Luxer One Cookie Policy
Luxer One · An ASSA ABLOY Group Company

Cookie Policy

Effective Date: June 22, 2026  |  Last Updated: June 22, 2026

GDPR UK GDPR PIPEDA CCPA/CPRA Applies Globally

This Cookie Policy describes how Luxer One, Inc. ("Luxer One," "we," "us," or "our"), a member of the ASSA ABLOY Group, uses cookies and similar tracking technologies on our website at www.luxerone.com and web application at app.luxerone.com (collectively, the "Site"). This policy is designed to comply with the EU General Data Protection Regulation (GDPR), UK GDPR, Canada's PIPEDA and Québec Law 25, the CCPA/CPRA, and other applicable privacy laws. It should be read alongside our Privacy Policy.

1. What Are Cookies and Pixels?

A "cookie" is a small text file stored on your device when you visit a website. Cookies make websites work efficiently, remember your preferences, and provide information to website owners. They cannot run programs or deliver viruses. Under GDPR and PIPEDA, information collected via cookies may constitute personal data/information where it can identify or be linked to an individual (e.g., IP addresses, device identifiers, and browsing histories).

"Pixels" (web beacons or pixel tags) are small, invisibly embedded graphics with unique identifiers used to track web user movements. Unlike cookies, pixels are not stored on your device. Our third-party analytics providers may place pixels on the Site. Luxer One does not control the use of pixels by third parties.

We also use related technologies including local storage and session storage. This policy covers all of these technologies collectively.

2. Legal Basis for Using Cookies

GDPR & UK GDPR

Under the ePrivacy Directive and UK PECR, we may only set non-essential cookies with your prior, freely given, specific, informed, and unambiguous consent (Art. 6(1)(a) GDPR). Strictly necessary cookies do not require consent; they are set on the basis of legitimate interest (Art. 6(1)(f)) in operating a functional website. You may withdraw consent at any time without affecting the lawfulness of prior processing.

PIPEDA — Canada

Under PIPEDA and Québec Law 25, we obtain meaningful consent for cookies that collect personal information. For strictly necessary cookies, we rely on implied consent arising from your use of the Site. For analytics, functional, and marketing cookies, we obtain express consent via our consent banner. You may withdraw consent at any time using the cookie preference controls on our Site.

CCPA / CPRA — California

The CCPA does not require consent before setting cookies but requires transparency about cookies that constitute a "sale" or "sharing" of personal information and mandates an opt-out mechanism. California residents may opt out by visiting our Do Not Sell or Share My Personal Information page. Our Site also honors the Global Privacy Control (GPC) signal as a valid opt-out.

3. Categories of Cookies We Use

Strictly Necessary — No Consent Required

Essential for the Site to function. They enable account authentication, security, and access to your locker management dashboard. Legal basis: Legitimate Interests (GDPR Art. 6(1)(f)); implied consent (PIPEDA); not subject to CCPA opt-out as they do not involve sale or sharing.

Performance & Analytics — Consent Required

Collect aggregated, anonymized information about how visitors use our Site to help us improve performance and design. Legal basis: Consent (GDPR Art. 6(1)(a)); express consent (PIPEDA). We use Google Analytics. Google's use of this data is subject to the Google Analytics Terms of Service.

Functional — Consent Required

Allow the Site to remember your choices and deliver enhanced, personalized features. Also include tools such as Google Tag Manager that deploy other scripts only after consent is given. Legal basis: Consent (GDPR Art. 6(1)(a)); express consent (PIPEDA).

Marketing & Targeting — Consent Required / CCPA Opt-Out Available

Deliver interest-based advertising, limit ad frequency, and measure campaign effectiveness. Legal basis: Consent (GDPR Art. 6(1)(a)); express consent (PIPEDA). Under CCPA/CPRA, these may constitute "sharing" for cross-context behavioral advertising — California residents may opt out at any time. We use the Facebook/Meta Pixel, HubSpot, and Google Ads.

If we use Google Enhanced Conversions or Meta's Advanced Matching, email addresses and/or phone numbers collected via our web forms may be hashed (SHA-256) before transmission to Google or Meta for ad attribution and audience matching. Hashed data is transmitted only where you have accepted marketing cookies and, for EU/EEA/UK visitors, only with your prior consent. Marketing team to confirm whether enhanced conversions are active before this paragraph is published.

4. Cookies and Tracking Technologies We Use

The following table describes the cookies and tracking technologies currently in use on our Site. This list is maintained as part of our GDPR Records of Processing Activities (ROPA) and updated as our Site evolves.

Cookie / Tool Category Duration Purpose Data Stored Legal Basis
luxer_session Strictly Necessary Session Maintains authenticated locker management session on app.luxerone.com Encrypted session token / user ID Legitimate Interests
OptanonConsent Strictly Necessary 12 months Consent platform — stores cookie category preferences and consent timestamp Encoded consent state, category opt-ins/outs, timestamp, version ID Legitimate Interests
OptanonAlertBoxClosed Strictly Necessary 12 months Records that the consent banner has been dismissed Timestamp of banner dismissal Legitimate Interests
_cfuvid Strictly Necessary Session Cloudflare CDN — load balancing and abuse prevention; not used for cross-site tracking Anonymized visitor identifier for rate-limiting Legitimate Interests
AWSALB, AWSALBCORS Strictly Necessary 7 days AWS load balancer — routes requests to the correct application server; maintains session stickiness Hashed server-routing identifier; no personal data Legitimate Interests
_ga, _gid Analytics 2 yrs / 24 hrs Google Analytics — site usage, sessions, and traffic source tracking Anonymized client ID, session count, traffic source, pages visited Consent
_gtm (GTM-KCBMGDL) Functional Session Google Tag Manager — manages and deploys other tracking scripts after consent is given No data stored independently; controls firing of other tags Consent
hubspotutk Marketing 13 months HubSpot CRM — identifies returning visitors; de-duplicates contacts Per-visitor unique identifier (UUID) Consent
__hstc, __hssc Marketing 13 mo / 30 min HubSpot CRM — tracks session activity and page views for form analytics and sales follow-up Session count, time of first/last visit, current session start time Consent
_fbp Marketing 90 days Facebook/Meta Pixel — measures ad effectiveness and enables retargeting on Meta platforms Per-browser unique identifier for ad attribution Consent
_gcl_au, _gads Marketing 90 days Google Ads — remarketing to past site visitors; conversion measurement Ad click ID, conversion event data Consent
Stack confirmation required: The OneTrust (OptanonConsent/OptanonAlertBoxClosed), Cloudflare (_cfuvid), and AWS (AWSALB/AWSALBCORS) rows must be verified against the live site before publication. Run a cookie scan on www.luxerone.com and app.luxerone.com. Add any cookies discovered that are not listed above.

5. Third-Party Cookies and Social Media

Some cookies are placed by third parties including social media platforms (Facebook, YouTube, LinkedIn, Twitter/X, and Google). These third parties may use cookies to recognize your device across websites and collect data based on your social network privacy settings. We enter into Data Processing Agreements or rely on Standard Contractual Clauses with third-party processors that receive personal data of EU/EEA/UK residents. We do not control third-party cookie policies.

6. How to Manage and Control Cookies

Cookie Consent Banner (All Jurisdictions)

When you first visit our Site, a cookie consent banner allows you to accept all cookies, reject non-essential cookies, or customize preferences by category. EU/EEA/UK visitors will see a GDPR-compliant consent experience — no non-essential cookies are set before you make a choice. You can revisit your preferences at any time using the cookie settings link in our Site footer. Under GDPR, withdrawing consent is as easy as providing it.

Global Privacy Control (GPC) — CCPA/CPRA

Our Site recognizes and honors the Global Privacy Control (GPC) signal. If your browser has GPC enabled, we treat it as a valid opt-out of the sale and sharing of your personal information under the CPRA. GPC does not affect strictly necessary cookies.

Browser Settings

You can also control cookies through your browser settings. Note that restricting cookies may affect Site functionality. For a plain-language guide, visit www.allaboutcookies.org.

  • Google Chrome: Settings > Privacy and Security > Cookies and other site data
  • Mozilla Firefox: Options > Privacy & Security > Cookies and Site Data
  • Apple Safari: Preferences > Privacy > Manage Website Data
  • Microsoft Edge: Settings > Cookies and site permissions

Complete Opt-Out

The only way to completely opt out of all cookie-based tracking is to delete and disable cookies in your browser. Please note that this may prevent you from accessing certain features of the Service. Under GDPR, you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

Do Not Track (DNT)

There is currently no uniform industry standard for honoring "Do Not Track" browser signals. Our Site does not alter its data collection practices in response to a DNT signal. However, we do honor GPC signals as described above.

7. Jurisdiction-Specific Cookie Rights

EU / EEA Residents — GDPR & ePrivacy

Under GDPR and the ePrivacy Directive, you have the right to withdraw cookie consent at any time. Withdrawing consent will not affect the lawfulness of any prior processing. You may also object to processing based on legitimate interests if you have specific grounds. You have the right to lodge a complaint with your national data protection authority (DPA). A full list of EU DPAs is available at edpb.europa.eu.

UK Residents — UK GDPR & PECR

The UK Privacy and Electronic Communications Regulations (PECR) require consent for non-essential cookies. You have the same rights as EU residents to withdraw consent and complain to the Information Commissioner's Office (ICO) at ico.org.uk.

Canadian Residents — PIPEDA / Québec Law 25

Under PIPEDA and Québec Law 25, you have the right to withdraw consent for non-essential cookies at any time. Québec residents have enhanced rights under Law 25, including the right to be informed of any profiling or automated decision-making based on cookie data. You may contact our Privacy Officer or the Office of the Privacy Commissioner at priv.gc.ca.

California Residents — CCPA / CPRA

California residents may opt out of the sale or sharing of personal information collected via marketing and targeting cookies by visiting our Do Not Sell or Share My Personal Information page, enabling GPC in your browser, or by contacting us directly. We will process your opt-out request within 15 business days.

8. Changes to This Cookie Policy

We may update this Cookie Policy from time to time. Under GDPR, material changes that affect the basis on which we use cookies will require fresh consent. We will update the "Last Updated" date above and notify users as required by applicable law. Your continued use of the Site after non-material updates constitutes acceptance of those changes.

9. Contact Us

Luxer One Privacy Team

Email: privacy@luxerone.com

Web: www.luxerone.com/contact

Do Not Sell: Link

ASSA ABLOY Americas — Data Protection Manager

110 Sargent Dr., New Haven, CT 06511

Email: Privacy.Americas@assaabloy.com

Toll-Free: 1-833-648-0107

EU/UK Data Protection Officer (GDPR Art. 37)

Email: gc.privacy@assaabloy.com

ASSA ABLOY AB, Box 703 40
SE-107 23 Stockholm, Sweden

Canadian Privacy Officer (PIPEDA)

Email: privacy@luxerone.com

OPC: priv.gc.ca

Phone: 1-800-282-1376