UA

[ COOKIE POLICY ]

Cookies and Similar Technologies Policy

This policy explains in full detail how PENGER (mypenger.com) uses cookies and similar technologies when you visit our website. We believe in radical transparency: you deserve to know exactly what data is collected, how it is processed, where it goes, and who has access. We use strictly necessary, analytics, and marketing technologies — each described below with full technical detail. Analytics and marketing technologies are only activated after you give explicit consent.

Policy version: 1.1 — Last updated: March 16, 2026

[ DEFINITION ]

What Are Cookies and Similar Technologies?

Cookies are small text files placed on your device by websites you visit. They are widely used to make websites work efficiently, remember your preferences, and provide information to site owners.

Local storage and similar technologies (such as localStorage and sessionStorage) serve a similar purpose — they allow the website to store data locally on your device. Unlike cookies, they are not sent with every HTTP request and can hold more data.

On this website, we use these technologies to ensure the site functions correctly, to remember your consent choices, and — with your permission — to measure site usage and deliver relevant advertising.

[ CATEGORIES ]

Categories of Technologies We Use

1. Strictly Necessary

Required for the website to function and to save basic user settings (language preference, consent choice). These technologies are always active and cannot be disabled through the consent toggle. They do not track you across websites and do not send any data to third parties. Specifically, we store: your language preference (lang in localStorage), your consent choice (penger_consent in localStorage), and your order configuration (penger_order in sessionStorage — temporary data used to carry your selected product options between checkout pages, automatically cleared when you close the browser tab or after a successful purchase).

2. Analytics

Used to measure visits, events, user behavior, and traffic quality. These technologies are only activated after you give explicit consent. Analytics data helps us understand which pages are visited, how users navigate the site, and where they experience friction. We use this data solely to improve the website experience — we do not build personal profiles or sell this data. All analytics data is aggregated and we do not attempt to identify individual users.

3. Marketing

Used for advertising measurement, remarketing, and matching ad campaigns. These technologies are only activated after you give explicit consent. The "strictly necessary" exception does not apply to advertising purposes. Marketing technologies allow ad platforms to measure whether an ad click led to a website visit or purchase, and to show you relevant ads on other platforms. When enabled, these technologies may set cookies that can track your activity across different websites.

[ SERVICES ]

Services and Technologies

Service Provider Category Purpose Data / Signals Storage / Retention Loaded when Provider policy
Google Tag Manager Google LLC Strictly Necessary Tag management container. Controls loading of analytics and marketing tags based on user consent via Google Consent Mode v2. GTM itself does not track users — it acts as a dispatcher that loads or blocks other scripts depending on your consent state. The consent defaults are set to 'denied' for all categories before GTM initializes. Consent state signals (analytics_storage, ad_storage, ad_user_data, ad_personalization), tag configuration events. GTM does not collect personal data on its own — it only reads the consent state and decides which tags to fire. No cookies set by GTM itself (container script only). The GTM JavaScript file is loaded from googletagmanager.com. Always (manages consent signals for other tags) Link
Google Analytics 4 Google LLC Analytics Web analytics — measures site traffic, page views, events, user engagement, and traffic sources. GA4 uses an event-based data model: every interaction (page view, click, scroll, etc.) is recorded as an event with parameters. Data is sent to Google's servers where it is aggregated into reports. Page URL and title, referrer URL, campaign parameters (utm_source, utm_medium, utm_campaign, utm_term, utm_content), session ID, client ID (random identifier), screen resolution, viewport size, browser name and version, operating system, device category (desktop/mobile/tablet), language setting, approximate geolocation (country/city level, derived from IP), page load timing, scroll depth percentage, engagement time (how long the page was in focus), outbound link clicks, file downloads, site search terms, custom events we configure (e.g. button clicks, product configuration changes), and ecommerce events: view_item (when you view the product page), begin_checkout (when you start checkout), purchase (on successful payment — includes order ID, order total, currency, and product details such as finish, quantity, and selected options), and generate_lead (a conversion event sent alongside purchase for ad campaign optimization — includes order value and currency). Your IP address is used by Google to derive approximate geolocation but is not stored in GA4 reports (IP anonymization is enabled by default in GA4). _ga — client identifier cookie, randomly generated, used to distinguish users. Expires after 2 years of inactivity. Format: GA1.1.XXXXXXXXXX.TIMESTAMP. _ga_* — session state cookie tied to the specific GA4 property. Expires after 2 years. Stores session count and timestamp of first/last visit. _gid — daily user identifier. Expires after 24 hours. Used to group events within a single day. After analytics consent is granted Link
Microsoft Clarity Microsoft Corporation Analytics Session behavior analysis — session recordings, heatmaps, and behavioral analytics. Clarity records how users interact with the page (where they click, how they scroll, what they hover over) and plays it back as an anonymized session recording. This helps us identify UX issues such as dead clicks, rage clicks, and confusing navigation. Requires valid consent signal for EEA/UK/CH traffic per Microsoft's Consent Mode integration. Clicks (coordinates, target element), scroll depth and direction, mouse/touch movement coordinates, page views and navigation paths, session recordings (DOM snapshots with all text input fields automatically masked — no passwords, emails, or personal text is captured), rage clicks (repeated fast clicks indicating frustration), dead clicks (clicks on non-interactive elements), JavaScript errors, page load performance, viewport size, device type. Clarity does not record keystrokes in input fields. _clck — Clarity user identifier. Expires after 1 year. _clsk — Clarity session grouping cookie. Expires after 1 day. CLID — long-term identifier for linking sessions. ANONCHK — checks whether session data was properly transferred. MR — Microsoft cookie for referral tracking. MUID — Microsoft user identifier (set by bing.com domain). SM — used in synchronizing MUID across Microsoft domains. Some of these cookies are set on the microsoft.com/bing.com domains (third-party context). After analytics consent is granted Link
Meta Pixel Meta Platforms, Inc. Marketing Tracking visitor activity and ad measurement — advertising conversions, remarketing audiences, and campaign effectiveness across Meta platforms (Facebook, Instagram). When loaded, the Meta Pixel sends a PageView event to Meta's servers. This allows Meta to: (1) measure whether ad clicks led to visits on our site, (2) build remarketing audiences (e.g., show ads to people who visited our site), and (3) optimize ad delivery. The Pixel can track across websites if the user is logged into Facebook/Instagram. Page URL, referrer, PageView events, custom conversion events (e.g. Purchase, Lead, InitiateCheckout — sent when you complete a purchase or start checkout, including order value and currency for ad measurement), HTTP headers (user agent, Accept-Language), Meta cookie identifiers (_fbp, _fbc), Facebook click identifier (fbclid from URL if present), browser and device information, IP address (used by Meta for geo-targeting and then hashed), screen resolution, and Facebook Login status if applicable. Important: Meta may combine this data with your Facebook/Instagram profile to show targeted ads. _fbp — browser identifier set by Meta Pixel on our domain (first-party). Format: fb.1.TIMESTAMP.RANDOM. Expires after 90 days. Used to identify the browser for ad attribution. _fbc — click identifier, set when a user arrives from a Facebook ad (contains the fbclid parameter). Expires after 90 days. fr — third-party cookie set by facebook.com domain for ad delivery and measurement. Expires after 90 days. Additionally, Meta may set cookies on the facebook.com domain that are outside our control. After marketing consent is granted Link

[ DATA & SIGNALS ]

What Data and Signals Are Collected

Below is a comprehensive and transparent breakdown of every type of data that may be collected when you visit our website. We want you to know exactly what is captured, by whom, and for what purpose.

Always collected (strictly necessary, no consent required):

  • Language preference — your selected language (en/uk), stored in localStorage on your device. Never sent to any server.
  • Consent state — your cookie consent choices (which categories you accepted/rejected), stored in localStorage under the key penger_consent. Includes timestamp, policy version, and per-category status. Never sent to any external server.
  • Google Consent Mode signals — when GTM loads, it reads your consent state and sets Google Consent Mode parameters (analytics_storage, ad_storage, ad_user_data, ad_personalization) to 'granted' or 'denied'. These signals are sent to Google to control tag behavior.

Collected only with analytics consent:

  • Page views — the URL and title of every page you visit on our site, sent to Google Analytics and Microsoft Clarity.
  • Referrer — the URL of the page that linked you to our site (e.g., a Google search results page or a social media post).
  • Campaign parameters (UTM) — if you arrived via an ad or campaign link, the UTM tags in the URL (utm_source, utm_medium, utm_campaign, utm_term, utm_content) are captured by Google Analytics.
  • Session information — a randomly generated session ID, session start time, number of sessions, and whether this is your first visit. Used to group your page views into a single browsing session.
  • Client identifiers — randomly generated IDs stored in cookies (_ga, _ga_*, _gid, _clck). These are not your real identity — they are random strings used to distinguish one browser from another. Example: GA1.1.1234567890.1710000000.
  • Device and browser information — device category (desktop, mobile, tablet), operating system name and version, browser name and version, screen resolution, viewport size, device language setting.
  • Approximate geolocation — your country and city, derived from your IP address by Google and Microsoft. Your IP address is not stored in Google Analytics 4 reports. Microsoft Clarity uses IP for session-level geo but does not expose it in dashboards.
  • User interactions — clicks (which elements you click on), scroll depth (how far down you scroll expressed as a percentage), engagement time (how long the page was actively in the browser foreground), outbound link clicks (links that take you away from our site), file downloads.
  • Mouse and touch movement — Microsoft Clarity records cursor movement coordinates and touch gestures to generate heatmaps and session recordings. This shows where users tend to look and interact on the page.
  • Session recordings — Microsoft Clarity captures a replay of your browsing session as a series of DOM changes. All text typed into input fields is automatically masked and not recorded. The recording shows page layout, scrolling, clicks, and navigation — not personal input.
  • UX quality signals — Clarity detects rage clicks (repeated fast clicks on the same area), dead clicks (clicks on non-interactive elements), excessive scrolling, and JavaScript errors. These help us identify broken or confusing UI elements.
  • Page performance — page load timing, time to first byte, DOM content loaded time. Helps us optimize site speed.

Collected only with marketing consent:

  • Meta Pixel events — when marketing consent is granted, the Meta Pixel fires a PageView event on every page load. This sends the page URL, referrer, and a browser identifier (_fbp cookie) to Meta's servers.
  • Ad click identifiers — if you arrived from a Facebook/Instagram ad, the fbclid parameter from the URL is captured and stored in the _fbc cookie. This links your website visit to the specific ad you clicked.
  • Cross-site identifiers — Meta may set third-party cookies (e.g., fr on facebook.com) that can link your visit to our site with your activity on Facebook, Instagram, and other sites that use Meta Pixel. This is how Meta builds advertising audiences.
  • IP address (by Meta) — Meta receives your IP address as part of the Pixel request. Meta uses it for geo-targeting and fraud detection, and may hash and store it.
  • Browser fingerprint signals (by Meta) — user agent string, Accept-Language header, screen resolution, and timezone are sent with the Pixel request. Meta may use these to improve ad targeting accuracy.

What we do NOT collect: We do not collect your name, email address, phone number, physical address, or any other directly identifiable personal information through cookies or tracking technologies. We do not use tracking technologies on any forms. We do not engage in browser fingerprinting on our own. We do not sell your data to anyone. The randomly generated identifiers in cookies are not linked to your real identity in our systems.

[ WHEN TECHNOLOGIES LOAD ]

When Each Technology Is Activated

Before you make a consent choice, only strictly necessary components are loaded (site functionality and the consent management script).

Analytics and marketing technologies are not activated until you explicitly grant consent. No tracking scripts run, no third-party cookies are set, and no data is sent to analytics or advertising providers before your choice.

After you make your choice, the consent state is saved to localStorage and applied to all tags via Google Consent Mode v2. Here is exactly what happens for each consent scenario:

  • You reject all (or close the banner): Only the GTM container script runs. Google Consent Mode signals are set to 'denied'. GA4 may send cookieless pings (without identifiers) for basic measurement, but no cookies are set and no personal data is collected. Clarity and Meta Pixel are not loaded at all.
  • You accept analytics only: GA4 starts collecting data and sets _ga, _ga_*, _gid cookies. Microsoft Clarity loads and begins session recording with _clck and _clsk cookies. Meta Pixel is not loaded. No marketing data is sent.
  • You accept marketing only: Meta Pixel loads and sends PageView events, setting _fbp cookie. GA4 and Clarity remain in consent-denied mode (no analytics cookies set).
  • You accept all: All technologies load — GA4 with full analytics, Clarity with session recordings, and Meta Pixel with conversion tracking. All corresponding cookies are set.

[ MANAGING YOUR CONSENT ]

How to Manage Your Consent

You can change your cookie and technology preferences at any time by clicking Cookie Settings in the site footer. This reopens the settings panel where you can enable, disable, or fully withdraw consent for analytics and marketing technologies.

You can withdraw your consent just as easily as you gave it. When you withdraw consent, analytics and marketing cookies are deleted immediately and the corresponding scripts stop running.

Your choice is respected across the entire website for the duration of the consent storage period.

Browser Settings

You can also manage cookies through your browser settings. Most browsers let you block or delete cookies. Check your browser's help documentation for instructions. Note that blocking all cookies may affect site functionality.

[ CONSENT STORAGE & RETENTION ]

How Long Your Consent Choice Is Stored

Your consent state is stored in your browser's localStorage under the key penger_consent. It includes your choices for each category (necessary, analytics, marketing), a timestamp, and the current policy version.

The consent state is valid for 12 months from the date of your last choice. After this period, the consent banner will reappear so you can review and update your preferences.

If the policy version changes (for example, when we add or remove services), the consent banner will be shown again regardless of the expiration period, so you can make an informed choice based on the updated policy.

[ THIRD PARTIES ]

Third-Party Providers

When you consent to analytics or marketing technologies, data is processed by the following third-party providers. Each provider processes data under their own privacy policy. We do not sell or share your data with any other parties beyond those listed below.

  • Google LLC (Google Tag Manager, Google Analytics 4) — headquartered in Mountain View, CA, USA. Processes analytics data on Google Cloud infrastructure. Data may be stored in the US and other countries where Google operates data centers. Google acts as a data processor on our behalf for GA4 data. — Privacy Policy | GA4 Data Practices
  • Microsoft Corporation (Microsoft Clarity) — headquartered in Redmond, WA, USA. Session recording and heatmap data is processed on Microsoft Azure infrastructure. Microsoft may process data in the US, Europe, and other regions. — Privacy Statement | Clarity Cookie Consent
  • Meta Platforms, Inc. (Meta Pixel) — headquartered in Menlo Park, CA, USA. Advertising and conversion data is sent to Meta's servers. Meta may use this data to improve its advertising products, including showing you targeted ads on Facebook and Instagram. Meta acts as an independent data controller for some of this data, meaning Meta determines its own purposes for processing. — Privacy Policy

Important: Once data is sent to a third-party provider, it is subject to that provider's privacy policy and data handling practices, which are outside our direct control. We encourage you to read their policies. We have selected these providers carefully and configured them to minimize data collection where possible.

[ INTERNATIONAL DATA TRANSFERS ]

International Data Transfers

Our website is hosted and operated from Europe. However, when you consent to analytics or marketing technologies, your data may be transferred to and processed in the United States and other countries where our third-party providers operate data centers.

Specifically: Google (GA4, GTM) and Meta (Pixel) are US-based companies. Data sent to these services may cross international borders. These providers rely on the EU-US Data Privacy Framework, Standard Contractual Clauses (SCCs), and other legal mechanisms for lawful data transfers.

Microsoft (Clarity) processes data on Azure infrastructure which has data centers worldwide, including in the EU. Microsoft relies on SCCs and the EU-US Data Privacy Framework for transfers outside the EEA.

By granting consent to analytics or marketing technologies, you acknowledge that your data may be transferred to and processed in countries outside your country of residence, including the United States, where data protection laws may differ from those in your jurisdiction.

[ YOUR RIGHTS ]

Your Rights Regarding Cookie Data

Depending on your location, you may have the following rights regarding data collected through cookies and similar technologies:

  • Right to withdraw consent — you can withdraw your consent at any time by clicking "Cookie Settings" in the footer. This is as easy as giving consent. When withdrawn, tracking stops immediately and cookies are deleted.
  • Right to information — you have the right to know what data is collected about you. This policy provides that information in full detail.
  • Right to deletion — you can delete all cookies at any time through your browser settings or by withdrawing consent (which automatically deletes analytics and marketing cookies).
  • Right to object — by not granting consent, you effectively exercise your right to object to analytics and marketing data processing. No data is collected without your explicit consent.

To exercise any of these rights or for any questions, contact us at [email protected].

[ UPDATES ]

Changes to This Policy

We may update this policy when we add or remove services, change data processing practices, or when regulations change.

Any updates will be posted on this page with a new policy version number and last updated date.

When the policy version changes, the consent banner will reappear so you can review the changes and update your preferences.

[ CONTACT ]

Contact Information

PENGER

If you have questions about our use of cookies and similar technologies, or about this policy, contact us:

[email protected]