Cookie Policy
Cookies, pixels and similar tracking technologies used on mintbyte.com — categories, vendors, retention, and how to opt out. DPDP-2023 + GDPR aligned.
Effective date: 3 June 2026 Last updated: 3 June 2026 Supersedes: Cookie Policy v2.0 dated 31 May 2026 Version: 2.1
This Cookie Policy explains how MintByte Investment Services Private Limited uses cookies and similar tracking technologies on www.mintbyte.com. Read with our Privacy Policy — particularly §13. Issued in compliance with the DPDP Act 2023, the IT Act 2000 + SPDI Rules 2011, applicable SEBI / AMFI guidance, and (where applicable) the EU ePrivacy Directive, UK PECR 2003, and GDPR.
1. What is a "cookie"?
A cookie is a small text file a website places on your device. Cookies allow a site to recognise your device, remember preferences, secure your session, measure usage and (sometimes) personalise content. The umbrella term "cookies" here also covers:
- localStorage and sessionStorage entries
- pixels and web beacons (1×1 transparent images)
- fingerprinting scripts that derive a quasi-identifier from your browser configuration
- tag managers that load other scripts conditionally on consent
2. Your consent — and how you can change your mind
We deploy non-essential cookies only after you give consent through our cookie banner (managed by CookieYes). On the banner you can:
- Accept all — strictly necessary + functional + analytics + marketing
- Reject all (non-essential) — only strictly-necessary cookies will be set
- Customise — opt in to specific categories
You can change your preferences at any time using the floating "Cookie Settings" icon at the bottom-left of every page, or by clearing the cookieyes-consent cookie (this re-shows the banner on your next visit).
Consistent with s.6 DPDP, your consent is informed, specific, free, unconditional and capable of being withdrawn. Withdrawal must be as easy as giving consent and does not affect the lawfulness of prior processing.
Global Privacy Control / Do-Not-Track. Where your browser sends a GPC signal, we treat it as a valid opt-out for the marketing and (consent-based) analytics categories.
3. Categories of cookies we use
3.1 Strictly necessary (no consent required)
Essential for the site to operate — session management, security, load balancing, CSRF protection, the consent banner itself.
| Cookie / domain | Set by | Purpose | Retention |
|---|---|---|---|
cookieyes-consent | CookieYes | Records consent preference | 1 year |
__cf_bm, cf_clearance, _cfuvid | Cloudflare edge | Bot management, DDoS protection, visitor distinction | 30 min – 30 days |
__Secure-authjs.session-token (or authjs.session-token on non-HTTPS dev) | MintByte (Auth.js v5) | Signed-in session JWT. Issued at sign-in, used to authenticate every subsequent request. HttpOnly, Secure, SameSite=Lax. Server-side jti revocation backs each token (wp_mb_sessions). | Up to 7 days from sign-in (sliding) |
__Host-authjs.csrf-token | MintByte (Auth.js v5) | CSRF double-submit token for sign-in / sign-out POSTs. HttpOnly, Secure. | Session |
mb_pending_2fa | MintByte | HMAC-signed bridge cookie used between the password step and the OTP step at sign-in. Cleared as soon as 2FA verifies (or fails). HttpOnly, Secure, SameSite=Lax. | 5 minutes |
mb_impersonate | MintByte | HMAC-signed admin-impersonation state. Set only when a MintByte admin uses Account Tools → Impersonate to view a user's surface. Carries adminId + targetUserId + start time. Banner is always shown while active. HttpOnly, Secure, SameSite=Lax. | 30 minutes |
mb_device_salt | MintByte | Random per-device salt used to derive the device fingerprint we hash for the "new-device sign-in" suspicious-login email and trusted-device list. The salt itself is not personally identifying (a random UUID) and never leaves the server. HttpOnly, Secure, SameSite=Lax. | 5 years |
3.2 Functional (consent-based)
Remember your choices — language, time-zone, last-viewed pages, sidebar state.
| Cookie / domain | Set by | Purpose | Retention |
|---|---|---|---|
_calendly_* | Calendly | Embedded scheduling widget; fires only on click | Session – 30 days |
cookieyes-language | CookieYes | Banner-language preference | 1 year |
3.3 Performance / analytics (consent-based)
Aggregated usage analytics to improve content and product.
| Cookie / domain | Set by | Purpose | Retention |
|---|---|---|---|
_ga, _ga_<measurement-id> | Google Analytics 4 via Site Kit | Pages viewed, session duration, traffic sources, conversion events. IP truncated. | Up to 2 years |
3.4 Marketing & third-party (consent-based)
Set by third-party services we use for lead capture, social proof, content embeds and outreach.
| Cookie / domain | Set by | Purpose | Retention |
|---|---|---|---|
__hssc, __hssrc, __hstc, hubspotutk, __hs_do_not_track, messagesUtk | HubSpot | CRM, form submission, lead identification, pre-fill, automation, embedded CTAs, live chat | Session – 13 months |
g_state | Google Identity Services | Google One Tap dismissal state | Up to 6 months |
__Secure-ROLLOUT_TOKEN, __Secure-YNID, VISITOR_INFO1_LIVE, YSC, PREF | YouTube | Set when an embedded YouTube video loads/plays. Privacy-enhanced (no-cookie) variant used where possible. | Session – 2 years |
trustindex-* | TrustIndex | Embedded reviews / testimonial widgets. Only on pages with a reviews widget. | Up to 1 year |
| TradingView session cookies + localStorage | TradingView | Renders embedded market widgets; remembers chart preferences/drawings. Storage on tradingview-widget.com origin. Fires only on Markets / Home. | Session – 1 year |
__gads, __gpi, _grecaptcha | reCAPTCHA protection on forms; Google account features | Session – 13 months |
Vendor-set cookies may be added or renamed at the vendor's discretion. We periodically reconcile this table against live-site scans.
4. Tag managers, pixels and similar technologies
We use Google Tag Manager (via Site Kit) to fire analytics and marketing tags only when the corresponding consent category has been granted. We also use localStorage and sessionStorage entries for non-identifying UI state (e.g., last-opened mega-menu). These behave similarly to cookies and are governed by the same consent classification.
5. Cross-border data transfers
Some vendor servers are hosted outside India — Google Analytics edge, HubSpot US/EU, Cloudflare global edge, TrustIndex (Hungary), TradingView (US / Cyprus). Cross-border processing is consistent with s.16 DPDP and only to jurisdictions not restricted by the Central Government. For EEA / UK / Swiss residents: EU SCCs, UK IDTA, and (where applicable) EU-US DPF. See Privacy Policy §8 for the full sub-processor list.
6. How long cookies are stored
- Session cookies — deleted when you close your browser
- Persistent cookies — stay for the period above or until you delete them
7. How to opt out
- Our consent banner — "Cookie Settings" icon at the bottom-left of every page
- Browser settings — block all, block third-party, accept per-site, or delete existing cookies
- Vendor-specific opt-outs:
- Google Analytics: tools.google.com/dlpage/gaoptout
- HubSpot Do-Not-Track: clear
__hs_do_not_trackor use our consent banner - YouTube: do not click on embedded video thumbnails
- Industry self-regulatory: youronlinechoices.eu (EU); youradchoices.com (US)
- Device-level privacy controls — iOS App Tracking Transparency, Android "Limit Ad Tracking" / Privacy Sandbox
Blocking some cookies will degrade specific features (scheduling widget, embedded videos, live chat).
8. Grievance Officer
| Field | Detail |
|---|---|
| Name | Ms. Abhilasha Tiwari, Compliance Officer |
[email protected] | |
| Postal | HD-327, WeWork Oberoi Commerz II, 20th Floor, CTS No. 95, Off W. E. Highway, Oberoi Garden City, Goregaon East (D2), Mumbai, Maharashtra 400063, India |
| Phone | +91 9833139568 (Mon–Fri, 10:00–18:00 IST) |
9. Changes
We may update this Cookie Policy at any time. Material changes notified via prominent notice on the Services.