Cookie Policy
Effective Date: March 17, 2026 Last Updated: March 17, 2026
1. Introduction
Fintech Orchestration Solutions, Inc. ("Fintech Orchestration Solutions," "we," "our," or "us") operates the PayFlow Orchestrator platform, associated developer tools, the PayFlow Developer Dashboard, and the public-facing website at fintechorchestration.io (collectively, the "Services").
This Cookie Policy explains what cookies and similar tracking technologies are, how we use them across our Services, what choices you have regarding their use, and how you can manage or disable them. This policy should be read alongside our Privacy Policy, which governs how we collect, use, and protect your personal data more broadly.
By continuing to use our Services after this policy has been made available to you, you acknowledge that you have read and understood how we use cookies. Where applicable law requires your consent prior to setting non-essential cookies, we will seek that consent through an in-product consent mechanism before any such cookies are placed on your device.
2. What Are Cookies?
Cookies are small text files placed on your browser or device by a website or application you visit. They are widely used to make websites and platforms function correctly, to remember your preferences, and to provide operators and third parties with analytical information about how services are used.
In addition to cookies, we may use similar tracking technologies including:
- Local Storage and Session Storage — browser-based key/value stores used to persist state within or across sessions.
- Pixel tags / web beacons — tiny transparent images embedded in web pages or emails that signal when content has been accessed.
- Device fingerprinting — a technique that derives a probabilistic identifier from device and browser characteristics, used primarily for fraud detection.
- Software Development Kits (SDKs) — embedded libraries in our developer tools and sandbox environment that may collect usage telemetry.
For the purposes of this policy, all of the above are referred to collectively as "cookies."
3. Types of Cookies We Use
We categorize the cookies deployed across our Services into four types, as described below.
| Category | Purpose | Consent Required? | |---|---|---| | Essential / Strictly Necessary | Required for core functionality — authentication, session management, CSRF protection, and security. The Services cannot function correctly without these cookies. | No — these are placed on a legitimate-interest basis. | | Functional | Remember your preferences and settings — such as your chosen dashboard layout, preferred API region, timezone, or notification configuration — so you don't have to reconfigure them on every visit. | Yes (where applicable law requires). | | Analytics / Performance | Help us understand how visitors interact with our Services — which pages are visited, where users encounter errors, API call volumes in the sandbox, and similar aggregate usage metrics. All data is pseudonymized or anonymized before analysis. | Yes. | | Marketing / Targeting | Used to deliver relevant advertising and promotional content across third-party networks, to measure campaign effectiveness, and to build audience profiles. | Yes. |
Note for PayFlow Orchestrator API Clients: Cookies are not used in machine-to-machine API calls authenticated via API keys or OAuth 2.0 client credentials. This policy applies exclusively to browser-based interactions with our web properties and developer-facing tools.
4. Specific Cookies Used
The following table lists the primary cookies and similar technologies currently deployed across our Services. This list is updated when our cookie configuration changes; the effective date at the top of this policy reflects the most recent revision.
| Name | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
| __session | Fintech Orchestration Solutions | Maintains the authenticated session for users logged into the PayFlow Developer Dashboard. Contains a signed, encrypted session identifier — no personally identifiable information is stored in the cookie value itself. | Session (expires on browser close) | Essential |
| csrf_token | Fintech Orchestration Solutions | CSRF (Cross-Site Request Forgery) protection token. Validated on all state-changing HTTP requests to our APIs and dashboard. Required to prevent cross-site attack vectors. | Session | Essential |
| auth_refresh | Fintech Orchestration Solutions | Stores an encrypted refresh-token reference used to silently renew short-lived access tokens for dashboard sessions without requiring re-authentication. Set only for users who select "Stay signed in." | 30 days | Essential |
| pf_region | Fintech Orchestration Solutions | Records the user's preferred PayFlow Orchestrator API region (e.g., us-east-1, us-west-2) to pre-select the correct endpoint in the developer dashboard and documentation. | 1 year | Functional |
| pf_prefs | Fintech Orchestration Solutions | Stores dashboard UI preferences including theme selection, sidebar state, code-sample language preference, and pagination settings. | 1 year | Functional |
| cookie_consent | Fintech Orchestration Solutions | Records the consent choices you made in our cookie consent banner. Used to ensure we respect your preferences on return visits. | 1 year | Essential |
| _pf_anon_id | Fintech Orchestration Solutions | A randomly generated anonymous identifier used to stitch together a single visitor's page views and actions in our analytics pipeline. Contains no personally identifiable information. | 2 years | Analytics |
| _plausible | Plausible Analytics | Privacy-first, cookieless-by-default analytics. Where a cookie is set (only with consent), it is used to distinguish unique visitors without cross-site tracking. No data is shared with advertising networks. | 1 year | Analytics |
| _ga | Google Analytics (Google LLC) | Distinguishes unique users for aggregate traffic analysis. Used on our public marketing website only — not deployed in the PayFlow Developer Dashboard. | 2 years | Analytics |
| _ga_* | Google Analytics (Google LLC) | Stores session state for Google Analytics 4 measurement. Used on public marketing pages only. | 2 years | Analytics |
| _fbp | Meta Platforms, Inc. | Facebook Pixel identifier. Used to attribute visits and conversions originating from Meta advertising campaigns. Only active with explicit marketing consent. | 3 months | Marketing |
| li_fat_id | LinkedIn Corporation | LinkedIn Insight Tag. Used to track conversions from LinkedIn advertising campaigns and to enable LinkedIn retargeting audiences. Only active with explicit marketing consent. | 30 days | Marketing |
| hubspotutk | HubSpot, Inc. | Tracks a visitor's identity for HubSpot CRM lead-attribution purposes. Used on marketing contact and demo-request forms. | 13 months | Marketing |
5. Third-Party Cookies and SDKs
Some cookies listed above are set by third-party service providers. When you interact with embedded content, third-party analytics scripts, or social plugins, those third parties may also place their own cookies on your device according to their own privacy and cookie policies. Fintech Orchestration Solutions does not control third-party cookies and is not responsible for the practices of third-party providers.
Key third parties whose technologies we integrate include:
- Google LLC — Analytics (Google Analytics 4). Privacy policy: policies.google.com/privacy
- Plausible Analytics — Privacy-first web analytics (EU-hosted, GDPR-compliant). Privacy policy: plausible.io/privacy
- HubSpot, Inc. — CRM and marketing automation. Privacy policy: legal.hubspot.com/privacy-policy
- Meta Platforms, Inc. — Advertising attribution via Facebook Pixel. Privacy policy: facebook.com/privacy/policy
- LinkedIn Corporation — B2B advertising attribution via Insight Tag. Privacy policy: linkedin.com/legal/privacy-policy
- Amazon Web Services (AWS) — Our infrastructure provider. AWS infrastructure-level cookies (e.g., load balancer stickiness cookies such as
AWSALB) may be set for routing purposes. Privacy policy: aws.amazon.com/privacy
We perform due diligence on third-party providers to ensure they maintain standards commensurate with the sensitivity of our platform. Marketing-category third-party scripts are blocked by default and only activated following your explicit consent.
6. Cookie Duration
Cookies deployed by our Services fall into two duration categories:
- Session cookies — Exist only for the duration of your browser session. They are automatically deleted when you close your browser. We use session cookies primarily for authentication and CSRF protection.
- Persistent cookies — Remain on your device after you close your browser, for a defined period specified in the table above. They are used for remembering your preferences, supporting analytics, and enabling marketing attribution.
All persistent cookies have defined expiry periods. We do not set cookies with indefinite expiry. Upon expiry, cookies are automatically purged by your browser and, where applicable, are not renewed without re-presenting the consent mechanism.
7. How to Control Cookies
You have several options for controlling or disabling cookies. Please note that disabling certain cookies — particularly Essential cookies — may impair or completely prevent your access to the PayFlow Developer Dashboard and other authenticated areas of our Services.
7.1 Browser-Level Cookie Controls
All major browsers allow you to view, manage, block, and delete cookies through their settings menus. Instructions for commonly used browsers are linked below:
- Google Chrome — support.google.com/chrome/answer/95647
- Mozilla Firefox — support.mozilla.org/kb/enable-and-disable-cookies-website-preferences
- Apple Safari — support.apple.com/guide/safari/manage-cookies-sfri11471
- Microsoft Edge — support.microsoft.com/microsoft-edge/delete-cookies-in-microsoft-edge-63947406
- Opera — help.opera.com/en/latest/web-preferences/#cookies
- Brave — Brave blocks third-party cookies by default. Cookie settings are available at
brave://settings/cookies.
7.2 Our Cookie Consent Banner
Where applicable law (such as the EU ePrivacy Directive or similar national legislation) requires prior consent for non-essential cookies, we display a cookie consent banner on your first visit. You can accept all categories, accept only essential cookies, or granularly select which categories you permit. You may revisit and update your preferences at any time using the Cookie Preferences link in the footer of our website.
7.3 Analytics Opt-Out Tools
- Google Analytics — Install the Google Analytics Opt-out Browser Add-on to prevent your data from being used by Google Analytics across all websites.
- Plausible Analytics — Plausible respects standard browser Do Not Track signals and does not track users who have opted out at the browser level.
7.4 Advertising and Marketing Opt-Outs
- Digital Advertising Alliance (DAA) — optout.aboutads.info
- Network Advertising Initiative (NAI) — optout.networkadvertising.org
- European Interactive Digital Advertising Alliance (EDAA) — youronlinechoices.com
- Meta Ad Preferences — facebook.com/ads/preferences
- LinkedIn Ad Settings — linkedin.com/psettings/guest-controls/retargeting-opt-out
8. Do Not Track
Some browsers include a "Do Not Track" (DNT) feature that signals to websites that you prefer not to be tracked. There is currently no industry-wide standard for how websites must respond to DNT signals. Fintech Orchestration Solutions does not currently alter its data collection practices in response to DNT signals, except where explicitly noted (e.g., Plausible Analytics respects DNT). We will continue to monitor developments in this area and update this policy as standards emerge.
Users in jurisdictions with opt-out rights (such as California under the CCPA) may exercise their right to opt out of the sale or sharing of personal information through the mechanisms described in our Privacy Policy and via our cookie preference center.
9. Cookies and Financial Data
Fintech Orchestration Solutions is a B2B infrastructure provider. Cookies deployed across our Services interact only with web application state, user preferences, and usage analytics — they do not access, store, or transmit payment transaction data, cardholder data, bank account numbers, routing numbers, or any financial data processed through the PayFlow Orchestrator API.
Payment transaction data processed via our APIs is subject to our Privacy Policy, our contractual Data Processing Agreements (DPAs) with customers, and our PCI DSS-aligned security controls — not the cookie mechanisms described in this policy.
10. International Transfers
Some of the third-party providers listed in this policy process data outside your country of residence, including in the United States. Where data is transferred from the European Economic Area (EEA), the United Kingdom, or Switzerland, we rely on lawful transfer mechanisms — including the EU-U.S. Data Privacy Framework, Standard Contractual Clauses (SCCs), or the UK International Data Transfer Agreement (IDTA) — to ensure adequate protection of your personal data.
11. Updates to This Policy
We may update this Cookie Policy from time to time to reflect changes in the technologies we use, changes in applicable law, or changes to our Services. When we make material changes, we will update the Last Updated date at the top of this policy and, where required by law or where we consider it appropriate, notify you by email or through an in-product notice.
We encourage you to review this policy periodically to stay informed about how we use cookies. Your continued use of our Services after any update constitutes acknowledgment of the revised policy.
Previous versions of this policy are available upon request by contacting us at the address below.
12. Contact Us
If you have questions about this Cookie Policy, wish to exercise your rights under applicable data protection law, or would like to request a copy of your data, please contact us:
Fintech Orchestration Solutions, Inc. Privacy & Compliance Team
- Email: privacy@fintechorchestration.io
- Subject line: Cookie Policy Inquiry
For inquiries related to the PayFlow Orchestrator platform, enterprise DPAs, or PCI DSS compliance documentation, please contact your designated account manager or reach us at compliance@fintechorchestration.io.
This Cookie Policy applies to all web properties operated by Fintech Orchestration Solutions, Inc., including fintechorchestration.io, the PayFlow Developer Dashboard, the PayFlow Developer Sandbox, and associated documentation portals.