marketing cookies disables those categories on future visits; it does not retroactively delete information collected before withdrawal. To request deletion of previously-collected information, exercise the right of deletion described in the Privacy Policy Clause 11(d) / Section 6(d).

(g) First-visit posture. On your first visit to a SZTek property (before any consent is recorded), SZTek sets only strictly-necessary cookies. No analytics, marketing, or third-party cookies are set until consent has been recorded.

5. Trans-border data flows triggered by cookies

Where a cookie or similar technology is set by a third party whose servers are located outside the Province of Quebec — for example, the Stripe payment-fraud cookies referenced in Clause 5, third-party analytics SDK cookies, or marketing pixels operated by Meta, Google, LinkedIn, X, or other platforms — the values transmitted in those cookies, together with associated HTTP-header values, may be received and processed in the destination jurisdictions. The Privacy Policy Clause 15 / Section 8 (trans-border data transfers) describes SZTek’s posture on such transfers, including the Article-17 privacy-impact-assessment requirement, the contractual safeguards SZTek requires, the acknowledgment SZTek seeks from you, and your alternative of not using the Service if you do not accept the trans-border processing. The same posture applies to cookie-triggered transfers. By accepting analytics or marketing cookies through the consent mechanism in Clause 7, you acknowledge the trans-border data flows associated with the third parties listed in Clause 5 for those categories.

6. Browser-level controls and additional opt-out paths

In addition to the in-product consent mechanism described in Clause 7, you may exercise the following browser-level and platform-level controls:

(a) Block all cookies in your browser. Each major browser exposes settings to block all cookies, block third-party cookies, accept cookies only from sites you visit, or clear all cookies on exit. Consult your browser’s Privacy or Cookies settings.

(b) Clear cookies for a specific site. Each major browser allows you to clear cookies and localStorage / sessionStorage entries for a specific origin (e.g., easymark.ca and app.easymark.ca). Doing so resets all consent and preference state on that property; you will be asked for consent again on next visit.

(c) Use a privacy-focused browser or extension. Browser extensions and privacy-focused browsers that block tracking technologies generally honor the SZTek properties’ cookie surface; SZTek does not employ anti-tracking-extension circumvention.

(d) Refuse advertising-platform cookies at the platform level. Where a marketing pixel is operated by a third-party platform (Meta, Google, LinkedIn, X), that platform typically offers its own platform-level opt-out (for example, the Meta ad-preference settings, the Google ad-settings page, the LinkedIn ad-preferences page). SZTek lists the third-party opt-out URLs in the most recent version of this Policy where SZTek operates a campaign with that platform.

(e) Network-level opt-out frameworks. SZTek does not currently participate in centralized network-level opt-out frameworks beyond honoring GPC and Do-Not-Track signals (Clause 7(d)). Where such participation becomes appropriate in the future, this Policy will be updated.

Document Information. This document is AI-drafted (v2.0 — first version; created de novo on 2026-05-29 by AI under MON Council-of-Build authority). Substantive obligations and bilingual parity are under review by Canadian legal counsel. Document version: v2.0. Effective date: [TBD at publish time by SZTek]. Last counsel review: Pending.

Changes to this Policy. SZTek may update this Policy from time to time. Material changes will be communicated through in-product notice, e-mail, or the websites at least thirty (30) days before they take effect, and (per the re-consent mechanism described in the Terms of Service Section 23) acceptance of the new version is requested on next login. Non-material changes (corrections of typographical errors, clarifications that do not alter substantive obligations, additions or removals of individual cookies within an already-disclosed purpose category) take effect on posting. The “Effective” date appears at the top of this page. After Canadian counsel sign-off, the wording “under review by Canadian legal counsel” is replaced by a version-stamped “reviewed by Canadian legal counsel on [date]” and a new document version (v2.1+) is seeded.