OroCommerce / oroinc.com
Effective date: 21 May 2026 | Last updated: 21 May 2026
About this Cookie Policy
This Cookie Policy explains how Oro Inc. (“Oro,” “we,” “us,” or “our”) uses cookies and similar technologies on the OroCommerce website at https://oroinc.com and its sub-domains (the “Site”). It describes what these technologies are, why we use them, who places them, what data they may collect about you, how long they stay on your device, and the choices you have to control them.
This Cookie Policy should be read together with our Privacy Policy, which explains how we process personal data more generally, and our Terms of Use. In case of any conflict between this Cookie Policy and our Privacy Policy regarding cookies and similar technologies, this Cookie Policy prevails.
What cookies are
Cookies are small text files that a website places on your device (computer, tablet, mobile phone) when you visit. They are widely used to make websites work efficiently, to remember your preferences, to analyse how the Site is used, and to deliver relevant marketing.
We also use related technologies such as pixels, web beacons, tags, software development kits (SDKs), and local-storage objects. For simplicity, in this Cookie Policy we refer to all of these as “cookies.”
Cookies can be grouped in two ways:
- By who sets them — first-party cookies are set by oroinc.com; third-party cookies are set by a partner whose service is loaded on our Site (for example, Google, HubSpot or LinkedIn).
- By how long they stay — session cookies are deleted when you close your browser; persistent cookies remain on your device until they expire or you delete them.
Legal basis for using cookies
We use cookies on the following legal bases under the EU and UK General Data Protection Regulation (together, the “GDPR”), the ePrivacy Directive 2002/58/EC and, in the United Kingdom, the Privacy and Electronic Communications Regulations 2003 (“PECR”):
- Strictly Necessary cookies — we rely on the “strictly necessary” exemption under Article 5(3) of the ePrivacy Directive (and the equivalent UK rule) and, where personal data is processed, on our legitimate interests under Article 6(1)(f) GDPR (operating and securing the Site). These cookies do not require your consent.
- Functional and Marketing cookies — we rely on your consent under Article 6(1)(a) GDPR and Article 5(3) of the ePrivacy Directive. We set these cookies only after you have given your consent through our cookie banner or preference center.
Categories of cookies we use
We group cookies into three categories: Strictly Necessary (Essential), Functional, and Marketing. The tables below list every cookie used on the Site at the date this Cookie Policy was last updated. The list is reviewed regularly and may change; you can always see the current list in our preference center.
Strictly Necessary cookies (Essential)
These cookies are required for the Site to function and cannot be switched off in our systems. They are typically set in response to actions you take, such as logging in, filling in a form, or setting your privacy preferences. They also include security cookies that protect the Site against fraud, abuse and automated bot traffic. You can configure your browser to block these cookies, but parts of the Site may not work as intended.
| Provider | Cookie name | First / Third party | Duration | Purpose |
|---|---|---|---|---|
| WordPress Core | wordpress_[hash] | First-party | Session | Stores authentication details for the /wp-admin/ area. |
| WordPress Core | wordpress_logged_in_[hash] | First-party | 14 days | Identifies the logged-in user and manages the Site interface for that user. |
| WordPress Core | wordpress_test_cookie | First-party | Session | Tests whether cookies are enabled in your browser. |
| WordPress Core | wp-settings-{time}-[UID] | First-party | 1 year | Stores personal UI settings for the admin dashboard. |
| LifterLMS | llms_visitor_id | First-party | 1 year | Tracks unique visitors to support course progress functionality. |
| LifterLMS | llms_sid | First-party | Session | Manages student session state and course interactions. |
| Redis Cache | (optional session cookie) | First-party | Session | May be set if server-side object caching is linked to a user session. |
| Cloudflare | __cf_bm | Third-party (Cloudflare, Inc.) | 30–60 minutes | Bot management; identifies and blocks automated traffic while allowing legitimate users. |
| Cloudflare | cf_clearance | Third-party (Cloudflare, Inc.) | Up to 1 year | Confirms that you have successfully passed a security challenge (e.g., Turnstile / CAPTCHA). |
| Cloudflare | _cfuvid | Third-party (Cloudflare, Inc.) | Session | Rate limiting; distinguishes individual users sharing the same IP address to apply security rules. |
Functional cookies
These cookies enable enhanced functionality and personalisation. They help remember your sign-in state on the front end, balance traffic across our servers, optimise page caching, and protect submission forms from spam and automated abuse. If you do not allow these cookies, some features of the Site may not work properly.
| Provider | Cookie name | First / Third party | Duration | Purpose |
|---|---|---|---|---|
| Google reCAPTCHA | _GRECAPTCHA | Third-party (Google LLC) | 6 months | Risk analysis and spam protection on forms. |
| W3 Total Cache | w3tc_referrer | First-party | Session | Tracks the referring page to support caching logic. |
| Theme My Login | tml_login | First-party | 14 days | Custom login persistence for front-end user profiles. |
| Cloudflare | __cflb | Third-party (Cloudflare, Inc.) | Session | Load balancing; keeps you on the same server during your visit. |
Marketing cookies (including analytics and advertising)
These cookies help us understand how visitors interact with the Site, measure the effectiveness of our marketing campaigns, build a profile of your interests, and show you relevant Oro content on this Site and on third-party platforms (such as search engines, social networks and advertising networks). They are set by us and by carefully selected third-party providers, and some of them enable cross-site tracking.
Where these cookies involve a transfer of your personal data outside the EU/EEA or the United Kingdom — for example to the United States — we rely on the safeguards described in Section 6 below.
| Provider | Cookie name | First / Third party | Duration | Purpose |
|---|---|---|---|---|
| Google Analytics 4 | _ga | Third-party (Google LLC, US — DPF-certified) | 2 years | Distinguishes unique users and calculates visitor statistics. |
| Google Analytics 4 | _ga_* | Third-party (Google LLC, US — DPF-certified) | 2 years | Persists and maintains session state for analytics. |
| HubSpot | __hstc | Third-party (HubSpot, Inc., US — DPF-certified) | 6 months | Main visitor-tracking cookie (domain, utk, initial/most-recent timestamps). |
| HubSpot | hubspotutk | Third-party (HubSpot, Inc., US — DPF-certified) | 6 months | Identifies a visitor for CRM synchronisation. |
| HubSpot | __hssc | Third-party (HubSpot, Inc., US — DPF-certified) | 30 minutes | Tracks sessions to determine whether session count should be incremented. |
| Sourcebuster.js | sbjs_first | First-party | 6 months | Stores the very first acquisition source of the user. |
| Sourcebuster.js | sbjs_current | First-party | 6 months | Stores the current acquisition source (UTM parameters, etc.). |
| Sourcebuster.js | sbjs_session | First-party | 30 minutes | Identifies the current browsing session for traffic-source attribution. |
| Sourcebuster.js | sbjs_first_add | First-party | 6 months | Stores additional first-visit data (entrance page, timestamp). |
| Sourcebuster.js | sbjs_current_add | First-party | 6 months | Stores additional current-visit data (entrance page, timestamp). |
| Sourcebuster.js | sbjs_migrations | First-party | 6 months | Internal library migration and data consistency. |
| Hotjar | _hjSessionUser_* | Third-party (Contentsquare SA, France) | 1 year | Attributes data from subsequent visits to the same user ID. |
| Hotjar | _hjSession_* | Third-party (Contentsquare SA, France) | 30 minutes | Attributes subsequent requests to the same session. |
| Microsoft Bing Ads (UET) | _uetsid | Third-party (Microsoft Corporation, US — DPF-certified) | 24 hours | Stores a unique session ID to track conversions and visitor behaviour. |
| Microsoft Bing Ads (UET) | _uetvid | Third-party (Microsoft Corporation, US — DPF-certified) | 13 months | Stores a unique visitor ID to track users across multiple sessions. |
| Google Conversion Linker | _gcl_au | Third-party (Google LLC, US — DPF-certified) | 90 days | Stores ad-click information to improve conversion attribution. |
| LinkedIn Insight | li_fat_id | Third-party (LinkedIn Ireland UC / LinkedIn Corp., US — DPF-certified) | 30 days | First-party identifier for conversion tracking and member retargeting. |
| LinkedIn Insight | UserMatchHistory | Third-party (LinkedIn Ireland UC / LinkedIn Corp., US — DPF-certified) | 30 days | Used for ID syncing and ad targeting based on site behaviour. |
| ZoomInfo | _ziid | Third-party (ZoomInfo Technologies LLC, US) | 1 year | Identifies and de-anonymises business entities visiting the Site. |
Your choices and how to manage cookies
Cookie banner and preference center
When you first visit the Site (and again whenever we make a material change), we display a cookie banner that lets you:
- Accept all cookies;
- Reject all non-essential cookies; or
- Customise your choices by category (Functional, Marketing).
The “Reject all” option is displayed with equal visual prominence to “Accept all,” and all non-essential categories are switched off by default. We do not set Functional or Marketing cookies until you give your consent.
You can change or withdraw your consent at any time by clicking the “Cookie settings” link in the footer of every page on the Site. Withdrawing your consent will not affect the lawfulness of processing that took place before you withdrew it. We will ask you to renew your consent at least every 12 months and whenever the cookies we use change in a material way.
Browser controls
Most browsers allow you to block, delete or be alerted about cookies. The exact steps depend on your browser; instructions are available here:
- Google Chrome — https://support.google.com/chrome/answer/95647
- Mozilla Firefox — https://support.mozilla.org/kb/cookies-information-websites-store-on-your-computer
- Apple Safari — https://support.apple.com/guide/safari/manage-cookies-sfri11471/mac
- Microsoft Edge — https://support.microsoft.com/microsoft-edge/delete-cookies-in-microsoft-edge-63947406-40ac-c3b8-57b9-2a946a29ae09
We honour the Global Privacy Control (“GPC”) signal where applicable law requires us to do so. Browser “Do Not Track” (DNT) signals are not currently subject to a uniform standard, and the Site does not respond to them.
Opt-outs offered by third-party providers
You can opt out of certain third-party tracking directly with the provider:
- Google Analytics — https://tools.google.com/dlpage/gaoptout
- Google advertising — https://adssettings.google.com
- Hotjar — https://www.hotjar.com/legal/compliance/opt-out
- Microsoft (Bing / UET / LinkedIn) — https://account.microsoft.com/privacy/ad-settings
- LinkedIn — https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
- HubSpot — https://legal.hubspot.com/privacy-policy
- ZoomInfo — https://www.zoominfo.com/about-zoominfo/privacy-policy
- Network Advertising Initiative — https://optout.networkadvertising.org/
- Digital Advertising Alliance — https://optout.aboutads.info/
- Your Online Choices (EU) — https://www.youronlinechoices.eu/
Children
The Site is intended for business users and is not directed to children under 16. We do not knowingly place non-essential cookies on devices used by children under 16. If you believe that we have inadvertently collected personal data from a child, please contact us at [email protected] and we will delete it.
Changes to this Cookie Policy
We may update this Cookie Policy from time to time to reflect changes in the cookies we use, in applicable law, or in our business. When we make a material change, we will update the “Effective date” and “Last updated” date at the top of this page and, where appropriate, ask you to renew your consent through the cookie banner. We encourage you to review this Cookie Policy periodically.