Cookie Policy
June 2026 · Version 1.0
Applies to: helmwms.com · thedespatchcompany.com · heyvoila.io · heyneuro.io
1. Introduction
This Cookie Policy explains how The Despatch Company Ltd and its associated product brands ("we", "us", "our") use cookies and similar tracking technologies when you visit any of the websites listed above.
We are committed to transparency about the cookies we use, why we use them, and your choices. This policy should be read alongside our Privacy Policy, which is available on each website listed above.
This policy is drafted to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR), as amended.
2. Who We Are
The data controller responsible for the websites covered by this policy is The Despatch Company Ltd.
Registered address: Unit 76, Warfield Road, Driffield, YO25 9FQ
Company number: 09615192
ICO registration number: A8116774
Data protection enquiries: privacy@thedespatchcompany.com
The websites covered by this policy are operated under the following product brands:
Helm (helmwms.com): Warehouse and fulfilment management software for ecommerce businesses.
The Despatch Company (thedespatchcompany.com): Multi-carrier shipping and courier management platform.
Voila (heyvoila.io): Order management and fulfilment automation software.
Neuro (heyneuro.io): AI-powered intelligence and automation layer for ecommerce operations.
3. What Are Cookies?
Cookies are small text files placed on your device (computer, tablet, or mobile phone) when you visit a website. They allow websites to function correctly, work more efficiently, and provide useful information to website operators.
We use the term "cookies" in this policy to refer collectively to cookies and similar tracking technologies, including web beacons, pixels, tags, scripts, and browser local storage.
Cookies may be:
Session cookies — deleted automatically when you close your browser.
Persistent cookies — retained on your device for a defined period or until manually deleted.
First-party cookies — set directly by us on our websites.
Third-party cookies — set by technology partners whose tools are embedded on our pages.
4. Legal Basis for Using Cookies
Under PECR and UK GDPR, we may only place non-essential cookies on your device with your prior, freely given, specific, informed, and unambiguous consent. Strictly necessary cookies are exempt from this requirement as they are essential for website operation.
When you first visit any of our websites, a cookie consent banner will appear. You can accept all cookies, decline non-essential cookies, or customise your preferences by category. You can withdraw or update your consent at any time via the "Manage Cookies" link in the footer of any of our websites.
Strictly Necessary — Legal basis: PECR Reg. 6(4), consent not required. Essential for website operation. Cannot be disabled via our consent tool.
Performance & Analytics — Legal basis: Consent (UK GDPR Art. 6(1)(a)). Active consent required. Helps us understand and improve website performance.
Functional — Legal basis: Consent (UK GDPR Art. 6(1)(a)). Active consent required. Enables enhanced features such as live chat.
Marketing & Targeting — Legal basis: Consent (UK GDPR Art. 6(1)(a)). Active consent required. Supports sales identification and business development.
5. Cookie Categories Explained
5.1 Strictly Necessary Cookies
These cookies are essential for our websites to function and cannot be disabled via our consent tool. They are typically set in response to actions such as logging in, setting your privacy preferences, or submitting a form. You can configure your browser to block them, but doing so may prevent parts of our websites from working.
5.2 Performance and Analytics Cookies
These cookies allow us to count visits and measure traffic flows to analyse and improve the performance of our websites. They help us understand which pages attract the most interest, where visitors come from, and how people navigate through our sites. Where practicable, information collected via analytics cookies is aggregated and anonymised. Consent is required before these cookies are placed.
5.3 Functional Cookies
These cookies enable additional functionality and personalisation features, such as live chat widgets, form pre-fill, A/B testing, and user preference storage. They may be set by us or by third-party providers whose services are embedded in our pages. If you decline these cookies, some features may be unavailable or may not work as expected. Consent is required before these cookies are placed.
5.4 Marketing and Targeting Cookies
These cookies support our marketing and sales activities. In particular, they enable us to identify the organisations (not individuals) visiting our websites, based on IP address matching and browser-based tracking. This data is used to support outbound sales outreach and to measure the effectiveness of our marketing. Consent is required before these cookies are placed.
6. Detailed Cookie Information
The following lists all cookies currently in use on our websites, organised by service provider. This list is reviewed and updated periodically. We will seek fresh consent before deploying any new consent-based cookie.
6.1 Strictly Necessary Cookies
PHPSESSID (Our websites) — Maintains your session state as you navigate between pages. Automatically deleted when you close your browser. Expiry: Session.
csrf_token / XSRF-TOKEN (Our websites) — Prevents cross-site request forgery (CSRF) attacks by verifying that form submissions originate from our website. Expiry: Session.
cookie_consent (Our websites) — Records your cookie consent preferences to prevent the consent banner from displaying on every visit. Expiry: 12 months.
__cf_bm (Cloudflare) — Bot-management cookie used by Cloudflare to distinguish legitimate human visitors from automated or malicious traffic. Expiry: 30 minutes.
_cfuvid (Cloudflare) — Used by Cloudflare to identify individual users sharing an IP address for the purpose of applying rate-limiting controls. Expiry: Session.
6.2 HubSpot — Marketing, Analytics & Functional
We use HubSpot for CRM data capture, marketing automation, website analytics, live chat, and conversion tracking. HubSpot is operated by HubSpot, Inc., based in the United States.
__hstc (HubSpot, Marketing) — Primary HubSpot tracking cookie. Records the visitor's source, number of visits, and time between visits across sessions. Expiry: 13 months.
hubspotutk (HubSpot, Marketing) — Stores the visitor's identity token for form submission deduplication and CRM lead attribution. Expiry: 13 months.
__hssc (HubSpot, Analytics) — Tracks session activity (page views) within a single visit to populate HubSpot's analytics reports. Expiry: 30 minutes.
__hssrc (HubSpot, Analytics) — Detects whether the browser has been restarted in order to identify the start of a new session. Expiry: Session.
__hs_opt_out (HubSpot, Strictly Necessary) — Records that the visitor has opted out of HubSpot's tracking cookies. Expiry: 13 months.
hs_ab_test (HubSpot, Functional) — Records which A/B test variant has been shown to the visitor to ensure a consistent experience during the session. Expiry: Session.
hs-messages-is-open (HubSpot, Functional) — Stores whether the HubSpot live chat widget is currently open or closed. Expiry: 30 minutes.
hs-messages-hide-welcome-message (HubSpot, Functional) — Prevents the chat widget welcome message from reappearing after it has been dismissed. Expiry: 1 day.
messagesUtk (HubSpot, Functional) — Identifies returning chat visitors to link them with their prior conversation history in HubSpot. Expiry: 13 months.
__hs_cookie_cat_pref (HubSpot, Strictly Necessary) — Stores the visitor's cookie consent category preferences when set via HubSpot's consent banner. Expiry: 13 months.
HubSpot processes data in the United States. See Section 9 for transfer safeguards. HubSpot privacy policy: legal.hubspot.com/privacy-policy
6.3 Google Analytics 4 — Analytics
We use Google Analytics 4 (GA4) to analyse visitor behaviour across our websites. IP anonymisation is enabled in our GA4 configuration. GA4 is operated by Google LLC, based in the United States.
_ga (Google) — Core GA4 cookie. Assigns a randomly generated Client ID to distinguish unique visitors and persist tracking across browsing sessions. Expiry: 2 years.
_ga_[Property ID] (Google) — Property-specific session cookie. Maintains session state and records the number of sessions per user for the specific GA4 property. Expiry: 2 years.
_gid (Google) — Assigns a unique visitor identifier to distinguish users. Refreshed every 24 hours. Expiry: 24 hours.
_gat_gtag_[ID] (Google) — Throttles the rate of requests to Google Analytics servers, typically when deployed via Google Tag Manager. Expiry: 1 minute.
Google processes data in the United States. See Section 9 for transfer safeguards. Google privacy policy: policies.google.com/privacy
6.4 Mouseflow — Analytics (Session Recording)
We use Mouseflow to record anonymous visitor sessions, including mouse movements, clicks, scroll behaviour, and form interactions. This helps us identify usability issues and improve our websites. Mouseflow is configured to mask sensitive input fields and all personal data entered into forms.
_mf_bsession (Mouseflow) — Session-level cookie that links individual page views within a single visit to a single session recording. Expiry: 30 minutes.
_mf_uid (Mouseflow) — Persistent browser identifier used to link session recordings across multiple visits from the same device. Expiry: 1 year.
Mouseflow ApS is headquartered in Denmark (EU/EEA). Data is stored within the EU/EEA; no transfers to third countries occur. Mouseflow privacy policy: mouseflow.com/privacy/
6.5 Lead Forensics — Marketing (B2B Visitor Identification)
We use Lead Forensics to identify the organisations visiting our websites. Lead Forensics uses IP address matching and browser-based tracking to look up the company associated with your visit in its proprietary business database, enabling our sales team to identify and follow up with potential business customers.
Important: Lead Forensics identifies organisations, not individual persons. No individual-level personal data (such as your name, email address, or job title) is captured through this tool alone. However, if you access our websites from a corporate network, your employer's business identity may be recorded.
_lf_id (Lead Forensics) — Assigns a unique visitor identifier to attribute multiple visits from the same browser to an identified organisation over time. Expiry: 2 years.
_lf_s (Lead Forensics) — Session-scoped cookie linking individual page views within a single visit to an organisation identification record. Expiry: 30 minutes.
_lf_uid (Lead Forensics) — Unique user-level identifier linking browser sessions to organisation identification data held by Lead Forensics. Expiry: 1 year.
Lead Forensics Limited is a UK-based company. All processing is conducted within the UK under UK GDPR. Lead Forensics privacy policy: leadforensics.com/privacy-policy/
6.6 Additional and Future Tools
We may integrate additional third-party tools from time to time. Before any new tracking technology is deployed, this Cookie Policy will be updated, and where consent is required, the consent banner will be refreshed so you can make an informed choice before any new cookies are placed. We recommend checking this page periodically.
7. Managing Your Cookie Choices
7.1 Our Cookie Consent Tool
When you first visit any of our websites, a cookie consent banner will appear. You may accept all cookies, decline non-essential cookies, or customise your preferences by category. Your preferences are stored in a strictly necessary cookie so you are not re-prompted on each visit. You can update or withdraw your consent at any time by clicking "Manage Cookies" or "Cookie Settings" in the footer of any of our websites. Withdrawal of consent takes effect immediately and does not affect the lawfulness of any processing carried out before withdrawal.
7.2 Browser-Level Controls
Most modern web browsers allow you to manage cookies through their settings. You can configure your browser to block all cookies, delete cookies on exit, alert you before a cookie is placed, or accept or block cookies on a site-by-site basis. Note that restricting cookies may impair the functionality of our websites. Browser-specific guidance is available for Google Chrome, Mozilla Firefox, Apple Safari, Microsoft Edge, and Opera.
7.3 Third-Party Opt-Out Mechanisms
You may also opt out of specific third-party tracking directly. Please note that opt-out tools may themselves set an opt-out cookie on your device; you should not delete this cookie or your preference will be lost.
Google Analytics: Browser add-on at tools.google.com/dlpage/gaoptout
HubSpot: Decline via our consent tool, or contact us to request processing opt-out.
Mouseflow: Global opt-out at mouseflow.com/opt-out/
Lead Forensics: Opt-out at leadforensics.com/privacy-policy/
Your Online Choices (multi-network): youronlinechoices.eu
Network Advertising Initiative: optout.networkadvertising.org
8. Third-Party Services and Linked Websites
Our websites may include links to third-party websites, apps, or embedded services. Each operates under its own privacy and cookie policies, which we do not control and for which we accept no responsibility. We encourage you to review the privacy notice of any third-party service before interacting with it.
Where third-party scripts are embedded in our websites (for example, HubSpot or Google Tag Manager), those providers may independently collect data about your visit in accordance with their own terms. We maintain data processing agreements with each of our third-party providers to ensure appropriate safeguards are in place.
9. International Data Transfers
Some of our third-party cookie providers process personal data outside the United Kingdom and/or the European Economic Area (EEA). Where this occurs, we ensure that appropriate safeguards are in place in accordance with UK GDPR Chapter V.
HubSpot, Inc. (United States) — EU–US Data Privacy Framework (DPF) and UK Extension to the DPF. Standard Contractual Clauses (SCCs) as supplementary safeguard.
Google LLC (GA4) (United States) — EU–US Data Privacy Framework (DPF) and UK Extension. Standard Contractual Clauses (SCCs) for residual UK-to-US transfers.
Mouseflow ApS (Denmark, EU/EEA) — No transfer outside the EEA. The UK–EU adequacy decision applies to UK-originating data flows.
Lead Forensics Limited (United Kingdom) — No international transfer. All processing conducted within the UK under UK GDPR.
You may request a copy of the applicable transfer mechanism documentation by contacting us at privacy@thedespatchcompany.com.
10. Changes to This Cookie Policy
We review and update this Cookie Policy periodically to reflect changes to the cookies we use, applicable law, or our business operations. The version number and date at the top of this document indicate when it was last updated.
Where we make material changes — in particular, where new consent-based cookies are introduced — we will notify you via our cookie consent banner and invite you to review and re-confirm your preferences before any new cookies are placed.
We recommend checking this page regularly. Continued use of our websites following notification of material changes will constitute acknowledgement of the updated policy; however, fresh consent will always be sought where required by law before any new consent-based cookies are set.
11. Contact Us and Your Rights
For any questions about this Cookie Policy, or to exercise your data subject rights under UK GDPR (including the right of access, rectification, erasure, restriction, data portability, or the right to object), please contact us:
Email: privacy@thedespatchcompany.com
Post: The Despatch Company Ltd, Unit 76, Warfield Road, Driffield, YO25 9FQ
We aim to respond to all requests within one calendar month. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
ICO website: ico.org.uk
ICO helpline: 0303 123 1113
ICO address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF