Legal Sandbox Georgia LLC
Version: 2.0
Effective Date: 13 May 2026
Last Updated: [Date]
Document Language: English (Georgian version prevails in case of conflict)
| Question | Answer |
|---|---|
| Do we use cookies? | Yes |
| Do we need your consent? | Yes, for non-essential cookies (Functional, Analytics, Marketing) |
| Can you refuse cookies? | Yes, except strictly necessary cookies |
| What happens if you refuse? | The Platform will still work, but some features may be limited |
| Can you change your mind? | Yes, anytime via our cookie settings or your browser |
| Who sets cookies? | We do (first-party) and some service providers (third-party) |
| What about marketing tracking? | Meta Pixel + Meta Conversions API; gated behind explicit marketing consent. See §3.5, §4.4, and §5. |
| What about Google Calendar OAuth? | Server-side tokens, not browser cookies. See §4.5 |
| Supervisory authority? | Personal Data Protection Service of Georgia |
This Cookie Policy explains how Legal Sandbox Georgia LLC ("we," "us," "our," or the "Platform"), operator of legal.ge, uses cookies and similar tracking technologies when you visit our website.
This Policy should be read together with our Privacy Policy v2.1, which explains how we handle personal data collected through cookies, and the applicable Function Rulebooks which govern specific Platform features.
Cookies are small text files that are stored on your device (computer, tablet, or mobile phone) when you visit a website. They help the website recognise your device and remember certain information about your visit, such as your preferences or login status.
In addition to cookies, we may use similar technologies including:
Throughout this Policy, "cookies" refers to all these technologies unless otherwise specified.
Cookies and browser-side technologies described in this Policy are distinct from server-side data storage (such as OAuth tokens stored in our database for Google Calendar integration). Server-side data storage is governed by the Privacy Policy v2.0 and the applicable Function Rulebook (e.g., Calendar Function Rulebook §7.5 for Google Calendar OAuth tokens).
We operate a strict opt-in cookie policy in compliance with the 2023 Georgian Personal Data Protection Law (No. 3144) and applicable European requirements. This means:
When you first visit our website, you will see a cookie consent banner that allows you to:
You can change your cookie preferences at any time by:
If you change your preferences, the new settings will apply from that point forward. Cookies already placed may remain until they expire or you delete them.
We use the following four categories of cookies:
| Category | Consent Required? | Purpose |
|---|---|---|
| Strictly Necessary | No | Essential for website operation |
| Functional | Yes | Enhanced features and preferences |
| Analytics | Yes | Understanding how visitors use our site |
| Marketing | Yes | Conversion tracking and remarketing via Meta Pixel and Meta Conversions API |
Each non-essential category is independently controlled by the user via the cookie consent banner. The user may grant consent for some categories and decline others.
These cookies are essential for the website to function properly. Without them, services you have requested cannot be provided. You cannot opt out of these cookies.
| Cookie Name | Provider | Purpose | Duration | SameSite |
|---|---|---|---|---|
| cookie_consent | legal.ge | Stores your selected consent preferences for the four categories (Necessary, Functional, Analytics, Marketing) | 365 days | Lax |
| cookie_consent_session | legal.ge | Anonymous consent session identifier; used to link consent decisions to authenticated user IDs when available, for audit purposes | 365 days | Lax |
| sb-access-token | Supabase | Authentication token (managed by Supabase auth system) | Session | Per Supabase configuration |
| sb-refresh-token | Supabase | Authentication refresh token | Per Supabase configuration | Per Supabase configuration |
These cookies enable enhanced functionality and personalisation. They may be set by us or by third-party providers whose services we use.
| Cookie Name | Provider | Purpose | Duration | SameSite |
|---|---|---|---|---|
| theme | legal.ge | Remembers light/dark mode preference; set by inline initialisation script in the page layout | 365 days | Lax |
Note on language preference: Language is determined by the URL path segment (e.g., /ka/, /en/, /ru/) rather than by a browser cookie. Language selection persists across visits via URL routing, not cookie storage.
These cookies help us understand how visitors interact with our website by collecting and reporting information anonymously. Analytics cookies are placed only after the user grants explicit consent in the Analytics category via the cookie banner.
| Cookie Name | Provider | Purpose | Duration |
|---|---|---|---|
| _ga | Google Analytics 4 | Distinguishes unique users | 2 years |
| _gid | Google Analytics 4 | Distinguishes unique sessions | 24 hours (typical) |
| _ga_<container> | Google Analytics 4 | Stores additional configuration and traffic data | 2 years |
| _gat | Google Analytics 4 | Throttles request rate | Session |
| _gac_<container> | Google Analytics 4 | Campaign attribution when URL campaign parameters are present | 90 days |
Important: We use Google Analytics 4 configured to:
The Google Analytics script is loaded only after the user grants analytics consent. Until consent is granted, no GA4 cookies are placed and no analytics data is transmitted to Google.
These cookies are used for conversion tracking and remarketing via Meta Pixel and the server-side Meta Conversions API. They are placed only after the user grants explicit consent in the Marketing category via the cookie banner.
| Cookie Name | Provider | Purpose | Duration |
|---|---|---|---|
| _fbp | Meta (Facebook) | Anonymous browser identifier set by Meta Pixel; used for conversion attribution and remarketing | 90 days |
| _fbc | Meta (Facebook) | Click identifier set when a user arrives at the Platform from a Meta-served advertisement; used for click-to-conversion attribution | 90 days |
Server-side complement (Meta Conversions API): In addition to the _fbp and _fbc cookies set by the client-side Meta Pixel, the Platform operates a server-side Meta Conversions API integration which transmits conversion event data, IP address, user agent, and Pixel identifiers from Platform servers to Meta. This server-side path complements the client-side Pixel and is described in detail in Section 7.
Marketing consent gate: The Meta Pixel script is loaded only after the user grants marketing consent. The Meta Conversions API server-side calls are similarly gated behind marketing consent. Without marketing consent, neither client-side Pixel cookies nor server-side Conversions API events are activated for the user.
Withdrawal effects: If you withdraw marketing consent, the Platform ceases new Pixel and Conversions API activity for your subsequent activity. Data already transmitted to Meta is subject to Meta's own retention and deletion policies; the Platform cannot recall data already transmitted.
Additional Meta cookies: The loaded Meta Pixel script may set additional Meta-controlled cookies beyond _fbp and _fbc. These additional cookies operate under Meta's own privacy policies. The Platform's source code explicitly references only _fbp and _fbc.
Some cookies are placed by third-party services that appear on our pages. We do not control these cookies. The third parties set their own cookies according to their privacy policies.
| Service | Purpose | Consent Required? | Their Privacy Policy |
|---|---|---|---|
| Google Analytics 4 | Website analytics (EU-only configuration) | Yes (Analytics category) | https://policies.google.com/privacy |
| Google OAuth | Login authentication | No (Strictly Necessary) | https://policies.google.com/privacy |
| Google Calendar (OAuth) | Calendar synchronisation for Specialists at Expert/Enterprise tiers | Specialist OAuth grant | https://policies.google.com/privacy |
| Bank of Georgia | Payment processing (on payment pages) | No (Strictly Necessary on payment pages) | https://bankofgeorgia.ge/privacy |
| Supabase | Backend services and authentication | No (Strictly Necessary) | https://supabase.com/privacy |
| Meta Platforms, Inc. (Facebook/Meta Pixel) | Conversion tracking and remarketing — client-side Pixel | Yes (Marketing category) | https://www.facebook.com/privacy/policy |
| Meta Platforms, Inc. (Conversions API) | Server-side conversion event transmission | Yes (Marketing category) | https://www.facebook.com/privacy/policy |
| Vercel Analytics | Cookieless page-view and performance monitoring | No (cookieless; legitimate interest) | https://vercel.com/legal/privacy-policy |
For transparency, we want to confirm that we do not use:
Correction note: Earlier versions of this Cookie Policy stated that we do not use any social media tracking pixels. That representation was inaccurate — Meta Pixel and Meta Conversions API have been operating in production behind marketing consent. v2.0 of this Cookie Policy corrects this disclosure.
Vercel Analytics provides page-view and performance monitoring for the Platform. It is included in the page layout via the @vercel/analytics/next package and operates without setting cookies and without creating persistent identifiers. It uses anonymised request metadata (path, response time) for operational performance monitoring.
Because Vercel Analytics is cookieless and does not track users across visits or sites, it operates under legitimate interest (operational monitoring) and is not gated by the cookie consent banner. The Platform discloses Vercel Analytics here for transparency.
If Vercel Analytics is determined in the future to set persistent identifiers or otherwise constitute tracking, the Platform will gate it behind analytics consent and update this Policy accordingly.
Where a Specialist (at Expert tier for Solo Specialists or Enterprise tier for Company Specialists) authorises Google Calendar synchronisation, the resulting OAuth tokens are stored server-side in our database (not as browser cookies).
This is governed by:
OAuth tokens are not cookies and are not affected by browser cookie settings. They are managed through the Specialist's Calendar Tab on the Platform.
Any browser-side cookies set during the OAuth handshake (state parameter, redirect tokens) are session cookies that expire upon completion of the OAuth flow.
In addition to the client-side Meta Pixel, the Platform operates a server-side Meta Conversions API integration. The Conversions API transmits conversion event data directly from Platform servers to Meta Platforms, Inc. infrastructure in the United States.
The Conversions API exists to improve conversion measurement reliability when client-side Pixel data is incomplete (e.g., due to browser tracking-prevention features, ad-blockers, or network failures).
For each conversion event (e.g., subscription purchase, role registration), the Platform's Conversions API integration transmits to Meta:
_fbp cookie value (if available from the same request);
_fbc cookie value (if available from the same request);
The Conversions API is gated behind marketing consent. Until the user grants marketing consent via the cookie consent banner, no Conversions API events are transmitted for that user.
When the user grants marketing consent, the Conversions API begins transmitting events for the user's subsequent activities. When the user withdraws marketing consent, transmissions cease for subsequent activities; events already transmitted remain at Meta.
Meta's servers are located in the United States. Transmission via the Conversions API constitutes an international data transfer outside the European Economic Area.
The Platform's lawful basis for this transfer is dual:
(a) Explicit user consent (marketing category) — granted via the cookie consent banner;
(b) Standard Contractual Clauses (SCCs) — Meta's data processing terms incorporate Standard Contractual Clauses approved by the European Commission as the safeguard for international transfers.
The Privacy Policy v2.1 §6.3.1 contains additional detail on the lawful basis.
Once data has been transmitted to Meta via the Conversions API, the Platform cannot recall the transmitted data. Subsequent withdrawal of marketing consent prevents new transmissions but does not delete data already at Meta. Users wishing to delete data already received by Meta should contact Meta directly through Meta's data subject rights mechanisms.
The Conversions API integration is implemented in the codebase at src/lib/analytics/meta-capi.ts. It complements the client-side Meta Pixel implementation at src/components/analytics/MetaPixel.tsx.
The easiest way to manage cookies on our website is through our cookie consent controls:
You can also control cookies through your browser settings. Here's how for popular browsers:
| Browser | Instructions |
|---|---|
| Chrome | Settings → Privacy and Security → Cookies and other site data |
| Firefox | Settings → Privacy & Security → Cookies and Site Data |
| Safari | Preferences → Privacy → Manage Website Data |
| Edge | Settings → Cookies and site permissions → Manage and delete cookies |
For detailed instructions, visit your browser's help documentation.
If you disable or delete cookies:
| Cookie Type Disabled | Effect |
|---|---|
| Strictly Necessary | Website may not function properly; you may not be able to log in |
| Functional | Preferences (language, theme) will reset each visit |
| Analytics | No impact on your experience; we simply won't collect analytics data |
For mobile apps or mobile browsers, cookie settings are typically found in:
The Platform's codebase contains a constant representing the current Cookie Policy version (COOKIE_POLICY_VERSION). When this version constant is incremented (typically when material changes are made to this Policy), the Platform's isPolicyOutdated() mechanism detects that previously-recorded user consent corresponds to an older policy version.
Where a user has previously granted cookie consent under an older policy version, and the current policy version constant indicates a material update:
(a) The user is shown the cookie consent banner again on next visit;
(b) The prior consent record is preserved as historical audit evidence but no longer treated as current consent;
(c) The user must affirmatively grant consent under the new policy version before non-essential cookies are placed;
(d) The strictly-necessary cookies remain in effect throughout (per §3.2).
(a) Material updates (e.g., addition of a new cookie category, change of consent mechanics, addition of a new cross-border data transfer) → version constant incremented → re-consent required;
(b) Non-material updates (e.g., typo correction, clarifying language without operational change) → version constant not incremented → continued use under prior consent acceptable.
This approach implements the principle that consent must be informed: where the underlying processing changes materially, prior consent does not validly cover the new processing.
In addition to storing consent decisions in the user's browser via the cookie_consent cookie, the Platform persists consent decisions on the server for audit purposes:
(a) Consent decisions are saved server-side via the Platform's /api/consent endpoint;
(b) The cookie_consent_session cookie provides an anonymous identifier linking consent decisions to specific browsers/sessions;
(c) Where the user is authenticated, the Platform links anonymous consent records to the authenticated user identity for full audit traceability.
The server-side audit trail enables the Platform to:
(a) Demonstrate compliance with the 2023 Georgian Personal Data Protection Law's consent record-keeping requirements;
(b) Respond to user requests to verify their consent history;
(c) Investigate consent-related disputes or audit inquiries.
Consent audit records are retained per the Privacy Policy retention table (account lifetime + 2 years for active accounts; longer where required for legal compliance).
Different cookies have different lifespans:
| Type | Duration |
|---|---|
| Session cookies | Deleted when you close your browser |
| Persistent cookies | Remain until expiry date or manual deletion |
Specific retention periods for each cookie are listed in Section 3.
We set cookie expiration periods based on their purpose:
We may update this Cookie Policy to reflect changes in:
If we make significant changes to this Policy, we will:
We encourage you to review this Policy periodically.
If you believe we have not handled cookies in compliance with applicable law, you have the right to lodge a complaint with:
Personal Data Protection Service of Georgia (PDPS)
Address: 7 Vachnadze Street, 0105, Tbilisi, Georgia (Branch office: Bako Street No. 48, Batumi, Georgia)
Email: office@pdps.ge
Phone: +995 032 242 10 00
Website: https://personaldata.ge/en
For EU residents, you may also complain to your local data protection authority.
If you have questions about our use of cookies, please contact us:
Legal Sandbox Georgia LLC
Registration Number: 405713768
Address: Tbilisi, Agmashenebeli Alley N240, Georgia
Email: contact@legal.ge
CEO: Vakhtang Baramashvili
For developers and technical users, here is a complete list of cookies actually set by the production codebase as of v2.0:
STRICTLY NECESSARY (no consent required)
├── cookie_consent (legal.ge) — 365 days — User's consent preferences for 4 categories
├── cookie_consent_session (legal.ge) — 365 days — Anonymous consent session ID for audit
├── sb-access-token (Supabase) — Session — Auth token
└── sb-refresh-token (Supabase) — Per Supabase config — Auth refresh
FUNCTIONAL (Requires Functional consent)
└── theme (legal.ge) — 365 days — Light/dark mode preference
ANALYTICS (Requires Analytics consent)
├── _ga (Google Analytics 4) — 2 years — User distinction
├── _gid (Google Analytics 4) — 24 hours — Session distinction
├── _ga_<container> (Google Analytics 4) — 2 years — Configuration / traffic data
├── _gat (Google Analytics 4) — Session — Throttling
└── _gac_<container> (Google Analytics 4) — 90 days — Campaign attribution
MARKETING (Requires Marketing consent)
├── _fbp (Meta) — 90 days — Browser identifier for Meta Pixel
├── _fbc (Meta) — 90 days — Click identifier (set when arriving from Meta ad)
└── (Additional Meta cookies may be set by the loaded Meta Pixel script)
SERVER-SIDE STORAGE (NOT BROWSER COOKIES)
├── Google Calendar OAuth tokens — managed per Calendar Rulebook §7.5 — Specialist Expert/Enterprise tier only
├── Supabase session/refresh tokens — managed by authentication system
├── Server-side consent audit records — saved via /api/consent endpoint
└── Meta Conversions API events — transmitted server-side to Meta (US); not stored as cookies
LANGUAGE PREFERENCE (NOT A COOKIE)
└── Language is determined by URL path segment (/ka/, /en/, /ru/), not by cookie
THIRD-PARTY UNCONDITIONAL (NOT COOKIE-BASED)
└── Vercel Analytics (@vercel/analytics/next) — cookieless; uses anonymised request metadata only; legitimate interest