Kallflow LogoKallflow

Cookie Policy

This is the current website cookie policy.

Last updated: 19/02/2026

This Cookie Policy explains how BASELINK, SL (the "Website Publisher", "we") uses cookies and similar technologies on the website kallflow.com and the associated Portal.

For your privacy, the website implements a consent system with:

  • a banner with Accept, Reject and Configure buttons, and
  • a settings modal by categories.

1) Legal framework (EU and Spain)

1.1. ePrivacy (EU): the general rule requires prior consent to store or access information on your device (cookies, localStorage, identifiers, pixels, etc.), except when it is strictly necessary to provide the requested service.

  • Directive 2002/58/EC (ePrivacy), art. 5.3: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32002L0058

1.2. Spain (LSSI-CE): article 22.2 regulates "data storage and retrieval devices" and requires clear information and consent, with exemptions for strictly necessary cookies.

  • Law 34/2002 (LSSI-CE) (BOE): https://boe.es/buscar/act.php?id=BOE-A-2002-13758&tn=2

1.3. Data protection (GDPR/LOPDGDD): when cookies/identifiers involve personal data (e.g. pseudonymous identifiers), the GDPR applies.

  • GDPR (Regulation (EU) 2016/679): https://eur-lex.europa.eu/eli/reg/2016/679/oj
  • LOPDGDD (BOE): https://boe.es/buscar/act.php?id=BOE-A-2018-16673&tn=2

1.4. Authority guidance (practical implementation):

  • AEPD - Guide on the use of cookies (updated 11/07/2023): https://www.aepd.es/guias/guia-cookies.pdf
  • EDPB - Guidelines 2/2023 (technical scope of art. 5.3 ePrivacy; includes technologies beyond cookies): https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22023-technical-scope-art-53-eprivacy-directive_en

2) What are cookies and similar technologies

2.1. Cookies: small text files that the browser stores on your device (computer, mobile, etc.) when you visit a website.

2.2. Similar technologies (also regulated): identifiers, pixels, and web storage such as localStorage/sessionStorage, insofar as they involve storing or accessing information on your device.

3) Types and categories of cookies (how we classify them)

Our consent manager uses these categories:

  • Necessary: essential for basic functions (e.g. authenticated session, remembering consent).
  • Preferences: remember options (e.g. language) when the user configures them.
  • Analytics: measure usage and conversions (e.g. DataFast).
  • Marketing: targeted advertising and campaigns (if applicable).

By default, when you have not made a choice yet, only necessary cookies are enabled.

4) How we obtain and manage your consent

4.1. First layer (banner) When you visit the website for the first time (or when there is no stored decision), we show a banner with:

  • Accept all
  • Reject
  • Configure

Following AEPD criteria, the reject option must be as easy as the accept option.

4.2. Second layer (settings modal) The modal allows enabling/disabling by categories. The necessary category is always enabled.

4.3. How we store your choice We store consent in a cookie:

  • Name: kallflow_cookie_consent
  • Format: JSON (e.g. { "necessary": true, "analytics": false, ... })
  • Duration: 365 days
  • Attributes: SameSite=Lax; Secure; path=/

4.4. How to change or withdraw consent You can reopen cookie settings from the website (e.g. a "Cookie settings" link/button in the footer, if provided) and:

  • accept categories,
  • reject categories,
  • save changes.

Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal, but it does affect future processing.

5) Cookies and identifiers we use (technical details)

Note: some third parties may change names/durations over time. This list reflects our current implementation and must be updated when integrations change.

5.1) Necessary cookies (exempt / strictly necessary)

5.1.1. kf_auth_session

  • Provider: first-party (Portal)
  • Purpose: keep the authenticated session (an HttpOnly cookie).
  • Duration: up to 30 days (or until logout).

5.1.2. kallflow_cookie_consent

  • Provider: first-party
  • Purpose: remember your consent choice (required to comply with ePrivacy/LSSI and avoid showing the banner repeatedly).
  • Duration: 365 days.

5.2) Preference cookies (personalization)

5.2.1. NEXT_LOCALE

  • Provider: first-party
  • Purpose: remember the language when the user changes it manually.
  • Duration: 365 days.
  • AEPD note: user-chosen personalization (e.g. language) is usually considered technical and may be exempt from consent, provided it is not used for other purposes.

5.3) Analytics cookies (only if you accept "Analytics")

5.3.1. DataFast (analytics) This website integrates DataFast and loads its script only when you have accepted analytics cookies.

Relevant implementation details:

  • The script is served as a first-party proxy at \/js\/script.js (rewrite to https://datafa.st/js/script.js).
  • Event sending is done at \/api\/events (rewrite to https://datafa.st/api/events).

Cookies/identifiers that may appear (depending on DataFast):

  • datafast_visitor_id
  • datafast_session_id

Purpose:

  • identify a session/visitor pseudonymously to measure visits and conversions (e.g. "purchase_completed" or "payment_cancelled").

Duration:

  • may include a session cookie and a more persistent one (depending on DataFast configuration).

5.4) Anti-abuse technologies (forms) - reCAPTCHA

We use Google reCAPTCHA v3 in forms (e.g. support and sales contact) to prevent abuse and bots.

How it works:

  • the reCAPTCHA script is loaded when the form widget/modal is opened,
  • a token is generated to validate the request on the server.

Potential cookies:

  • Google may install cookies/identifiers (names and durations may vary; _GRECAPTCHA and/or Google-domain cookies are often mentioned).

Purpose:

  • security, abuse prevention, and service protection.

Provider policies:

  • https://policies.google.com/privacy

6) What happens if you reject cookies?

6.1. Necessary

  • they remain enabled, because without them the website/Portal may not work (e.g. authenticated session) or we would not be able to remember your consent decision.

6.2. Analytics

  • DataFast is not loaded,
  • no analytics events are sent,
  • and analytics identifiers must not be written to your device.

6.3. Preferences

  • if you do not accept them (or do not configure them), some preferences will not be remembered (e.g. language), and you may have to choose them again.

7) How to delete cookies from your browser

You can delete cookies and site data from your browser settings. Additionally:

  • you can block third-party cookies,
  • you can delete data for a specific domain.

Keep in mind that if you delete kallflow_cookie_consent, the banner may appear again until you make a new choice.

8) Updates to this policy

We will update this document when:

  • we add or remove tools (e.g. analytics),
  • we change purposes or categories,
  • regulatory requirements or guidance changes.