Skip over navigation

Cookie Policy

OroCommerce / oroinc.com

Effective date: 21 May 2026 | Last updated: 21 May 2026

About this Cookie Policy

This Cookie Policy explains how Oro Inc. (“Oro,” “we,” “us,” or “our”) uses cookies and similar technologies on the OroCommerce website at https://oroinc.com and its sub-domains (the “Site”). It describes what these technologies are, why we use them, who places them, what data they may collect about you, how long they stay on your device, and the choices you have to control them.

This Cookie Policy should be read together with our Privacy Policy, which explains how we process personal data more generally, and our Terms of Use. In case of any conflict between this Cookie Policy and our Privacy Policy regarding cookies and similar technologies, this Cookie Policy prevails.

What cookies are

Cookies are small text files that a website places on your device (computer, tablet, mobile phone) when you visit. They are widely used to make websites work efficiently, to remember your preferences, to analyse how the Site is used, and to deliver relevant marketing.

We also use related technologies such as pixels, web beacons, tags, software development kits (SDKs), and local-storage objects. Certain tools may send basic, non-identifying device and consent-state data to your vendors even if cookies are rejected. For simplicity, in this Cookie Policy we refer to all of these as “cookies.”

Cookies can be grouped in two ways:

  • By who sets them — first-party cookies are set by oroinc.com; third-party cookies are set by a partner whose service is loaded on our Site (for example, Google, HubSpot or LinkedIn).
  • By how long they stay — session cookies are deleted when you close your browser; persistent cookies remain on your device until they expire or you delete them.

Legal basis for using cookies

We use cookies on the following legal bases under the EU and UK General Data Protection Regulation (together, the “GDPR”), the ePrivacy Directive 2002/58/EC and, in the United Kingdom, the Privacy and Electronic Communications Regulations 2003 (“PECR”):

  • Strictly Necessary cookies — we rely on the “strictly necessary” exemption under Article 5(3) of the ePrivacy Directive (and the equivalent UK rule) and, where personal data is processed, on our legitimate interests under Article 6(1)(f) GDPR (operating and securing the Site). These cookies do not require your consent.
  • Functional and Marketing cookies — we rely on your consent under Article 6(1)(a) GDPR and Article 5(3) of the ePrivacy Directive. We set these cookies only after you have given your consent through our cookie banner or preference center.
  • We rely on Legitimate Interest (Article 6(1)(f) GDPR) to transmit basic, cookieless consent signals to Google for conversion modeling and to respect their privacy choices.

Categories of cookies we use

We group cookies into three categories: Strictly Necessary (Essential), Functional, and Marketing. The tables below list every cookie used on the Site at the date this Cookie Policy was last updated. The list is reviewed regularly and may change; you can always see the current list in our preference center.

Strictly Necessary cookies (Essential)

These cookies are required for the Site to function and cannot be switched off in our systems. They are typically set in response to actions you take, such as logging in, filling in a form, or setting your privacy preferences. They also include security cookies that protect the Site against fraud, abuse and automated bot traffic. You can configure your browser to block these cookies, but parts of the Site may not work as intended.

Provider Cookie name First / Third party Duration Purpose
WordPress Core wordpress_[hash] First-party Session Stores authentication details for the /wp-admin/ area.
WordPress Core wordpress_logged_in_[hash] First-party 14 days Identifies the logged-in user and manages the Site interface for that user.
WordPress Core wordpress_test_cookie First-party Session Tests whether cookies are enabled in your browser.
WordPress Core wp-settings-{time}-[UID] First-party 1 year Stores personal UI settings for the admin dashboard.
LifterLMS llms_visitor_id First-party 1 year Tracks unique visitors to support course progress functionality.
LifterLMS llms_sid First-party Session Manages student session state and course interactions.
Redis Cache (optional session cookie) First-party Session May be set if server-side object caching is linked to a user session.
Cloudflare __cf_bm Third-party (Cloudflare, Inc.) 30–60 minutes Bot management; identifies and blocks automated traffic while allowing legitimate users.
Cloudflare cf_clearance Third-party (Cloudflare, Inc.) Up to 1 year Confirms that you have successfully passed a security challenge (e.g., Turnstile / CAPTCHA).
Cloudflare _cfuvid Third-party (Cloudflare, Inc.) Session Rate limiting; distinguishes individual users sharing the same IP address to apply security rules.

Functional cookies

These cookies enable enhanced functionality and personalisation. They help remember your sign-in state on the front end, balance traffic across our servers, optimise page caching, and protect submission forms from spam and automated abuse. If you do not allow these cookies, some features of the Site may not work properly.

Provider Cookie name First / Third party Duration Purpose
Google reCAPTCHA _GRECAPTCHA Third-party (Google LLC) 6 months Risk analysis and spam protection on forms.
W3 Total Cache w3tc_referrer First-party Session Tracks the referring page to support caching logic.
Theme My Login tml_login First-party 14 days Custom login persistence for front-end user profiles.
Cloudflare __cflb Third-party (Cloudflare, Inc.) Session Load balancing; keeps you on the same server during your visit.

Marketing cookies (including analytics and advertising)

These cookies help us understand how visitors interact with the Site, measure the effectiveness of our marketing campaigns, build a profile of your interests, and show you relevant Oro content on this Site and on third-party platforms (such as search engines, social networks and advertising networks). They are set by us and by carefully selected third-party providers, and some of them enable cross-site tracking.

Where these cookies involve a transfer of your personal data outside the EU/EEA or the United Kingdom — for example to the United States — we rely on the safeguards described in Section 6 below.

Provider Cookie name First / Third party Duration Purpose
Google Analytics 4 _ga Third-party (Google LLC, US — DPF-certified) 2 years Distinguishes unique users and calculates visitor statistics.
Google Analytics 4 _ga_* Third-party (Google LLC, US — DPF-certified) 2 years Persists and maintains session state for analytics.
HubSpot __hstc Third-party (HubSpot, Inc., US — DPF-certified) 6 months Main visitor-tracking cookie (domain, utk, initial/most-recent timestamps).
HubSpot hubspotutk Third-party (HubSpot, Inc., US — DPF-certified) 6 months Identifies a visitor for CRM synchronisation.
HubSpot __hssc Third-party (HubSpot, Inc., US — DPF-certified) 30 minutes Tracks sessions to determine whether session count should be incremented.
Sourcebuster.js sbjs_first First-party 6 months Stores the very first acquisition source of the user.
Sourcebuster.js sbjs_current First-party 6 months Stores the current acquisition source (UTM parameters, etc.).
Sourcebuster.js sbjs_session First-party 30 minutes Identifies the current browsing session for traffic-source attribution.
Sourcebuster.js sbjs_first_add First-party 6 months Stores additional first-visit data (entrance page, timestamp).
Sourcebuster.js sbjs_current_add First-party 6 months Stores additional current-visit data (entrance page, timestamp).
Sourcebuster.js sbjs_migrations First-party 6 months Internal library migration and data consistency.
Hotjar _hjSessionUser_* Third-party (Contentsquare SA, France) 1 year Attributes data from subsequent visits to the same user ID.
Hotjar _hjSession_* Third-party (Contentsquare SA, France) 30 minutes Attributes subsequent requests to the same session.
Microsoft Bing Ads (UET) _uetsid Third-party (Microsoft Corporation, US — DPF-certified) 24 hours Stores a unique session ID to track conversions and visitor behaviour.
Microsoft Bing Ads (UET) _uetvid Third-party (Microsoft Corporation, US — DPF-certified) 13 months Stores a unique visitor ID to track users across multiple sessions.
Google Conversion Linker _gcl_au Third-party (Google LLC, US — DPF-certified) 90 days Stores ad-click information to improve conversion attribution.
LinkedIn Insight li_fat_id Third-party (LinkedIn Ireland UC / LinkedIn Corp., US — DPF-certified) 30 days First-party identifier for conversion tracking and member retargeting.
LinkedIn Insight UserMatchHistory Third-party (LinkedIn Ireland UC / LinkedIn Corp., US — DPF-certified) 30 days Used for ID syncing and ad targeting based on site behaviour.
ZoomInfo _ziid Third-party (ZoomInfo Technologies LLC, US) 1 year Identifies and de-anonymises business entities visiting the Site.

We utilize Google Consent Mode v2 on this Site. If you decline marketing or analytics cookies, Google will not store tracking cookies on your device. However, we still send basic, cookieless signals (such as your consent status, device type, and timestamp) to Google. This allows Google to use aggregate modeling to help us understand website traffic and campaign performance without identifying you personally.

Your choices and how to manage cookies

Cookie banner and preference center

When you first visit the Site (and again whenever we make a material change), we display a cookie banner that lets you:

  • Accept all cookies;
  • Reject all non-essential cookies; or
  • Customise your choices by category (Functional, Marketing).

The “Reject all” option is displayed with equal visual prominence to “Accept all,” and all non-essential categories are switched off by default. We do not set Functional or Marketing cookies until you give your consent. If you choose to ‘Reject all’, no non-essential cookies will be stored, though anonymous consent-status signals will still be sent to our analytics providers to register your choice and provide modeled data.

You can change or withdraw your consent at any time by clicking the “Cookie settings” link in the footer of every page on the Site. Withdrawing your consent will not affect the lawfulness of processing that took place before you withdrew it. We will ask you to renew your consent at least every 12 months and whenever the cookies we use change in a material way.

Browser controls

Most browsers allow you to block, delete or be alerted about cookies. The exact steps depend on your browser; instructions are available here:

We honour the Global Privacy Control (“GPC”) signal where applicable law requires us to do so. Browser “Do Not Track” (DNT) signals are not currently subject to a uniform standard, and the Site does not respond to them.

Opt-outs offered by third-party providers

You can opt out of certain third-party tracking directly with the provider:

Children

The Site is intended for business users and is not directed to children under 16. We do not knowingly place non-essential cookies on devices used by children under 16. If you believe that we have inadvertently collected personal data from a child, please contact us at [email protected] and we will delete it.

Changes to this Cookie Policy

We may update this Cookie Policy from time to time to reflect changes in the cookies we use, in applicable law, or in our business. When we make a material change, we will update the “Effective date” and “Last updated” date at the top of this page and, where appropriate, ask you to renew your consent through the cookie banner. We encourage you to review this Cookie Policy periodically.

Back to top