1. Who we are and scope
Yuno Payments Limited and its group entities ("Yuno," "we," or "us") operate www.y.uno and its subdomains. This policy explains the cookies and similar tracking technologies we place when you visit those sites, the purposes behind them, and how you can control them.
This policy complements our Global Privacy Policy, which provides the full framework for how we handle personal data, including data collected through cookies.
2. What cookies are
Cookies are small text files stored on your device by your browser when you visit a website. We also use related technologies — local storage, pixel tags, and scripts — that serve similar purposes. Some are placed directly by y.uno (first-party); others are placed by our service providers operating from their own domains (third-party).
3. Legal framework for cookies
Cookie law operates on two layers that are often conflated. The first is the ePrivacy Directive (Directive 2002/58/EC, as amended), which governs whether consent is required to place a cookie at all. The second is the GDPR (or equivalent national law), which governs the processing of any personal data those cookies collect. Where the ePrivacy Directive exempts a category from consent — because the cookie is technically necessary for a service the user has explicitly requested — we rely on a GDPR basis other than consent. Where consent is required by both layers, we collect it through the banner before placing any cookie.
4. Cookie categories, tools, and legal bases
4.1 Strictly necessary
These cookies are technically essential — without them the site cannot function. They manage your session, record your consent choices, protect against cross-site request forgery attacks, and handle server-side routing. Under Article 5(3) of the ePrivacy Directive, placing these cookies does not require your prior consent because they are necessary to deliver the service you have explicitly requested. The underlying GDPR basis is legitimate interest (Art. 6(1)(f)) for security and fraud-prevention purposes, and performance of a contract (Art. 6(1)(b)) where the processing is necessary to operate the site you are actively using. For Brazilian users, the applicable bases under the LGPD are legitimate interest (Art. 7(IX)) and contract performance (Art. 7(V)).
| Cookie | Provider | Purpose | Retention |
|---|---|---|---|
cookie_consent | Yuno | Records your consent choices per category | 12 months |
lang | Yuno | Stores selected language/locale | Session |
XSRF-TOKEN | Yuno | CSRF security token | Session |
4.2 Analytics
These cookies help us understand how visitors interact with the site — which pages they reach, how they arrived, and how long they engage. We use this data to improve content and performance. Because this processing is not technically necessary for site operation, it requires your consent (GDPR Art. 6(1)(a); LGPD Art. 7(I); LFPDPPP consent; Ley 1581 Art. 6 autorización). Analytics cookies are only placed after you accept this category in the banner.
| Cookie | Provider | Purpose | Retention |
|---|---|---|---|
_ga, _ga_* | Google Analytics 4 | Visitor identification across sessions | 2 years |
_gid | Google Analytics 4 | Session-level visitor tracking | 24 hours |
_gat | Google Analytics 4 | Throttles request rate | 1 minute |
__cr_* | Common Room | Product analytics and community engagement signals | 12 months |
Google Analytics 4 is operated by Google LLC (United States). Data transfers outside the EEA and UK are governed by Standard Contractual Clauses (EU Commission Decision 2021/914 and the UK Addendum). Further detail: Google Privacy Policy.
4.3 Marketing and advertising
These cookies track visitor activity to deliver relevant advertising, support lead generation, and measure campaign performance across channels. Legal basis: consent.
| Cookie | Provider | Purpose | Retention |
|---|---|---|---|
hubspotutk, __hstc | HubSpot | Visitor identity tracking for CRM and lead management | 13 months |
__hssc, __hssrc | HubSpot | Current session and browser-session tracking | 30 min / session |
_gcl_au | Google Ads | Conversion measurement and ad attribution | 3 months |
li_fat_id, bcookie | LinkedIn Insight Tag | Campaign attribution and retargeting | 30 days / 2 years |
lidc | Data center routing | 1 day | |
| Session cookies | Chili Piper | Meeting scheduling attribution | Session |
These providers process data on servers located primarily in the United States. Transfers are covered by Standard Contractual Clauses or other approved mechanisms. Their privacy policies: HubSpot · Google · LinkedIn · Chili Piper.
4.4 Personalization
The locale cookie stores the language or region you have explicitly selected using the site's language switcher. Because this cookie is placed in direct response to an action you have taken — and stores only that explicit choice, with no profiling — it falls under the ePrivacy Directive's Art. 5(3) exemption for technically necessary storage. The GDPR basis is legitimate interest (Art. 6(1)(f)): providing the site in the language you have chosen is a legitimate operational purpose that does not override your rights or freedoms. Under the LGPD, the basis is legitimate interest (Art. 7(IX)). No consent is required or collected for this category.
| Cookie | Provider | Purpose | Retention |
|---|---|---|---|
locale | Yuno | Stores language and region preference explicitly selected by the user | 30 days |
5. Consent management
When you first visit y.uno, a banner presents three options: accept all, reject all, or manage preferences by category. Your selection is stored in the cookie_consent cookie and applied on all subsequent visits.
We use Google Tag Manager with Consent Mode v2. Tags and scripts activate only for the categories you have accepted — rejected categories do not fire, including in modeled or anonymized modes. If you wish to change your preferences, clear your browser cookies and reload the page; the banner will reappear.
6. International data transfers
Several of our providers — primarily Google, HubSpot, and LinkedIn — process data on servers in the United States and other countries outside the European Economic Area and the United Kingdom. These transfers take place under Standard Contractual Clauses pursuant to EU Commission Decision 2021/914, together with the UK Addendum where applicable. For transfers involving data subjects in Brazil, transfers comply with LGPD transfer rules under ANPD guidance. For Colombia, applicable international transfer protocols under Ley 1581 de 2012 and Decree 1377 of 2013 apply.
7. Managing cookies through your browser
You can view, block, or delete cookies at any time through your browser settings. Browser controls operate independently of the choices made on our banner. Note that blocking strictly necessary cookies will affect site functionality.
Chrome · Firefox · Safari · Edge
8. Do Not Track
There is no uniform industry standard for responding to Do Not Track (DNT) browser signals, and this site does not currently process them. We do respond to your explicit choices through the cookie banner.
9. Changes to this policy
This policy is updated when our cookie usage changes or when applicable legal requirements evolve. The current version is always available at this URL. Material changes will be reflected in the "Last updated" date at the top.
10. Contact and data controller
For questions about this policy or to exercise your data rights, contact us at privacy@y.uno.
The entity responsible for personal data processed through cookies on y.uno is Yuno Payments Limited (Cayman Islands), operating as global data controller for the Yuno group. Where you are located in a specific jurisdiction, the applicable local Yuno entity is identified in our Global Privacy Policy.