Cookie Policy
Effective Date: 2026-04-05
Table of Contents
- What Are Cookies and Similar Technologies
- How We Use These Technologies
- Cookie Inventory — Website
- Cookie Inventory — Mobile Application
- Third-Party Services
- Consent Mechanism — Website
- Consent Mechanism — Mobile Application
- Global Privacy Control (GPC)
- Do Not Track (DNT)
- Managing Cookies in Your Browser
- Opt-Out Links
- Impact of Disabling Cookies
- Changes to This Policy
- Contact
1. What Are Cookies and Similar Technologies
Cookies are small text files that a website places on your device when you visit, storing information such as your preferences or session state so the site can recognize you on return visits.
Local storage is a browser-based mechanism that holds data on your device without an expiration date, used for persistent preferences. Session storage functions similarly but is cleared when the browser tab or window is closed.
Pixels (also called tracking pixels or web beacons) are tiny, invisible images embedded in a page or email that signal to a third-party server when content has been loaded, allowing that server to record a visit or interaction.
SDKs (software development kits) are code libraries embedded in mobile applications that collect data about app usage, device characteristics, and user interactions, and transmit that data to third-party analytics or attribution services.
Edge-side tags are scripts loaded and executed at the CDN or infrastructure level (such as Cloudflare Zaraz) rather than directly in your browser. They function similarly to client-side scripts but are managed server-side, which can reduce the number of direct third-party connections your browser makes.
This policy covers all such technologies used on https://www.kaijumechanic.com ("the Website") and in the Kaiju Mechanic mobile application for iOS and Android ("the App"). Together, these are referred to as "the Service."
For our full data practices — including how we collect, use, and protect personal information — please see our Privacy Policy.
2. How We Use These Technologies
Security and Infrastructure
We use strictly necessary cookies and infrastructure-level protections to defend the Website against automated abuse, distributed denial-of-service attacks, and other malicious traffic. These technologies are essential to the operation and availability of the Service and cannot be disabled.
Analytics
We use analytics technologies to understand how visitors interact with the Service — which pages or screens are visited, how long sessions last, which features are used, and where users navigate from. This helps us identify usability issues, measure the impact of changes, and improve the product experience.
On the Website, analytics are delivered via Cloudflare Zaraz (an edge-side tag manager) and Cloudflare Web Analytics (a privacy-first, cookieless analytics service). Cloudflare Zaraz may load Google Analytics 4 tags at the edge, which can set cookies on your device. Analytics cookies on the Website are only activated after you grant consent via our cookie banner (or, in opt-out regions, unless you decline or send a GPC signal).
On the App, analytics are collected through Firebase Analytics (which feeds Google Analytics 4) and PostHog. Both SDKs are initialized in a disabled state and only begin collecting data after you grant explicit opt-in consent within the App.
Consent Record-Keeping
We log your consent choices (categories accepted or rejected, timestamp, banner revision, and whether a GPC signal was detected) to an audit trail via our server-side consent logging endpoint. This log does not contain personally identifiable information — your identity is derived from a one-way cryptographic hash of your IP address and user agent string. This processing is necessary to demonstrate valid consent under GDPR Article 7(1) and to comply with US state privacy law record-keeping obligations.
Advertising and Retargeting
We do not use cookies, pixels, SDKs, or any other technology for advertising, retargeting, cross-site behavioral profiling, or the sale or sharing of personal data for advertising purposes. No advertising network technologies are deployed on the Website or in the App.
3. Cookie Inventory — Website
3.1 Strictly Necessary Cookies
These cookies are required for the Website to function. They cannot be disabled. No consent is required to set them.
| Cookie Name | Provider | Purpose | Duration |
|---|---|---|---|
| cc_cookie | Kaiju Mechanic (RB ZILLA LLC) | Stores your cookie consent preferences (accepted/rejected categories and banner revision number). Required to honor your choices on return visits. | 182 days |
| __cf_bm | Cloudflare | Bot management cookie. Distinguishes human visitors from automated traffic to protect the Website from abuse. Set automatically by Cloudflare's infrastructure. | 30 minutes |
| cf_clearance | Cloudflare | Records that a visitor has successfully completed a Cloudflare security challenge (e.g., CAPTCHA or JavaScript challenge), preventing repeated challenge prompts during a session. Only set when a challenge is triggered. | Up to 24 hours (configurable by site operator) |
3.2 Analytics Cookies
These cookies are set only if you grant analytics consent via the cookie consent banner. In opt-out regions (visitors outside the EEA and UK, and not sending a GPC signal), analytics cookies are active by default unless you decline. They collect anonymized usage data and are never used to identify you personally.
If you revoke analytics consent, these cookies are automatically cleared from your browser by our consent management platform.
| Cookie Name | Provider | Purpose | Duration |
|---|---|---|---|
| _ga | Google (via Cloudflare Zaraz) | Distinguishes unique visitors by assigning a randomly generated client ID. Used to calculate visitor and session counts in analytics reports. | 2 years |
| _ga_<container-id> | Google (via Cloudflare Zaraz) | Persists session state for Google Analytics 4. The <container-id> suffix corresponds to the GA4 measurement ID. | 2 years |
| _gid | Google (via Cloudflare Zaraz) | Distinguishes visitors within a 24-hour window. Used to throttle request rate and aggregate page view data. | 24 hours |
| _gat | Google (via Cloudflare Zaraz) | Rate-limiting cookie that throttles data collection to one request per minute, reducing load on analytics servers. | 1 minute |
3.3 Technologies That Do Not Set Cookies
The following technologies are used on the Website but do not set cookies on your device:
| Technology | Provider | Purpose | Why No Cookies |
|---|---|---|---|
| Cloudflare Web Analytics | Cloudflare | Privacy-first web analytics measuring page views, referrers, and device types. Does not track individual users across sessions. | Operates entirely server-side using edge-level signals. No cookies, no JavaScript fingerprinting, no cross-site tracking. |
| Cloudflare Zaraz | Cloudflare | Edge-side tag manager that loads third-party scripts (such as Google Analytics) from Cloudflare's infrastructure rather than directly from third-party servers. | Zaraz itself sets no cookies. It manages the loading of services that may set their own cookies (listed above). |
| Codex Titan Widget | RB ZILLA LLC | In-page support and assistance widget loaded from cdn.codextitan.com. | Loaded via `` tag with lazyOnload strategy. Does not set cookies. Backend communication is server-side only. |
| Consent Audit Log | RB ZILLA LLC | Server-side endpoint (/api/consent-log) that records consent actions for GDPR Art. 7 compliance. | Processing occurs entirely server-side. No cookies are set. Subject identity is derived from a SHA-256 hash — no PII is stored. |
3.4 Local Storage and Session Storage
The Website does not use localStorage or sessionStorage for any purpose. All persistent state (consent preferences) is stored exclusively in the cc_cookie HTTP cookie.
4. Cookie Inventory — Mobile Application
The Kaiju Mechanic mobile application does not use browser cookies. It uses the following SDKs and on-device storage mechanisms, all of which require your explicit opt-in before data collection begins:
4.1 Analytics SDKs (Require Opt-In)
| SDK | Provider | Purpose | Data Collected | Opt-In Mechanism |
|---|---|---|---|---|
| Firebase Analytics / Google Analytics 4 | Google | Measures feature usage, screen views, session duration, and user flows to improve app functionality. | Anonymized usage events, screen names, session metadata, device type, OS version. | Firebase setConsent() defaults to denied; enabled only after explicit user opt-in within the App. |
| PostHog | PostHog Inc. | Product analytics measuring feature adoption, user flows, and retention metrics. | Anonymized usage events, feature flag evaluations, session metadata. | Initialized with opt_out_capturing_by_default: true; enabled only after explicit user opt-in within the App. |
4.2 Error Tracking and Crash Reporting (Functional — No Consent Required)
| SDK | Provider | Purpose | Data Collected | Legal Basis |
|---|---|---|---|---|
| Sentry | Functional Software Inc. | Error tracking to identify and resolve bugs. | Crash reports, stack traces, device metadata (model, OS version), breadcrumb events. No PII. sendDefaultPii is set to false. | Legitimate interest in maintaining app stability and resolving errors that affect user experience. |
| Firebase Crashlytics | Google | Crash reporting to identify and resolve application crashes. | Crash reports, device info (model, OS version), app state at time of crash. No PII. | Legitimate interest in maintaining app stability and resolving crashes that affect user experience. |
4.3 Subscription Management
| SDK | Provider | Purpose | Data Collected |
|---|---|---|---|
| RevenueCat | RevenueCat Inc. | Manages in-app subscriptions and purchase entitlements across iOS and Android. | Subscription status, product identifiers, transaction timestamps, anonymous app user IDs. No payment card data — card processing is handled entirely by Apple App Store and Google Play. |
4.4 On-Device Storage
The App uses standard platform storage mechanisms (iOS Keychain, Android SharedPreferences/EncryptedSharedPreferences) to store authentication tokens, consent preferences, and app settings locally on your device. This data is not transmitted to third parties.
5. Third-Party Services
The following third-party providers may set cookies on the Website or process data in connection with your use of the Service:
| Provider | Role | Cookies Set (Website) | Privacy Policy |
|---|---|---|---|
| Cloudflare | CDN, DDoS protection, edge computing, and security infrastructure. Processes all Website traffic as a reverse proxy. Also provides Zaraz (edge-side tag manager) and Web Analytics. | __cf_bm, cf_clearance | Cloudflare Privacy Policy |
| Google | Web analytics (GA4) deployed via Cloudflare Zaraz on the Website; Firebase Analytics in the App. | _ga, _ga_<container-id>, _gid, _gat (Website only, via Zaraz) | Google Privacy Policy |
| PostHog | Product analytics in the App only. | None (App SDK, no cookies) | PostHog Privacy Policy |
| Sentry | Error tracking and crash reporting in the App only. | None (App SDK, no cookies) | Sentry Privacy Policy |
| RevenueCat | Subscription and entitlement management in the App only. | None (App SDK, no cookies) | RevenueCat Privacy Policy |
| Codex Titan | Backend API, AI engine, support widget, and consent audit logging. First-party service operated by RB ZILLA LLC. | None (server-side only) | Kaiju Mechanic Privacy Policy |
6. Consent Mechanism — Website
How We Obtain Consent
When you first visit https://www.kaijumechanic.com, a cookie consent banner is displayed. The banner's default behavior depends on your detected region:
EEA and UK visitors (opt-in mode): All non-essential cookies are off by default. The banner remains visible until you make an active choice. Non-essential cookies are only set after you click Accept All or enable specific categories via Manage Preferences. Region detection is based on your browser's timezone setting.
All other visitors (opt-out mode): Non-essential cookies are on by default. You may decline them at any time by clicking Opt Out or adjusting your preferences. See Section 8 for GPC-specific behavior, which overrides this default for residents of applicable US states.
Banner Controls
The consent banner presents the following options with equal visual prominence — no option is hidden, pre-selected to a non-default state, or styled to discourage refusal:
- Accept All — Enables all cookie categories (necessary + analytics).
- Reject All / Opt Out — Disables all non-essential cookies immediately. Label adapts to region ("Reject All" in opt-in mode, "Opt Out" in opt-out mode).
- Manage Preferences — Opens a granular panel where you can enable or disable individual categories.
Updating or Withdrawing Consent
You can review and change your cookie preferences at any time by clicking the "Consent Preferences" button in the footer of the Website. Your updated choice takes effect immediately:
- If you revoke analytics consent, analytics cookies (_ga, _gid, _gat, _ga_<container-id>) are automatically cleared from your browser and analytics collection stops.
- If you grant analytics consent after previously declining, analytics collection begins and any queued events are transmitted.
Your updated choice is saved in the cc_cookie cookie for 182 days.
Withdrawing consent does not affect the lawfulness of any processing that occurred before you withdrew it.
Consent Records
Each consent action (grant, deny, or revoke) is logged server-side for compliance purposes. The log entry includes: the action taken, categories accepted or denied, the consent mode (opt-in or opt-out), whether a GPC signal was detected, and the banner revision number. Your identity in the log is a one-way cryptographic hash — no IP address, name, email, or other personally identifiable information is stored.
When we make material changes to our cookie practices (see Section 13), we increment the banner revision number, which triggers a new consent prompt on your next visit regardless of your prior choice.
7. Consent Mechanism — Mobile Application
How We Obtain Consent
The Kaiju Mechanic mobile application initializes all analytics SDKs in a disabled state by default. No analytics data is collected until you grant explicit opt-in consent:
- Firebase Analytics: Consent signals are set to denied at initialization via setConsent(). Collection begins only after you opt in.
- PostHog: Initialized with opt_out_capturing_by_default: true. Capturing begins only after you opt in.
- iOS App Tracking Transparency (ATT): On iOS, if any feature requires access to the device advertising identifier (IDFA), the system ATT prompt is displayed before access is requested. We do not prompt ATT on first launch — it is shown only when contextually relevant.
Updating or Withdrawing Consent
You can review and change your analytics preferences at any time from the Settings screen within the App. Withdrawing consent immediately stops analytics collection for the remainder of your session and all future sessions until consent is re-granted.
Error Tracking
Sentry crash reporting operates independently of analytics consent. It collects only technical crash data (stack traces, device metadata) with sendDefaultPii set to false (no personal data is transmitted). This processing is based on our legitimate interest in maintaining app stability and is disclosed in our Privacy Policy.
8. Global Privacy Control (GPC)
We honor the Global Privacy Control (GPC) signal as a valid opt-out of all non-essential tracking on the Website.
How We Detect GPC
GPC signals are detected through two methods:
- Client-side: We check the navigator.globalPrivacyControl JavaScript property when the consent banner initializes.
- Server-side: Our consent logging endpoint reads the Sec-GPC: 1 HTTP request header.
What Happens When GPC Is Detected
When a GPC signal is detected, analytics and all other non-essential cookies are automatically declined and the consent banner is suppressed — in all regions, including both opt-out regions (United States) and opt-in regions (EEA/UK). In opt-in regions, analytics cookies are already off by default under the GDPR, so GPC produces the same outcome as the default behavior. A deny action is logged to the consent audit trail in all cases. Users with GPC enabled can still access the consent preferences panel via the "Consent Preferences" link in the Website footer if they wish to opt in to analytics.
GPC Compliance Declaration
We publish a machine-readable GPC compliance signal at https://www.kaijumechanic.com/.well-known/gpc.json confirming that we honor the GPC specification.
Applicable US States
If you are a resident of one of the following states, your GPC signal is processed as a legally binding opt-out under applicable state privacy law:
California (CCPA/CPRA), Colorado (CPA), Connecticut (CTDPA), Delaware (DPDPA), Maryland (MODPA), Minnesota (MCDPA), Montana (MCDPA), New Hampshire (SB 255), New Jersey (NJDPA), Oregon (OCPA), and Texas (TDPSA).
Residents of these states have a statutory right to opt out of the sale or sharing of personal data and targeted advertising. A valid GPC signal satisfies that right automatically on our platform.
9. Do Not Track (DNT)
We do not respond to the Do Not Track (DNT) browser signal.
DNT lacks a universally accepted technical standard, has no consistent legal definition, and has no established compliance framework. The World Wide Web Consortium (W3C) discontinued its DNT working group in 2019. As a result, there is no reliable way to implement DNT in a manner that is meaningful or verifiable across browsers and platforms.
If you wish to opt out of non-essential tracking, we recommend using Global Privacy Control (GPC) (see Section 8), which is a standardized, legally recognized signal supported by applicable US state privacy laws and honored by our platform.
10. Managing Cookies in Your Browser
You can control or delete cookies directly through your browser settings. Note that disabling strictly necessary cookies may impair the functionality of security protections (such as Cloudflare bot management and challenge verification) on the Website.
Google Chrome
Go to Settings > Privacy and security > Cookies and other site data. You can block all cookies, block third-party cookies only, or clear existing cookies. You can also create exceptions for specific sites.
Mozilla Firefox
Go to Settings > Privacy & Security > Cookies and Site Data. Firefox allows you to block all cookies, block cross-site tracking cookies, or manage cookies on a per-site basis. Click Manage Data to delete cookies from specific sites.
Apple Safari
Go to Settings > Safari > Privacy & Security (iOS) or Safari > Preferences > Privacy (macOS). You can block all cookies or enable "Prevent Cross-Site Tracking." Use Manage Website Data to view and delete cookies from individual sites.
Microsoft Edge
Go to Settings > Cookies and site permissions > Cookies and data stored. You can block third-party cookies, clear cookies on browser close, or manage exceptions for specific sites.
11. Opt-Out Links
| Service | Opt-Out Method | Link |
|---|---|---|
| Google Analytics | Browser add-on that prevents Google Analytics JavaScript from sending data to Google. Works across all sites using GA. | Google Analytics Opt-Out Add-On |
| Google (account-level) | Adjust your Google account's data sharing and ad personalization settings. | Google Privacy Controls |
| PostHog (App only) | Disable analytics in the App's Settings screen. This immediately stops PostHog data collection. | In-app: Settings > Privacy > Analytics |
| Firebase Analytics (App only) | Disable analytics in the App's Settings screen. This sets Firebase consent signals to denied. | In-app: Settings > Privacy > Analytics |
| Cloudflare | Cloudflare operates as security and CDN infrastructure. It processes traffic at the network level to protect site availability. Opt-out is not applicable — Cloudflare cannot be bypassed without blocking access to the Website entirely. | Cloudflare Privacy Policy |
12. Impact of Disabling Cookies or Tracking
Website
| Category | If Disabled |
|---|---|
| Strictly Necessary | Cloudflare security protections (bot detection, challenge verification) may not function correctly. You may be repeatedly challenged or blocked from accessing the Website. The Website does not use authentication cookies — there is no login functionality on the Website. |
| Analytics | Google Analytics and Cloudflare Web Analytics will not collect data about your visit. This has no impact on any Website features — all content and functionality remains fully available. |
Mobile Application
| Category | If Disabled |
|---|---|
| Analytics (Firebase + PostHog) | No usage analytics are collected. All App features remain fully functional. |
| Error Tracking (Sentry) | Cannot be disabled by the user. Collects only technical crash data (no personal information). Necessary for us to identify and fix bugs that affect your experience. |
| Subscription Management (RevenueCat) | Cannot be disabled independently. Required for the App to verify your subscription status and unlock paid features. |
13. Changes to This Policy
The Effective Date at the top of this document identifies the current version. Prior versions are available upon request by contacting [email protected].
Material Changes
A material change is one that:
- Introduces a new cookie category or tracking technology
- Adds a new third-party provider that sets cookies or collects data
- Materially expands the purposes for which cookies or similar technologies are used
- Changes the default consent behavior (e.g., switching from opt-out to opt-in)
For material changes, we will:
- Update the Effective Date.
- Increment the consent banner revision number on the Website.
- Re-prompt all Website visitors for consent on their next visit, regardless of their prior choice.
- Update the App's consent screen if app-side tracking is affected.
Non-Material Changes
Non-material updates — such as correcting cookie durations, updating provider privacy policy links, clarifying existing descriptions, or reformatting — are reflected in the Effective Date only. No new consent prompt is triggered.
We encourage you to review this policy periodically. Continued use of the Service after the Effective Date constitutes acknowledgment of the updated policy.
14. Contact
If you have questions about this Cookie Policy or wish to exercise your privacy rights, please contact us:
RB ZILLA LLC
Product: Kaiju Mechanic
Email: [email protected]
Website: https://www.kaijumechanic.com
Mailing Address: 116 E Main St, Suite 201, Rock Hill, SC 29730
To submit a data subject access request (access, deletion, correction, or portability), use our Data Request Form.
For full details on how we collect, use, and protect your personal information — including your rights under GDPR, CCPA/CPRA, and other applicable privacy laws — please review our Privacy Policy.
RB ZILLA LLC | Rock Hill, SC | https://www.rbzilla.com