Cookie and Tracking Consent Policy

This Cookie and Tracking Consent Policy explains how Vourigo SARL ("we", "us", "our") uses cookies, web beacons, pixels, and similar tracking technologies (collectively, "Trackers") on the Vourigo Platform ("Platform"). This Policy is designed to comply with:

(a) EU General Data Protection Regulation (GDPR) Article 4(11) and Article 7 regarding the definition and conditions of consent;

(b) EU ePrivacy Directive (2002/58/EC) as amended;

(c) CNIL (Commission Nationale de l'Informatique et des Libertés) Cookie Guidelines;

(d) Cameroon Law No. 2024/017 relating to Personal Data Protection, including provisions on electronic tracking and user consent;

(e) Cameroon Cyber Security Law (2010/012) regarding information system monitoring.

This Policy applies to all Trackers placed on the Platform, whether by Vourigo SARL or by authorised third-party processors. It covers web browsers, mobile applications, and any other interface through which a user accesses the Platform.

• Cookie: A small text file stored on your device by a web server, which can be read or updated by the server on subsequent visits.
• Tracker: Any technology that enables tracking of user activity, including cookies, pixels, tags, web beacons, fingerprinting, and local storage.
• Consent: A freely given, specific, informed, and unambiguous indication of the data subject's wishes signifying agreement to the processing of personal data (GDPR Article 4(11)).
• Essential Tracker: A Tracker strictly necessary for the operation of the Platform or the provision of a service explicitly requested by the user.
• Functional Tracker: A Tracker that enables enhanced functionality and personalisation.
• Behavioural or Analytical Tracker: A Tracker used to analyse user behaviour, measure audience, or deliver targeted advertising.

3.1 Essential or Strictly Necessary Trackers

Required for the Platform to function; cannot be disabled. They do not store personally identifiable information beyond what is necessary for the session or security purpose.

Examples: Session authentication tokens (JWT); Security cookies (CSRF protection, fraud detection); Load balancing cookies; User consent state records.

Duration: Session or up to 1 year for security tokens.

Consent Required: No. These are exempt from prior consent under GDPR Recital 30 and CNIL guidelines.

3.2 Functional Trackers

Enable enhanced functionality and personalisation. Disabled by default; activate only upon your explicit consent.

Examples: Language preference storage; Currency preference storage; Itinerary draft saving (local storage); Accessibility settings.

Duration: Up to 1 year. Consent Required: Yes.

3.3 Behavioural and Analytical Trackers

Help us understand how visitors interact with the Platform. All data is processed under pseudonymisation where possible. Disabled by default; activate only upon your explicit, granular consent.

Examples: Google Analytics 4 (IP anonymisation enabled); Heatmap and session recording tools (anonymised); Meta Pixel (Facebook/Instagram advertising); Conversion tracking pixels.

Duration: Up to 2 years for analytics; 90 days for marketing pixels. Consent Required: Yes.

Upon your first visit to the Platform, we display a clear, conspicuous consent banner that:

(a) Informs you that we use Trackers;

(b) Groups Trackers by category (Essential, Functional, Behavioural/Analytical);

(c) Provides a clear affirmative action ("Accept All", "Reject Non-Essential", or granular toggles by category);

(d) Links to this full Policy and to the Privacy Policy;

(e) Records your consent choice with a timestamp stored in a tamper-evident format.

You may consent to Tracker categories individually. Consent to one category does not imply consent to another.

No Behavioural or Analytical Trackers will activate until you grant explicit consent. This complies with CNIL guidelines and GDPR Article 7.

We maintain granular consent records including: the date and time of consent; the consent mechanism used; the categories to which consent was given or withheld; your IP address (anonymised) and user agent. These records are retained for 2 years.

The following third-party processors may place Trackers on the Platform subject to your consent:

• Google Analytics 4: Google LLC (USA). Purpose: Audience measurement and UX analysis. Safeguard: IP anonymisation enabled; Data Processing Amendment signed; EU SCCs in place.
• Meta Platforms, Inc.: USA. Purpose: Conversion tracking and retargeting. Safeguard: Activated only with explicit marketing consent; EU SCCs in place.

If we add new third-party Trackers, we will update this Policy and, where required, seek renewed consent. We do not sell Tracker data to data brokers or unauthorised advertisers.

You have the absolute right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (GDPR Article 7(3)). Withdrawal is as easy as giving consent.

You can manage your Tracker preferences at any time by:

(a) Clicking the "Cookie Settings" link in the Platform footer;

(b) Accessing your account dashboard under "Privacy and Security";

(c) Emailing dpo@vourigo.com with the subject line "Tracker Preference Update".

The management interface allows you to review all active Tracker categories, toggle consent for Functional and Behavioural/Analytical Trackers, view the date of your last consent update, and export your consent record.

• Essential Tracker data: Retained for the duration necessary to fulfil the purpose (session to 1 year).
• Functional Tracker data: Retained for 1 year or until you withdraw consent, whichever occurs first.
• Behavioural/Analytical Tracker data: Retained for 2 years or until you withdraw consent, whichever occurs first. Aggregated, non-identifiable statistical data may be retained indefinitely.

Upon withdrawal of consent or expiry of retention periods, Tracker data is securely deleted or anonymised in accordance with NIST 800-88 Rev 1 guidelines.

Tracker data collected by third-party processors (for example, Google, Meta) may be transferred outside Cameroon and the EU. Such transfers are governed by:

• Standard Contractual Clauses (SCCs) approved by the European Commission;
• Supplementary technical measures (pseudonymisation, encryption);
• Cameroon Law No. 2024/017 cross-border transfer provisions.

For EU residents, GDPR Chapter V safeguards apply. For Cameroon residents, data localisation preferences are respected for sensitive categories.

We may update this Cookie and Tracking Consent Policy to reflect changes in technology, regulation, or business operations. Material changes will be notified via:

• A prominent banner on the Platform;
• Email to registered users (if email consent is active);
• 30-day advance notice for changes affecting consent requirements or data subject rights.

Your continued use of the Platform after the effective date of an updated Policy constitutes acknowledgment of the changes.

Data Protection Officer (DPO): dpo@vourigo.com

EU Representative: eu-rep@vourigo.com

Platform Support: privacy@vourigo.com

For complaints, EU residents may contact their local data protection supervisory authority. Cameroon residents may contact the Personal Data Protection Authority once operationalised.

Version 1.0. Effective 19 May 2026. Next Review: 19 November 2026