Cookie Policy

Effective date: February 17, 2026 | Version: 2026.02-global

This Cookie Policy defines how cookies and similar technologies are used for service reliability, consent management, analytics, and lawful personalization on VelisAds Network.

Consent and tracking obligations may differ by region and must be implemented accordingly.

Scope and Applicability

  1. Applies to browser cookies, local storage, pixels, and similar tracking identifiers.
  2. Applies to first-party and approved third-party technologies used in platform workflows.
  3. Applies to desktop web, mobile web, and app webview traffic.
  4. Applies to essential, analytics, fraud-prevention, and consented personalization use cases.
  5. Applies to cookie notice UX, consent logging, and preference synchronization systems.
  6. Applies to all domains and subdomains linked to verified publisher inventory.

Mandatory Requirements

Consent and Preference Management

  • Non-essential cookies must not load before valid consent where law requires prior consent.
  • Reject and withdraw options must be as accessible as accept options.
  • Consent records must include timestamp, version, and context metadata.
  • Preference updates must take effect quickly across active sessions.

Cookie Classification and Disclosure

  • Each cookie must have a documented purpose, owner, and retention duration.
  • Cookie descriptions must be clear and understandable for users.
  • Third-party trackers must be reviewed before activation.
  • Deprecated cookies must be removed from code and policy inventory.

Security and Integrity Controls

  • Security-sensitive cookies must use appropriate Secure and SameSite settings.
  • Session identifiers must be rotated after privileged state changes.
  • Cookie scopes must be minimized to reduce unnecessary cross-domain exposure.
  • Consent states must be protected against client-side tampering and abuse.

Prohibited Practices

  1. Dropping non-essential tracking cookies before consent in consent-required regions.
  2. Labeling advertising trackers as strictly necessary without legal justification.
  3. Using hidden scripts to bypass explicit user preferences.
  4. Recreating deleted identifiers through undisclosed fingerprinting techniques.
  5. Ignoring opt-out and withdrawal actions from verified users.
  6. Transferring cookie identifiers to unauthorized third parties.
  7. Tracking minors in ways prohibited by child-protection laws.
  8. Disabling consent interfaces while continuing behavioral tracking.

Governance, Monitoring, and Enforcement

  1. Cookie inventory reviews must run periodically and before major releases.
  2. Consent UX changes require legal and compliance approval.
  3. Tag scanning must detect unauthorized trackers and policy drift.
  4. Operational logs must support regulator-ready consent evidence.
  5. Violations may trigger tag suspension and incident escalation.
  6. Rollback plans are required for consent framework deployments.
  7. Support requests related to cookies must be triaged with evidence logs.
  8. Policy updates are versioned and published with effective dates.

Global Source Links and Standards

  1. EU ePrivacy Directive 2002/58/EC
  2. EU GDPR, Regulation (EU) 2016/679
  3. California Privacy Protection Agency (CPPA)
  4. ICO Cookies Guidance
  5. IAB Europe Transparency and Consent Framework
  6. NIST Privacy Framework
  7. FTC Privacy and Data Security Guidance
  8. W3C Tracking Preference Expression

Operational Interpretation and Regional Mapping

These requirements should be interpreted as global baseline controls for a live ad operations platform. Teams must map each requirement to local legal obligations, contractual duties, and traffic-source constraints before enabling production delivery at scale.

When regional regulations impose stricter standards, the stricter standard applies. Where legal ambiguity exists, operations should default to least-risk handling and documented escalation to legal or compliance owners.

Policy-to-Workflow Mapping

  • Map each policy control to one concrete workflow checkpoint.
  • Define accountable owner, review cadence, and evidence source.
  • Link policy failures to clear remediation and rollback actions.
  • Track policy exceptions with expiry and approval metadata.

Evidence and Audit Quality

  • Keep verifiable logs for approvals, enforcement, and account state changes.
  • Maintain immutable records for policy acceptance and version changes.
  • Preserve incident evidence with timestamp accuracy and actor context.
  • Support regulator and partner audits with structured evidence retrieval.

Release and Change Governance

  • Run policy impact review before major workflow or billing changes.
  • Gate high-risk releases behind compliance and security readiness checks.
  • Document rollback criteria for policy or abuse regressions.
  • Communicate material policy updates with effective-date clarity.

Extended Compliance Checklist

  1. Confirm access controls for admin, publisher, advertiser, and support roles.
  2. Verify domain ownership, sitemap coverage, and install-code integrity before launch.
  3. Validate ad creatives, landing behavior, and category eligibility rules.
  4. Ensure budget, spend, and settlement paths align with billing model selection.
  5. Run fraud and abuse controls for both ad-serving and click attribution pathways.
  6. Confirm user data handling for consent, retention, and rights-response timelines.
  7. Check payout safeguards, webhook integrity, and transaction audit visibility.
  8. Review security events, incident triage flow, and postmortem documentation quality.
  9. Ensure policy pages remain reachable, indexable, and version-consistent in sitemap.
  10. Require periodic policy refresh training for operational and support teams.

Policy FAQ for Operations Teams

How often should this policy be reviewed?

Review before each major release and at recurring governance intervals, especially when billing logic, targeting controls, or verification workflows change.

What happens if live behavior conflicts with policy text?

Live enforcement should default to the safer behavior immediately, then trigger an incident review and a documented correction to either the implementation or the policy wording.

How should teams handle partner-specific requirements?

Apply partner requirements as stricter overlays where needed, while preserving baseline platform controls and maintaining auditable policy-to-process mapping.