Cookies and Trackers Policy — Fabrik

Publisher: Fabrik. Service concerned: https://www.fabrik.so, https://app.fabrik.so and their subdomains. Document no.: 6/10 of the Fabrik contractual corpus. Version: 2.0. Effective date: April 28, 2026. Last update: April 28, 2026. The French version is the authoritative one — translations into any other language are provided for information only.

DETAILED TABLE OF CONTENTS

Preamble

Article 1 — Definitions

Article 2 — Scope

Article 3 — Applicable legal framework

Article 4 — Categories of cookies and trackers used by Fabrik

Article 5 — Strictly necessary cookies

Article 6 — Audience measurement cookies

Article 7 — Product analytics cookies

Article 8 — Preference cookies

Article 9 — Partner and third-party cookies

Article 10 — Cookie retention period

Article 11 — Consent — collection and management

Article 12 — Global Privacy Control (GPC) signal and universal opt-out mechanisms

Article 13 — Withdrawal of consent and modification of choices

Article 14 — Browser settings

Article 15 — Processing associated with cookies — reference to the Privacy Policy

Article 16 — Transfers outside the EU related to trackers

Article 17 — Possible joint controllership

Article 18 — Changes to this Policy

Article 19 — Complaints

Annex A — Detailed list of cookies and trackers used

Annex B — Technical glossary

PREAMBLE

This Cookies and Trackers Policy (the "Policy") informs Visitors and Users of the Fabrik Site and Service of the use of cookies, pixels, tags, scripts, web beacons, persistent identifiers, fingerprints (fingerprinting) and any other similar technology (collectively, the "Trackers"), as well as their consent rights.

It complements the Privacy Policy (document 5/10 of the Fabrik corpus) and falls within the scope of the obligations resulting from:

Directive 2002/58/EC as amended (the "ePrivacy" Directive) and its national transpositions, in particular Article 82 of the French Data Protection Act (Law No. 78-17 of 6 January 1978 as amended);

Regulation (EU) 2016/679 (GDPR), in particular for processing of Personal Data associated with Trackers;

CNIL guidelines and recommendations (in particular those of 17 September 2020 and their updates) and those of the European Data Protection Board (EDPB);

equivalent legislation applicable in other jurisdictions (UK Privacy and Electronic Communications Regulations, German TTDSG, Swiss nFADP, California CCPA/CPRA, etc.).

Fabrik undertakes to use Trackers that are not strictly necessary only with the free, specific, informed and unambiguous consent of Data Subjects, collected under the conditions of Article 11 and which can be withdrawn as easily as it was given.

ARTICLE 1 — DEFINITIONS

1.1. "Cookie": a small text file deposited and read by the browser when consulting a website, allowing information related to navigation or the User's terminal equipment to be stored or retrieved.

1.2. "Tracker": any technology, software or hardware, deposited on or read from a terminal device, allowing a User to be identified or tracked, including HTTP cookies, Flash cookies, local storage, session storage, IndexedDB, invisible pixels, web beacons, JavaScript tags, fingerprints, device identifiers (device fingerprinting), and any other similar technology within the meaning of Article 82 of the French Data Protection Act and the CNIL guidelines of 17 September 2020 as amended.

1.3. "Consent": any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which they accept, by a statement or a clear positive action, that Trackers be deposited or read on their device, within the meaning of Article 4(11) of the GDPR.

1.4. "CMP": Consent Management Platform, the consent-management platform used by Fabrik to collect, document, archive and enable the withdrawal of Users' consent.

1.5. "GPC": Global Privacy Control, a universal signal transmitted by the browser allowing the User to automatically refuse the sale or sharing of their Personal Data.

1.6. "Terminal equipment": any device (computer, tablet, smartphone, connected object) from which a User accesses the Service.

1.7. The other terms used with a capital letter have the meaning given to them in the Terms of Service, the General Terms and Conditions of Sale, and the Privacy Policy.

ARTICLE 2 — SCOPE

2.1. This Policy applies to all Trackers deposited or read by Fabrik, or by its partners and processors acting on its instructions, when visiting the Site or using the Service.

2.2. It does not cover Trackers placed by third-party sites to which Fabrik may redirect a User via hyperlinks. Such third-party sites have their own policy, which the User is responsible for consulting.

ARTICLE 3 — APPLICABLE LEGAL FRAMEWORK

3.1. Principle of prior consent. In accordance with Article 82 of the French Data Protection Act and the ePrivacy Directive, the deposit or reading of Trackers on the User's Terminal equipment is subject to the prior collection of their consent, except for Trackers whose sole purpose is to enable or facilitate communication by electronic means, or which are strictly necessary for the provision of an online communication service expressly requested by the User.

3.2. Consent standards. Consent must meet the requirements of Article 4(11) and Article 7 of the GDPR. It must be:

Freely given: access to the Service cannot be conditioned on consent to non-strictly-necessary Trackers, except where an equivalent alternative is offered (e.g., the "pay-or-consent" model for audience measurement, strictly assessed against the EDPB criteria of 17 April 2024);

Specific: separate consent is collected for each purpose;

Informed: clear, prior and complete information is provided;

Unambiguous: a clear positive action is required (no pre-ticked boxes; continued browsing does not amount to consent).

3.3. Equivalence between "refuse" and "accept". In accordance with CNIL guidelines, refusal must be as easy as acceptance. A "Reject all" button or equivalent is offered at the first level of the banner, on a par with "Accept all".

3.4. Consent documentation. Consents and refusals are timestamped, documented and archived by the CMP for a period allowing compliance to be demonstrated (generally 13 months from the last collection).

ARTICLE 4 — CATEGORIES OF COOKIES AND TRACKERS USED BY FABRIK

4.1. Fabrik distinguishes the following categories of Trackers:

4.1.1. Strictly necessary Trackers: indispensable for the operation of the Site and the Service. No consent is required, but information is provided.

4.1.2. Audience measurement Trackers: used for statistical purposes to monitor traffic on the Site and Service. Consent required, except for solutions benefiting from the CNIL exemption (strictly limited configuration, compliance with the conditions of the CNIL recommendation).

4.1.3. Product analytics Trackers: used to understand the use of Service features. Consent required.

4.1.4. Preference Trackers: store the User's preferences (language, time zone, display). Consent required for non-strictly-necessary Trackers used for this purpose.

4.1.5. Partner and third-party Trackers: used by commercial partners or third parties (social networks, advertising platforms). Consent required.

4.2. The detailed list of Trackers used by Fabrik, by category, is set out in Annex A and is updated regularly.

ARTICLE 5 — STRICTLY NECESSARY COOKIES

5.1. Purposes. Strictly necessary cookies allow:

User authentication and session maintenance;

session security (CSRF protection, anti-replay tokens);

server load balancing;

storage of the User's own consent preferences;

compliance with certain legal or security obligations.

5.2. Legal basis. These cookies are exempt from consent under Article 82 of the French Data Protection Act, being strictly necessary for the provision of the service expressly requested by the User.

5.3. Information. This Policy, through its Annex A, lists the strictly necessary cookies deposited by Fabrik. No "refuse" button is offered for this category, since they are essential for operation.

5.4. Examples (indicative list, to be refined according to actual implementation):

session cookie (session_id)

authentication cookie (auth_token)

anti-CSRF cookie

consent cookie (consent_state)

language preference cookie strictly necessary for proper display

ARTICLE 6 — AUDIENCE MEASUREMENT COOKIES

6.1. Purposes. Fabrik uses audience-measurement tools to:

understand traffic on the Site and Service;

identify the most visited pages;

detect navigation paths;

adjust ergonomics and features.

6.2. Tool used. Fabrik does not use a third-party audience-measurement solution subject to consent for this category. Analytics is provided by PostHog (see Article 7).

6.3. Legal basis. Not applicable — Google Analytics 4 has been removed from the Service. Audience measurement is provided by PostHog (see Article 7).

6.4. Transfers. Not applicable — Google Analytics 4 has been removed from the Service.

6.5. Settings. Not applicable — Google Analytics 4 has been removed from the Service.

ARTICLE 7 — PRODUCT ANALYTICS COOKIES

7.1. Purposes. Fabrik uses product-analytics tools to:

understand the use of Service features;

identify usage paths;

improve ergonomics and performance;

where applicable, perform session recordings (session replay) for debugging and improvement;

enable feature flags.

7.2. Tool used. Fabrik uses PostHog, provided by PostHog Inc. PostHog may be hosted in an EU or US region depending on the configuration chosen by Fabrik and the evolution of the provider's technical offerings.

7.3. Legal basis. The User's consent is required.

7.4. Session replay — precautions. Session-replay features are configured to mask sensitive data (password fields, payment-card fields, health data where applicable), in accordance with CNIL recommendations and best practices. No recording is made without prior consent.

7.5. Anonymisation and aggregation. Product analyses are, as far as possible, carried out on pseudonymised or aggregated data. The identifier used is, where possible, a random identifier distinct from the Account identifier.

7.6. Transfers. See Article 16.

ARTICLE 8 — PREFERENCE COOKIES

8.1. Purposes. Store the User's preferences (non-strictly-necessary language choice, dark/light display, accessibility configuration).

8.2. Legal basis. Consent, except for preferences that are strictly necessary for the proper operation of the Service.

ARTICLE 9 — PARTNER AND THIRD-PARTY COOKIES

9.1. Principle. Fabrik strictly limits the use of partner or third-party cookies. As of the date of this version, Fabrik does not use third-party advertising cookies, advertising conversion pixels, or social-network trackers.

9.2. Evolution. Should Fabrik come to integrate such cookies (for example, to measure marketing campaign effectiveness), this Policy will be updated accordingly, and the User's consent will be specifically collected.

ARTICLE 10 — COOKIE RETENTION PERIOD

10.1. Maximum durations. In accordance with CNIL recommendations:

the retention period for non-strictly-necessary cookies does not exceed 13 months from their first deposit or consent;

information collected via these cookies is retained for a maximum of 25 months from collection;

at the end of these periods, fresh consent is collected, unless the User has previously confirmed their refusal.

10.2. Shorter durations. Fabrik favours the shortest durations necessary for the purpose. The specific durations of each Tracker are set out in Annex A.

10.3. Session cookies. Strictly necessary session cookies are deleted at the end of the session or upon log-out.

ARTICLE 11 — CONSENT — COLLECTION AND MANAGEMENT

11.1. Consent banner. On the first visit to the Site or Service by a User, a consent banner is displayed, containing at a minimum:

clear and concise information on the purpose of non-strictly-necessary Trackers;

an "Accept all" button to consent to all Trackers;

a "Reject all" button or equivalent, with the same visibility and accessibility as "Accept all";

a "Settings" button allowing fine-grained choice by category and, where applicable, by Tracker.

11.2. No consent by default. No non-strictly-necessary Tracker is deposited as long as the User has not given informed consent. Boxes are unticked by default. Mere continued browsing does not constitute consent.

11.3. Granular consent. The User can accept some categories and refuse others. Fine-grained settings are offered at the second level.

11.4. Proof of consent. The CMP records, for each choice: the version of the banner displayed, the list of Trackers presented, the date and time (UTC), the anonymous Visitor identifier, and the choice made. These elements are kept to demonstrate compliance.

11.5. Renewal. At the end of the retention period referred to in Article 10.1, consent is renewed.

ARTICLE 12 — GLOBAL PRIVACY CONTROL (GPC) SIGNAL AND UNIVERSAL OPT-OUT MECHANISMS

12.1. Honouring the GPC signal. When a User transmits, via their browser, the Global Privacy Control (GPC) signal, Fabrik interprets it as a refusal of non-strictly-necessary Trackers and as an opt-out of any "sharing" or "selling" of Personal Data within the meaning of CCPA/CPRA and equivalent texts.

12.2. Effect. The GPC signal triggers, without any further action being required from the User:

refusal of non-strictly-necessary Trackers;

activation of the "Do Not Sell or Share My Personal Information" opt-out for Users covered by CCPA/CPRA;

application of an equivalent mechanism for US states recognising Universal Opt-Out Mechanisms (in particular Colorado, Connecticut, Texas, Oregon, etc.).

12.3. Other signals. Fabrik reserves the right to honour any other universal refusal mechanism recognised by the law applicable to the User's jurisdiction (for example, future signals stemming from a revised ePrivacy Directive or ePrivacy Regulation, if adopted).

ARTICLE 13 — WITHDRAWAL OF CONSENT AND MODIFICATION OF CHOICES

13.1. Permanent access to settings. A link accessible from each page of the Site (typically in the footer, labelled "Manage cookies" or equivalent) allows the User, at any time, to review and modify their choices.

13.2. Withdrawal as simple as acceptance. In accordance with Article 7(3) of the GDPR, withdrawal of consent is as simple as giving it. Withdrawal does not affect the lawfulness of prior processing.

13.3. Effect of withdrawal. Withdrawal of consent results in:

the immediate cessation of the deposit and reading of the corresponding Trackers on new visits;

the deletion of Trackers already deposited, to the extent technically possible;

the transmission, where applicable, of an instruction to third-party processors to delete the corresponding data.

ARTICLE 14 — BROWSER SETTINGS

14.1. Additional settings. Independently of the choices expressed via the Fabrik consent banner, the User can configure their browser to block cookies, delete them after each session, or be alerted when they are deposited.

14.2. Documentation by browser. The procedure varies depending on the browser:

Google Chrome: Settings > Privacy and security > Cookies and other site data;

Mozilla Firefox: Settings > Privacy & Security > Cookies and Site Data;

Safari: Preferences > Privacy;

Microsoft Edge: Settings > Cookies and site permissions.

14.3. Consequences. Blocking strictly necessary cookies may result in the Site or Service malfunctioning (inability to log in, loss of session, etc.). The User bears sole responsibility for the consequences.

ARTICLE 15 — PROCESSING ASSOCIATED WITH COOKIES — REFERENCE TO THE PRIVACY POLICY

15.1. Personal Data collected via Trackers is processed under the conditions of the Privacy Policy (document 5/10 of the Fabrik corpus), to which express reference is made for any additional information on purposes, legal bases, recipients, retention periods, transfers and rights of Data Subjects.

ARTICLE 16 — TRANSFERS OUTSIDE THE EU RELATED TO TRACKERS

16.1. Processors concerned. The audience-measurement and product-analytics tools used by Fabrik (in particular PostHog) may involve transfers of Personal Data to third countries, in particular the United States.

16.2. Legal framework. These transfers are governed under the conditions of Article 9 of the Privacy Policy (adequacy decisions, 2021 Standard Contractual Clauses, DPF for certified processors, additional measures post-Schrems II).

16.3. TIA. Fabrik carries out a Transfer Impact Assessment (TIA) for each flow involving a transfer to a country without an adequacy decision.

ARTICLE 17 — POSSIBLE JOINT CONTROLLERSHIP

17.1. In certain cases, in particular when Fabrik uses a third-party audience-measurement or analytics tool, Fabrik and the tool provider may qualify as joint controllers within the meaning of Article 26 GDPR, as interpreted by case law (in particular CJEU, Fashion ID, C-40/17, 29 July 2019; CJEU, Wirtschaftsakademie, C-210/16, 5 June 2018).

17.2. In such cases, Fabrik concludes a joint controller agreement with the provider defining each party's responsibilities, in particular as regards the exercise of Data Subjects' rights and information obligations.

17.3. The essential elements of this agreement are made available to Data Subjects on request to legal@fabrik.so.

ARTICLE 18 — CHANGES TO THIS POLICY

18.1. This Policy may be amended to reflect legislative, case-law, technical or organisational changes, in particular in the event of the addition or removal of a Tracker, a change of purpose, or evolution of the guidelines of competent authorities.

18.2. Any material change (addition of a new Tracker, new purpose) gives rise to a renewal of consent.

18.3. The applicable version is the one in force on the date considered, with mention of the date of last update.

ARTICLE 19 — COMPLAINTS

19.1. Any question or complaint relating to Trackers may be sent to legal@fabrik.so or to Fabrik — Data Protection, 4 rue du Four, 55500 Cousances-lès-Triconville, France.

19.2. Complaint with the CNIL. Without prejudice to any other remedy, the User may lodge a complaint with the CNIL (3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, www.cnil.fr).

19.3. Complaints outside France. For Users residing outside France, the competent authorities are those listed in Article 39 of the Privacy Policy.

ANNEX A — DETAILED LIST OF COOKIES AND TRACKERS USED

This list is indicative and is updated regularly. The current version is accessible via the "Manage cookies" link in the Site footer.

A.1 — Strictly necessary Trackers

Name

Set by

Purpose

Duration

Domain

sb-access-token / sb-refresh-token

Fabrik (via Supabase)

User authentication, session maintenance

Session + token lifetime

app.fabrik.so

csrf_token

Fabrik

CSRF protection

Session

fabrik.so / app.fabrik.so

consent_state

Fabrik (CMP)

Storage of consent preferences

13 months

fabrik.so

locale (where strictly necessary)

Fabrik

Correct language display

Session / 6 months

fabrik.so

April 28, 2026

A.2 — Audience-measurement Trackers (consent required)

Name

Set by

Purpose

Duration

Transfer

— (removed)

April 28, 2026

A.3 — Product-analytics Trackers (consent required)

Name

Set by

Purpose

Duration

Transfer

ph_* (PostHog cookies and localStorage)

PostHog

Product analytics, feature flags, session replay

12-13 months max.

EU region preferred; US by default depending on offering — SCCs if outside EU

April 28, 2026

A.4 — Preference Trackers (consent required for those that are not strictly necessary)

Name

Set by

Purpose

Duration

theme

Fabrik

Remember the theme (dark/light)

12 months

timezone

Fabrik

Remember the time zone

12 months

April 28, 2026

A.5 — Partner and third-party Trackers

As of the date of this version: no third-party advertising cookies, no conversion pixels, no social-network trackers are deposited by Fabrik.

ANNEX B — TECHNICAL GLOSSARY

CMP (Consent Management Platform): software platform for managing consent.

Cookie: a small text file stored by the browser.

CSRF (Cross-Site Request Forgery): a type of web attack against which certain cookies provide protection.

DPF (Data Privacy Framework): EU-US adequacy framework for data transfers, succeeding the Privacy Shield.

Fingerprinting: tracking technique based on the unique combination of parameters of the terminal equipment.

GPC (Global Privacy Control): universal opt-out signal transmitted by the browser.

IndexedDB: client-side browser database.

LocalStorage / SessionStorage: browser-side storage mechanisms.

Pixel (web beacon): an invisible single-pixel image used to trace actions.

Internal proxy: architecture allowing certain data to be hidden or filtered before being sent to a third-party tool.

Session replay: technique for recording user sessions for after-the-fact analysis.

TIA (Transfer Impact Assessment): impact assessment of the transfer required post-Schrems II for transfers outside the EU.

End of Document 6/10 — Cookies and Trackers Policy — Fabrik

Fabrik Legal Corpus — Version 2.0 — April 28, 2026