Cookie + tracker inventory
In one paragraph
Standard Intelligence runs a near-cookieless marketing site. We do not use third-party marketing or behavioural-advertising cookies. We use a small number of strictly-necessary cookies for sign-in and product features, a cookieless analytics service (Plausible Cloud EU), and a privacy-scrubbed error tracker (Sentry, EU region). The cookie consent banner records your preference for how Sentry Session Replay is sampled; everything else either falls under the ePrivacy strictly-necessary exemption or, in the case of Plausible and Vercel Analytics, does not use terminal-equipment storage at all.
This page enumerates every storage write and tracker we use. It is maintained alongside our internal privacy + tracking audit, so it stays empirically accurate rather than drifting from the code.
What we store on your device
Three classes of storage: strictly-necessary (sign-in and security), functional preferences (in-product UI state once you are signed in), and one piece of marketing-attribution storage that never leaves your browser until you submit a form.
Strictly necessary (no consent required)
| Storage key | Type | Surface | Purpose | Lawful basis | Lifetime |
|---|---|---|---|---|---|
| si_session | HTTP-only cookie | Signed-in product | Session JWT after OIDC sign-in | Contract (GDPR Art 6(1)(b)) + ePrivacy Art 5(3) strictly necessary | 1 hour, sliding |
| si_id_token | HTTP-only cookie | Signed-in product | OIDC id_token, used for backchannel logout | Contract + ePrivacy strictly necessary | 1 hour |
| si_oidc_state / si_oidc_verifier / si_oidc_nonce | HTTP-only cookies | Sign-in flow | OIDC CSRF + PKCE protections | Contract + ePrivacy strictly necessary | Tied to flow (~5 minutes) |
| si_return_to | HTTP-only cookie | Sign-in flow | Where to send you after sign-in | Contract + ePrivacy strictly necessary | Tied to flow |
| si-cookie-consent | localStorage | Marketing site | Records your cookie preference | Consent record (GDPR Art 7 demonstrability) | Permanent (until you clear it) |
Functional preferences (signed-in product)
These remember in-product UI state once you are signed in and have accepted our terms. They contain no personal data.
| Storage key | Type | Surface | Purpose | Lawful basis | Lifetime |
|---|---|---|---|---|---|
| si_active_system_id | HTTP-only cookie | Signed-in product | Which workspace you have open | Contract (post-auth functional) | 30 days |
| sidebar_state | Cookie | Signed-in product | Sidebar collapsed / expanded state | Contract (post-auth functional) | 7 days |
| si-theme | localStorage | All surfaces | Light / dark theme preference | Functional (no PII; explicit user action) | Permanent |
| si-guide-bookmarks | localStorage | Guides | Your saved guide pages | Functional (no PII; explicit user action) | Permanent |
| classify-draft-* | localStorage | Signed-in product | Draft of risk-classification answers | Contract (post-auth functional) | Permanent until you submit |
| header-detail-level / header-pin / placeholder-page-* | localStorage | Signed-in product | In-product UI preferences | Contract (post-auth functional) | Permanent |
Marketing attribution (one item)
| Storage key | Type | Surface | Purpose | Lawful basis | Lifetime |
|---|---|---|---|---|---|
| si.utm.first-touch | sessionStorage | Marketing site | Records the campaign tag (utm_source, utm_medium, etc.) of the URL you arrived on, so we can attribute leads when you submit a form. Never shared with any third party until you explicitly submit a form with consent. | ePrivacy Art 5(3) strictly necessary for the service you requested by visiting the page; written to HubSpot only on form submission with explicit consent | Session only — cleared when you close the tab |
Third-party trackers
Every third-party service that loads in your browser, why it is there, and whether it uses cookies or stores anything on your device.
Plausible Cloud EU
- Residency
- Estonia / Frankfurt
- Cookies
- None — Plausible is cookieless by design
- Data captured
- Page URL, referrer, country (derived from a daily-rotating salt-hashed IP). No user identifiers, no email, no cross-site tracking.
- Consent
- Not required — falls outside ePrivacy Art 5(3) because it does not access or store anything on your terminal equipment. Aligned with Plausible's published legal assessment.
Vercel Analytics
- Residency
- EU edge with SCCs + EU-US Data Privacy Framework
- Cookies
- None — Vercel uses a per-request hash, not a persisting identifier
- Data captured
- Page views, an ephemeral hash-based unique-visitor count (no cookies, no fingerprint).
- Consent
- Not required — Vercel's identifier is per-request, not a persistent terminal-equipment cookie or stored value.
Vercel Speed Insights
- Residency
- EU edge with SCCs + EU-US Data Privacy Framework
- Cookies
- None
- Data captured
- Real-User-Monitoring data: page-load timings, Web Vitals. No identifiers.
- Consent
- Not required — same reasoning as Vercel Analytics.
Sentry (browser + Session Replay)
- Residency
- Sentry EU region
- Cookies
- None on the cookie itself; Sentry uses an in-page SDK
- Data captured
- Error events, stack traces, and breadcrumbs (with URL query strings stripped). User UUID only — no email, no IP. Session Replay records DOM mutations and clicks with text masked and media blocked, on a 10% sample of sessions plus 100% of sessions where an error occurs.
- Consent
- Session Replay is the one tracker we ask you about. If you reject analytics or marketing in the cookie banner, Session Replay is downgraded to errors-only on your sessions. Error reporting itself is required for the service to be safe to operate and runs regardless.
LinkedIn Conversions API
- Residency
- LinkedIn Marketing Solutions Ireland UC (EU controller)
- Cookies
- None on this site
- Data captured
- When you submit a form, we send LinkedIn a SHA-256 hash of your email, a timestamp, and the conversion type. The send happens on our server, not from your browser.
- Consent
- Covered by your form-submission consent. We do not run the LinkedIn Insight Tag on the site, so there are no LinkedIn cookies in your browser from us.
HubSpot CRM
- Residency
- HubSpot EU1 (Frankfurt)
- Cookies
- None on this site
- Data captured
- When you submit a form, we send the form fields to HubSpot from our server. The HubSpot JavaScript tracker is NOT loaded — there is no hubspotutk, __hssc, or __hssrc cookie in your browser from us.
- Consent
- Covered by your form-submission consent.
Resend (transactional email)
- Residency
- EU
- Cookies
- None
- Data captured
- Recipient email and message body when we send you an email (e.g. your readiness-assessment PDF).
- Consent
- Covered by your form-submission consent.
Managing your preferences
- Open the cookie preferences dialog at any time from the link in the marketing site footer. Your choice is saved in this browser and re-applied on future visits.
- Your browser provides additional controls — clearing cookies and site storage from your browser settings will reset everything on this site, including your consent record.
- You can withdraw consent for marketing emails at any time using the unsubscribe link in every email we send you.
- For data-subject rights (access, correction, deletion, restriction, portability, objection) email privacy@standardintelligence.com.
What we do not use
For completeness, the following are deliberately absent from this site (verified by source inspection):
- No HubSpot tracking script (no hubspotutk, no __hssc, no __hssrc)
- No LinkedIn Insight Tag (no li_sugr, lidc, bcookie, li_gc)
- No Google Analytics or Google Tag Manager (no _ga, _gid, gtag)
- No Facebook Pixel (no _fbp, no fbq)
- No behavioural-advertising cookies of any kind
- No cross-site fingerprinting
This page is maintained alongside our internal privacy + tracking audit. We update it whenever the underlying inventory changes — not on a fixed schedule.
Questions? Email privacy@standardintelligence.com.