Cookie Policy

Effective: 2026-05-17Last updated: 2026-05-17

This Cookie Policy describes how LORA English Remote Academy uses cookies and similar client-side technologies on the Tier One English platform. It is a companion to our Privacy Policy and should be read together with it.

Plain-English summary

We use six first-party cookies. Four are strictly necessary or required to deliver functionality you have specifically requested (such as attributing a campaign click to your eventual signup); these are set without separate consent. Two record your decision on our consent banner. With your explicit consent we also load Meta Pixel and Vercel Analytics + Speed Insights; with consent declined, none of those load. We do not use Google Analytics, behavioral profiling, or retargeting cookies. The detailed inventory is in Section 4.

Contents
  1. 1. Overview
  2. 2. What Cookies and Similar Technologies Are
  3. 3. Categories of Cookies and How We Classify Ours
  4. 4. Cookies We Set
  5. 5. Local Storage and IndexedDB
  6. 6. Third-Party Cookies
  7. 7. Marketing-Attribution and Analytics Scripts We Load with Your Consent
  8. 8. Consent and Legal Basis
  9. 9. International Data Transfers
  10. 10. Managing Cookies in Your Browser
  11. 11. Updates to This Policy
  12. 12. Contact

1. Overview

This Cookie Policy explains how LORA English Remote Academy (Business Registration Number 650-94-02234), the operator of the Tier One English platform (collectively, "we", "us", or the "Company"), uses cookies and similar client-side technologies on our website, dashboard, and related services (the "Service").

This Policy is a companion document to our Privacy Policy. Where the Privacy Policy describes the full set of personal information we collect and how we process it, this Policy focuses specifically on cookies, local storage, and similar technologies stored on your device. In case of any inconsistency between the two, the Privacy Policy controls.

By using the Service, you consent to the use of cookies as described below. Cookies that are strictly necessary to operate the Service are set automatically. Cookies that are not strictly necessary are set only where they are required to deliver functionality you have specifically requested (for example, attribution of a campaign click you initiated) or where you have granted opt-in consent via our cookie banner (for marketing-attribution scripts and product analytics). We do not use cookies for retargeting or third-party advertising-network audience matching.

2. What Cookies and Similar Technologies Are

A cookie is a small text file that a website stores in your browser. The browser sends the cookie back to the website on every subsequent request, allowing the site to recognize your session, remember settings, or attribute a visit. A cookie has a name, a value, an expiry, a scope (the domain and path it applies to), and a set of flags that control how it can be read.

Cookies are commonly classified as either session cookies (deleted when you close your browser) or persistent cookies (stored until they expire or you delete them). They are also classified as either first-party (set by the website you are visiting) or third-party (set by another domain whose content is embedded in the page, such as an OAuth iframe or a video player).

Beyond cookies, modern browsers offer other client-side storage: localStorage and sessionStorage (key-value strings tied to an origin), and IndexedDB (a structured database tied to an origin). We use both of these for the purposes described in Section 5. While these are not technically cookies, they are governed by the same data-protection principles, and we treat them with the same care.

3. Categories of Cookies and How We Classify Ours

The European data-protection community generally recognizes four categories of cookies. We use this taxonomy to be clear about what we set and, just as importantly, what we do not set.

  • Strictly necessary cookies are required for the Service to function. They support sign-in sessions, signup-flow consent threading, security, and the prevention of fraud or abuse. Without them you cannot use the Service.
  • Functional cookies remember choices you have made or attribute an action you have initiated (for example, recording that you arrived through a specific campaign link). They improve usability but the Service can technically run without them.
  • Analytics cookies measure how visitors use a website at scale. We do not set persistent analytics cookies. With your opt-in consent we load Vercel Analytics (anonymized page-view metrics, no persistent cookie) and Vercel Speed Insights (anonymized performance pings, no cookie). Both stop firing the moment you withdraw consent.
  • Advertising or marketing cookies are used to attribute conversions or build cross-site profiles. With your opt-in consent we load Meta Pixel (Facebook/Instagram conversion-attribution script) which sets `_fbp` and may read `_fbc` on its own facebook.com domain; without consent it is not loaded. We do not embed Google Analytics, Google Ads, LinkedIn Insight Tag, TikTok Pixel, or any retargeting or cross-site audience-matching script. We do not sell, rent, or share cookie-derived data with advertisers or data brokers.

4. Cookies We Set

The following cookies are set directly by Tier One English on our own domain. Each entry lists the cookie's name, the purpose for which it is set, its expiry, and the category it falls under.

  • Authentication session cookie. Set by our authentication library (Better Auth) when you sign in. Identifies your signed-in session so you do not have to re-enter your password on every request. Marked HTTP-only, secure, and same-site, which prevents access by client-side scripts and from cross-site contexts. Expires after 7 days of inactivity. Category: strictly necessary.
  • pipa-consent. Set during signup to thread your consent selections (Privacy, Terms, third-party transfers, marketing) across the multi-step registration flow before the consents are recorded permanently in our database. The cookie is deleted as soon as your account is created. Lifetime: 10 minutes from issuance. Category: strictly necessary.
  • tt_consent. Records your decision on our cookie banner — `granted` or `denied`. Read on every server-rendered page to decide whether to load Meta Pixel and Vercel Analytics/Speed Insights. Lifetime: 365 days. Category: strictly necessary (records a consent decision required by PIPA).
  • tt_vid. Anonymous visitor identifier assigned on first page view, used solely to bind your banner decisions to an auditable consent log entry (PIPA Article 22-2 requires us to be able to demonstrate consent if challenged). Marked HTTP-only, secure, and SameSite=Lax. The cookie carries only a random identifier — never an email, name, or other personal identifier. Lifetime: 365 days. Category: strictly necessary (compliance audit obligation).
  • __ttrk. Set when you click a campaign tracking link (URLs of the form /r/{slug}). Stores the numeric identifier of the campaign so that, if you sign up later in the same session, we can attribute the signup to the correct campaign. Marked HTTP-only, secure, and SameSite=Lax. Expires after 30 days. Category: functional.
  • tier_session. Set on your first interaction with a campaign tracking link to assign you a randomly generated session identifier. This lets us reconstruct the full chain of campaign-link clicks within a single visitor session and link it to a later signup, if any. Marked HTTP-only, secure, and SameSite=Lax. Expires after 30 days. Category: functional.

Additionally, when you grant marketing consent via our banner, Meta Pixel loads on your browser and sets its own first-party cookies under our domain — `_fbp` (browser identifier, ~90 days) and, if you arrived via a Facebook/Instagram ad, `_fbc` (click identifier, ~90 days). These are set and read by the Meta Pixel script we load; we do not set them directly. They are removed if you withdraw consent and clear your browser cookies.

We do not set any other first-party cookies. If you find a cookie under our domain that is not listed above, please report it to privacy@tieroneenglish.com so we can investigate.

5. Local Storage and IndexedDB

We use the following non-cookie client-side storage in your browser. This data is not transmitted to our servers on every request the way cookies are; it is read and written by code running in your browser tab and is sent to our servers only when needed to recover an in-progress action.

  • Exam and exercise session state (localStorage). When you start a diagnostic test or a timed exercise, your in-progress answers and the absolute end time of any countdown are persisted in localStorage so that a refresh, a tab crash, or a brief network interruption does not destroy your work. The state is cleared when you submit or abandon the session.
  • Marketing attribution parameters (localStorage). When you arrive through a link with UTM parameters or a referrer, those parameters are captured once on landing and stored in localStorage so that they can be sent with your eventual signup. Cleared after signup.
  • In-progress audio recordings (IndexedDB). While you are recording answers for a speaking exercise or a diagnostic test, the recorded audio is buffered in IndexedDB so that it survives a tab refresh. Recordings older than 24 hours are automatically deleted by the application; you may also clear them at any time through your browser's site-data settings.

We do not store cohort identifiers, profile information, or any personal information beyond what is described above in localStorage or IndexedDB. Anything you can see in the dashboard is fetched fresh from our servers on each visit, gated by your authentication session.

6. Third-Party Cookies

When you interact with certain features, third-party services may set their own cookies under their own domains. These are governed by the third party's privacy policy, not ours, and we have only limited visibility into their behavior.

  • Toss Payments (https://www.tosspayments.com/). When you reach the checkout step, Toss embeds its payment widget. Toss may set its own cookies for fraud prevention, session continuity within its widget, and regulatory compliance. We do not control these cookies.
  • Google Sign-In (https://www.google.com/). If you choose to sign in with Google, you are redirected to Google's sign-in flow, where Google sets its own authentication cookies on its own domains. We never receive or read these cookies; we only receive the OAuth identity token Google returns to us after you authenticate.
  • Kakao Sign-In (https://www.kakao.com/). If you choose to sign in with Kakao, the same applies as for Google: Kakao sets its own cookies during its OAuth flow on its own domains, and we never read them.
  • BunnyWay video delivery (https://bunny.net/). Recorded live classes and curriculum video are delivered through Bunny.net. Their video player and CDN may set short-lived cookies for token validation, signed-URL handling, and player state. These cookies are scoped to Bunny.net's domains, not ours.

The following infrastructure providers do not set cookies on your device under our setup: Vercel hosting (server-rendered responses do not set tracking cookies), Sentry error reporting (server-side capture only, no client tags), and Axiom log aggregation (server-side only).

Vercel Analytics and Vercel Speed Insights, which we load only with your marketing consent, do not set persistent cookies; they use anonymized in-memory pings/fetches. They are nevertheless treated here as part of our consented tracking set because they involve a third-party processor (Vercel) receiving data about your interaction with the Service.

Meta Pixel, when loaded after you grant consent, sets the first-party cookies described in Section 4 (`_fbp`, optionally `_fbc`) and may communicate with `facebook.com` on its own domain; cookies set on facebook.com are governed by Meta's own privacy policy.

7. Marketing-Attribution and Analytics Scripts We Load with Your Consent

To measure the effectiveness of our advertising and understand how the Service is used, we load a small number of third-party scripts — only after you grant marketing consent on our cookie banner. Until you accept, none of these are loaded; if you decline or later withdraw consent, they are unloaded on the next page reload.

  • Meta Pixel (Facebook/Instagram conversion attribution). Operated by Meta Platforms, Inc. Loaded in your browser to record a `PageView` event when you grant consent, and conversion events (sign-up, checkout initiation, purchase) when you take those actions. The script sets first-party `_fbp` and may read `_fbc` (see Section 4). The data sent to Meta is described in our Privacy Policy, Section 9.
  • Meta Conversions API (server-to-server). Server-side counterpart to the Pixel that deduplicates the same conversion events. Receives a hashed email, a hashed internal user identifier, your IP, your user agent, and the event name, ID, and (for purchases) value — all hashed where Meta requires hashing. Fires only if you have marketing consent recorded. Disclosed as a subprocessor in our Privacy Policy, Section 9.
  • Vercel Analytics (web analytics). Operated by Vercel, Inc. Collects anonymized page-view metrics in-memory; no persistent cookie is set. Loaded only with your marketing consent.
  • Vercel Speed Insights (performance metrics). Operated by Vercel, Inc. Collects anonymized real-user performance metrics via short-lived pings; no persistent cookie is set. Loaded only with your marketing consent.

To be equally explicit about what we do NOT use, at any consent level: we do not use Google Analytics, Google Ads, or any other Google advertising or audience product. We do not use LinkedIn Insight Tag, Twitter (X) advertising pixels, TikTok Pixel, Pinterest Tag, or any other social-platform advertising script. We do not use Hotjar, FullStory, Mouseflow, Heap, Mixpanel, Amplitude, or any session-replay or behavioral-analytics product. We do not use cross-site cookie syndication, retargeting, or audience-matching services. We do not sell, rent, or share cookie-derived data with advertisers, data brokers, or any third party for their own marketing purposes.

You can revoke marketing consent at any time by clicking "Cookie settings" in the footer of any page; this reopens the banner and your new decision takes effect on the next page load. We will update this Section and notify you through the Service before introducing any new tracking script beyond those listed above.

8. Consent and Legal Basis

Under the Personal Information Protection Act of the Republic of Korea (개인정보 보호법, "PIPA"), the processing of personal information requires a lawful basis. We rely on the following bases for the cookies we set:

  • Strictly necessary cookies (authentication session, pipa-consent, tt_consent, tt_vid): performance of a contract and compliance with a legal obligation under PIPA Article 15(1)(4) and 15(1)(2). These cookies either deliver the Service you have requested or record/audit your consent decisions as PIPA requires.
  • Functional cookies for campaign attribution (__ttrk, tier_session): legitimate interests under PIPA Article 15(1)(6). The processing is limited to attributing actions you have initiated by clicking one of our links, the data is not used for cross-site profiling, and your fundamental rights are not overridden.
  • Marketing-attribution and analytics scripts (Meta Pixel, Meta Conversions API, Vercel Analytics, Vercel Speed Insights): explicit opt-in consent under PIPA Article 15(1)(1) and Article 22-2. None of these load until you click "Accept" on our cookie banner; you may withdraw consent at any time via "Cookie settings" in the footer.
  • Where the European General Data Protection Regulation (GDPR) applies because you are accessing the Service from the European Economic Area, the same scripts are justified as either strictly necessary (Article 6(1)(b)), based on legitimate interests (Article 6(1)(f)), or based on your explicit consent (Article 6(1)(a)).

We display a cookie consent banner on your first visit and on every visit until you record a decision. The banner permits Accept or Decline; declining does not affect your ability to use the Service. Your decision is stored in the `tt_consent` cookie and is also written to our server-side audit log linked only to the anonymous `tt_vid` identifier (not to any account or personal information), so we can demonstrate compliance under PIPA Article 22-2 if required. The audit log entry includes only your decision, the policy version in effect at the time, the source (banner or settings reopener), your IP, your user agent, and the timestamp.

Your overall privacy consent (to the Privacy Policy and to specific data-processing activities at signup) is collected separately at account creation and recorded with timestamp, IP address, user agent, and policy version. You may review or withdraw your overall consent at any time by following the procedures in our Privacy Policy, Section 14.

9. International Data Transfers

Our first-party cookies are set and read on our own domains, and the data they carry is processed by infrastructure located primarily in the United States (Vercel, Neon, Upstash). Section 10 of our Privacy Policy describes these transfers in full detail, including the items transferred, the recipient countries, and the legal bases.

Third-party cookies set during OAuth sign-in (Google, Kakao) and during checkout (Toss Payments) are governed by the relevant third party's own privacy policy and are not transferred to us. Cookies set by Bunny.net are processed on Bunny.net infrastructure in the European Union (Slovenia).

10. Managing Cookies in Your Browser

All major browsers let you view, block, or delete cookies on a per-site or global basis. The links below take you to the official settings documentation for each browser. Please note that the links are operated by the browser vendors and are not under our control.

  • Google Chrome: https://support.google.com/chrome/answer/95647
  • Apple Safari (macOS and iOS): https://support.apple.com/guide/safari/manage-cookies-sfri11471
  • Mozilla Firefox: https://support.mozilla.org/kb/clear-cookies-and-site-data-firefox
  • Microsoft Edge: https://support.microsoft.com/microsoft-edge/delete-cookies-in-microsoft-edge-63947406-40ac-c3b8-57b9-2a946a29ae09

If you block or delete the authentication session cookie, you will be signed out and will not be able to sign back in until you allow the cookie. If you block the pipa-consent cookie during signup, the multi-step signup flow will fail and you will not be able to create an account. If you block the campaign attribution cookies (__ttrk, tier_session), the Service will continue to function normally; only our ability to attribute the visit to a specific campaign will be lost.

You can also use private browsing or incognito mode in your browser, which automatically discards all cookies when the window is closed. The Service is fully usable in this mode, with the side effect that you will need to sign in each time you open a new private window.

11. Updates to This Policy

We may update this Cookie Policy from time to time to reflect changes in the cookies we set, the third-party services we use, or applicable law. Where the change is material and adversely affects your rights, we will provide notice through the Service or by email at least seven (7) days before the effective date, in line with the Act on the Regulation of Terms and Conditions (약관규제법). Non-material changes (clarifications, link updates, typographical corrections) take effect upon posting.

Your continued use of the Service after the effective date constitutes acceptance of the amended Policy.

12. Contact

For any questions, requests, or complaints regarding this Cookie Policy or our use of cookies, please contact us:

LORA English Remote Academy (Tier One English) Business Registration Number: 650-94-02234 Representative: Chanhee So Address: 19, Hakdong-ro 2-gil, Gangnam-gu, Seoul (Nonhyeon-dong, Sail Building), Republic of Korea Privacy inquiries: privacy@tieroneenglish.com General support: support@tieroneenglish.com Legal and compliance: legal@tieroneenglish.com