Skip to main content
FreeGCPBeta

Cookie Policy

Transparency about how we use cookies to enhance your learning experience

Last updated: September 3, 20255 min read

Important Cookie Notice

Under GDPR and CCPA regulations, we are required to obtain your explicit consent before placing non-essential cookies on your device. Essential cookies required for basic website functionality are exempt from this requirement but are listed for transparency.

By continuing to use our website, you acknowledge that you have read and understood this comprehensive Cookie Policy. You can manage your preferences at any time through your account settings.

Quick Navigation

What Are Cookies?Legal Basis & ComplianceDetailed Cookie CategoriesThird-Party Services & DPAsGDPR Rights (EU Residents)CCPA Rights (CA Residents)Cookie ManagementInternational TransfersConsent & WithdrawalChildren's PrivacyCookie AuditingContact Information

What Are Cookies?

Cookies are small text files (typically 4KB or less) that websites place on your device when you visit them. They contain unique identifiers and sometimes other information that helps websites recognize your browser across visits. This comprehensive policy explains in detail how FreeGCP.com ("we", "us", "our") uses cookies and similar tracking technologies in compliance with global privacy regulations.

Technical Cookie Information:

  • First-Party Cookies: Set directly by freegcp.com domain and accessible only by our servers
  • Third-Party Cookies: Set by external services we integrate (with your consent where required)
  • Session Cookies: Temporary cookies deleted when you close your browser
  • Persistent Cookies: Remain on your device for a set period (disclosed for each cookie)
  • Secure Cookies: Only transmitted over encrypted HTTPS connections
  • SameSite Cookies: Protected against CSRF attacks with strict/lax policies

Similar Technologies: We also use Local Storage, Session Storage, IndexedDB, and ETags which function similarly to cookies. This policy covers all such technologies. Web beacons and pixels may be used for analytics but do not store data on your device.

Legal Basis for Cookie Use & Regulatory Compliance

GDPR Compliance (European Union)

Under the General Data Protection Regulation (GDPR) and the ePrivacy Directive (Cookie Law), we process cookie data based on the following legal grounds:

  • Article 6(1)(a) - Consent:For analytics, functional, and marketing cookies. You can withdraw consent at any time.
  • Article 6(1)(b) - Contract:For cookies necessary to provide services you've requested (e.g., keeping you logged in).
  • Article 6(1)(f) - Legitimate Interest:For essential security cookies and fraud prevention, balanced against your rights.

We conduct Legitimate Interest Assessments (LIAs) for all processing under Article 6(1)(f) and maintain Records of Processing Activities (RoPA) as required under Article 30.

CCPA Compliance (California, USA)

Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), we provide:

  • Notice at Collection: This policy serves as notice of categories of data collected via cookies
  • Right to Opt-Out: You can opt-out of cookie-based tracking at any time
  • No Sale of Personal Information: We do NOT sell cookie data or any personal information
  • No Discrimination: Exercising privacy rights won't affect service quality or pricing

Other Jurisdictions

LGPD (Brazil)

We comply with Lei Geral de Proteção de Dados requirements including consent, purpose limitation, and data subject rights for Brazilian residents.

PIPEDA (Canada)

We follow Personal Information Protection and Electronic Documents Act principles including accountability, consent, and limiting collection.

UK GDPR

Post-Brexit, we maintain compliance with UK GDPR which mirrors EU GDPR requirements with UK-specific guidance from the ICO.

POPIA (South Africa)

We adhere to Protection of Personal Information Act requirements for lawful processing and data subject participation.

Types of Cookies We Use

IMPORTANT: We perform quarterly cookie audits to ensure this information remains accurate. Last audit: August 4, 2025

Strictly Necessary Cookies

Always ActiveDuration: Session to 1 year

Purpose:

Essential for website operation, security, and legal compliance. Cannot be disabled.

Legal Basis:

Legitimate Interest (GDPR Art. 6(1)(f))

Cookie Examples:

  • Authentication tokens (sess_*, auth_*)
  • Security tokens (csrf_*, sec_*)
  • Session identifiers (sid_*, session_*)
  • Load balancing cookies (lb_*, route_*)
  • Cookie consent preferences (cookie_consent, gdpr_*)
  • Anti-fraud detection (af_*, fraud_*)

Data Collected:

  • Session ID
  • Authentication status
  • Security tokens
  • Basic device information for security
Retention Period:

Deleted when browser closes or after 12 months of inactivity

Third-Party Access:

None - strictly first-party only

Performance & Analytics Cookies

Requires ConsentDuration: 13 months to 2 years

Purpose:

Monitor website performance, identify technical issues, and improve user experience through aggregated analytics.

Legal Basis:

Consent (GDPR Art. 6(1)(a))

Cookie Examples:

  • Google Analytics (_ga, _gid, _gat_*)
  • Performance monitoring (perf_*, monitor_*)
  • Error tracking (err_*, exception_*)
  • Page timing metrics (timing_*, speed_*)
  • A/B testing cookies (test_*, exp_*)
  • Heatmap tracking (hm_*, click_*)

Data Collected:

  • Pages visited and time spent
  • Browser and device type
  • Geographic location (country/city level)
  • Traffic source and campaigns
  • Site search terms
  • Download and click events
  • Error messages and stack traces
Retention Period:

_ga: 2 years, _gid: 24 hours, custom: 13 months

Third-Party Access:

Analytics providers (see Data Processing Agreements)

Functional & Preference Cookies

Requires ConsentDuration: 6 months to 1 year

Purpose:

Remember your choices and provide enhanced, personalized features without identifying you.

Legal Basis:

Consent (GDPR Art. 6(1)(a))

Cookie Examples:

  • Language preferences (lang_*, locale_*)
  • Display preferences (theme_*, display_*)
  • Course progress tracking (progress_*, course_*)
  • Video player settings (player_*, video_*)
  • Form auto-fill data (form_*, autofill_*)
  • Accessibility settings (a11y_*, access_*)

Data Collected:

  • Language and region preferences
  • Display and accessibility settings
  • Course enrollment and progress
  • Content preferences
  • Feature usage patterns
Retention Period:

6-12 months from last interaction

Third-Party Access:

Limited to essential service providers under strict DPAs

Marketing & Advertising Cookies

Requires ConsentDuration: 90 days to 2 years

Purpose:

Measure advertising effectiveness, deliver relevant content, and prevent showing repetitive ads. We do NOT sell your data.

Legal Basis:

Consent (GDPR Art. 6(1)(a)) / Legitimate Interest for limited analytics

Cookie Examples:

  • Conversion tracking (conv_*, pixel_*)
  • Campaign attribution (utm_*, campaign_*)
  • Retargeting pixels (rt_*, audience_*)
  • Social media pixels (fb_*, tw_*, li_*)
  • Cross-site tracking prevention (cst_*, block_*)
  • Frequency capping (freq_*, cap_*)

Data Collected:

  • Ad interactions and conversions
  • Campaign effectiveness metrics
  • Aggregated demographic data
  • Interest categories (education, professional development)
  • Cross-site behavior (if consented)
Retention Period:

90 days for conversion data, up to 2 years for attribution

Third-Party Access:

Google Ads, Facebook (Meta), LinkedIn - all under Standard Contractual Clauses

Cookie Prefixes and Security

We implement security best practices for all cookies:

  • __Secure-Prefix ensures cookies are only sent over HTTPS connections
  • __Host-Prefix adds domain-locking and path restrictions for maximum security
  • SameSite=StrictPrevents CSRF attacks by restricting cross-site requests
  • HttpOnlyPrevents JavaScript access to sensitive cookies

Third-Party Services

Data Processing Agreements (DPAs): We maintain executed DPAs with all third-party services that process personal data on our behalf. These agreements ensure GDPR Article 28 compliance and include Standard Contractual Clauses (SCCs) for international transfers where required.

We carefully vet all third-party services for privacy compliance and data security. Each service listed below has been assessed for GDPR compliance, data minimization practices, and security measures:

Authentication Services

Essential
WebsitePrivacy Policy

Purpose:

Secure user authentication, session management, and access control

Cookies Set:

  • __client (1 year): User identification
  • __session (24 hours): Active session
  • __cf_bm (30 min): Bot protection
  • __auth_jwt (session): Authentication token
  • __auth_refresh (7 days): Token refresh

Data Shared:

  • Email address (hashed)
  • Authentication timestamps
  • IP address for security
  • Device fingerprint for fraud prevention
  • OAuth provider data (if used)
Data Location:

United States, EU (adequacy decision)

Retention:

Active account + 90 days

User Control:

Account deletion removes all data

DPA Status:

Yes - Data Processing Agreement in place

Analytics & Web Vitals

Performance
WebsitePrivacy Policy

Purpose:

Anonymous website performance monitoring and Core Web Vitals tracking

Cookies Set:

  • _analytics_id (1 year): Visitor identification
  • _analytics_session (1 year): Analytics session
  • _web_vitals (24 hours): Performance data

Data Shared:

  • Page URLs (anonymized)
  • Browser and OS type
  • Screen resolution
  • Performance metrics (load time, etc.)
  • Country-level geolocation
  • Referrer information
Data Location:

Global CDN (primarily US/EU)

Retention:

14 months

User Control:

Opt-out via cookie settings

DPA Status:

Yes - DPA with SCCs in place

Payment Processing

Essential (when purchasing)
WebsitePrivacy Policy

Purpose:

Secure payment processing, fraud prevention, and PCI DSS compliance

Cookies Set:

  • __payment_mid (1 year): Machine identifier
  • __payment_sid (30 min): Session identifier
  • payment_csrf (session): Security token
  • __payment_props (1 min): Checkout state
  • checkout_session (24 hours): Payment session

Data Shared:

  • Payment card details (tokenized)
  • Billing address
  • Email for receipts
  • IP address for fraud detection
  • Device fingerprint
  • Transaction amount and currency
Data Location:

United States (Privacy Shield certified)

Retention:

As required by law (typically 7 years)

User Control:

Data deletion requests via support

DPA Status:

Yes - DPA with enhanced security measures

Cloudflare Security & Performance

Essential
WebsitePrivacy Policy

Purpose:

DDoS protection, bot mitigation, and content delivery optimization

Cookies Set:

  • __cf_bm (30 min): Bot detection
  • __cfruid (session): Rate limiting
  • cf_clearance (1 year): Challenge passed
  • __cflb (23 hours): Load balancing

Data Shared:

  • IP address
  • Request headers
  • TLS/SSL information
  • Performance metrics
Data Location:

Global network (data localization available)

Retention:

24 hours for logs

User Control:

Limited - essential for security

DPA Status:

Yes - Enterprise agreement with GDPR compliance

Subprocessor List

Our third-party services may use subprocessors. We maintain a current list of all subprocessors and notify users of changes via our privacy updates. Key subprocessors include:

  • • Amazon Web Services (AWS) - Infrastructure hosting
  • • Google Cloud Platform - Analytics processing
  • • Cloudflare - Content delivery and security
  • • SendGrid - Transactional email delivery

Your Rights Under GDPR (European Union Residents)

If you are located in the European Union, European Economic Area, or United Kingdom, you have the following rights regarding cookie data under GDPR Articles 15-22:

Article 15 - Right of Access

You can request a copy of all cookie data we hold about you, including:

  • • Categories of cookies storing your data
  • • Purposes of each cookie category
  • • Third parties with access to cookie data
  • • Retention periods for each cookie type
  • • The logic involved in any automated decision-making

Article 16 - Right to Rectification

You can request correction of inaccurate cookie data or completion of incomplete data. This is limited as cookies typically contain identifiers rather than descriptive personal data.

Article 17 - Right to Erasure ('Right to be Forgotten')

You can request deletion of cookie data when:

  • • The data is no longer necessary for original purposes
  • • You withdraw consent (for consent-based cookies)
  • • You object to processing under legitimate interests
  • • The data has been unlawfully processed
  • • Erasure is required by law

Article 18 - Right to Restriction

You can request we limit cookie processing while disputes are resolved regarding accuracy, lawfulness, or our legitimate interests.

Article 20 - Right to Data Portability

You can receive your cookie data in a structured, commonly used, machine-readable format (JSON/CSV) and transmit it to another controller.

Article 21 - Right to Object

You can object to cookie processing based on legitimate interests or for direct marketing. We must stop unless we demonstrate compelling legitimate grounds.

Article 22 - Automated Decision Making

You have the right not to be subject to decisions based solely on automated cookie data processing that significantly affects you.

How to Exercise Your GDPR Rights

  1. 1. Submit Request: Use our contact form with "GDPR Request" as subject
  2. 2. Identity Verification: We may request proof of identity to protect your data
  3. 3. Response Timeline: We respond within 30 days (extendable to 90 days for complex requests)
  4. 4. No Fee: Exercising rights is free unless requests are manifestly unfounded or excessive
  5. 5. Lodge Complaint: You can complain to your local Data Protection Authority if unsatisfied

Your Rights Under CCPA (California Residents)

The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide California residents with specific rights regarding personal information collected through cookies:

Right to Know

You can request disclosure of:

  • • Categories of personal information collected via cookies
  • • Specific pieces of information collected
  • • Sources of cookie data collection
  • • Business purposes for collecting
  • • Third parties with whom we share data

Right to Delete

You can request deletion of personal information collected via cookies, subject to exceptions:

  • • Complete transactions you initiated
  • • Detect security incidents
  • • Debug and repair functionality
  • • Exercise free speech rights
  • • Comply with legal obligations

Right to Opt-Out

You have the right to opt-out of the "sale" or "sharing" of personal information:

WE DO NOT SELL PERSONAL INFORMATION

However, some cookie data sharing might be considered a "sale" under CCPA's broad definition.

Right to Non-Discrimination

We will not discriminate against you for exercising privacy rights. You will not experience:

  • • Denial of goods or services
  • • Different prices or rates
  • • Different quality of service
  • • Suggestions you may receive different treatment

Additional CPRA Rights (Effective 2023)

Right to Correct

Request correction of inaccurate personal information in our cookie data.

Right to Limit Use

Limit use and disclosure of sensitive personal information collected via cookies.

How to Submit a CCPA Request

Methods to Submit Requests:

  • • Online: Contact Form (select "CCPA Request")
  • • Authorized Agent: Agents must provide written authorization

Verification Process: We verify identity through account authentication or government ID to prevent fraud.

Response Time: 45 days (extendable by additional 45 days with notice)

Annual Privacy Rights Metrics: As required by CCPA, we disclose that in the previous calendar year, we received 0 verifiable consumer requests. We maintain metrics on request types, response times, and outcomes.

Managing Your Cookies

Important Note

Disabling essential cookies may prevent you from accessing certain features of our platform, including course content and progress tracking. We recommend keeping essential cookies enabled for the best learning experience.

Browser-Specific Instructions

Chrome

Settings → Privacy and security → Cookies and other site data

Guide

Firefox

Settings → Privacy & Security → Cookies and Site Data

Guide

Safari

Preferences → Privacy → Manage Website Data

Guide

Edge

Settings → Cookies and site permissions → Cookies and site data

Guide

Cookie Settings on FreeGCP

You can manage your cookie preferences directly on our platform:

  1. 1. Log in to your FreeGCP account
  2. 2. Navigate to Account Settings
  3. 3. Click on "Privacy Preferences"
  4. 4. Adjust your cookie settings as desired

International Data Transfers

Cookie data may be transferred internationally as part of our global service delivery. We ensure all transfers comply with applicable data protection laws through appropriate safeguards:

Transfer Mechanisms

EU-US Data Privacy Framework

For transfers to US-based services certified under the new framework replacing Privacy Shield.

Standard Contractual Clauses (SCCs)

EU Commission-approved clauses ensuring adequate protection for data transfers outside the EEA.

Adequacy Decisions

Transfers to countries deemed adequate by the EU Commission (UK, Canada, Japan, etc.)

Binding Corporate Rules (BCRs)

For transfers within multinational organizations with approved internal policies.

Transfer Impact Assessment (TIA)

Following Schrems II requirements, we conduct assessments for each international transfer:

  • Evaluate laws of destination country regarding government data access
  • Implement supplementary measures (encryption, pseudonymization) where needed
  • Document assessment outcomes and review annually
  • Suspend transfers if adequate protection cannot be ensured

Your Rights Regarding International Transfers

You have the right to:

  • • Be informed about transfers of your cookie data outside your country
  • • Request information about safeguards in place
  • • Object to transfers in certain circumstances
  • • Receive a copy of transfer safeguards documentation

Cookie Consent & Withdrawal

Consent Requirements

Under GDPR and similar laws, valid consent for non-essential cookies must be:

  • Freely given:No coercion or negative consequences for refusing
  • Specific:Separate consent for different cookie purposes
  • Informed:Clear information about data processing
  • Unambiguous:Clear affirmative action required

How We Obtain Consent

Cookie Banner

First-time visitors see a clear banner with options to accept all, reject non-essential, or customize preferences.

Granular Controls

Separate toggles for each cookie category allow specific consent choices.

Consent Records

We maintain records of consent including timestamp, version, and specific categories accepted.

Withdrawing Consent

You can withdraw cookie consent at any time. This is as easy as giving consent:

  1. 1. Cookie Settings: Access preferences via the cookie icon in footer or account settings
  2. 2. Browser Controls: Delete cookies and adjust browser settings
  3. 3. Account Preferences: Logged-in users can manage via dashboard
  4. 4. Contact Support: Request assistance through our contact form

Note: Withdrawing consent doesn't affect lawfulness of processing before withdrawal.

Cookie Walls & Access

We do NOT use "cookie walls" that require accepting non-essential cookies to access our service. You can use FreeGCP with only essential cookies enabled, though some features may be limited:

  • • Course progress tracking may not persist between sessions
  • • Personalized recommendations will be disabled
  • • Some video player preferences won't be saved
  • • Analytics-based features will be unavailable

Children's Privacy & Cookies

Age Restrictions and Protections

FreeGCP is designed for adult learners and professionals. We do not knowingly collect cookie data from children under 16 (or applicable age of consent in your jurisdiction). If we discover such collection, we immediately delete the data.

Parental Rights

If you believe your child has accessed our services without permission:

  • 1.Contact us immediately via our contact form
  • 2.We will verify and delete any data collected
  • 3.We will block the account from future access
  • 4.You may request all data collected about your child

COPPA Compliance (US)

We comply with the Children's Online Privacy Protection Act by not collecting data from users under 13 without verifiable parental consent.

GDPR-K (EU)

For EU residents, we apply enhanced protections for users under 16, including no profiling or marketing cookies for detected minors.

Cookie Auditing & Compliance Monitoring

Regular Cookie Audits

We conduct comprehensive cookie audits to ensure ongoing compliance:

Quarterly Technical Audits

  • • Automated cookie scanning across all pages
  • • Third-party cookie detection
  • • Consent mechanism testing
  • • Data flow mapping updates
  • • Security header verification

Annual Compliance Review

  • • Legal requirements assessment
  • • Privacy policy alignment
  • • Third-party contract reviews
  • • Data retention compliance
  • • Cross-border transfer evaluation

Audit Results & Transparency

Latest Audit Summary

Last audit completed: July 20, 2025

  • • Total cookies identified: 47
  • • New cookies since last audit: 2
  • • Removed/deprecated cookies: 5
  • • Compliance issues found: 0

Cookie Inventory Maintenance

We maintain a detailed inventory of all cookies including:

  • • Cookie name and domain
  • • Purpose and description
  • • Category (essential, functional, etc.)
  • • Duration and expiry
  • • First/third party status
  • • Data collected and shared
  • • Legal basis for processing
  • • Associated privacy risks

Your Rights

You have full control over cookies and how we use them. Your rights include:

You Can:

  • Accept or reject any non-essential cookies
  • Delete cookies at any time through your browser
  • Change your preferences at any time
  • Request information about cookies we store

We Never:

  • Sell cookie data to third parties
  • Use cookies for targeted advertising
  • Track you across other websites
  • Store sensitive personal information in cookies

Updates to This Policy

We may update this Cookie Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. When we make changes:

  • We'll update the "Last updated" date at the top of this policy
  • For significant changes, we'll notify you via email or through a notice on our platform
  • We'll provide a summary of key changes if the updates are substantial

Contact Us

If you have any questions about our Cookie Policy or how we use cookies, we're here to help:

Cookie Inquiries

For questions specifically about cookies and privacy preferences

Contact Privacy Team

General Support

For all other inquiries and support requests

Visit Contact Page

Your privacy matters to us. We're committed to transparency and giving you control over your data.

Important Legal Disclaimers

LIMITATION OF LIABILITY

TO THE MAXIMUM EXTENT PERMITTED BY LAW, FREEGCP AND ITS AFFILIATES, OFFICERS, EMPLOYEES, AGENTS, PARTNERS, AND LICENSORS WILL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR ANY LOSS OF PROFITS OR REVENUES, WHETHER INCURRED DIRECTLY OR INDIRECTLY, OR ANY LOSS OF DATA, USE, GOODWILL, OR OTHER INTANGIBLE LOSSES RESULTING FROM YOUR USE OF COOKIES OR OUR SERVICES.

IN NO EVENT SHALL OUR AGGREGATE LIABILITY FOR ALL CLAIMS RELATED TO COOKIES OR THE SERVICES EXCEED ONE DOLLAR ($1.00 USD).

NO WARRANTIES

THE COOKIE FUNCTIONALITY AND RELATED SERVICES ARE PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTY OF ANY KIND. WE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.

INDEMNIFICATION

You agree to indemnify, defend, and hold harmless FreeGCP from any claims, losses, damages, liabilities, including legal fees and expenses, arising out of your use or misuse of cookies, violation of this policy, or violation of any third-party rights.

GOVERNING LAW & ARBITRATION

This Cookie Policy is governed by the laws of the State of California, USA. Any disputes must be resolved through binding arbitration in California in accordance with the American Arbitration Association rules. YOU WAIVE YOUR RIGHT TO A JURY TRIAL AND TO PARTICIPATE IN CLASS ACTIONS.