Cookie Policy
Information about cookies, local/session storage and similar technologies we use on neurapay.ai.
1. Overview
This cookie policy supplements our privacy policy. It explains which cookies and similar technologies we use, for what purpose and on what legal basis.
The controller is LegaFund AG, Basteiplatz 5, 8001 Zurich. Privacy: datenschutz@lega-fund.com.
2. Legal basis
We use strictly necessary technologies on the basis of our legitimate interest in operating the website (Art. 31(1) revFADP, Art. 6(1)(f) GDPR). All non-essential technologies – in particular analytics and reach measurement – are only used with your consent (Art. 6(1)(a) GDPR); we inform you via our consent banner.
3. Consent management
Your cookie consent is stored in your browser's localStorage under the key neurapay_cookie_consent as a structured JSON object in version 2. The object contains a version indicator v (currently the value 2), an ISO-8601 timestamp decided_at of your decision and the two boolean fields analytics (reach measurement and product analytics) and functional (enhanced convenience features such as embedded meeting-booking widgets). Nothing beyond these fields is stored.
In parallel, we transmit your decision to our accountability endpoint (/api/consent-log), where it is stored for 3 years in pseudonymised form (hashed IP, hashed user agent). This serves to document consent (Art. 7 GDPR).
In the event of material changes to this policy or the underlying processing, we increase the consent version. You will then see the banner again and can decide anew.
You can change or revoke your consent at any time by accessing "Cookie settings" in the footer or by clearing the localStorage entry.
4. Technologies used
4.1 Essential (no consent required)
| Technology | Provider | Purpose | Storage | Duration |
|---|---|---|---|---|
| Language preference | NeuraPay (First-Party) | Remember chosen language | localStorage (neurapay_language) | persistent until deletion |
| Consent decision | NeuraPay (First-Party) | Store your cookie consent | localStorage (neurapay_cookie_consent) | persistent until revocation |
| Nura session ID | NeuraPay (First-Party) | Attribute your Nura conversation | sessionStorage (nura_session_id) | tab lifetime |
| CSRF / security token | NeuraPay (First-Party) | Protection against CSRF | Cookie (__Host-csrf) | Session |
4.2 Functional
We currently do not use any functional technologies beyond the essential ones. This category is enabled by default in the banner so that customer portals (e.g. HubSpot meeting widget) can load once configured.
4.3 Analytics and reach measurement (consent required)
| Technology | Provider | Purpose | Storage | Duration |
|---|---|---|---|---|
| Mixpanel SDK | Mixpanel Inc. (EU residency) | Usage analytics (page views, click events) | localStorage (mp_<token>_mixpanel), __mp_opt_in_out_<token>, __mp_opt_in_out_tracking_<token> | 12 months |
4.4 Marketing
We currently do not use marketing/advertising cookies. The category is disabled by default in the banner.
5. Third-party services without cookies
neurapay.ai makes use of a small number of third-party services which do not set any cookies on your device but which do process personal data while they are in use. We inform you transparently about each of these services below.
Google Gemini API (Nura chat). When you use our AI assistant Nura, your inputs are transmitted via an encrypted connection to the Gemini API in the EU region for each request. The generated responses are returned by Gemini. For quality assurance and abuse-prevention purposes we subsequently retain both your input and the response for 30 days within our own infrastructure at Vercel (region fra1, Frankfurt). A complete description can be found in section 11 of our privacy policy.
Mailgun (transactional email). To send transactional emails triggered by our contact and application forms, we use Mailgun via the EU endpoint api.eu.mailgun.net. No cookies are set and no tracking pixels are embedded in the emails. Data is only transmitted to Mailgun at the time you submit a form.
HubSpot meeting scheduler. The HubSpot meeting widget is only loaded once you actively wish to schedule a conversation and provided that you have previously consented to functional technologies. When the widget is opened, HubSpot sets the cookies __hssc, __hstc and hubspotutk, which are used for session recognition and meeting management.
6. Server log files
When you access our pages, log data (time, IP address, user agent, URL accessed, referrer, status code) is recorded by our hoster (Vercel, region fra1) for technical reasons and deleted after 90 days. Legal basis: legitimate interest in secure operation (Art. 6(1)(f) GDPR).
7. Revocation and browser settings
You may withdraw your consent at any time: (a) via the "Cookie settings" link in the footer or (b) by clearing the aforementioned localStorage entries. In addition, you can configure your browser to reject cookies in general.
