L&S Legal Tech LTD
Cookie Policy
Effective Date: 2 June 2025
Website: www.lsdifc.com
- Introduction
1.1 The purpose of this Cookie Policy (“Policy”) is to give transparent, comprehensive information about how and why cookies and similar technologies (collectively, “cookies”) are deployed on the Website. By continuing to browse or use the Website, you acknowledge that you have read, understood, and consented to the practices described herein.
1.2 This Policy forms part of, and should be read together with, (a) our Terms and Conditions and (b) our Privacy / Data Protection Compliance Statement. Capitalised terms not defined in this Policy have the meaning given to them in those documents.
1.3 We recognise the importance of protecting individuals’ fundamental rights to privacy and data protection. Accordingly, we adhere to the principles set out in DIFC Data Protection Law No. 5 of 2020 and, where applicable, draw guidance from international frameworks such as the EU General Data Protection Regulation (GDPR), the UK GDPR, and the e-Privacy Directive.
- What Are Cookies?
2.1 A cookie is a small alphanumeric file that a website transfers to the hard drive or solid-state storage of your device (e.g., computer, smartphone, tablet) through your web browser. The cookie enables the website or a third-party provider to recognise your browser and to capture and remember certain information.
2.2 Cookies perform numerous functions, including but not limited to:
- Essential operations – enabling core page navigation or authentication.
- Performance measurement – collecting statistical information to improve site performance.
- Functionality enhancement – remembering choices (such as language, region, or font size).
- Targeted advertising – tailoring marketing content or ads to users’ interests.
2.3 Cookies can be categorised by:
- Duration – Session cookies (which expire when you close your browser) vs. Persistent cookies (which remain until a set expiry date or manual deletion).
- Origin – First-party cookies (set by the domain you are visiting) versus Third-party cookies (set by external domains).
- Legal Bases for Using Cookies
3.1 Under Article 10(1) of the DIFC Data Protection Law, the processing of personal data must rest upon a lawful ground. In the context of cookies, we rely on two primary bases:
- Legitimate Interests – for strictly necessary cookies essential to the operation or security of the Website.
- Consent – for any non-essential cookies, including analytics, functionality, and targeting cookies.
3.2 Where consent is required, we deploy a compliant cookie-consent banner and preference-management tool. You may grant or refuse consent granularly (i.e., category by category) and may withdraw consent at any time by adjusting settings within the tool or your browser.
- Types of Cookies We Use — Narrative Description
To give you a precise yet fully “word-based” explanation, the five categories of cookies we deploy are set out below in prose rather than in a spreadsheet-style table. The headings match those that appear in our consent banner, so you can easily recognise them when you visit the “Cookie Settings” panel on the Website.
4.1 Necessary (Essential) Cookies
These cookies are indispensable to the technical operation, security, and accessibility of www.lsdifc.com. They enable core functions such as page rendering, load balancing across servers, session management, fraud prevention, and verification of bot mitigation challenges. Typical cookie names you might encounter include cf_bm, AWSALB, and PHPSESSID. They store random session identifiers and server-affinity tokens, not personal profile data, and most expire when you close your browser. However, some security tokens can persist for up to twelve months. Because they are strictly necessary for the Website to function, they are always active and cannot be disabled through our preference centre.
4.2 Performance (Analytics) Cookies
Performance cookies collect aggregated, pseudonymised statistics that help us understand how visitors navigate our pages, which URLs load slowly, where error messages occur, and what content is most frequently consulted. The insights drawn from these metrics enable us to refine layouts, streamline code, and prioritise improvements that matter most to our users. Examples include Google Analytics 4 identifiers such as _ga, _gid, and _gat, or Mixpanel tokens. The data points captured (visitor ID hashes, timestamps, referrer URLs, and click paths) do not directly identify you, and retention periods range from one minute to twenty-four months. These cookies are set only after you have granted explicit consent in the banner or settings panel.
4.3 Functionality Cookies
Functionality cookies remember the choices you make, such as your preferred language, region, font size, colour-contrast mode, or the fact that you have dismissed the cookie notice, so that the Website behaves consistently during this and future sessions. Example names include lng_pref, theme, cookie, and notice dismissed. By storing these preferences (usually in simple alphanumeric values), the site spares you from re-configuring settings on every visit. The lifespan for such cookies can extend up to twenty-four months, though many expire sooner. Because they are not strictly essential, they load only after you have opted in via the consent interface; if you decline them, certain personalised features may revert to defaults each time you return.
4.4 Targeting / Advertising Cookies
Targeting cookies build an interest profile so that the adverts you see—either on our pages or across the wider web—are more relevant to you. They may share limited, pseudonymised data with advertising networks or social media platforms. Typical examples are Google Marketing Platform cookies such as IDE and test_cookie, Facebook’s fbp, or Google AdSense’s gcl_au. Typically, the information captured includes an advertising identifier, device type, truncated IP-based geolocation, and high-level interaction events (such as impressions and clicks). Lifespans vary from a single day to roughly eighteen months (540 days), and every such cookie is deployed only after you have given granular, category-specific consent. You can revoke that consent at any time through our settings panel or by visiting network-wide opt-out portals such as Your Online Choices.
4.5 Social-Media Plugin Cookies
Where we embed sharing widgets or one-click log-in flows provided by platforms like LinkedIn, X (Twitter), or YouTube, those platforms may place their cookies—e.g., LinkedIn’s li_oatml and bcookie, or X’s guest_id. These cookies recognise whether you are already logged in to the relevant social network and can track your browsing across different sites that feature the same plugin. They store your social-network user ID and login status, with expiry periods ranging from the end of a session to approximately twenty-four months. Because they are non-essential and potentially involve cross-site tracking, we request your explicit permission before loading them.
How to Control These Cookies
You can accept, reject, or later modify your preference for each of the non-essential categories above (Performance, Functionality, Targeting, and Social-Media) via the floating “Cookie Settings” icon available on every page. Necessary cookies remain active by design, but all other types depend entirely on your freely given, revocable consent.
- First-Party vs. Third-Party Cookies
5.1 First-party cookies originate from the lsdifc.com domain and are controlled directly by us. They include our content-management system session cookie and preference cookies.
5.2 Third-party cookies are placed by external service providers integrated with our Website, e.g., analytics vendors (Google Analytics 4, Mixpanel), advertising exchanges (Google Marketing Platform), A/B testing tools (Optimizely), or embedded video platforms (YouTube). While we strive to select reputable partners committed to strong privacy practices, their use of cookies is subject to their privacy policies.
5.3 We maintain a due diligence register that documents each third-party provider’s data protection posture, transfer mechanisms, and retention schedules, which are reviewed at least annually.
- Cookie Deployment Lifecycle
6.1 Prior Assessment: Before any new cookie is launched, the Company conducts a Cookie Impact Assessment, balancing (a) technological necessity, (b) proportionality, (c) user expectations, and (d) potential privacy risks.
6.2 Documentation: Each cookie is logged in our Record of Processing Activities (ROPA) in compliance with Articles 14 and 19 of the DIFC Law. The log captures the following information: name, purpose, data categories, retention period, recipients, transfer locations, and lawful basis.
6.3 Technical Implementation:
- For consent-based cookies, dataLayer events trigger cookie set-up only after our consent-management API returns a “true” state.
- Cookies are set using the Secure and HttpOnly flags wherever browsers support them; SameSite=Lax or SameSite=Strict is applied unless cross-site functionality is indispensable, in which case SameSite=None; Secure is used.
- All JavaScript tags that write or read cookies are scanned nightly by a tag-governance script to prevent unauthorised code injection.
6.4 User Controls: Users can revisit their cookie preferences at any time by clicking the floating “Cookie Settings” icon. Changes take effect immediately, and revocation triggers deletion of any existing non-essential cookies via a purge script.
- Managing Cookies – Your Choices
7.1 Via the Website Banner / Panel
(a) On your first visit, you see a banner explaining that cookies are in use.
(b) You may accept all cookies, decline all non-essential cookies, or select specific categories.
(c) An audit log records timestamp, anonymised IP, and category selection for evidentiary purposes.
7.2 Via Browser Settings
Most browsers (Chrome, Firefox, Safari, Edge, Opera) allow you to:
- View a list of installed cookies.
- Delete individual or all cookies.
- Block third-party cookies by default.
- Receive notifications before a cookie is stored.
7.3 Opt-Out Mechanisms for Targeting Cookies
Providers such as Google and Meta participate in industry self-regulatory programs (e.g., YourOnlineChoices, NAI). You may opt out of behavioural advertising network-wide by visiting those portals.
7.4 Effect of Disabling Cookies
Blocking or deleting necessary or functionality cookies may impair Website usability—e.g., you might need to log in repeatedly or encounter layout issues. Performance cookies help us improve services; refusing them limits our ability to measure usage. Targeting cookies, being optional, can be declined without affecting core functionality.
- Data Collected Through Cookies
8.1 Identifiers – randomly generated strings, device IDs, or advertising IDs.
8.2 Device Information – browser type, operating system, screen resolution.
8.3 Network Data – IP address (truncated or hashed where feasible), connection speed, proxy status.
8.4 Usage Metrics – pages visited, dwell time, click paths, referring URLs.
8.5 Preference Data – language selection, region, font size, contrast mode.
8.6 Ad Interaction – impressions, clicks, view-through conversions (for consented targeting cookies).
We do not intentionally use cookies to collect sensitive categories of data (e.g., special-category personal data under DIFC law) unless expressly necessary and with heightened safeguards.
- International Data Transfers
9.1 As noted in our Privacy Statement, we may transmit cookie-derived personal data to processors outside the DIFC. This typically occurs when using cloud-hosted analytics or advertising services domiciled in the EU, the US, or APAC.
9.2 Where transfers occur to jurisdictions without an adequacy determination by the DIFC Commissioner, we rely on appropriate safeguards, including DIFC-approved Standard Contractual Clauses (SCCs), Binding Corporate Rules, or Article 27 derogations (explicit consent, necessity for contract).
9.3 A list of all third-country transfers linked to cookies, together with the relevant safeguards, is available upon request from our Data Protection Officer (DPO).
- Retention and Expiry
10.1 Persistent cookies automatically expire after the period stated in § 4 above unless renewed by a subsequent visit and consent.
10.2 We truncate or pseudonymize analytics identifiers after 26 months, unless a shorter period better meets data minimization expectations.
10.3 Server-level logs (which may include cookie data in HTTP headers) are retained for a maximum of 14 months for security forensics, then deleted or anonymised.
10.4 When you withdraw consent, our revocation script flags the associated cookie for immediate deletion and ensures no further writes are made from that time onward.
- Security Measures
11.1 We employ encryption in transit (TLS v1.3 or higher) for all cookie exchanges.
11.2 Cookie values are hashed or tokenised where possible, avoiding storage of plain-text personal data inside the cookie payload.
11.3 Access to raw analytics datasets is restricted by least-privilege principles and multi-factor authentication, and is audited quarterly by our Security & Compliance team.
11.4 Vulnerability assessments, including OWASP ZAP scans and penetration tests, are carried out not less than once per annum to validate cookie integrity and flag misconfigurations (e.g., missing Secure flag).
- Children’s Data
The Website is not directed to minors under 18. We do not knowingly place cookies to profile children or collect children’s data without a verified parental consent mechanism. If you believe we have inadvertently processed a child’s data via cookies, please get in touch with the DPO immediately for remediation.
- Automated Decision-Making and Profiling
13.1 Some targeting cookies facilitate profiling—i.e., automated processing of personal data to evaluate personal preferences or interests. Profiling is limited to marketing contexts and never produces legal or similarly significant effects on individuals.
13.2 Where profiling occurs, you maintain the right to object at any time (Article 32 DIFC Law). Exercising this right is as simple as disabling “Targeting Cookies” within the preference panel.
- Do Not Track (DNT) Signals
Some browsers transmit “DNT” headers indicating the user’s preference not to be tracked. There is no uniform industry standard for interpreting these signals. We treat a valid DNT header as an opt-out of non-essential cookies, mirroring the effect of declining all categories except “Necessary.”
- Changes to This Cookie Policy
15.1 We reserve the right to update this Policy to reflect changes in technology, law, or our business operations. Material changes include additions of new cookie categories, significant changes to suppliers, or modifications to consent mechanisms.
15.2 When updates occur, we will:
- Amend the “Last Updated” date at the bottom of this document.
- Display a prominent banner or pop-up summarising key modifications.
- Where legally required, solicit renewed consent (e.g., introducing a new targeting vendor).
15.3 We encourage you to review this Policy periodically. Continued use of the Website after changes are posted constitutes your acceptance of the updated Policy.
- Your Rights and How to Exercise Them
In addition to cookie-specific options, you may exercise broader data-protection rights as outlined in our Privacy Statement, including:
- Right of Access – obtain confirmation and a copy of cookie-derived personal data.
- Right to Rectification – correct inaccurate pseudonymous identifiers, where feasible.
- Right to Erasure – request deletion of personal data obtained through cookies.
- Right to Restrict Processing – pause processing of cookie data under certain conditions.
- Right to Object – object to profiling or direct marketing.
- Right to Data Portability – receive data you provided in machine-readable format (where technically practicable).
To submit a request, email privacy@lsdifc.com with sufficient details for identity verification. We respond within one month, with an additional two months for complex requests, as per Article 33(3) of the DIFC Law.
- Regulatory Oversight
If you are dissatisfied with our handling of cookie-related personal data, you may complain to the DIFC Commissioner of Data Protection. We would, however, appreciate the opportunity to address your concern first. Please get in touch with our DPO using the details below.
- Contact Us
L&S Legal Tech LTD
Website: www.lsdifc.com
General Enquiries
Email: info@lsdifc.com
Phone: +971 58 100 8038
Data Protection Officer
Email: dpo@lsdifc.com
Last Updated: 2 June 2025