Legal · Cookies & Tracking

Cookie Policy

Version 1.3 Effective April 1, 2026 Applies to paymullet.com and the Merchant Dashboard

Plain-English summary

Cookies are small text files websites store on your device. We use strictly necessary cookies to run the site (session, CSRF, load balancing) — those can't be turned off. Everything else — preferences, analytics, marketing — is off by default until you explicitly consent. You can change your choices at any time using the cookie settings link.

Manage your preferences. Open cookie settings — your choice is stored locally on this device and in our server-side consent log.

What is a cookie?

A cookie is a small file a website places on your browser. Similar technologies include pixel tags, local storage, session storage, and device fingerprints. In this policy we use “cookie” to refer to all of them collectively.

Categories we use

We group cookies into four categories. You have independent control over three of them (the fourth is required for the site to function):

Strictly necessary. Session ID, CSRF token, load-balancer stickiness, cookie-consent itself. Always on — the site will not function without them. No marketing or analytics data flows through these.
Preferences. Remember your theme (light/dark), saved form inputs, last-viewed pages, and region. Off by default.
Analytics. Anonymous, aggregated usage data that helps us understand which pages people visit and where the site slows down. Off by default.
Marketing. Conversion tracking and ad retargeting placed by third parties on our behalf (e.g., Google Ads, LinkedIn Insight Tag). Off by default.

The full cookie inventory

Here is every cookie or storage key our public site may set, why, who reads it, and how long it persists.

Strictly necessary

pm_session — Authenticates your Dashboard session. First-party. Session only (expires when you close the tab) unless you check “remember this device” in which case 30 days.
pm_csrf — Cross-site-request-forgery token. First-party. Session only.
pm_lb — Load-balancer stickiness. First-party. 8 hours.
pm_consent_v1 — Your cookie choices. First-party localStorage. 12 months.

Preferences

pm_theme — Light / dark / system preference. First-party localStorage. 12 months.
pm_region — Remember country, currency, and applicable disclosures. First-party. 12 months.
pm_form_draft_* — Saves in-progress forms so you don’t lose work on refresh. First-party localStorage. 7 days.

Analytics

_ga, _ga_* — Google Analytics 4 (G4) with IP anonymization and data sharing disabled. Third-party (Google LLC). 13 months. Google’s privacy policy.
pm_sess_anon — Anonymous session ID used by our own aggregated analytics. First-party. 30 minutes of inactivity.

Marketing

_gcl_* — Google Ads conversion tracking. Third-party. 90 days.
li_* — LinkedIn Insight Tag for B2B retargeting. Third-party. 180 days.
fbp — Meta Pixel for retargeting on Facebook and Instagram. Third-party. 90 days.

How we obtain consent

On your first visit we show a banner asking whether you accept all, reject non-essential, or want to customize per category. No analytics or marketing cookies fire until you make a choice. If you reject non-essential, we record that rejection so we don’t ask again on subsequent visits (for 12 months or until you clear your browser storage).

Global Privacy Control (GPC)

If your browser sends a Sec-GPC: 1 header, we treat that as a request to opt out of “sale” and “sharing” of personal information under CCPA/CPRA. We will not show the marketing-cookie banner option and will record the opt-out automatically. To learn more about GPC, visit globalprivacycontrol.org.

Do Not Track (DNT)

Because there is no industry-wide agreement on how to interpret Do Not Track, we do not currently respond to DNT signals. We do honor the successor standard, GPC (above).

How to change or withdraw your consent

On this site: Open cookie settings at any time to change or withdraw.
In your browser: Most browsers let you block or delete cookies. See help for Chrome, Firefox, Safari, or Edge.
Industry opt-outs: DAA WebChoices and NAI Consumer Opt Out.

What happens if you reject everything non-essential

The site will still work exactly the same. You may see the same generic PayMullet ads elsewhere on the web (we won’t know you’ve been to our site), and the quality of our analytics will be lower, but nothing on paymullet.com breaks.

Merchants: your own site

If you embed PayMullet payment elements on your site, it is your responsibility to maintain a cookie notice and obtain consent as required by law for any of your cookies and for any analytics you point at our payment pages. Our hosted checkout pages set only strictly necessary cookies.

Changes to this policy

When we materially change this policy, we will bump the Version number above and post a summary in the Dashboard. Material changes that require new consent will trigger a fresh banner.

Contact us

Questions about cookies: privacy@paymullet.com. To exercise data-subject rights under the CCPA/CPRA, GDPR, or similar laws, see the Privacy Policy or our Do Not Sell / Share page.