Cookie Policy
Last updated: June 2026
This Cookie Policy explains how Acquia, Inc. and its affiliates ("Acquia," "we," "us," or "our") use cookies and similar tracking technologies on www.acquia.com and the other websites, subdomains, and applications we own or operate that link to this policy, including our documentation, community, and event-registration sites (collectively, the "Websites").
This Cookie Policy forms part of, and is incorporated into, our Terms of Use. Capitalized terms not defined here have the meanings given in our Privacy Policy. Where cookies or similar technologies collect information that identifies you, or that becomes identifying when combined with other information, we handle that information as described in our Privacy Policy.
This policy has been prepared to address the requirements of the following legal frameworks, among others: the EU General Data Protection Regulation (GDPR); the UK GDPR and Privacy and Electronic Communications Regulations 2003 (PECR); the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA); applicable US state wiretap and electronic-communications statutes; the Children's Online Privacy Protection Act (COPPA); Canada's PIPEDA and Quebec's Law 25; Brazil's LGPD; Australia's Privacy Act 1988; and the US state privacy laws described in Section 5.
2. What Are Cookies and Similar Technologies?
2.1 Cookies
Cookies are small text files placed on your computer or mobile device when you visit a website. They make websites work, make them work more efficiently, remember your preferences, and report information to site owners. Cookies set by the site you visit are called first-party cookies; cookies set by anyone other than the site owner are third-party cookies.
2.2 Related Technologies
We also use the following technologies, referred to collectively as "cookies" throughout this policy:
- Pixels and web beacons -- tiny invisible graphics embedded on a page or in an email that report whether the page was loaded or the email was opened.
- Local and session storage -- browser-based storage used to support site features and remember settings.
- Software development kits (SDKs) -- code libraries in mobile or embedded applications that may collect usage data analogously to cookies.
- Session recording tools -- technologies that capture anonymized or pseudonymized records of session activity, mouse movements, and click interactions to help us improve usability. See Section 3 for details.
- Chat and support tools -- platforms that enable real-time chat interactions between visitors and our team, which may record or process conversation content. See Section 3 for details.
- Advertising tags and pixels -- scripts that share information about your visit with our advertising partners when you consent to advertising cookies. See Section 4.3 for details.
- Device and browser characteristics -- information such as browser type, screen resolution, and IP address used for security purposes, including bot and fraud detection.
3. Session Recording and Communications Notice
Some of the tools we use to operate and improve our Websites record or process interactions in ways you should be aware of. We obtain your consent to these activities through our cookie banner before any such tools are loaded.
3.1 Session Recording
When you consent to Functional cookies, certain tools (currently Microsoft Clarity and Datadog) may record a pseudonymized replay of your browsing session, including mouse movements, clicks, and scroll behavior. These recordings help us identify usability issues and improve our Websites. They are pseudonymized and are not used to identify you personally. By consenting to Functional cookies, you consent to this session-recording activity.
3.2 Chat and Support Interactions
Our Websites use chat tools (currently Qualified and Forethought) to enable real-time conversations with our sales and support teams. When you initiate a chat session, a notice is displayed informing you that the conversation may be recorded and processed by the relevant platform. By continuing the conversation, you consent to that recording. Chat tools are loaded only after you consent to Functional cookies.
3.3 Real-Time Data Sharing with Advertising Partners
When you consent to Advertising cookies, certain tags and pixels on our Websites share information about your visit -- such as pages viewed and actions taken -- with our advertising partners in real time. This data sharing enables us to serve you relevant advertising and to measure campaign effectiveness. The advertising partners currently active are listed in Section 4.3. All advertising tags are blocked from loading until you provide consent.
4. Legal Basis for Processing (GDPR / UK GDPR)
For visitors from the European Economic Area (EEA) or the United Kingdom, we rely on the following legal bases under the GDPR, UK GDPR, and the ePrivacy Directive (implemented in the UK as PECR):
Cookie Category | Legal Basis | Explanation |
|---|---|---|
Required (Strictly Necessary) | Legitimate interests (Art. 6(1)(f)) / Contractual necessity (Art. 6(1)(b)) | Strictly necessary cookies do not require consent under the ePrivacy Directive. We rely on our legitimate interest in operating and securing the Websites and, where applicable, the need to perform our contract with the user. |
Functional & Analytics | Consent (Art. 6(1)(a) GDPR) | Non-essential functional and analytics cookies require freely given, specific, informed, and unambiguous consent, obtained via our cookie banner before any such cookies are placed. |
Advertising | Consent (Art. 6(1)(a) GDPR) | Advertising cookies are placed only after you actively opt in. You may withdraw consent at any time via the Cookie Preferences center without affecting the lawfulness of prior processing. |
A Legitimate Interests Assessment (LIA) has been conducted for Required cookies. Records are available to our supervisory authority on request. Our EU/EEA representative (GDPR Art. 27): Acquia Sarl, 7 rue Meyerbeer, 75009 Paris, France, +33 01 42 46 79 92.
5. Categories of Cookies We Use
We group cookies into three categories consistent with the choices in our TrustArc cookie banner. Specific cookies may change as we update our Websites and vendor relationships; the most current list is always available in our Cookie Preferences center (see Section 9).
5.1 Required Cookies
Strictly necessary to provide the Websites and their core features. They cannot be switched off through our banner; blocking them in your browser may impair functionality.
Provider | Purpose | Typical Retention |
|---|---|---|
Acquia (Drupal) | Operates the Websites; maintains your authenticated session and core site functionality. | Session |
CHEQ | Bot detection, fraud prevention, and malicious-traffic protection. Loads outside GTM on strictly necessary security grounds. | Session / Up to 1 year |
Cloudflare | Content delivery, traffic routing, load balancing, and DDoS / malicious-traffic mitigation. | Session / Up to 1 year |
Google Tag Manager | Loads and orchestrates other tags in accordance with your cookie choices. GTM itself does not place independent tracking cookies. | Session |
TrustArc | Stores and enforces your cookie-consent preferences so they are applied on future visits. | 1 year |
5.2 Functional Cookies
Enable features and measurement that improve your experience but are not strictly necessary. Loaded only after you consent. If rejected, some features may be unavailable or degraded.
Provider | Purpose | Typical Retention |
|---|---|---|
Google Analytics | Measures site usage and performance (pages visited, traffic sources, session duration, conversion events) to help improve our Websites. | Up to 2 years |
Microsoft Clarity | Analyzes on-site behavior through session activity recording and heatmaps to improve usability. Recordings are pseudonymized. Your use of this Website constitutes consent to this recording activity. | Up to 1 year |
Monsido | Web governance, accessibility monitoring, content-quality assurance, and usage analytics. | Up to 1 year |
VWO (Visual Website Optimizer) | A/B testing, multivariate testing, and experience personalization to improve site effectiveness. | Up to 1 year |
Knotch | Content performance and engagement measurement. | Up to 1 year |
Qualified | Conversational chat and meeting booking. Chat sessions may be recorded and processed by Qualified to support our sales team. A notice is displayed at the start of each chat session. | Up to 1 year |
Cvent | Event and webinar registration on our event pages. | Session / Up to 1 year |
Datadog | Application performance monitoring and session activity recording on certain pages. Recordings are pseudonymized. Your use of this Website constitutes consent to this recording activity. | Up to 1 year |
Vimeo | Delivers embedded video content and measures video-viewing engagement. | Up to 2 years |
Widen (Acquia DAM) | Delivers images and other digital assets from our digital asset management system. | Session / Up to 1 year |
SearchUnify / Acquia Search | Powers full-text search on our website, documentation, and community properties. | Session / Up to 1 year |
Forethought | Powers AI-assisted support chat and knowledge retrieval. Chat sessions may be recorded and processed by Forethought to improve support quality. A notice is displayed at the start of each chat session. | Up to 1 year |
Atlassian Statuspage | Displays live system and service status information. | Session |
5.3 Advertising Cookies
Set by us and our advertising partners to build interest profiles, serve relevant advertising, and measure campaign effectiveness. Loaded only after you opt in.
Provider | Purpose | Typical Retention |
|---|---|---|
Google Ads / Campaign Manager 360 (DoubleClick) | Delivers, personalizes, and measures display, search, and remarketing advertising across Google's ad network. Information about your visit is shared with Google in real time when this cookie is active. | Up to 13 months |
Delivers advertising to LinkedIn members and measures ad conversions. Information about your visit is shared with LinkedIn in real time when this cookie is active. | Up to 1 year | |
Meta (Facebook) | Delivers advertising on Facebook and Instagram and measures ad conversions. Information about your visit is shared with Meta in real time when this cookie is active. | Up to 90 days |
Microsoft Advertising (Bing) | Delivers advertising on Microsoft search and display networks and measures campaign conversions. | Up to 13 months |
Delivers advertising on Reddit and measures ad conversions. | Up to 2 years | |
G2 | Buyer-intent data for advertising targeting and audience measurement on the G2 platform. | Up to 1 year |
Intentsify | Intent-based advertising delivery and audience measurement using third-party intent signals. | Up to 1 year |
6sense | Account identification, audience measurement, and account-based marketing advertising. | Up to 2 years |
Salesforce (Marketing Cloud Account Engagement / Pardot) | Identifies returning visitors, tracks marketing engagement, and attributes conversions for marketing automation. | Up to 2 years |
Acast | Podcast and audio advertising delivery and campaign performance measurement. | Up to 1 year |
We may periodically engage additional advertising and social-media partners. Their cookies will be disclosed in our Cookie Preferences center and will load only with your consent where required.
6. Your Privacy Rights by Jurisdiction
The rights available to you depend on where you are located. We honor rights requests from residents of all jurisdictions below. To exercise any right, adjust your Cookie Preferences (Section 9) or contact [email protected].
6.1 European Economic Area (GDPR)
- Right of access -- Request a copy of the personal data we hold.
- Right to rectification -- Request correction of inaccurate or incomplete data.
- Right to erasure -- Request deletion where no overriding legitimate reason exists for continued processing.
- Right to restriction -- Request restricted processing in defined circumstances.
- Right to data portability -- Request a machine-readable copy of data you provided to us.
- Right to object -- Object to processing based on legitimate interests or to direct marketing.
- Right to withdraw consent -- Withdraw consent at any time via the Cookie Preferences center. Withdrawal does not affect prior lawful processing.
- Right to lodge a complaint -- Lodge a complaint with your national data protection supervisory authority.
6.2 United Kingdom (UK GDPR and PECR)
UK residents have equivalent rights under UK GDPR. PECR specifically requires prior consent for all non-essential cookies. You may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint. Our UK representative (UK GDPR Art. 27, if applicable): Acquia LTD, Davidson House, Forbury Square, Reading, Berkshire RG1 3EU, United Kingdom, +44 (0)1865 520 011
6.3 California (CCPA / CPRA)
- Right to Know -- Know what personal information we collect, use, disclose, sell, or share, and for what purposes.
- Right to Delete -- Request deletion of personal information we collected from you, subject to exceptions.
- Right to Correct -- Request correction of inaccurate personal information.
- Right to Opt-Out of Sale or Sharing -- Direct us not to sell or share your personal information, including for cross-context behavioral advertising. Exercise this via: (a) Cookie Preferences center; (b) "Do Not Sell or Share My Personal Information" link in our website footer; or (c) a Global Privacy Control (GPC) signal.
- Right to Limit Sensitive Personal Information -- Where we collect sensitive personal information (for example, precise geolocation via advertising tools), limit its use to specified purposes.
- Right to Non-Discrimination -- We will not discriminate against you for exercising CCPA/CPRA rights.
Submit California rights requests to [email protected] or via the "Do Not Sell or Share" footer link. Authorized agents may act with written authorization.
6.4 Other US State Privacy Laws
State / Law | Effective Date | Key Rights Relevant to Cookies |
|---|---|---|
Virginia (VCDPA) | Jan 1, 2023 | Access, delete, correct, portability; opt out of targeted advertising, sale, and profiling. |
Colorado (CPA) | Jul 1, 2023 | Access, delete, correct, portability; opt out of targeted advertising and sale. GPC honored. |
Connecticut (CTDPA) | Jul 1, 2023 | Access, delete, correct, portability; opt out of targeted advertising, sale, and profiling. GPC honored. |
Utah (UCPA) | Dec 31, 2023 | Access, delete; opt out of sale and targeted advertising. |
Texas (TDPSA) | Jul 1, 2024 | Access, delete, correct, portability; opt out of sale, targeted advertising, and profiling. |
Oregon (OCPA) | Jul 1, 2024 | Access, delete, correct, portability; opt out of targeted advertising, sale, and profiling. GPC honored. |
Montana (MCDPA) | Oct 1, 2024 | Access, delete, correct, portability; opt out of sale and targeted advertising. |
Indiana (INCDPA) | Jan 1, 2026 | Access, delete, correct, portability; opt out of sale and targeted advertising. |
Delaware, Iowa, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, Tennessee, and others | Various 2025-2026 | Substantially similar rights including opt-out of targeted advertising and sale. |
For all US residents with applicable rights: opt out by adjusting Cookie Preferences, using the "Do Not Sell or Share" footer link, or sending a valid GPC signal.
6.5 Canada (PIPEDA and Quebec Law 25)
We obtain meaningful consent for non-essential cookies and allow withdrawal at any time. Under Quebec's Law 25 we disclose profiling functionality and, where applicable, conduct privacy impact assessments and provide information about automated decision-making.
6.6 Brazil (LGPD)
Rights include: confirmation and access; correction; anonymization, blocking, or deletion; portability; deletion of consent-based data; information about sharing; right to know consequences of denying consent; and withdrawal of consent. Legal basis for advertising cookies: consent (Art. 7(I) LGPD). Legal basis for required cookies: legitimate interest (Art. 7(IX) LGPD). Contact [email protected] to exercise rights.
6.7 Australia
We handle cookie-collected personal information in accordance with the Australian Privacy Principles (APPs): notifying you of collection, limiting use to stated purposes, and maintaining reasonable security. Contact [email protected] for access or correction requests, or lodge a complaint with the OAIC at oaic.gov.au.
6.8 Other Jurisdictions
Our cookie practices also respect applicable requirements under the laws of Japan (APPI), Singapore (PDPA), India (DPDPA 2023), and other jurisdictions from which our Websites are accessed. Contact [email protected] for jurisdiction-specific inquiries.
7. Children's Privacy
7.1 Children Under 13 (COPPA)
Our Websites are directed to business professionals and are not intended for children under 13. We do not knowingly collect personal information from children under 13 through cookies or any other means. If you are a parent or guardian and believe we have inadvertently collected personal information from your child, contact [email protected] immediately. We will promptly delete such information.
7.2 GDPR and Children's Consent
Under GDPR, valid consent cannot be given by children below the minimum age set by each EU Member State (between 13 and 16 years). Our Websites are directed to business professionals. If we become aware of processing involving a child below the applicable age threshold, we will promptly address it.
7.3 Educational Customers
Customers deploying Acquia products in educational environments may have obligations under applicable educational privacy laws. Please consult legal counsel and contact your Acquia account team regarding privacy-compliant platform configurations for educational use cases.
8. International Data Transfers
We are headquartered in the United States. When personal data collected through cookies is transferred outside the EEA, the UK, or other jurisdictions with data-transfer restrictions, we rely on one or more of the following mechanisms:
- Standard Contractual Clauses (SCCs) -- We use the European Commission's 2021 SCCs for transfers from the EEA to countries without an adequacy decision, including the US.
- EU-US Data Privacy Framework (DPF) -- For service providers self-certified under the DPF, we may rely on the DPF adequacy decision.
- UK International Data Transfer Agreement (IDTA) / Addendum -- For transfers from the UK, we use the ICO's IDTA or the UK Addendum to the EU SCCs.
- Adequacy decisions -- For transfers to countries with an EU or UK adequacy decision (e.g., Canada, Japan), we rely on that decision.
- Consent -- Where you provide prior consent to advertising cookies involving cross-border transfers, consent under Art. 49(1)(a) GDPR may serve as an additional basis.
A list of key data processors and applicable transfer mechanisms is available on request from [email protected].
9. How Can I Control Cookies?
9.1 Cookie Preferences Center (TrustArc)
When you first visit our Websites, our TrustArc cookie banner lets you accept all cookies, reject all non-essential cookies, or choose by category. You may change your choices at any time via the "Cookie Preferences" link in our website footer. Preferences are stored by TrustArc; clearing browser cookies or using a different browser or device resets them.
9.2 Browser Controls
Most browsers let you accept, refuse, or delete cookies through their settings menus. Blocking all cookies may impair functionality on our Websites.
9.3 Global Privacy Control (GPC)
Where required by applicable law (including California, Colorado, Connecticut, Oregon, and other states), we treat a GPC signal as a valid opt-out from the sale or sharing of personal information and from targeted advertising for that browser/device. GPC signals are processed automatically.
9.4 "Do Not Sell or Share" Link
California residents (and residents of other states with equivalent opt-out rights) may also use the "Do Not Sell or Share My Personal Information" link in our website footer, or reject the Advertising category in Cookie Preferences.
9.5 Interest-Based Advertising Industry Opt-Outs
- Digital Advertising Alliance (US): optout.aboutads.info
- Network Advertising Initiative (US): optout.networkadvertising.org
- European Interactive Digital Advertising Alliance: youronlinechoices.eu
- Canadian Digital Advertising Alliance: youradchoices.ca
9.6 Mobile Advertising Identifiers
Limit interest-based advertising via your device's privacy settings (iOS: Settings > Privacy & Security > Tracking; Android: Settings > Privacy > Ads).
9.7 Do Not Track (DNT)
No common industry standard for DNT has been adopted; our Websites do not currently respond to DNT signals. We do honor the Global Privacy Control as described in Section 9.3.
10. Cookie Data Retention
Session cookies expire when you close your browser. Persistent cookies remain on your device until their expiry date or until deleted. Indicative retention periods for each provider are shown in Section 5. Actual retention may vary based on the specific cookie, provider version, and configured settings. To request deletion of personal data associated with your browser, see your applicable rights in Section 6 or contact [email protected].
11. Updates to This Cookie Policy
We may update this policy to reflect changes in the cookies we use, changes in applicable law, or for operational or regulatory reasons. When we do, we revise the "Last updated" date at the top. For material changes, we may provide additional notice through our cookie banner or other means.
12. Contact Information
- Email: [email protected]
- Postal: Acquia, Inc., 53 State Street, 10th Floor, Boston, MA 02109, USA
- EU/EEA Representative (GDPR Art. 27): Acquia Sarl, 7 rue Meyerbeer, 75009 Paris, France, +33 01 42 46 79 92
- UK Representative (UK GDPR Art. 27): Acquia LTD, Davidson House, Forbury Square, Reading, Berkshire RG1 3EU, United Kingdom, +44 (0)1865 520 011
- Data Protection Officer (if applicable): Privacy Team, [email protected]
For more information about how we handle personal information generally, see our Privacy Policy at acquia.com/privacy-policy.