Last updated · May 4, 2026
Cookie Policy
This Cookie Policy explains the cookies and similar tracking technologies we use on www.mumara.com, school.mumara.com, support.mumara.com, and any other Mumara-operated marketing site that links to this Policy (collectively, our "Sites"). It supplements our Privacy Policy. This Policy does not cover cookies or tracking inside the Mumara application — those are covered by your subscription and the in-product settings.
You can update your choices at any time via the link in the footer of every page.
Contents
- 1. What is a cookie?
- 2. Other tracking technologies we use
- 3. Why we use cookies
- 4. Cookie categories and consent model
- 5. Detailed cookie list
- 6. First-party vs third-party cookies
- 7. How long cookies last
- 8. How we protect performance and privacy
- 9. Email and SMS tracking inside Mumara
- 10. How to manage your preferences
- 11. Browser controls
- 12. Do Not Track and Global Privacy Control
- 13. Cookies and the GDPR / ePrivacy
- 14. Cookies and California (CPRA)
- 15. Children
- 16. Updates to this Policy
- 17. Contact
1. What is a cookie?
A cookie is a small text file that a website places on your device (computer, phone, or tablet) when you visit it. Cookies allow a site to remember things about you between page loads or visits — for example, your language preference, whether you are signed in, or whether you have accepted analytics tracking. Cookies cannot read other files on your device and cannot run programs.
Cookies are either session cookies (deleted when you close your browser) or persistent cookies (remain until they expire or you delete them). They are either first-party (set by the site you are visiting) or third-party (set by another organization whose code is embedded on the site).
2. Other tracking technologies we use
Several technologies behave like cookies and are governed by the same consent rules:
- Local storage and session storage — browser-level storage similar to cookies but typically larger and not sent on every request.
- Pixels (web beacons) — tiny invisible images (1x1 pixel) used by analytics and advertising tools to record that a page was loaded.
- SDKs / script-injected identifiers — for example, the identifiers analytics vendors generate to deduplicate visits.
- Server-side analytics — Cloudflare Web Analytics aggregates anonymous, cookieless metrics at the edge. We classify it as essential for measurement, not as a cookie.
Throughout this Policy, "cookies" includes the technologies above, except where the distinction matters.
3. Why we use cookies
- To make the Sites work (sign-in state, security, language).
- To remember your preferences (cookie consent state, region, dark/light theme).
- To measure how the Sites perform and which content helps visitors.
- To support customer-facing features like live chat, where you choose to use them.
- To measure conversions from ads (only if you opt in).
4. Cookie categories and consent model
We group cookies into four categories. Necessary cookies are always on; the other three are off by default and load only after you opt in.
| Category | Default | Used for |
|---|---|---|
| Necessary | Always on (cannot be disabled) | Site state, security (CSRF), language, the cookie-consent state itself. |
| Functional | Off — opt-in | Optional features such as live chat that set their own cookies when you use them. |
| Analytics | Off — opt-in | Measuring visits, page performance, and which content helps. Cloudflare Web Analytics is cookieless and used by default; opting in additionally enables Google Analytics 4. |
| Marketing | Off — opt-in | Conversion tracking and audience building for ads on third-party platforms. |
5. Detailed cookie list
The table below lists the specific cookies our Sites may set, who sets each one, what it does,
and how long it lasts. Cookie names that include a wildcard (*) cover a family
of related cookies set by the same provider.
5.1 Necessary
| Name | Set by | Purpose | Lifetime |
|---|---|---|---|
mumara_session | Mumara (first-party) | Maintains anonymous site state during your visit. | Session |
mumara_csrf | Mumara (first-party) | CSRF token for form submissions (contact form, newsletter, etc.). | Session |
mumara_locale | Mumara (first-party) | Remembers your language and region preference. | 1 year |
mumara_consent | Mumara (first-party) | Stores your cookie-consent decision so we don't ask again on every page. | 12 months |
cf_* (e.g. __cf_bm) | Cloudflare (third-party) | Bot management, security, and rate-limiting at the edge. | Up to 30 minutes |
5.2 Functional (opt-in)
| Name | Set by | Purpose | Lifetime |
|---|---|---|---|
gleap_* | Gleap (third-party) | Maintains the live-chat session and any open conversation. Set when you open the chat widget. | Up to 1 year |
5.3 Analytics (opt-in)
| Name | Set by | Purpose | Lifetime |
|---|---|---|---|
| Cloudflare Web Analytics | Cloudflare (third-party) | Server-side, cookieless aggregate metrics. No cookie or device identifier is set. | — |
_ga | Google Analytics (third-party) | Distinguishes unique visitors. Loaded only with your consent, via Partytown. | 2 years |
_ga_* | Google Analytics 4 (third-party) | Used to persist session state for GA4 measurement. | 2 years |
_gid | Google Analytics (third-party) | Distinguishes users for short-term session continuity. | 24 hours |
5.4 Marketing (opt-in)
| Name | Set by | Purpose | Lifetime |
|---|---|---|---|
_fbp | Meta / Facebook Pixel (third-party) | Tracks conversions and supports re-marketing on Facebook/Instagram. Loaded only with your marketing consent, via Partytown. | 3 months |
fr | Meta / Facebook (third-party) | Used for ad delivery and measurement on the Meta platforms. | 3 months |
Lifetimes shown are the maximum the third-party sets. We may add or remove cookies as we change tooling; we update this page when we do. If you spot a cookie not listed here, tell us via /contact/ and we will investigate.
6. First-party vs third-party cookies
First-party cookies are set by Mumara (e.g. mumara_consent). They never leave the
Mumara environment. Third-party cookies are set by services we embed (Cloudflare for security,
Gleap for chat if you opt in, Google Analytics if you opt in to analytics, Meta if you opt in
to marketing). Each third party operates under its own privacy policy.
7. How long cookies last
- Session cookies are deleted when you close your browser.
- Persistent cookies remain until the lifetime listed in the table above expires, or until you clear them via your browser or the cookie-preferences panel.
- Local storage remains until cleared by you or by the application that set it.
8. How we protect performance and privacy
Marketing and analytics scripts are offloaded to a web worker via Partytown. They run in the background and cannot block page rendering. They are loaded only after you opt into the relevant category. This is a deliberate engineering choice — we do not want third-party scripts to harm the experience or to fire before you decide.
We use Cloudflare Web Analytics (cookieless, server-side) by default for basic visit metrics so we can keep operating the Sites even when no analytics consent is granted.
9. Email and SMS tracking inside Mumara
Inside the Mumara application, our customers (Members) can enable open and click tracking on the campaigns they send. Open tracking uses a tracking pixel (a 1×1 image) and click tracking rewrites links so the click is logged before the recipient is redirected to the destination. Both are configurable per campaign and can be disabled. These mechanisms are not governed by this Cookie Policy — they are governed by the agreement between the Member and their Contacts and by the Member's own privacy notice.
10. How to manage your preferences
Click the link in the footer of any page to open the preferences panel. There you can:
- Switch each non-essential category on or off.
- See exactly which third-party services would load if you opt in.
- Save your choices, which we remember for 12 months via
mumara_consent. - Withdraw consent at any time. Withdrawing consent stops future loading of the affected scripts; cookies already set are not retroactively deleted by us, but you can delete them via your browser.
11. Browser controls
Your browser provides additional controls. You can clear cookies, block third-party cookies, or block all cookies. Doing so will reset all preferences (including ours) and you will see the consent banner again on your next visit. Some Site functionality may not work with all cookies blocked.
- Chrome — Settings → Privacy and security → Cookies and other site data.
- Edge — Settings → Cookies and site permissions.
- Firefox — Settings → Privacy & Security → Cookies and Site Data.
- Safari (macOS) — Safari → Settings → Privacy.
- Safari (iOS) — Settings → Safari → Block All Cookies.
12. Do Not Track and Global Privacy Control
Browsers signal user intent in different ways. Mumara honours an explicit consent decision made through our preferences panel — that is the most reliable way to control what runs on your visit. We also recognize the Global Privacy Control (GPC) signal where it is sent: visitors with GPC enabled are treated as opting out of "sale" and "share" categories under the CPRA and similar laws. Pure "Do Not Track" (DNT) signals are inconsistent across browsers and we do not rely on them as a substitute for our consent panel; if both are present, the panel choice wins.
13. Cookies and the GDPR / ePrivacy
In the EU and UK, the ePrivacy Directive (and the UK PECR) require consent for any cookie or similar technology that is not strictly necessary for the service the user has requested. The GDPR applies to the personal data those technologies process. We use a consent gate that:
- Loads only necessary cookies before consent.
- Treats analytics, functional, and marketing cookies as opt-in (no pre-checked boxes).
- Records consent state and timestamp so we can demonstrate compliance.
- Lets you withdraw consent as easily as you gave it.
14. Cookies and California (CPRA)
The California Privacy Rights Act treats certain cookie-driven advertising as a "sale" or "share" of personal information. Mumara does not sell personal information for money. We do not engage in cross-context behavioural advertising by default. Where opting into the marketing category would enable third-party advertising tools that fall within "sharing" under the CPRA, you can decline that category in the preferences panel; we also honour the Global Privacy Control signal as an opt-out of any such "sharing".
15. Children
Our marketing Sites are not directed to children. We do not knowingly use cookies or similar technologies to collect personal information from children under 16. If you believe we have done so, contact us via /contact/ and we will investigate.
16. Updates to this Policy
We update this Policy when our cookie usage changes. Material changes — for example, adding a new third-party tag — are reflected in the table in Section 5 and in the consent panel before the change is enabled. The "Last updated" date at the top of this page reflects the most recent revision. We may also reset stored consent state when we add new categories so you can review and re-confirm.
17. Contact
Questions about cookies? Contact /contact/ with subject line "Cookies" or "Privacy". For California-specific opt-out questions, mark "CCPA — opt out of sharing".