Cookie Policy

DataBillity, Inc. · doing business as Billity AI

Effective date: April 1, 2026 · Last updated: May 9, 2026 · Version 1.1

URL: https://billity.ai/cookie-policy

1. Introduction

DataBillity, Inc., doing business as Billity AI ("Billity AI," "we," "us," or "our"), uses cookies and similar tracking technologies on our website (https://billity.ai), our Platform administration dashboard, and our customer-facing Channels (collectively, the "Site"). This Cookie Policy explains what cookies are, the categories of cookies we use, why we use them, and how you can manage your cookie preferences.

This Cookie Policy supplements, and should be read together with, the Billity AI Privacy Policy ("Privacy Policy") and the Billity AI Terms of Service ("ToS"). Capitalized terms used but not defined in this Cookie Policy have the meanings assigned to them in the Privacy Policy and ToS. Disputes relating to this Cookie Policy are subject to the governing law and dispute resolution provisions of the ToS (laws of the State of Delaware; binding arbitration administered by the American Arbitration Association under its Commercial Arbitration Rules in Seattle, Washington, USA). This Cookie Policy specifically addresses the cookie and tracking technology regulations that are excluded from the scope of the Privacy Policy under Section 2.2 of the Privacy Policy.

2. What Are Cookies and Similar Technologies

2.1 Cookies

Cookies are small text files that are placed on your device (computer, tablet, or mobile phone) when you visit a website. Cookies are widely used to make websites work efficiently, to remember your preferences, to understand how you interact with the site, and to deliver relevant content and advertising. Cookies may be set by the website you are visiting ("first-party cookies") or by third parties whose services are embedded in the page ("third-party cookies"). Cookies may persist for varying durations: "session cookies" are deleted when you close your browser, while "persistent cookies" remain on your device for a defined period or until you delete them.

2.2 Similar Technologies

In addition to cookies, we may use similar technologies including:

Web Beacons (Pixel Tags): Small, transparent image files embedded in web pages or emails that track whether a page or email has been viewed and measure engagement.

Local Storage and Session Storage: Browser-based storage mechanisms that allow websites to store data on your device. Unlike cookies, local storage data is not sent to the server with every request.

Fingerprinting: We do not engage in browser or device fingerprinting for tracking or advertising purposes.

References to "cookies" in this policy include all of the technologies described above unless otherwise specified.

3. Legal Bases for Cookie Use

The legal basis for our use of cookies depends on the category of cookie, the jurisdiction of the visitor, and the purpose of the cookie. The following regulatory frameworks apply to our use of cookies:

3.1 United States (CCPA/CPRA and State Privacy Laws)

Under the CCPA/CPRA and comparable state privacy laws (including the Colorado Privacy Act, Virginia Consumer Data Protection Act, and Connecticut Data Privacy Act), cookies that collect Personal Data are subject to disclosure and opt-out requirements. We disclose all categories of Personal Data collected through cookies in Section 5 of this Cookie Policy and in the Privacy Policy. California residents have the right to opt out of the "sale" or "sharing" of Personal Data, which may include the use of certain advertising and analytics cookies. We honor the Global Privacy Control ("GPC") signal as a valid opt-out of sale and sharing, as required by the CCPA/CPRA and the Colorado Privacy Act.

3.2 Canada (PIPEDA and Provincial Laws)

Under PIPEDA, the use of cookies to collect Personal Data requires meaningful consent. For non-sensitive data collected for purposes that would be obvious to a reasonable person, implied consent may be sufficient, provided that clear notice is given and an easy opt-out mechanism is available. For cookies that collect sensitive data or that are used for purposes beyond the visitor's reasonable expectations (such as cross-site behavioral advertising), express consent is required.

3.3 Québec (Law 25)

Québec's Act respecting the protection of personal information in the private sector ("Law 25") requires explicit, informed, opt-in consent before any non-essential cookies or tracking technologies may be activated.

For visitors identified as being located in Québec (based on IP geolocation), the Site operates under a "consent-first" model: no analytics, functional, or advertising cookies are loaded until the visitor provides explicit consent through our cookie consent banner. Only strictly necessary cookies (those required for the Site to function) are loaded by default. This approach aligns with Law 25's confidentiality-by-default principle. Penalties for non-compliance with Law 25's cookie consent requirements may reach CAD $25 million or 4% of worldwide turnover.

3.4 GDPR-Aligned Principles

Although the GDPR is not the controlling law for U.S. and Canadian operations, Billity AI incorporates GDPR cookie consent principles as a best-practice framework, consistent with the approach described in Section 6.3 of the Privacy Policy. For visitors from the EU/EEA (if any), the Site applies a consent-first model consistent with the ePrivacy Directive and GDPR Article 6(1)(a).

4. How We Obtain Cookie Consent

4.1 Cookie Consent Banner

When you first visit the Site, a cookie consent banner is displayed. The banner:

Identifies Billity AI as the operator of the Site.

Describes the categories of cookies used (Strictly Necessary, Functional, Analytics, and Advertising/Marketing).

Provides a link to this Cookie Policy for detailed information.

Offers granular, category-level consent controls allowing you to accept or reject each category independently.

Includes equally prominent "Accept All" and "Reject All" buttons. The "Reject All" option is not hidden, de-emphasized, or made more difficult to select than "Accept All."

Does not use dark patterns, manipulative language, or pre-checked boxes to influence your consent decision.

For visitors in Québec and the EU/EEA, blocks all non-essential cookies until explicit consent is provided (consent-first model).

4.2 Consent Storage and Duration

Your cookie consent preferences are stored in a first-party cookie on your device for a period of twelve (12) months. After twelve months, the consent banner will reappear and you will be asked to confirm or update your preferences. You may change your cookie preferences at any time by accessing the cookie preference center (accessible via the "Cookie Settings" link in the Site footer).

4.3 Withdrawal of Consent

You may withdraw your cookie consent at any time by:

Clicking the "Cookie Settings" link in the Site footer to reopen the cookie preference center and updating your selections.

Clearing cookies from your browser (this will reset all cookie preferences and trigger the consent banner on your next visit).

Enabling the Global Privacy Control (GPC) signal in your browser, which we honor as an opt-out of advertising and analytics cookies.

Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

5. Categories of Cookies We Use

The following table describes the categories of cookies used on the Site, their purposes, the data they collect, and whether they require consent.

5.1 Strictly Necessary Cookies

These cookies are essential for the Site to operate and cannot be switched off in our systems. They are usually set in response to actions you take, such as logging in, setting privacy preferences, or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the Site will not function properly. Strictly necessary cookies do not store any personally identifiable information beyond what is required for session management and security.

5.2 Functional Cookies

Functional cookies enable the Site to provide enhanced features and personalization. They may be set by us or by third-party providers whose services we use. If you do not allow these cookies, some or all of the enhanced features may not function properly, but you will still be able to access the core functionality of the Site.

5.3 Analytics Cookies

Analytics cookies allow us to count visits and traffic sources so we can measure and improve the performance of the Site. They help us understand which pages are the most and least popular and see how visitors move around the Site. All information these cookies collect is aggregated and, where technically supported, anonymized (e.g., IP anonymization). If you do not allow these cookies, we will not know when you have visited the Site and will not be able to monitor its performance.

5.4 Advertising and Marketing Cookies

These cookies may be set through the Site by our advertising partners. They may be used to build a profile of your interests and show you relevant advertisements on other websites. They do not directly store Personal Data but are based on uniquely identifying your browser and device. If you do not allow these cookies, you will experience less targeted advertising.

Under the CCPA/CPRA, the use of advertising cookies may constitute "sharing" of Personal Data for cross-context behavioral advertising purposes. California residents may opt out by clicking the "Do Not Sell or Share My Personal Information" link on the Site, by enabling the Global Privacy Control (GPC) signal, or by adjusting cookie preferences in the cookie consent banner. This is consistent with Section 11.1 of the Privacy Policy.

6. Third-Party Cookies

Some cookies on the Site are set by third-party services that we use to enhance functionality, analyze usage, or deliver advertising. We do not control the cookies set by these third parties. The following third-party services may set cookies on the Site:

Authentication Provider: Our authentication system (Clerk) sets cookies necessary for secure login, session management, and role-based access control for Subscriber administrators.

Payment Processor: Stripe sets cookies related to payment processing, fraud detection, and PCI compliance for subscription billing.

Content Delivery and Performance: Our content delivery network may set cookies for load balancing, bot detection, and performance optimization.

Analytics Services: Third-party analytics tools may be used to measure Site traffic and usage patterns. Where analytics cookies are used, we configure them to anonymize IP addresses where the tool supports this capability.

Advertising Platforms: Where Subscribers have enabled advertising integrations through the Platform (as described in Section 8 of the ToS), advertising platforms such as Google Ads and Meta may set cookies for conversion tracking, audience building, and retargeting. These cookies are loaded only with your consent (or subject to opt-out rights, depending on your jurisdiction).

Each third-party provider operates under its own privacy policy and cookie policy. We encourage you to review the privacy policies of these providers for information about their data practices.

7. Billity Bot Widget and Embedded Channel Cookies

When a Subscriber deploys a Billity Bot web widget on its own website or Shopify storefront (as described in Section 3.2 and Section 8.2 of the ToS), the widget may use cookies and local storage to:

Maintain the state of the Bot conversation across page navigation within the Subscriber's website (session continuity).

Store the End Customer's identification status (recognized vs. first-time visitor) for personalization purposes, consistent with the consent framework described in Section 7 of the Privacy Policy.

Remember widget display preferences (open/closed state, minimized position).

The Billity Bot widget is rendered inside a Shadow DOM container that is isolated from the host website's CSS and JavaScript. Widget cookies and local storage are scoped to the widget's functionality and do not access, read, or modify any cookies set by the host website.

Widget cookies that relate to End Customer identification or personalization are subject to the layered consent model described in Section 7.1 of the Privacy Policy. No personalized data is stored in widget cookies unless the End Customer has been identified through a consented mechanism (email lookup, Shopify login, loyalty program ID, or payment token).

Subscriber-deployed widgets on Subscriber websites are subject to the Subscriber's own cookie policy and consent management. Billity AI provides Subscribers with the technical documentation necessary to accurately describe widget cookies in their own cookie policies.

8. Check-In Application and Event Mode Cookies

The Billity AI check-in application (accessible at /checkin/{slug}) and event mode deployments use session-based cookies and local storage to:

Maintain the check-in session during the End Customer's interaction.

Store kiosk reset state for shared devices (ensuring that one End Customer's session does not persist after the device is reset for the next user).

Track event-specific branding and offer configurations.

Check-in cookies are strictly session-based and are deleted when the browser session ends or when the kiosk reset action is triggered. No persistent cookies are set on shared kiosk devices. Personal Data entered during check-in (email, name) is transmitted to the Platform via encrypted API connections and is not stored in cookies or local storage on the device.

9. How to Manage Your Cookie Preferences

9.1 Cookie Preference Center

You can manage your cookie preferences at any time by clicking the "Cookie Settings" link in the Site footer. The cookie preference center allows you to enable or disable each category of non-essential cookies (Functional, Analytics, Advertising/Marketing) independently. Changes to your preferences take effect immediately for future page loads.

9.2 Browser Controls

Most web browsers allow you to manage cookies through their settings. You can typically configure your browser to block all cookies, block third-party cookies, notify you when a cookie is set, or delete cookies when you close your browser. Please note that blocking all cookies may impair the functionality of the Site, including authentication and session management.

9.3 Global Privacy Control (GPC)

We honor the Global Privacy Control ("GPC") signal as a valid mechanism for opting out of advertising and analytics cookies, and as an opt-out of the "sale" or "sharing" of Personal Data under the CCPA/CPRA and the Colorado Privacy Act. When we detect a GPC signal from your browser, we automatically disable advertising and analytics cookies and treat the signal as a "Do Not Sell or Share" request for the duration of your session. You can enable GPC in your browser or through a browser extension. More information is available at https://globalprivacycontrol.org.

9.4 Do Not Track

Some browsers include a "Do Not Track" ("DNT") feature. There is currently no uniform standard for how websites should respond to DNT signals. We do not currently alter our data collection or use practices in response to DNT signals, but we do honor the Global Privacy Control (GPC) signal as described in Section 9.3.

10. Personal Data Collected Through Cookies

Cookies used on the Site may collect the following categories of Personal Data, depending on the cookie category and your consent preferences:

Online identifiers, including cookie IDs, device identifiers, and IP addresses (anonymized where supported).

Browsing behavior, including pages visited, links clicked, time spent on pages, and referral sources.

Device and browser information, including device type, operating system, browser type and version, and screen resolution.

Authentication data, including session tokens and login state (strictly necessary cookies only).

Personal Data collected through cookies is processed in accordance with the Privacy Policy, including the data minimization principles described in Section 8.2, the data security controls described in Section 14, and the data retention practices described in Section 13 of the Privacy Policy. Cookie-derived data is not used for AI model training, Persona generation, LTV scoring, or cross-network enrichment unless the visitor is an identified End Customer who has provided the relevant consent under the Privacy Policy's layered consent model (Section 7.1).

10.1 Sharing of Cookie Data

We do not sell cookie-derived Personal Data. We may share cookie data in the following circumstances:

With Service Providers: Analytics and infrastructure providers who process data on our behalf, subject to data processing agreements.

With Advertising Partners: When you have consented to advertising cookies, data may be shared with advertising platforms for conversion tracking and audience building. This sharing may constitute "sharing" under the CCPA/CPRA and is subject to opt-out rights as described in Section 5.4.

As Required by Law: Where required by law, regulation, or court order.

Cookie data is not shared with other Subscribers in the Billity AI Network and is not subject to the cross-network data sharing governed by the Third-Party Data Sharing Network Participation Agreement.

11. Cookie Retention Periods

Cookie retention periods vary by category:

Strictly Necessary: Session cookies are deleted when you close your browser. Consent preference cookies persist for twelve (12) months.

Functional: Up to twelve (12) months, or until you clear cookies or change your preferences.

Analytics: Typically up to twenty-four (24) months, depending on the analytics provider. We configure retention to the shortest period supported by each tool.

Advertising/Marketing: Varies by advertising partner, typically thirteen (13) to twenty-four (24) months. You may delete these cookies at any time through your browser settings or our cookie preference center.

12. Your Rights

In addition to the cookie-specific controls described in Sections 4 and 9, you have the following rights with respect to Personal Data collected through cookies, as described in Section 11 of the Privacy Policy:

CCPA/CPRA (California): Right to know what Personal Data is collected; right to delete; right to opt out of sale or sharing (including via GPC); right to non-discrimination for exercising these rights.

PIPEDA (Canada, federal): Right of access; right to correction; right to withdraw consent; right to complain to the Office of the Privacy Commissioner of Canada.

Québec Law 25: Right to explicit opt-in consent before any non-essential cookies are activated; right to withdraw consent at any time; right to access, correction, and de-indexation; private right of action for violations.

Other U.S. State Laws: Colorado CPA, Virginia VCDPA, Connecticut CTDPA, and other applicable state privacy laws provide comparable rights. We honor the GPC signal as required by the Colorado CPA.

13. Children's Privacy

The Site and Platform are designed for use by businesses and are not directed at individuals under the age of sixteen (16). We do not knowingly use cookies to collect Personal Data from children, consistent with Section 17 of the Privacy Policy and Section 2.2 of the ToS.

14. Subscriber Platform Administration Cookies

When a Subscriber's authorized administrators access the Billity AI Platform dashboard, the following cookies and technologies may be used:

Authentication and Session Management: Clerk authentication cookies maintain the administrator's login session, enforce role-based access controls (OWNER and ADMIN roles), and support multi-factor authentication. These are strictly necessary cookies.

Platform Preferences: Functional cookies store dashboard display preferences, filter settings, and notification preferences.

Analytics and Performance: We may use analytics cookies on the Platform dashboard to monitor performance, identify usability issues, and improve the Platform experience. These are subject to the same consent controls described in Section 4.

Platform dashboard cookies are scoped to the Platform domain and do not track administrators across third-party websites. Personal Data of Subscriber administrators collected through Platform cookies is processed in accordance with the Privacy Policy.

15. Changes to This Cookie Policy

We may update this Cookie Policy from time to time to reflect changes in the cookies we use, changes in applicable law, or changes in the operation of the Site. When we make material changes, we will:

Update the "Effective Date" and "Last Updated" date at the top of this Cookie Policy.

Display the updated cookie consent banner to all visitors, requiring reconfirmation of cookie preferences.

Provide notice to Subscribers through the Platform, if the changes affect Platform cookies.

We encourage you to review this Cookie Policy periodically to stay informed about how we use cookies.

16. Contact Information

If you have questions about this Cookie Policy or about how we use cookies, please contact us at:

DataBillity, Inc. d/b/a Billity AI

Attn: Data Protection Officer

Email: privacy@billity.ai

Phone: 206-657-6752

Web: www.billity.ai

The designated Privacy Officer and Data Protection Officer for Billity AI, and the PIPEDA / Québec Act regulatory contact for privacy matters, are identified by name in Section 16 of the Privacy Policy (see the “Related Documents” section below for the current Privacy Policy version).

17. Related Documents

This Cookie Policy should be read together with the following documents, which form part of the Billity AI legal framework:

Privacy Policy (Version 2.3) — governs the collection, use, sharing, and protection of Personal Data across the Platform.

Terms of Service (Version 1.5) — governs the use of the Billity AI Platform, including Messaging Services, AI governance, and Subscriber obligations.

Third-Party Data Sharing Network Participation Agreement (Version 1.3) — governs voluntary participation in the Billity AI cross-network data sharing program.

Cookie data is not subject to the cross-network data sharing governed by the Network Agreement.

© 2026 DataBillity, Inc. d/b/a Billity AI. All rights reserved.