Cookie Policy for Po Kolei
Effective date: May 1, 2026
1. Cookies and similar technologies
Po Kolei may use cookies, local storage, session storage, pixels, tags, device identifiers, technical logs and similar technologies. These technologies may be set by the operator or by external providers, including hosting, WordPress, security, anti-spam, analytics, newsletter, social media, advertising, AI and automation providers.
Cookies may be necessary for website operation, security, form handling and remembering preferences. Other cookies may support analytics, content performance measurement, marketing, remarketing, social media integrations, embedded content, session recording, heatmaps or automation. The technologies actually used depend on the current website and WordPress plugin configuration.
2. Cookie categories
The website distinguishes the following categories: strictly necessary, security and anti-spam, preferences, analytics, marketing and remarketing, social and embedded content, and AI/analytics/automation. Strictly necessary cookies may be used without consent where they are necessary to provide a service requested by the user or ensure security. Analytics cookies, marketing cookies, social pixels, session recording, heatmaps and similar technologies generally require consent where required by law.
3. Cookie and similar technologies table
This table is practical and descriptive. After specific tools are implemented, it should be supplemented with actual cookie names, retention periods and providers identified by the consent platform or cookie scanner.
| Category | Provider | Example | Purpose | Period | Basis | Consent required |
|---|---|---|---|---|---|---|
| Strictly necessary | WordPress, hosting, Cloudflare or similar | wordpress_test_cookie, PHPSESSID, technical cookies | Operation of the website, sessions, admin panel, forms, security and core WordPress functions. | Session or technically required period | Technical necessity / legitimate interest; for EEA/UK users Article 6(1)(f) GDPR where applicable | Generally no |
| Security / anti-spam | Cloudflare, Akismet, Antispam Bee, Google reCAPTCHA, hCaptcha, Turnstile | captcha token, risk identifier, anti-spam data | Protection against spam, bots, abuse, attacks, phishing, malware and overload. | Provider-specific; session to several months | Legitimate interest/security; consent where local law requires it | Depends on tool |
| Preferences | WordPress, cookie plugin, accessibility plugin | language, cookie settings, interface preferences | Remembering user preferences, language, consents, accessibility settings or form choices. | Session to 12 months or tool setting | Consent or legitimate interest in remembering a requested preference | Sometimes |
| Comments | WordPress, Gravatar, comment plugin | comment_author, comment_author_email, comment_author_url, Gravatar hash | Facilitating comments, remembering comment form data, displaying avatars and moderation. | Up to 1 year or WordPress configuration | Consent / legitimate interest in comment handling | Yes, if not necessary |
| Analytics | GA4, Matomo, Plausible, Cloudflare Web Analytics, Microsoft Clarity, Hotjar or similar | _ga, _gid, event identifiers, heatmap/session recording | Traffic measurement, statistics, content popularity, referral sources and service improvement. | Provider-specific; usually session to 26 months | Consent; in limited cookieless/aggregated setups, legitimate interest where permitted | Generally yes |
| Marketing / remarketing | Google AdSense/Ads, Meta Pixel, X Ads Pixel, GTM or similar | ads ID, pixel ID, remarketing tag | Ad measurement and personalisation, remarketing, campaign performance and frequency capping. | Provider-specific; usually session to 24 months | Consent where required | Yes |
| Social / embedded content | YouTube, Facebook, Instagram, X, maps, document platforms | platform cookies, embed identifiers | Displaying embedded content, share buttons and interactions with external platforms. | According to platform policies | Consent unless activated only on user request and law permits another approach | Generally yes |
| AI / analytics / automation | AI providers, SEO tools, content quality analytics, editorial automations | event identifiers, local storage, automation logs, aggregated data | Trend analysis, content performance, security, spam, newsletter quality, topic recommendations and process automation. | Tool-specific; minimal period needed | Consent, legitimate interest or other suitable basis depending on configuration | Yes, if it identifies or tracks the user |
4. AI, analytics and tracking technologies
Some AI, analytics, personalisation, security or marketing tools may use cookies, local storage, pixels, device identifiers or similar technologies. AI analytics may be used to analyse traffic, trends, content quality, newsletter effectiveness, security, abuse detection or topic recommendations. If such tools operate only on aggregated data without identifying the user, privacy risk is lower, but the tool category should still be disclosed.
If AI/analytics, pixels, session recording, remarketing or social tracking identify the user or track behaviour on the website or across websites, they should be covered by consent where required. The operator should avoid firing marketing, remarketing, session recording and social pixels before obtaining appropriate user consent.
5. WordPress, comments and administrators
WordPress may use technical, test, session and login cookies, particularly for administrators, editors and logged-in users. If comments are enabled, WordPress may remember comment form data such as name, email and website address to make later commenting easier. Gravatar or similar services may process an email hash to display an avatar.
6. Analytics, advertising and consent management
If the website does not use analytics, marketing, social pixels or session recording, a simple informational banner about necessary and technical cookies with a link to this policy may be sufficient. If the website enables Google Analytics 4, Google Tag Manager, Meta Pixel, X Pixel, Microsoft Clarity, Hotjar, Google AdSense, remarketing or similar tools, full consent management with cookie categories and reject, accept and change-consent mechanisms should be implemented.
The consent panel should block non-essential categories until consent is obtained where required by law. It should also record consent status, notice version, date and consent category to the extent necessary to demonstrate compliance.
7. Embedded content and social media
The website may embed content from YouTube, X, Facebook, Instagram, maps, document platforms, graphics platforms and other services. Embedded content may load resources from external platforms and cause them to use their own cookies, pixels or identifiers. Social media platforms may act as separate controllers for their own services.
The safest configuration is delayed loading of embedded content, meaning that the embed loads only after the user clicks it or consents to the social or marketing category where the platform uses tracking.
8. Managing cookies
The user may manage consents in the cookie banner, if implemented, and in browser settings. Browsers usually allow blocking cookies, deleting cookies, blocking third-party cookies, clearing local storage or using private browsing. Restricting cookies may cause some website, comment, form, embedded content or security functions to operate incorrectly.
9. Updates
This Cookie Policy should be updated after implementing new analytics, advertising, social, AI/automation, captcha, anti-spam, newsletter, comments, forms, user accounts, payments, personalisation, session recording or embedded content tools that change the scope of data or consents.