Cookies Policy
Effective Date: 8 June 2026
Last Updated: 8 June 2026
Jurisdictional Scope: United Kingdom, United States, European Union/EEA, and Other Territories
IMPORTANT LEGAL DISCLAIMER: This Cookies Policy is provided as a comprehensive compliance template. It is not legal advice. Data protection and electronic communications laws are complex, jurisdiction-specific, and subject to change. You should consult a qualified data protection attorney or privacy professional to adapt this policy to your specific business activities, data processing practices, and target jurisdictions.
1. Introduction and Scope
This Cookies Policy explains how we use cookies and similar tracking technologies on our website, mobile applications, and digital services (collectively, the “Services”). It describes the types of technologies we deploy, the purposes for which we use them, how we comply with jurisdiction-specific legal requirements, and how you can exercise control over these technologies.
We operate in a multi-jurisdictional environment. Visitors to our Services may be subject to the laws of the United Kingdom, the United States, the European Union and European Economic Area, Canada, Brazil, Australia, and other territories. This policy is designed to meet the strictest applicable standards while providing clear, territory-specific disclosures where legal requirements diverge.
By accessing or using our Services, you acknowledge that you have read and understood this Cookies Policy. If you do not agree with our use of cookies as described herein, you must adjust your browser settings, use our consent management tools, or discontinue use of the Services.
2. What Are Cookies and Similar Technologies
Cookies are small text files that websites, applications, and online services place on your computer, mobile device, or other terminal equipment when you visit. They are widely used to make websites work efficiently, to improve user experience, and to provide information to website operators.
In addition to traditional browser cookies, we and our partners may use other similar technologies, including:
- Web Beacons (Pixels): Tiny graphic images embedded in web pages or emails that allow us to monitor user activity.
- Local Storage and Session Storage: Mechanisms within HTML5 that allow websites to store data in your browser beyond the scope of traditional cookies.
- Device Fingerprinting: Techniques that collect configuration information about your device (screen resolution, browser plugins, fonts, time zone) to create a unique identifier.
- Software Development Kits (SDKs): Code libraries embedded in mobile applications that perform tracking functions similar to web cookies.
- URL Tracking Parameters: Identifiers appended to links that allow cross-site tracking without traditional cookie storage.
For the purposes of this policy, the term “cookies” encompasses all of the above technologies unless otherwise specified.
3. Categories of Cookies We Use
We classify cookies into the following categories. The legal treatment of each category varies by jurisdiction, as detailed in Section 4.
3.1 Strictly Necessary Cookies
These cookies are essential for the operation of our Services. They enable core functionality such as user authentication, session management, shopping cart retention, security protocols, fraud prevention, and load balancing. Without these cookies, services you have explicitly requested cannot be provided.
Examples:
- Session cookies that maintain your login state across pages
- Authentication tokens that verify your identity
- Security cookies that detect repeated failed login attempts and bot traffic
- Load-balancing cookies that distribute server traffic
- Cookies that remember items in your shopping cart during checkout
Legal Status: These cookies are generally exempt from consent requirements across all jurisdictions, though they must still be disclosed.
3.2 Functional / Preference Cookies
These cookies enable enhanced functionality and personalization. They remember choices you make (such as language preference, region selection, font size, accessibility settings, or video player preferences) and provide customized features.
Examples:
- Language and localization settings
- Accessibility preferences (contrast modes, text size)
- User interface customization settings
- Remembering whether you have dismissed informational banners
Legal Status: These cookies require consent under UK PECR, EU ePrivacy Directive, and similar frameworks. Under the UK’s Data (Use and Access) Act 2025, certain appearance/interface customization cookies may be exempt if used solely for that purpose and not combined with other tracking.
3.3 Performance / Analytics Cookies
These cookies collect information about how visitors use our Services. They help us understand which pages are most popular, how users navigate between pages, whether they encounter error messages, and how long they spend on each section. This data is aggregated and anonymized where possible.
Examples:
- Google Analytics, Matomo, Adobe Analytics
- Hotjar, Crazy Egg, or similar behavior analytics tools
- A/B testing and multivariate testing cookies
- Error logging and performance monitoring cookies
Legal Status: Under the EU ePrivacy Directive and traditional UK PECR, these cookies require explicit opt-in consent. However, under the UK’s Data (Use and Access) Act 2025 (in force from 5 February 2026), statistical (analytics) cookies used solely by the website operator to collect statistical information are now exempt from consent requirements, provided they are not used simultaneously for advertising or other non-exempt purposes. In the United States, these cookies generally do not require opt-in consent but may be subject to opt-out rights under state privacy laws if they collect personal information.
3.4 Targeting / Advertising Cookies
These cookies track browsing habits across websites to build a profile of your interests. They are used to deliver relevant advertisements, limit the number of times you see an ad, measure ad campaign effectiveness, and enable retargeting.
Examples:
- Meta (Facebook) Pixel, Google Ads conversion tracking
- Programmatic advertising identifiers
- Social media tracking pixels (Twitter/X, LinkedIn, TikTok)
- Affiliate marketing tracking pixels
- Cross-site tracking cookies placed by advertising networks
Legal Status: These cookies always require consent under UK and EU frameworks. In the United States, you generally have the right to opt out of the sale or sharing of personal information for cross-context behavioral advertising under laws such as the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
3.5 Social Media and Embedded Content Cookies
These cookies are set by third-party social media platforms and content providers when you interact with embedded content (videos, posts, widgets, share buttons) on our Services.
Examples:
- YouTube embedded video cookies
- Twitter/X timeline widgets
- Instagram embeds
- Social sharing button cookies
Legal Status: These generally require consent under UK/EU frameworks. In the US, they are subject to general privacy notice requirements.
4. Jurisdiction-Specific Legal Frameworks
4.1 United Kingdom
Governing Laws: Privacy and Electronic Communications Regulations (PECR), UK GDPR, Data Protection Act 2018, and the Data (Use and Access) Act 2025 (DUAA).
Key Requirements:
- PECR Regulation 6 requires that you be clearly informed about why cookies are being stored or accessed on your device, and that we obtain your consent before doing so, unless a specific exemption applies.
- Valid Consent Standard: Consent must meet the UK GDPR Article 4(11) standard: freely given, specific, informed, and unambiguous. Pre-ticked boxes, implied consent through continued browsing, and bundled consent are invalid.
- Equal Prominence: Our cookie banner must present “Accept All” and “Reject All” options with equal visual prominence. The reject option must be just as easy to find and use as the accept option.
- Granularity: You must be able to consent by purpose or category separately. A single “Accept All” button without granular options is unlikely to satisfy regulatory expectations.
- Prior Blocking: Non-essential cookies must be blocked until valid consent is obtained. They cannot fire on the first page load before you make a choice.
- Withdrawal: You must be able to withdraw consent as easily as you gave it, at any time, through a persistent preference link.
- New Exemptions (DUAA 2025, effective 5 February 2026): The DUAA introduced three new categories of cookies exempt from consent:
  - Statistical cookies used solely to collect statistical information about user interaction with the website, where the information is used only by the website operator
  - Appearance cookies used to customize or adapt the display to user preferences (font size, color scheme, accessibility settings)
  - Emergency assistance cookies used to identify user location for emergency services

  Critical Caveat: These exemptions apply only when the cookies are used solely for the specified purpose. If an analytics cookie also feeds into advertising targeting, it does not qualify.
- Expanded Scope: The DUAA expands PECR to cover organizations that “instigate” the storage or access of information on your device, even if a third party technically sets the cookie. This catches tag managers, marketing platforms, and analytics services.
- Penalties: The DUAA raised maximum PECR fines to UK GDPR levels: up to £17.5 million or 4% of global annual turnover, whichever is higher. Previously, the maximum was £500,000.
- Complaints Procedure: From 19 June 2026, we must maintain a formal data protection complaints procedure.
How We Comply in the UK: We deploy a cookie consent banner before any non-essential cookies are placed. We provide granular category controls, equal Accept/Reject prominence, and a persistent preference center. We conduct regular cookie audits to ensure that exempt cookies genuinely qualify and that third-party scripts do not fire without consent. We maintain timestamped consent records for audit purposes.
4.2 United States
Governing Laws: There is no comprehensive federal cookie law. Requirements derive from:
- California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA)
- California Privacy Protection Agency (CPPA) regulations (updated regulations effective 1 January 2026)
- State comprehensive privacy laws in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and others (now totaling more than 20 states)
- Children’s Online Privacy Protection Act (COPPA) for users under 13
- Sector-specific laws (HIPAA for health data, GLBA for financial data)
Key Requirements:
- Opt-Out Model: The US generally follows an opt-out model rather than an opt-in model. We may place most cookies without prior affirmative consent, but we must provide clear notice and the right to opt out of certain activities.
- Sale and Sharing: Under CCPA/CPRA, you have the right to opt out of the “sale” of personal information and the “sharing” of personal information for cross-context behavioral advertising. Targeting and advertising cookies that facilitate these activities must be disclosed, and we must provide a “Do Not Sell or Share My Personal Information” link.
- Disclosure: We must provide a clear privacy notice describing the categories of personal information collected, the purposes of collection, the categories of third parties with whom information is shared, and the specific pieces of personal information collected about you.
- Sensitive Personal Information: If cookies collect sensitive personal information (precise geolocation, health information, racial or ethnic origin, etc.), we may be required to obtain opt-in consent or limit use to specific purposes.
- Penalties: As of 2026, CCPA administrative fines are $2,663 per unintentional violation and $7,988 per intentional violation. The revenue threshold for CCPA applicability is $26,625,000 in annual gross revenue.
- New 2026 CPPA Regulations: These include requirements for annual cybersecurity audits (for certain businesses), risk assessments for high-risk processing, and rules for Automated Decision-Making Technology (ADMT).
- DELETE Act: California’s Data Broker Delete Request and Opt-out Platform is now live, allowing consumers to submit deletion requests to registered data brokers at once.
How We Comply in the US: We provide comprehensive privacy notices disclosing our cookie practices. We honor browser-based opt-out signals such as the Global Privacy Control (GPC) where required by state law. We maintain a “Do Not Sell or Share My Personal Information” link for California residents. We do not knowingly collect personal information from children under 13 in violation of COPPA.
4.3 European Union and European Economic Area (EU/EEA)
Governing Laws: ePrivacy Directive (2002/58/EC, as amended), General Data Protection Regulation (GDPR 2016/679), and national implementing laws.
Key Requirements:
- Prior Consent: Article 5(3) of the ePrivacy Directive requires prior, informed consent before storing or accessing information on your device, unless the cookie is strictly necessary for the transmission of a communication or the provision of an explicitly requested service.
- No Legitimate Interest: You cannot rely on “legitimate interest” under GDPR Article 6 as a legal basis for non-essential cookies. Consent is the only valid basis.
- Planet49 Standard: The Court of Justice of the EU (CJEU) ruled in Case C-673/17 (Planet49) that:
  - Pre-ticked checkboxes do not constitute valid consent
  - Consent must be active and specific
  - You must be informed of cookie duration and third-party access
  - The requirement applies regardless of whether the data constitutes personal data
- EDPB Guidelines: The European Data Protection Board (EDPB) Guidelines 2/2023 (finalized October 2024) expanded the scope of Article 5(3) beyond cookies to include tracking pixels, URL tracking, IP-only tracking, and device fingerprinting.
- Equal Prominence: The EDPB Cookie Banner Task Force and major fines (including a €325 million fine against Google and €150 million fine against Shein by France’s CNIL in 2025) have established that “Reject” must be as easy as “Accept.” Buried or low-visibility reject options are non-compliant.
- Cookie Walls: The EDPB has stated that access to services should not be made conditional on consent to non-essential cookies. “Consent-or-pay” models are only permissible if a genuinely equivalent free alternative is offered (EDPB Opinion 08/2024).
- Consent Records: We must maintain auditable records demonstrating that consent was freely given, specific, informed, and unambiguous.
- Re-Prompting: Many national regulators recommend re-requesting consent after approximately 6 to 12 months, or when processing purposes change significantly.
- Penalties: Fines can reach up to €20 million or 4% of global annual turnover under GDPR. National ePrivacy implementations carry separate penalty frameworks that are being harmonized upward under the proposed ePrivacy Regulation.
Country-Specific Nuances:
- Germany: Section 25 of the Telecommunications Telemedia Data Protection Act (TTDSG) implements the ePrivacy Directive. Cookie walls are generally not permitted unless users can close the banner in a single step and continue using the site.
- France: The CNIL has been particularly aggressive in enforcement, distinguishing between first-party analytics with limited data sharing and third-party analytics. Granular consent by purpose is strictly required.
- Belgium: The Belgian Data Protection Authority (BDPA) requires “Accept all” and “Reject all non-essential cookies” buttons on the same banner layer, not buried in a second step. Essential cookies should be limited to no more than 6 months.
- Italy: The Garante emphasizes that closing a banner with an “X” button must default to no consent for optional cookies. Re-prompting after approximately 6 months is acceptable.
- Netherlands: The Dutch DPA has formally warned over 200 websites and issued significant fines for pre-ticked consent boxes.
How We Comply in the EU/EEA: We implement a consent management platform (CMP) that blocks all non-essential cookies and trackers before consent is obtained. We provide granular, category-level consent choices with equal prominence for acceptance and rejection. We record consent metadata (timestamp, categories accepted, banner version, user signal) for accountability. We respect browser-based consent signals where technically feasible.
4.4 Canada
Governing Law: Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial laws (Alberta’s PIPA, BC’s PIPA, Quebec’s Law 25).
Key Requirements:
- PIPEDA requires knowledge and consent for the collection, use, and disclosure of personal information in the course of commercial activities.
- Quebec’s Law 25 (in force since 2023) requires explicit consent for cookies that collect personal information and mandates that privacy policies be provided in clear language.
- You have the right to withdraw consent, subject to legal or contractual restrictions.
How We Comply in Canada: We provide clear notice of cookie practices and obtain consent where required by applicable provincial laws.
4.5 Brazil
Governing Law: Lei Geral de Proteção de Dados (LGPD).
Key Requirements:
- LGPD requires transparent information about data processing and a legal basis for processing personal data.
- While LGPD does not have a specific cookie law, the National Data Protection Authority (ANPD) has indicated that cookies collecting personal data require a legal basis, typically consent or legitimate interest.
- Consent must be free, informed, and unambiguous.
How We Comply in Brazil: We provide clear disclosures and obtain consent for non-essential cookies that process personal data.
4.6 Australia
Governing Law: Privacy Act 1988 (as amended by the Privacy Legislation Amendment Act 2024) and the Australian Privacy Principles (APPs).
Key Requirements:
- The Privacy Act requires notification of collection of personal information.
- The 2024 amendments introduced enhanced notice requirements and strengthened enforcement powers for the Office of the Australian Information Commissioner (OAIC).
- There is no specific cookie consent requirement, but transparency and fair handling are required.
How We Comply in Australia: We disclose our cookie practices in our privacy policy and ensure that any personal information collected via cookies is handled in accordance with the APPs.
4.7 Singapore, South Africa, and Other Jurisdictions
Singapore (PDPA): Requires consent for the collection, use, and disclosure of personal data, with exceptions for deemed consent in certain circumstances. We provide notice and obtain consent where required.
South Africa (POPIA): Requires informed consent for processing personal information, subject to justification. We comply through transparency and consent mechanisms.
Other Territories: For visitors from jurisdictions not explicitly listed here, we apply the standards of the EU/EEA framework as our baseline, ensuring that our practices meet or exceed local requirements.
5. How We Obtain and Manage Consent
5.1 Consent Mechanism
When you first visit our Services, we present a cookie banner or consent dialog. The specific mechanism depends on your detected or selected jurisdiction:
- UK and EU/EEA Visitors: We present an opt-in banner that blocks all non-essential cookies until you actively provide consent. You can accept all categories, reject all non-essential categories, or customize your choices by category. We do not use pre-ticked boxes, implied consent, or “cookie walls” that force acceptance.
- US Visitors: We present a notice banner informing you that we use cookies and explaining your rights under applicable state laws. We provide a link to our privacy settings where you can opt out of the sale or sharing of personal information and manage cookie preferences.
- Other Visitors: We default to the UK/EU opt-in standard unless local law permits a less stringent approach.
5.2 Consent Recordkeeping
We maintain timestamped records of consent events, including:
- The date and time of consent or preference update
- The cookie categories accepted or rejected
- The banner version and policy version in effect at the time
- The user signal (e.g., “Accept All,” “Reject All,” “Customized”)
- The geographic region detected (where technically feasible)
These records are maintained for accountability and to demonstrate compliance in the event of a regulatory inquiry.
5.3 Withdrawing Consent
You may withdraw or modify your cookie consent at any time by:
- Clicking the “Cookie Settings” or “Privacy Settings” link in the footer of our website
- Using the floating preference icon (where available)
- Adjusting your browser settings as described in Section 7
If you withdraw consent, we will stop placing the relevant non-essential cookies and will delete or anonymize data collected under that consent where legally permissible. Strictly necessary cookies may continue to operate.
6. Third-Party Cookies and Partners
We allow select third parties to place cookies on your device through our Services. These third parties have their own privacy and cookie policies, and we encourage you to review them.
Categories of Third Parties:
- Analytics Providers: Google Analytics, Matomo, Adobe Analytics
- Advertising Networks: Google Ads, Meta, Programmatic platforms
- Social Media Platforms: Twitter/X, LinkedIn, TikTok, Instagram, YouTube
- Functional Services: Live chat providers, customer support platforms, video hosting services
- Affiliate Partners: Networks that track conversions for commission purposes
Under UK PECR (as expanded by the DUAA), we are responsible for cookies that we “instigate” third parties to set on our behalf, even if we do not directly control the technical placement. We implement contractual and technical safeguards to ensure that third-party partners respect your consent choices.
7. How to Manage, Delete, and Block Cookies
7.1 Browser Controls
Most web browsers allow you to manage cookies through their settings. You can typically:
- View cookies stored on your device
- Delete individual cookies or all cookies
- Block all cookies from being placed
- Block third-party cookies specifically
- Set alerts to notify you when a cookie is being placed
Please note: If you block all cookies, including strictly necessary cookies, our Services may not function correctly. You may be unable to log in, complete purchases, or access personalized features.
7.2 Industry Opt-Out Tools
You can opt out of interest-based advertising from participating companies through:
- Digital Advertising Alliance (DAA): www.aboutads.info/choices (US)
- Network Advertising Initiative (NAI): www.networkadvertising.org/choices (US)
- European Interactive Digital Advertising Alliance (EDAA): www.youronlinechoices.eu (EU)
- Global Privacy Control (GPC): A browser signal that communicates your opt-out preference under certain state laws
7.3 Mobile Device Controls
On mobile devices, you can manage tracking through:
- iOS: Settings > Privacy & Security > Tracking
- Android: Settings > Privacy > Ads
7.4 Email Tracking
If you receive marketing emails from us, they may contain tracking pixels that tell us when you open the email or click a link. You can disable image loading in your email client to prevent this tracking, or unsubscribe from marketing communications using the link provided in each email.
8. Data Retention Periods
We and our third-party partners retain cookie data only for as long as necessary to fulfill the purposes described in this policy.
- Strictly Necessary Cookies: Typically retained for the duration of your session or up to 12 months for persistent security or authentication cookies.
- Functional Cookies: Generally retained for up to 12 months, or until you clear your browser data.
- Analytics Cookies: Retained for up to 24 months, after which data is aggregated or deleted.
- Advertising Cookies: Retained for up to 13 months (in line with EU ePrivacy recommendations), or shorter periods depending on partner policies.
Specific retention periods are detailed in our Cookie Table, available through our Cookie Settings panel.
9. Changes to This Cookies Policy
We may update this Cookies Policy from time to time to reflect changes in technology, legal requirements, or our business practices. When we make material changes, we will:
- Update the “Last Updated” date at the top of this policy
- Notify you through a banner or email where required by law
- Provide a summary of key changes in our preference center
We encourage you to review this policy periodically. Your continued use of the Services after changes are posted constitutes your acknowledgment of the modified policy.
10. Contact Information
If you have questions, concerns, or complaints about this Cookies Policy or our cookie practices, please contact us:
Data Protection / Privacy Officer
Visit the contact page
UK-Specific Complaints: You have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at www.ico.org.uk.
EU/EEA-Specific Complaints: You have the right to lodge a complaint with your local Data Protection Authority. A list of EU DPAs is available through the European Data Protection Board.
US-Specific Inquiries: California residents may contact us regarding CCPA/CPRA rights. Under the new CPPA regulations effective 2026, we will maintain a formal complaints handling procedure.
11. Cookie Table (Illustrative)
| Cookie Name | Provider | Category | Purpose | Retention | Jurisdictional Notes |
|---|---|---|---|---|---|
| session_id | First-Party | Strictly Necessary | Maintains login session | Session | Exempt globally |
| auth_token | First-Party | Strictly Necessary | Authentication security | 7 days | Exempt globally |
| cart_items | First-Party | Strictly Necessary | Shopping cart persistence | 30 days | Exempt globally |
| language_pref | First-Party | Functional | Remember language choice | 12 months | Requires consent in UK/EU; notice in US |
| font_size | First-Party | Functional / Appearance | Accessibility customization | 12 months | Potentially exempt under UK DUAA if sole purpose |
| _ga | | Analytics | Google Analytics tracking | 24 months | Exempt under UK DUAA (sole purpose); requires consent in EU |
| _fbp | Meta | Advertising | Facebook Pixel retargeting | 90 days | Requires opt-in in UK/EU; opt-out in US |
| gads_conversion | | Advertising | Conversion tracking | 30 days | Requires opt-in in UK/EU; opt-out in US |
| affiliate_click | Third-Party | Advertising | Affiliate attribution | 30 days | Requires consent in UK/EU (DUAA instigation rule) |