1. What this policy covers
This Cookie Policy explains how SemlyPro (“we”, “us”, “our”) uses cookies and similar technologies on semlypro.com, semlypro.nl, app.semlypro.com, and any subdomain, application, or browser extension/plugin operated by us (together, the “Sites”).
Who we are (the data controller). The Sites are operated by Semly Pro, a sole proprietorship (eenmanszaak) established in the Netherlands, registered with the KvK (Dutch Chamber of Commerce) under number 99448351, VAT ID NL005387029B31, with registered address Hawaiiweg 41, 1339 NW Almere, Netherlands (trading as “SemlyPro”). Semly Pro is currently owned and operated by its sole proprietor, Surya Pillai. Semly Pro intends to incorporate a private limited company (Semly Pro B.V.); upon incorporation, references to “SemlyPro” in this policy will be read as references to Semly Pro B.V. For contact and grievance details, see Section 9.
Scope. This policy covers cookies and equivalent client-side storage set through the Sites, our web application at app.semlypro.com, and any SemlyPro browser extension or plugin. It also covers tracking technologies embedded in the emails we send (see Section 2 on email tracking pixels). It does not govern cookies set by third-party websites you reach via links from the Sites — those are governed by those third parties’ own policies.
This policy sits alongside our Privacy Policy (published at https://semlypro.com/privacy), which explains how we handle personal data generally, our lawful bases, your rights, and our international-transfer safeguards, and our Sub-processor List (https://semlypro.com/subprocessors). Where a term is capitalised but not defined here, it has the meaning given in the Privacy Policy or Terms of Service.
2. What cookies and similar technologies are
Cookies are small text files placed on your device when you visit a website. They can be first-party (set by the site you are visiting) or third-party (set by another domain the site includes).
Similar technologies we may use include local storage, session storage, IndexedDB and other browser storage, pixels, tags, web beacons, software development kits (SDKs), device or browser fingerprinting signals, and server-side tracking identifiers. Storage set or read by our browser extension(s)/plugin(s) is treated the same way. Where this policy refers to “cookies” it also covers those similar technologies.
Cookies can be session cookies (deleted when you close your browser) or persistent cookies (stored for a longer period). We disclose typical retention/expiry in the cookie inventory at Section 3.6.
Email tracking pixels. Some of the emails we send — both transactional (e.g. account, security and service notices) and, where you have opted in, marketing emails — contain small tracking pixels or tagged links that tell us whether a message was opened and which links were clicked. These are “similar technologies” read/written on your device and are subject to the same consent and transparency rules as cookies. We use email-open/click tracking in marketing emails only on the basis of your consent / a valid soft opt-in (see Sections 3.4 and 4 and the Privacy Policy), and each marketing email carries a working unsubscribe/opt-out that we honour within the statutory period. Transactional-message delivery/diagnostic tracking is used on the basis of our legitimate interest in operating the Service securely and reliably, and is minimised; it is described in the Privacy Policy.
Local/session storage in the app and extensions. Our authenticated web application and any browser extension use local/session storage principally for strictly necessary functions (keeping you logged in, holding your in-app state, and securing the session). Where any browser storage in the app or an extension is not strictly necessary, we treat it as a non-essential technology requiring consent under Section 3 and the applicable law in Section 7.
3. Categories of cookies we use
The legal basis stated for each category below is summarised; the full statutory basis that applies to you, by jurisdiction (Netherlands/EEA, United Kingdom, India), is set out in Section 7.
3.1. Strictly necessary cookies
These cookies are required for the Sites to work. They enable you to log in, keep your session, remember your consent choices, and use secure features. Without them, parts of the Service will not function.
Legal basis: strictly necessary; no consent required. In the Netherlands this exemption is provided by Article 11.7a of the Telecommunicatiewet (the Dutch “cookiewet”, implementing Article 5(3) of the ePrivacy Directive 2002/58/EC). In the United Kingdom the equivalent exemption is in Regulation 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), as amended by the Data (Use and Access) Act 2025. In India, cookies that are strictly necessary to provide a service you have requested are used consistently with the Digital Personal Data Protection Act 2023 and the DPDP Rules 2025 (see Section 7.3).
Examples:
- Authentication tokens.
- Session identifiers.
- CSRF-prevention tokens.
- Load-balancer routing cookies.
- Cookie-consent record (the small record that stores your consent choices; see the note on consent records in Section 4).
3.2. Preference cookies
These cookies remember choices you make (for example, language, region, or interface settings) so that we can provide a customised experience.
Legal basis: consent, where required by law (Netherlands/EEA and India). In the United Kingdom, cookies that solely customise the appearance or functionality of the Sites at your request (such as accessibility or display preferences) may fall within the DUAA 2025 “appearance” exemption to PECR consent, in which case we rely on that exemption and provide clear information and a free-of-charge means to opt out rather than a consent gate.
3.3. Analytics and product-improvement cookies
These cookies help us understand how the Service is used, so we can improve it. They record events, feature usage, page views, and error information. Where possible we pseudonymise or aggregate the data.
Legal basis: consent in the Netherlands/EEA and India. In the United Kingdom, cookies used solely for statistical/analytics purposes may fall within the DUAA 2025 statistical-purposes exemption to PECR consent (added by section 112 of, and Schedule 12 to, the Data (Use and Access) Act 2025); where we rely on that exemption we provide clear and comprehensive information about the analytics and a free right to opt out, and we do not rely on it for any analytics cookie that also feeds advertising or cross-site targeting.
Providers we use: PostHog or Plausible for privacy-oriented product analytics, and Sentry (Functional Software, Inc.) for error and performance monitoring. Note: Sentry is an error-monitoring tool rather than a marketing analytics tool. Our analytics stack is reconciled with our live CMP scan and our Sub-processor List (https://semlypro.com/subprocessors).
Who can access data collected via these cookies. Access to analytics and product-improvement data by SemlyPro personnel and authorised contractors is bounded to what is necessary to operate, secure, support and improve the Service for our internal, non-public purposes, subject to confidentiality, least-privilege/role-based access controls and access logging. We do not use this data to train publicly-released AI models. The full clause is in our Privacy Policy and Data Processing Agreement.
3.4. Marketing and advertising cookies
These cookies are used to make marketing messages more relevant, to measure the performance of marketing campaigns, and to attribute sign-ups to marketing sources. We use these on our marketing site (semlypro.com, semlypro.nl). We do not set marketing or advertising cookies inside the authenticated Service (app.semlypro.com).
Legal basis: consent (Netherlands/EEA, United Kingdom and India). In the United Kingdom, advertising and cross-site targeting cookies continue to require consent under PECR reg. 6 and are not covered by the DUAA 2025 statistical/appearance exemptions. Related direct-marketing email is governed by PECR regs. 22–23 (including the “soft opt-in” for existing customers) in the UK, by Article 11.7a Telecommunicatiewet in the Netherlands, and by the applicable rules on commercial communications in India; see the Privacy Policy for the marketing-email lawful basis and opt-out commitments.
Providers we use: HubSpot (HubSpot, Inc.), LinkedIn Insight Tag (LinkedIn Ireland Unlimited Company), Google Ads and Google Analytics 4 (Google Ireland Limited), or successors listed on our Sub-processor List.
Children (India — DPDP). For traffic that may be attributable to a child (defined under the DPDP Act 2023 as an individual under 18), we do not undertake behavioural tracking, behavioural monitoring or targeted advertising, and we suppress marketing/advertising cookies, consistent with the DPDP Rules 2025. See Section 7.3.
3.5. Note — Google marketing cookies vs. Google data integrations
To avoid confusion: the Google Ads and Google Analytics 4 cookies described in Section 3.4 are set by us on our marketing site to measure our own campaigns. This is separate from the customer-authorised Google data integrations — Google Ads, Google Analytics 4 and Google Search Console connected by OAuth to import a customer’s own campaign, analytics and search-console data into the Service. Those integrations are not cookies on your device; they are described, together with their lawful basis, transfers, and our Google API Services / Limited Use commitments, in our Privacy Policy and Data Processing Agreement.
3.6. Cookie inventory
The table below sets out the main cookies and similar technologies used across the Sites, the app and any extension. We keep this inventory current as our cookies change. As required by transparency law, each cookie is disclosed with its provider, purpose, category and typical retention.
| Cookie / storage item | Provider (1st / 3rd party) | Purpose | Category | Typical retention |
|---|---|---|---|---|
| Session / auth token | SemlyPro (1st) | Keep you logged in; secure the session | Strictly necessary | Session |
| CSRF token | SemlyPro (1st) | Prevent cross-site request forgery | Strictly necessary | Session |
| Load-balancer routing cookie | SemlyPro (1st) | Route requests to the correct server | Strictly necessary | Session |
| Cookie-consent record | SemlyPro (1st) | Store your consent choices | Strictly necessary | Up to 6 months (re-prompt) |
| Preference (language/region/UI) | SemlyPro (1st) | Remember your interface choices | Preference | Up to 12 months |
| Product-analytics ID | PostHog or Plausible (3rd) | Understand feature usage; improve the Service | Analytics | Up to 12 months |
| Error-monitoring signal | Sentry (3rd) | Capture errors/performance issues | Analytics/diagnostics | Session |
| Marketing/attribution cookies | HubSpot; LinkedIn Insight Tag; Google Ads / GA4 (3rd) | Campaign measurement; sign-up attribution | Marketing | Up to 24 months (varies by tag) |
4. How we obtain consent
Where consent is required by law, we ask for your consent before setting non-essential cookies. Our cookie banner allows you to accept all, reject all, or manage cookies by category, with the reject option as prominent and as easy to use as the accept option, and no non-essential cookie fires before you consent. You can change your choices at any time by clicking the “Cookie settings” link in the site footer.
Withdrawing consent. Withdrawing consent is as easy as giving it; use the “Cookie settings” link at any time. For Indian Data Principals, consent (and its withdrawal) may also be exercised through a registered Consent Manager where we make one available, as contemplated by the DPDP Rules 2025.
Consent re-prompt. Consent is stored for a maximum of six (6) months, after which we will ask again. This six-month figure is the re-prompt cadence of the consent record on your device — it is not the retention period of our audit record of your consent.
Consent audit record. Separately from the six-month re-prompt, we keep a record demonstrating that and how you consented (or refused), so that we can evidence consent as required by Article 7(1) GDPR / UK GDPR and the DPDP Rules 2025. This audit record is retained for the period stated in our internal Data Retention & Deletion Schedule and is not affected by clearing cookies.
We keep the wording of this Section, the categories in Section 3, and the six-month re-prompt aligned to whatever our live CMP actually enforces.
5. How to control cookies
5.1. Through our cookie banner
Use the cookie banner or the “Cookie settings” link in the site footer at any time to accept, reject, or manage cookies by category, and to withdraw consent.
5.2. Through your browser
Most browsers allow you to view, delete, and block cookies. Instructions vary by browser:
- Chrome:
support.google.com/chrome/answer/95647 - Firefox:
support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop - Safari:
support.apple.com/guide/safari/manage-cookies-sfri11471 - Edge:
support.microsoft.com/en-gb/microsoft-edge
Blocking or deleting cookies may affect how the Service works.
5.3. Through opt-out tools
- Your Online Choices (EU):
youronlinechoices.eu - NAI Opt-Out:
optout.networkadvertising.org
5.4. Automated browser privacy signals (Do Not Track / Global Privacy Control)
Some browsers can transmit automated privacy preferences such as Do Not Track (DNT) or Global Privacy Control (GPC). There is not yet a settled legal standard requiring websites to honour these signals, and our Sites do not currently respond to DNT or GPC. We will update this Section as machine-readable browser-signal law matures (the EU Digital Omnibus proposal of 19 November 2025 expressly contemplates honouring browser-transmitted consent/refusal signals, though it is not yet law — see Section 7.1).
6. Third-party cookies and cross-border transfers
Some of the third-party providers listed above (for example our analytics, error-monitoring, and marketing/advertising providers) may transfer data outside the European Economic Area or the United Kingdom. Where this occurs, we rely on the safeguards described in our Privacy Policy (https://semlypro.com/privacy) and identify each recipient on our Sub-processor List (https://semlypro.com/subprocessors). Those safeguards include, as applicable, adequacy decisions (such as the EU–US Data Privacy Framework and its UK extension, where the recipient is certified), the EU Standard Contractual Clauses, and, for the United Kingdom, the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs. For transfers of Indian personal data, transfers are permitted except to any country restricted by the Indian government. The definitive list of recipients and the specific transfer mechanism for each is maintained in the Privacy Policy and Sub-processor List.
7. Legal framework and jurisdiction-specific information
This policy applies globally, but the governing statutory framework depends on where you are. The cookie-law landscape is changing; we review these citations at each update.
7.1. European Economic Area / Netherlands
Cookies and similar technologies are governed by Article 5(3) of the ePrivacy Directive 2002/58/EC, as implemented in the Netherlands by Article 11.7a of the Telecommunicatiewet (the “cookiewet”), read together with the GDPR (Regulation (EU) 2016/679) for the processing of any personal data. Strictly necessary cookies are exempt from consent; all other categories require prior, freely given, specific, informed and unambiguous consent (GDPR Article 4(11) and Article 7), and we must be able to demonstrate that consent. The Dutch supervisory authority is the Autoriteit Persoonsgegevens (AP), which runs automated scans checking, among other things, that a reject button is as prominent as accept and that no non-essential cookie fires before consent.
Framework in flux (for information): the proposed ePrivacy Regulation was formally withdrawn on 11 February 2026, and the European Commission’s Digital Omnibus proposal of 19 November 2025 would move cookie rules into the GDPR (proposed new Articles 88a and 88b), introducing single-click reject, a six-month bar on re-asking after refusal, and honouring of machine-readable browser signals. That proposal is not yet law; the ePrivacy Directive framework above continues to govern. We will update this policy if and when it is adopted.
7.2. United Kingdom
For UK visitors, cookies and similar technologies are governed by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), Regulation 6, read with the UK GDPR consent standard, and enforced by the Information Commissioner’s Office (ICO). PECR has been materially amended by the Data (Use and Access) Act 2025 (DUAA) (Royal Assent 19 June 2025), with the relevant PECR changes in force from 5 February 2026. In particular, the DUAA:
- creates new consent exemptions for certain lower-risk purposes — including cookies used solely for statistical/analytics purposes, cookies that adjust appearance/functionality at the user’s request, and emergency-assistance purposes — provided clear information and a free opt-out are offered (we apply these only where genuinely applicable, and never to advertising/targeting cookies);
- broadens Regulation 6 so that it also catches parties who instigate the storage of, or access to, information on a device; and
- raises the maximum PECR fine from £500,000 to UK GDPR levels (up to £17.5 million or 4% of global annual turnover).
Direct-marketing email to UK users is governed by PECR regs. 22–23, including the “soft opt-in” for existing customers.
7.3. India
For users in India, cookies and trackers that store identifiers (cookie IDs, device IDs) or enable profiling are treated as processing of digital personal data under the Digital Personal Data Protection Act 2023 (DPDP Act) and the DPDP Rules 2025 (notified on 13 November 2025), with a phased commencement (the notice, consent, grievance and children’s-data obligations are expected to be fully operative around May 2027). For such cookies we rely on free, specific, informed and unambiguous prior consent, preceded or accompanied by a standalone, plain-language notice of the categories of data and the purposes; consent can be withdrawn as easily as it is given (including, where available, via a registered Consent Manager). SemlyPro acts as a Data Fiduciary for cookie data it determines the purposes of, and its India-facing obligations — Data Principal rights, cross-border transfer (permitted except to any country the Indian government restricts), and breach notification — are set out in our Privacy Policy and India Privacy & Grievance Addendum.
Children. Under the DPDP Act a child is anyone under 18. We do not undertake tracking, behavioural monitoring or targeted advertising directed at children, and we require verifiable parental/guardian consent before processing a child’s personal data; accordingly, marketing/advertising and behavioural-analytics cookies are suppressed for India-facing traffic that may be a child.
Grievance. A Grievance Officer contact is published in Section 9 and in our India Privacy & Grievance Addendum, as required by the DPDP Rules 2025 (and, where applicable, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 and the Consumer Protection (e-Commerce) Rules 2020).
8. Changes
We may update this Cookie Policy from time to time — for example, to reflect changes in the cookies we use, in our providers, or in the law (including the UK DUAA changes, the DPDP phase-in, and any EU Digital Omnibus adoption). Material changes will be notified via our Sites, and the “Last updated” date at the top will be revised. Where the change requires it, we will ask for your consent again.
9. Contact
This Cookie Policy is issued by Semly Pro (eenmanszaak), trading as SemlyPro, KvK 99448351, VAT NL005387029B31, Hawaiiweg 41, 1339 NW Almere, Netherlands — the data controller for cookies set through the Sites.
- Cookies / privacy questions: anil@semlypro.com
- Grievance Officer (India — DPDP Act 2023 / DPDP Rules 2025): anil@semlypro.com. You can contact our Grievance Officer at this address, and we will respond within the statutory timeline.
Last updated 13 July 2026 · Operated by Semly Pro (eenmanszaak), KvK 99448351, Hawaiiweg 41, 1339 NW Almere, Netherlands · Questions about this document: anil@semlypro.com