GIWAHS — trading as Whaitiri Black Limited Whaitiri Black Limited · Review draft
/ GIWAHS Founder Vault · Review draft

GIWAHS Cookie Policy

Document: 28 · Legal & Compliance Pack Version: 1.0 – Founder Draft (pre-publication) Status: Authored by AI under Doc 09 Autonomous Execution Standard. MUST be reviewed and signed off by qualified legal counsel (NZ, EU/UK, US, AU) before being published on giwahs.com or referenced from the cookie banner. Effective Date: To be inserted on publication. Last Updated: To be inserted on publication. Cross-references: Doc 24 (Privacy Policy §9), Doc 25 (Terms of Service), Doc 29 (DPA), Doc 31 (Subprocessor Register).

Order of precedence: Doc 24 §9 references this Cookie Policy. Where they overlap, the more specific provision in this Cookie Policy governs.


1. What This Policy Covers

This Policy explains how Whaitiri Black Limited, a company incorporated in New Zealand, trading as GIWAHS (the “Company”, “GIWAHS”, “we”) uses cookies and similar tracking technologies on https://giwahs.com and any GIWAHS subdomain (the “Platform”), the categories of cookies we use, the providers behind them, your choices, and how those choices interact with applicable consent law:

2. What Cookies Are

A cookie is a small text file placed on your device when you visit a website. We also use localStorage, sessionStorage, service-worker caches, and first-party tracking pixels where relevant. In this Policy, “cookies” means all such technologies collectively.

Cookies are categorised by: - First-party (set by giwahs.com) vs third-party (set by a partner). - Session (deleted when the browser closes) vs persistent (retained for a defined lifetime). - Strictly necessary vs Functional vs Analytics vs Marketing.

3. Categories of Cookies We Use

3.1 Strictly necessary (always on — no consent required)

Without these, the Platform cannot be authenticated, secured, or operated. They cannot be disabled through the cookie banner. Disabling them in your browser will break login, checkout, and most paid features.

Name (pattern) Provider Purpose Type Lifetime
sb-access-token, sb-refresh-token Supabase (first-party via giwahs.com) Maintain your authenticated session, refresh access tokens HTTP-only cookie 1 hour (access) / 30 days (refresh)
__stripe_mid, __stripe_sid Stripe (third-party, set during checkout) Fraud-prevention and session continuity inside Stripe Checkout / Customer Portal Cookie 1 year (mid) / 30 min (sid)
cf_clearance, __cf_bm Cloudflare (first-party via giwahs.com) Bot management, DDoS mitigation, edge security Cookie 30 min (bm) / 30 days (clearance)
XSRF-TOKEN GIWAHS (first-party) CSRF protection for authenticated POST/PUT/DELETE requests Cookie Session
giwahs_consent_v1 GIWAHS (first-party) Remembers your cookie consent choices localStorage 12 months

3.2 Functional (consent-based outside strictly necessary jurisdictions; opt-in in EU/UK)

Improve usability by remembering your preferences. Disabling them does not break the Platform but resets settings on every visit.

Name Provider Purpose Lifetime
giwahs_pref_theme GIWAHS (first-party) Remember dark/light theme preference 12 months
giwahs_pref_lang GIWAHS (first-party) Remember language selection 12 months
giwahs_recent_org GIWAHS (first-party) Remember last-active organisation for multi-org users 30 days

3.3 Analytics (consent-based; currently disabled on production)

At the time of writing, REACT_APP_ANALYTICS_PROVIDER=none (see /app/frontend/.env) — no analytics cookies are set in production. This table documents what may be enabled in future, subject to a renewed consent flow.

Name (pattern) Provider Purpose Lifetime
_ph_* PostHog (planned, EU region) Privacy-respecting product analytics (page views, funnel events). IP anonymised. No cross-site tracking. 12 months
_ga, _ga_* Google Analytics 4 (only if explicitly enabled — currently NOT in use) Aggregated visitor analytics. IP truncated. Consent Mode v2 enforced. 2 years (_ga) / 24 months (_ga_*)

If/when analytics is enabled, this Policy will be updated and consent re-requested.

3.4 Marketing (consent-based; currently disabled)

We currently do not run advertising pixels or remarketing tags on giwahs.com. We do not sell or share personal information for cross-context behavioural advertising. If this changes, this Policy will be updated and a fresh consent prompt issued.

3.5 Third-party embedded content

4. Legal Basis & Consent

4.1 EU / UK / EEA / Switzerland

Strictly-necessary cookies (Section 3.1) are deployed on the basis of legitimate interest and the ePrivacy “strictly necessary” exemption — no prior consent required. All other categories (3.2–3.4) require prior, freely-given, specific, informed, unambiguous consent captured via the cookie banner. Consent is recorded with a timestamp in giwahs_consent_v1. You can withdraw consent at any time — see Section 5.

4.2 California, Colorado, Virginia, Connecticut, Utah, Texas, etc.

We do not sell or share personal information for cross-context behavioural advertising. We honour the Global Privacy Control (GPC) signal as a valid opt-out where state law requires.

4.3 New Zealand

Under NZ Privacy Act 2020, we provide transparent notice (this Policy) of cookies that may collect personal information, the purposes for which they are used, and the categories of recipients (Section 5 / Doc 31).

4.4 Australia

Under APP 1 and APP 3, we collect cookie-derived data only by lawful and fair means, only for the purposes disclosed in this Policy and Doc 24.

5. Your Choices

5.1 Cookie banner (EU/UK/EEA/Switzerland)

On first visit you will see a cookie banner with three primary actions: - Accept all — enables all categories. - Reject non-essential — enables only strictly-necessary cookies. - Customise — granular toggle per category.

The banner remains accessible at any time via the footer link “Cookie settings”.

5.2 Outside the EU/UK

The same controls are available via the footer “Cookie settings” link, even where prior consent is not legally required.

5.3 Browser controls

You can also block or delete cookies at any time using your browser settings. Most browsers offer: - Block all cookies, block third-party cookies, or block specific domains; - Clear cookies on close; - Private-browsing mode that discards cookies on session end.

Blocking strictly-necessary cookies will break login, checkout, and security features.

5.4 Global Privacy Control (GPC)

We treat a GPC header as a valid signal to (a) reject non-essential cookies for the session, and (b) treat the visitor as having opted out of any “sale/share” under US state law.

5.5 Do Not Track (DNT)

Industry-wide DNT support is inconsistent. We do not currently rely on the DNT header on its own. Use the cookie banner or GPC.

6. Children

The Platform is intended for business users 18+. We do not knowingly set non-essential cookies for visitors we identify as children under 16.

7. Changes

We will publish material changes to this Policy with at least 14 days’ prior notice via in-app banner. The “Last Updated” date reflects the most recent revision. If we add a new non-essential cookie category, we will re-prompt for consent in jurisdictions that require it.

8. Contact


End of Document 28.