At a glance.
The short version. The full detail is in the sections below.
| Question | Honest answer |
| --- | --- |
| Does Fluxa use cookies | Yes, a small number, only where they are strictly necessary to make the service work or to keep it secure |
| Does Fluxa use advertising cookies | No. Not on the public website, not in the dashboard, not on the hosted checkout |
| Does Fluxa use cross-site tracking | No. No retargeting pixels, no shared identifiers, no behavioural profiles |
| Does Fluxa use third-party analytics (Google Analytics, Hotjar, Mixpanel) | No |
| Does Fluxa show a cookie consent banner | No. There is a one-time informational notice on the homepage (“This site uses essential cookies only. No tracking, no ads.”) so you know up-front what to expect, but it is not a consent gate; there is nothing to opt out of because we do not set any cookies that require consent |
| Do you sell or share cookie data | No. Cookie data never leaves Fluxa for marketing or data-broker purposes |
| Can I turn off the cookies you do set | Yes, through your browser controls. Note that turning off strictly necessary cookies will break the dashboard or checkout |
| What is the legal regime | UK Privacy and Electronic Communications Regulations (PECR), UK GDPR, Data Protection Act 2018, and the ICO storage and access guidance finalised on 29 April 2026 |
| Maximum penalty for breaching PECR | £17.5 million or 4% of global annual turnover, whichever is higher, since the Data (Use and Access) Act 2025 came into force on 5 February 2026 |
| Who to contact about cookies | dpo@fluxapay.co.uk |
What is a cookie.
A cookie is a small text file a website asks your browser to store on your device. When you come back, the website can read the cookie and recognise that it is the same browser. Cookies can keep you logged in, remember a setting, protect a form against attack, or measure traffic. They can also, in less honest hands, track you across thousands of websites to build an advertising profile.
The same rules apply to other forms of storage that work like cookies: browser local storage, session storage, IndexedDB, and any similar technology that stores information on your device. UK law (PECR regulation 6) covers all of these, not just classic HTTP cookies. The Data (Use and Access) Act 2025 widened the language further to cover any technology that stores or accesses information on terminal equipment.
Cookies have two important properties: who set them (the website you are visiting, called first-party, or someone else, called third-party), and how long they last (session cookies disappear when you close your browser; persistent cookies have an explicit expiry date). Both properties matter for privacy and both are listed for every cookie below.
Our position.
Fluxa is a UK B2B payments company. We do not sell advertising, we do not run a marketplace funded by ad revenue, and we do not need to know which other websites you have visited. So we do not use cookies for advertising, retargeting, behavioural profiling, or third-party analytics that share your behaviour with their parent platforms.
What we use cookies for, in full:
- Keeping you logged in to the merchant dashboard once you have signed in
- Securing forms on the dashboard and the hosted checkout against cross-site request forgery
- Bot management at the edge, run by our content delivery network, to keep the platform up under denial-of-service attempts
- Remembering your theme preference (light or dark) if you change it in the dashboard
That is the whole list. There are no further cookies. There is no advertising stack, no consent management platform, no tag manager loading dozens of third-party scripts. The marketing pages on this website set zero cookies of their own; a small notice appears on the homepage on first visit explaining this, with a “Got it” acknowledgement that is recorded in browser local storage so the notice does not reappear. The notice exists to inform, not to gate consent.
Categories we use.
UK cookie law gives a small number of narrowly defined exceptions to the consent requirement. The Data (Use and Access) Act 2025, section 112 and Schedule 12, inserted a new Schedule A1 to PECR which expanded the strictly necessary exception with six clarifying examples and added three new categories: statistical purposes, preference and adaptation, and emergency assistance. Together with the two existing exceptions under regulation 6 itself (communication transmission and strictly necessary), there are now five exempt categories in total. Cookies that fall within these categories do not need consent, although for the new categories users must be given clear information about the purpose and a simple, free way to object. Cookies outside these categories need explicit consent before they are set.
| Category | Consent required | Does Fluxa use this |
| --- | --- | --- |
| Strictly necessary | No, exempt under PECR regulation 6 and Schedule A1 | Yes. Session, CSRF protection, bot management. The cookies that make the dashboard and checkout work. |
| Communication transmission | No, exempt under PECR regulation 6 | No. We do not set cookies solely for routing network communications; this is handled at the protocol layer. |
| Statistical (first-party only, sole purpose) | No, exempt under PECR Schedule A1 from 5 February 2026, provided clear information is given and a simple, free way to object is offered | No. We measure traffic from anonymised server access logs only, with no cookies set for that purpose. |
| Preference and adaptation | No, exempt under PECR Schedule A1 from 5 February 2026, provided clear information is given | Yes. One cookie remembers your light or dark theme choice in the dashboard. |
| Emergency assistance | No, exempt under PECR Schedule A1 from 5 February 2026 | No. We do not operate an emergency identification service. |
| Analytics with shared data (Google Analytics and similar) | Yes, explicit consent required (purpose-mixing voids the statistical exemption) | No. |
| Advertising and retargeting | Yes, explicit consent required | No. |
| Social media embeds and share buttons | Yes, explicit consent required | No. |
| Fingerprinting and device tracking | Yes, explicit consent required | No. |
Every cookie Fluxa sets falls into either the strictly necessary category or the preference category, both of which are exempt from the consent requirement under PECR after the Data (Use and Access) Act 2025 amendments. This is why we do not show a consent banner.
Every cookie listed.
The complete list of cookies Fluxa sets, across the public website, the merchant dashboard, the hosted checkout, the docs site and the demo. If a cookie is set, it is in this table. If it is not in this table, it is not set by us.
Important scope note. The public marketing website (fluxapay.co.uk and its content pages) sets zero cookies of its own. We have no analytics scripts, no advertising tags, and no JavaScript that writes to document.cookie on the marketing pages. The only cookies that appear on those pages are the Cloudflare edge cookies below, set by our content delivery network to keep the site secure. Cookies for session, authentication and CSRF apply only when you sign in to the dashboard or initiate a payment on the hosted checkout.
| Cookie name | Set by | Where | Purpose | Category | Duration |
| --- | --- | --- | --- | --- | --- |
| fluxa.sid | Fluxa, first party | dashboard.fluxapay.co.uk, pay.fluxapay.co.uk | Server-side session identifier. Keeps you signed in. HttpOnly, Secure, SameSite=Lax. | Strictly necessary | Session, or 30 days if “remember me” is selected |
| __Host-fluxa.csrf | Fluxa, first party | dashboard.fluxapay.co.uk, pay.fluxapay.co.uk | Cross-site request forgery token. Protects every form submission against attack. Host-prefixed, Secure, SameSite=Strict. | Strictly necessary | Session |
| fluxa.theme | Fluxa, first party | dashboard.fluxapay.co.uk | Remembers your light or dark theme choice so we can render the dashboard correctly on the next page load before the user-preference media query resolves. Not used for any other purpose. | Preference (PECR Schedule A1 exempt) | 1 year |
| __cf_bm | Cloudflare, our content delivery network | All Fluxa subdomains | Cloudflare Bot Management or Bot Fight Mode. Distinguishes real visitors from automated traffic to protect the platform from denial-of-service and credential-stuffing attacks. Encrypted by Cloudflare; not used to track users across sites or sessions. A separate cookie is generated for each site, and the cookie does not correspond to any user ID in our application. Required for the service to function reliably under load. | Strictly necessary | 30 minutes of continuous inactivity |
| cf_clearance | Cloudflare, our content delivery network | All Fluxa subdomains, only if a security challenge is triggered | Records that your browser has passed a Cloudflare security challenge so you are not asked to solve it on every page. Only set if a challenge is presented. | Strictly necessary | 30 minutes, up to 1 year for trusted IPs |
Five cookies in total. Four strictly necessary, one preference. None for advertising, none for cross-site tracking, none for third-party analytics. The public marketing pages (fluxapay.co.uk and subpages) set only the two Cloudflare cookies; everything else activates only inside the merchant dashboard or the hosted checkout, both of which require you to actively sign in or initiate a payment.
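A reader who wants to check a response against the table above can compare its Set-Cookie headers with the declared names, hosts and attributes. The following is an added example, not code published by Fluxa; the function names, the `INVENTORY` structure and the sample headers are assumptions constructed for illustration.

```python
# Added example: audit Set-Cookie headers against the cookie table on this page.
# Inventory values come from that table; the sample headers are constructed.
ALL = None  # marker: cookie is declared for all Fluxa subdomains
APP = {"dashboard.fluxapay.co.uk", "pay.fluxapay.co.uk"}
INVENTORY = {
    # name: (declared hosts, required flags, required SameSite value)
    "fluxa.sid": (APP, {"httponly", "secure"}, "lax"),
    "__Host-fluxa.csrf": (APP, {"secure"}, "strict"),
    "fluxa.theme": ({"dashboard.fluxapay.co.uk"}, set(), None),
    "__cf_bm": (ALL, set(), None),
    "cf_clearance": (ALL, set(), None),
}

def parse_set_cookie(header):
    """Return (name, attrs); attrs maps lower-cased attribute name -> value."""
    first, *rest = [p.strip() for p in header.split(";")]
    name = first.split("=", 1)[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit(host, headers):
    """Compare one response's Set-Cookie headers with the declared inventory."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name not in INVENTORY:
            findings.append(f"{name}: not in the published cookie table")
            continue
        hosts, flags, samesite = INVENTORY[name]
        if hosts is not ALL and host not in hosts:
            findings.append(f"{name}: not declared for {host}")
        for flag in sorted(flags - set(attrs)):
            findings.append(f"{name}: missing {flag}")
        if samesite and attrs.get("samesite", "").lower() != samesite:
            findings.append(f"{name}: SameSite is not {samesite}")
        # Browser rule for the __Host- prefix: Secure, Path=/, no Domain.
        if name.startswith("__Host-") and (
            "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs
        ):
            findings.append(f"{name}: violates __Host- prefix requirements")
    return findings

# Constructed sample responses (not captured from the real service).
GOOD = ["fluxa.sid=abc; Path=/; HttpOnly; Secure; SameSite=Lax",
        "__Host-fluxa.csrf=tok; Path=/; Secure; SameSite=Strict"]
BAD = ["fluxa.sid=abc; Path=/; Secure; SameSite=Lax",
       "__Host-fluxa.csrf=tok; Path=/; Domain=fluxapay.co.uk; Secure; SameSite=Strict",
       "_ga=GA1.2.3; Path=/"]

print(audit("dashboard.fluxapay.co.uk", BAD))
```

Running the same audit with the host set to `fluxapay.co.uk` flags the session and CSRF cookies, since the table declares only the two Cloudflare cookies for the marketing pages.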
Third parties.
The only third party that sets a cookie on a Fluxa domain is Cloudflare, our content delivery and security provider. Cloudflare cookies are used solely to protect the platform from automated abuse and to deliver content reliably under load; they are not used by Cloudflare to build a profile of you across other Cloudflare-protected sites for advertising purposes. Cloudflare publishes its own cookie behaviour at cloudflare.com/cookie-policy.
Specifically, Fluxa does not use:
- Google Analytics, Google Tag Manager, Google Ads, or any other Google tracking technology
- Facebook Pixel, LinkedIn Insight Tag, X Pixel, or any other social-media advertising tag
- Hotjar, Mixpanel, Heap, Amplitude, Segment, or any other behavioural analytics platform
- Intercom, Drift, or any other in-page chat tool that sets visitor-identification cookies
- HubSpot, Marketo, Pardot, or any other marketing-automation tracker
- Any consent-management platform (we do not need one, see below)
- Any data-broker or audience-enrichment service that uses cookies for identification
If we add a third-party cookie in future, this page will be updated before the cookie is enabled, and the version history below will record the change. The default position is and will remain: we do not add third-party tracking.
How to manage cookies.
Every web browser lets you view, block, or delete cookies for any website. Because Fluxa only sets strictly necessary and preference cookies, blocking them will affect how the dashboard or checkout works for you, but it will not break anything irrecoverably; signing back in will reset whatever needs resetting.
| Browser | Where to manage cookies |
| --- | --- |
| Chrome (desktop and Android) | Settings » Privacy and security » Cookies and other site data. Or visit support.google.com/chrome/answer/95647 |
| Safari (macOS) | Safari » Settings » Privacy » Manage Website Data. Or visit support.apple.com/guide/safari |
| Safari (iOS) | Settings » Safari » Privacy and Security » Block All Cookies, or Clear History and Website Data |
| Firefox | Settings » Privacy and Security » Cookies and Site Data. Or visit support.mozilla.org |
| Edge | Settings » Cookies and site permissions » Manage and delete cookies and site data. Or visit support.microsoft.com |
| Brave | Settings » Privacy and security » Cookies and other site data. Brave blocks third-party cookies and trackers by default. |
If you use a privacy-focused browser (Brave, Firefox with strict tracking protection, Safari with Intelligent Tracking Prevention), Fluxa works without any changes. We test against all of these regularly and none of them are deliberately worked around.
The Global Privacy Control signal is respected where it applies. Since we do not set any cookies that require consent, the signal currently has nothing to switch off, but it is honoured for any analogous controls we may add in future.
Legal basis.
UK cookie law sits at the intersection of two regimes, both of which apply.
Privacy and Electronic Communications Regulations 2003 (PECR)
PECR regulation 6 is the specific UK law on cookies. It requires that information is not stored on or accessed from a user’s device unless either the user has given consent or the storage falls within a listed exception. The Data (Use and Access) Act 2025, in force from 5 February 2026, made two material changes:
- It inserted a new Schedule A1 to PECR (via section 112 and Schedule 12 of the DUAA), which expanded the strictly necessary exception with six clarifying examples and added three new exempt categories: statistical purposes, preference and adaptation, and emergency assistance. The two pre-existing exceptions, communication transmission and strictly necessary, are retained. Total exempt categories: five.
- It expanded the scope of PECR to cover not only those who set or access cookies, but also any party that instigates their storage or access. If an organisation directs a third party to set cookies on its behalf, that organisation is liable under PECR even if the third party physically sets the cookie.
The maximum penalty for a PECR breach was raised by the same Data (Use and Access) Act from £500,000 to £17.5 million or 4% of global annual turnover, whichever is higher, aligning PECR penalties with UK GDPR. We take this seriously: every cookie listed on this page has been reviewed against the current ICO guidance, and the default position when considering any new cookie is not to set it.
UK GDPR and the Data Protection Act 2018
Where a cookie processes personal data, the UK GDPR and the Data Protection Act 2018 also apply. Fluxa relies on the following lawful bases:
- Contract (UK GDPR Article 6(1)(b)) for session and authentication cookies on the dashboard and checkout: we cannot deliver the service you have signed up for without keeping you logged in
- Legitimate interests (UK GDPR Article 6(1)(f)) for the security and bot-management cookies set by Cloudflare: protecting the platform from automated abuse is a legitimate interest, and the privacy impact on you is low because the data is not used for marketing or profiling
- Consent (UK GDPR Article 6(1)(a)) would apply to any non-essential cookies; we currently set none, so this lawful basis is not in play, and no consent record needs to be kept
Our full privacy policy sets out lawful bases for every category of processing, not only cookies.
ICO guidance
The Information Commissioner’s Office published its finalised guidance on storage and access technologies on 29 April 2026, following two rounds of consultation in December 2024 and July 2025. The guidance is the authoritative interpretation of PECR regulation 6 and Schedule A1 in the UK. We have built this page against that final guidance, including the two new sub-chapters on what a “simple means of objecting” requires and on using the same storage technology for multiple purposes.
Other storage technologies.
The cookie rules under PECR cover any technology that stores or accesses information on a user’s device, not just classic HTTP cookies. For completeness, this section lists every other browser-side storage technology Fluxa uses and confirms that none of them is used for tracking or advertising.
| Technology | Where | What we store and why |
| --- | --- | --- |
| Local storage | fluxapay.co.uk (marketing site), dashboard.fluxapay.co.uk | On the marketing site: a single key, fluxa_cookies_ack, records that you have seen the one-time cookie notice so it does not reappear. No other use. On the dashboard: UI state such as collapsed or expanded panel preferences, table sort orders, last-viewed tab. Cleared by clearing browsing data. Not transmitted to Fluxa or any third party. Strictly necessary for the dashboard to remember where you left off. |
| Session storage | dashboard.fluxapay.co.uk, pay.fluxapay.co.uk | Form state during a multi-step flow (onboarding, checkout) so a page refresh does not lose progress. Cleared when you close the tab. Not transmitted to Fluxa. |
| IndexedDB | None | We do not use IndexedDB. |
| Service workers | None at present | We do not register service workers. If we add one in future (for example, to support offline reading of the docs site), it will be listed here before it is deployed. |
| Web push notifications | None | We do not request or send push notifications. |
| Browser fingerprinting | None | We do not use canvas, font, audio or any other form of browser fingerprinting. Cloudflare’s bot management uses some passive signal collection at the edge for security purposes only; this is documented in their own privacy policy. |
Changes to this policy.
We will update this page whenever the cookies we set change, whenever the law changes in a way that affects us, or when our position on cookies needs to be clearer. Two principles apply:
- New cookies are listed here before they are enabled. If we plan to set a new cookie, the row will appear in the table above first, and the cookie will be activated only after the page has been updated. There is no “deploy first, document later” route.
- Version history is public. Material changes are recorded with the date and a brief description. The current version was published on 19 May 2026.
For minor edits (typo fixes, formatting), the last-updated date is bumped without a separate version entry.
Contact.
For questions, complaints, or corrections about this page or about any cookie Fluxa sets, email dpo@fluxapay.co.uk. Messages are acknowledged within one working day. The full set of routes is on the contact page.
If you are not satisfied with our handling of a cookie-related matter under UK GDPR, the statutory escalation route is the Information Commissioner’s Office. Full contact details are on the complaints page.
This procedure follows the Privacy and Electronic Communications Regulations 2003 as amended by the Data (Use and Access) Act 2025, UK GDPR, the Data Protection Act 2018, and the ICO guidance on storage and access technologies finalised 29 April 2026. We update this page whenever the underlying regulation or our cookie set changes; the version date is recorded above. Related documents: Privacy Policy, Terms of Service, Security.