Cookies v1.0

Last update: July 16th, 2025 version 1.0

1. Who We Are

Haystack Consulting (“we”, “us”, “our”) is a market research and consultancy agency with offices in Heverlee, Belgium, and Amsterdam,  The Netherlands.

This Cookie Policy explains how and why we use cookies and comparable tracking technologies when you visit any Haystack‑controlled website, web‑application or open an online questionnaire we host.

2. What Are Cookies (and Similar Technologies)?

  • Cookies are small text files placed on your device by your browser that store certain information.
  • Scripts (JavaScript, tags) are pieces of code used to make a site function interactively.
  • Pixels / Web Beacons are tiny transparent images or code snippets that record that you have visited a page or opened an e‑mail.

Throughout this policy we collectively call these technologies "cookies” for readability.

3. Legal Framework

  • Article 5(3) of the EU ePrivacy Directive and its national transpositions require prior consent for storing or accessing information on a user’s terminal equipment, except where the cookie is strictly necessary to provide the service the user expressly requested.
  • Consent must meet the GDPR standard of freely given, specific, informed and unambiguous (CJEU Planet49, C‑673/17) and cannot be obtained through pre‑ticked boxes or by bundling different purposes.
  • The European Data Protection Board’s Guidelines 02/2023 (version 2.0, 16 Oct 2024) confirm that the “cookie rule” also covers technologies such as local storage, SDKs and device fingerprinting.

4. How We Use Cookies & Our Lawful Bases

Category Purpose Lawful basis (GDPR) Lifespan*
Strictly necessary / functional Enable core site functionality, load‑balancing, security (e.g. Cloudflare), remember privacy choices Legitimate interest (Art. 6 (1)(f)) or contract (Art. 6 (1)(b)); no consent required under Art. 5(3) ePD Session–1 year
Preference Remember language or survey progress Consent (Art. 6 (1)(a)) Up to 1 year
Analytics / performance Aggregate statistics (e.g. pageviews, completion rates) to improve services Consent 1 day–2 years
Marketing / tracking Measuring campaign effectiveness, displaying tailored ads across sites Consent Up to 24 months

*Exact names, providers, purposes and durations of each individual cookie are listed in the Cookie Table. Haystack dynamically keeps that table up‑to‑date.

Cookies We Use

5. First‑Layer Consent Mechanism

When you first land on our site, a granular cookie banner appears that:

  1. identifies us as data controller;
  2. explains that we use cookies, with links to this detailed policy;
  3. offers options to “Accept all”, “Reject all” and “Customize consent”;
  4. contains purpose‑based toggles so you can consent per category;
  5. stores your choices in a first‑party cookie for 12 months, after which you will be asked again, or earlier if we materially change our use of cookies.

No non‑essential cookies are set until you give consent. Your decision is never a condition to access the site.

6. Managing or Withdrawing Consent

You may at any time:

  • revisit the banner via the “Cookie Settings” link below;
  • delete cookies through your browser settings (see the Help section of your browser);
  • use opt‑out mechanisms offered by third‑party providers (e.g. Google Ads Settings);
  • enable Do Not Track (we currently treat it as a request to block marketing cookies).

Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

7. Third‑Party Cookies & International Transfers

Some cookies come from trusted partners (e.g. analytics, A/B‑testing, video hosting, consent‑management). Where these partners process data outside the European Economic Area, we ensure one of the following safeguards:

  • an Adequacy Decision by the European Commission;
  • Standard Contractual Clauses (SCCs) plus additional technical/organisational measures (encryption, pseudonymisation, access‑controls);
  • or another valid transfer mechanism under GDPR Chapter V.

8. Data Retention

Cookie‑derived personal data is kept no longer than necessary for the declared purpose. Raw analytics logs are aggregated or anonymised within 25 months. Technical logs needed for security may be retained up to 12 months.

9. Your Rights

For any data obtained through cookies you have the rights of access, rectification, erasure, restriction, objection, data portability and to withdraw consent (Arts. 15‑21 GDPR). You also have the right to lodge a complaint with your supervisory authority, e.g. the Belgian Data Protection Authority (Drukpersstraat 35, 1000 Brussels, contact@apd-gba.be).

Requests may be sent to privacy@haystack-consulting.com. If a cookie is set while we act as processor for a client, we will forward your request to the controller and assist them.

10. Security Measures

Haystack applies industry‑standard security such as HTTPS/TLS, firewalls, access‑controls, regular audits and data‑minimisation to prevent unauthorised access or disclosure of cookie data (Art. 32 GDPR).

11. Changes to This Policy

We may update this Cookie Policy to reflect changes in technology, legislation or our practices. The “last updated” date changes with each revision. Material changes will be announced in the banner or on the homepage. Your existing consent will be re‑requested if the changes concern the categories or purposes of cookies used.

12. Contact

Haystack Consulting
Romeinsestraat 4, 3001 Heverlee, Belgium
Tel: +32 (0) 16 62 11 58
Email: privacy@haystack-consulting.com

For Dutch matters you may also write to our Amsterdam office:
Haystack Consulting BV, Binnenkant 24, 1011 BG Amsterdam, The Netherlands.