Cookies & Tracking Technologies

Last updated: April 2026

This page explains how MultiMail uses cookies, local storage, and tracking technologies on its marketing website (multimail.dev). It supplements our Privacy Policy.

1. What we use and why

MultiMail uses Meta Pixel (provided by Meta Platforms, Inc.) and Google Ads gtag.js (provided by Google LLC) on five marketing pages to measure ad-attribution conversions. We are not currently running paid ad campaigns; these scripts are installed to accumulate conversion-history data so that when paid campaigns launch, the bidding algorithms have a learning-phase head start.

2. Cookie and storage inventory

Name	Set by	Type	Purpose	Duration	Consent required
`_fbp`	Meta Pixel (`connect.facebook.net`)	First-party cookie	Identifies the browser for Meta ad-attribution	90 days	Yes
`_gcl_au`	Google Ads gtag.js (`googletagmanager.com`)	First-party cookie	Stores Google Ads conversion-linker data	90 days	Yes
`mm_consent_v2`	MultiMail (`attribution.js`)	localStorage	Records your consent choice (granted/denied) so we do not re-prompt	1 year	No (strictly necessary for consent management)
`mm_attribution_v1`	MultiMail (`attribution.js`)	localStorage	Stores click IDs (`gclid`, `fbclid`, `msclkid`) and UTM parameters from your landing-page URL for first/last touch attribution	Until cleared	No (first-party, no PII, not shared with third parties pre-signup)
`cf_clearance`	Cloudflare Turnstile (signup page only)	First-party cookie	Records that you passed the Turnstile bot-detection challenge	Session	No (strictly necessary for bot protection)

The MultiMail API does not set cookies. Authentication uses API keys in request headers.

3. Consent mechanism

Visitors in the European Economic Area (EEA) and the United Kingdom see a consent banner before any tracking scripts load. The banner offers two choices:

Accept — Meta Pixel and Google Ads scripts are loaded; _fbp and _gcl_au cookies may be set.
Reject non-essential — tracking scripts are never loaded; no third-party cookies are set.

Visitors with Global Privacy Control (GPC) enabled are automatically treated as “denied” and never see the banner. Their privacy signal is honored as a settled choice.

Visitors outside the EEA/UK without GPC receive tracking scripts by default (consent is implied under applicable law). They may opt out at any time using the instructions in Section 5 below.

We use Google Consent Mode v2 to communicate your consent choice to Google Ads. When consent is denied, ad_storage, ad_user_data, ad_personalization, and analytics_storage are all set to denied, and Google Ads does not write cookies or collect user data.

4. Click identifiers and UTM parameters

When you arrive at a MultiMail marketing page via a link containing click identifiers (gclid, fbclid, msclkid) or UTM parameters (utm_source, utm_medium, utm_campaign, utm_content, utm_term), we capture these values in your browser’s localStorage under the key mm_attribution_v1.

This data:

Is stored locally in your browser only — it is not transmitted to our servers unless you complete a signup.
Contains no personally identifiable information (no email, name, or device fingerprint).
Is used solely to attribute signups to the marketing channel that referred them.
Is capped at 256 characters per parameter and 4,096 bytes total.

Because this data is first-party, does not identify you, and is not shared with third parties until you take a deliberate action (signing up), it does not require prior consent under UK PECR or the ePrivacy Directive. It falls within the “strictly necessary” exemption for analytics that the site operator needs to measure the effectiveness of its own marketing.

5. How to opt out

Withdraw consent (EEA/UK visitors)

Open your browser’s developer tools (F12), go to the Application > Local Storage panel, and delete the entry mm_consent_v2 for multimail.dev. On your next visit, the consent banner will reappear and you can choose “Reject non-essential.”

Clear attribution data

In the same Local Storage panel, delete the entry mm_attribution_v1. This removes all stored click IDs and UTM parameters.

Browser-level controls

Enable Global Privacy Control (GPC) in your browser or via an extension. MultiMail honors GPC as an automatic opt-out.
Use your browser’s built-in cookie controls to block third-party cookies from facebook.com and google.com domains.
Install an ad blocker that blocks connect.facebook.net and googletagmanager.com.

Platform opt-outs

Meta: Ad Preferences
Google: Ads Settings

6. Data shared with third parties

When consent is granted, the following data may be transmitted to third parties:

Meta Platforms, Inc. — page URL, browser user agent, IP address (collected by the Meta Pixel script). Meta’s data use is governed by Meta’s Privacy Policy.
Google LLC — page URL, browser user agent, IP address (collected by gtag.js). Google’s data use is governed by Google’s Privacy Policy.

When consent is denied (or not yet granted), no data is transmitted to Meta or Google. Scripts are not loaded, and no network requests are made to their domains.

7. Pages where tracking is active

Tracking scripts are loaded on these five marketing pages only:

Home (index.html)
Pricing (pricing.html)
Welcome (welcome.html)
Billing Success (billing-success.html)
Confirm (confirm.html)

The API (api.multimail.dev), documentation pages, and all other pages do not load tracking scripts.

8. Changes to this page

We will update this page when we add, remove, or change tracking technologies. The “Last updated” date at the top reflects the most recent change.

9. Contact

Questions about cookies or tracking: [email protected]