Operator: Xelora Pty Ltd (ACN 692 975 107, ABN 96 692 975 107), incorporated in Australia on 18 November 2025, trading as Xelora Privacy contact: privacy@xelora.host Last updated: 2026-05-13
1. About cookies and similar technologies
When you visit https://xelora.host or use the customer dashboard, we and selected third parties may store and read small files (“cookies”) on your device, and use related technologies such as localStorage, session storage, pixels, and SDK identifiers (collectively “cookies and similar technologies”).
This Policy explains what we use, why, and how you can control them. It is part of our Privacy Policy.
2. Cookies set by Xelora
The Xelora platform sets two categories of cookies on public pages: strictly necessary cookies (always on, listed in 2.1) and analytics cookies (Google Analytics 4, listed in 2.3 — these are blocked by default until you click Accept on the consent banner that appears on your first visit).
We do not set advertising, retargeting, or marketing cookies. We do not sell or share personal data with third parties for advertising purposes.
2.1 Strictly necessary cookies (always on)
These are required for the site and dashboard to function. Disabling them will break sign-in, billing, and core features.
| Name | Set by | Purpose | Duration |
|---|---|---|---|
PHPSESSID |
Xelora | Authenticated server session. Secure, HttpOnly, SameSite=Lax. |
Session |
remember_token |
Xelora | “Remember me” persistent login. Only set when you tick the box at sign-in. Secure, HttpOnly. |
Up to 30 days |
__stripe_mid |
Stripe | Fraud prevention across browser sessions. Set when a billing or checkout page loads. | Up to 1 year |
__stripe_sid |
Stripe | Fraud prevention within a single checkout session. | 30 minutes |
We do not ask for consent for strictly necessary cookies — they are essential to providing the service you requested.
2.2 Browser local storage (similar technology, not cookies)
We use the browser’s localStorage API to remember user-interface preferences. These keys are stored on your device only and are not transmitted to our servers:
| Key | Purpose |
|---|---|
xelora-theme |
Your light / dark theme choice. |
xelora_editor_mode |
Whether the website-builder editor is in simple or advanced mode. |
wb_onboarding_complete, wb_onboarding_version |
Whether you’ve completed the editor onboarding tour, and which version you saw. |
wb_setup_<project_id> |
State of the per-project setup wizard (e.g. “skipped”). |
xelora_cookie_consent_v1 |
Your choice on the cookie consent banner (granted or denied). Stored on your device only; allows us to honour your preference on return visits without re-prompting. |
You can clear these at any time via your browser’s site-data clear function.
2.3 Analytics cookies (consent required, blocked by default)
On public pages of xelora.host we use Google Analytics 4 (tag ID G-HSCFBR725S) to understand aggregate visitor traffic, page popularity, and the funnel from landing page → signup → first build. We use Google Consent Mode v2 with default-deny: the Google Analytics script loads in a no-tracking state and only begins collecting analytics data after you click Accept on the consent banner.
| Name | Set by | Purpose | Duration |
|---|---|---|---|
_ga |
Google Analytics | Distinguishes unique visitors by assigning a randomly generated client ID. Set only after consent is granted. | 2 years |
_ga_HSCFBR725S |
Google Analytics | Persists session state for this specific GA4 property. Set only after consent is granted. | 2 years |
The data Google Analytics collects is aggregated and reported to us at the level of countries, devices, browsers, and pages — we do not receive individual user profiles or contact details. Google’s privacy and data-handling terms for Analytics customers apply additionally: https://policies.google.com/privacy.
If you click Reject, no analytics cookies are set, no analytics pings are sent, and we will not re-prompt you. If you click Accept, the choice is recorded in xelora_cookie_consent_v1 and analytics resumes on subsequent visits without re-prompting. You can revoke consent at any time by clearing site data for xelora.host in your browser; the banner will reappear on your next visit.
We do not use Google Analytics on authenticated areas (login, customer dashboard, admin) — only on public marketing and information pages.
2.4 Advertising and marketing cookies
Not used. We do not currently run advertising trackers, retargeting pixels, or marketing SDKs.
3. Consent model
3.1 All visitors. A consent banner is displayed on your first visit to any public page of xelora.host. Until you click Accept, all analytics cookies are blocked via Google Consent Mode v2 default-deny — the Google Analytics script may load but is prevented from setting cookies, sending pageviews, or transmitting any identifiers.
3.2 Strictly necessary cookies (section 2.1) are exempt from consent under both Australian and EU/UK rules because they are essential to providing the service you requested. Disabling them will break sign-in, billing, and core features.
3.3 EU/EEA and UK visitors. Under the ePrivacy Directive (and national implementations) and the UK PECR, consent must be freely given, specific, informed, and unambiguous, and equally easy to refuse as to grant. The Xelora banner satisfies these requirements: Accept and Reject are presented as visually equivalent buttons, no consent is inferred from continued browsing, and the default state is Reject.
3.4 Australian visitors. Australian privacy law does not currently require an opt-in banner for the analytics cookies described in section 2.3, but we apply the same Accept / Reject banner to all visitors for consistency and respect of preference.
3.5 Recording your choice. Your choice is stored in xelora_cookie_consent_v1 in your browser’s localStorage (not in a cookie, and not transmitted to our servers). Clearing your browser’s site data for xelora.host will reset the choice and re-display the banner on your next visit.
4. How to control cookies
You can control cookies by: - clearing cookies in your browser (this will sign you out); - using browser settings to block or warn before accepting cookies — see the help pages for Chrome, Firefox, Safari, and Edge; - using browser-level privacy signals such as Global Privacy Control (GPC) — where present, we treat GPC as a request to refuse non-essential cookies (currently a no-op because we do not set non-essential cookies).
Blocking strictly necessary cookies will prevent the Services from working correctly.
5. Third-party cookies
The Xelora platform sets the following third-party cookies:
- Stripe —
__stripe_midand__stripe_sid, set on billing and checkout pages for fraud prevention. These are strictly necessary in connection with payment processing. Stripe’s privacy policy: https://stripe.com/au/privacy. - Google Analytics 4 —
_gaand_ga_HSCFBR725S, set only after you consent via the banner (see section 2.3). Google’s privacy policy: https://policies.google.com/privacy. Google Analytics data-handling terms: https://business.safety.google/adsservices/.
6. Do Not Track and Global Privacy Control
We do not currently rely on the legacy Do Not Track (DNT) browser header, because there is no industry consensus on its meaning. The Xelora consent banner’s default state of Reject is functionally equivalent: until you explicitly Accept, no analytics cookies are set. We treat the presence of a Global Privacy Control (GPC) header similarly — analytics consent will not be inferred and the banner will continue to default to Reject.
7. Children
We do not direct cookies to children under 16 and do not knowingly profile them. See section 14 of the Privacy Policy.
8. Changes to this Policy
We may update this Policy when our cookie usage changes. The “last updated” date at the top reflects the current version. Material changes — for example, new analytics or advertising cookies — will be re-prompted via the consent banner where required.
9. Contact
privacy@xelora.host · Xelora Pty Ltd, postal address as shown in the Privacy Policy