GIWAHS Cookie Policy
Document: 28 · Legal & Compliance Pack Version: 1.0 – Founder Draft (pre-publication) Status: Authored by AI under Doc 09 Autonomous Execution Standard. MUST be reviewed and signed off by qualified legal counsel (NZ, EU/UK, US, AU) before being published on giwahs.com or referenced from the cookie banner. Effective Date: To be inserted on publication. Last Updated: To be inserted on publication. Cross-references: Doc 24 (Privacy Policy §9), Doc 25 (Terms of Service), Doc 29 (DPA), Doc 31 (Subprocessor Register).
Order of precedence: Doc 24 §9 references this Cookie Policy. Where they overlap, the more specific provision in this Cookie Policy governs.
1. What This Policy Covers
This Policy explains how Whaitiri Black Limited, a company incorporated in New Zealand, trading as GIWAHS (the “Company”, “GIWAHS”, “we”) uses cookies and similar tracking technologies on https://giwahs.com and any GIWAHS subdomain (the “Platform”), the categories of cookies we use, the providers behind them, your choices, and how those choices interact with applicable consent law:
- EU GDPR + ePrivacy Directive (Article 5(3) — consent required for non-essential cookies);
- UK GDPR + PECR 2003 (consent required for non-essential cookies);
- California CCPA/CPRA (opt-out of “sale/share” — GIWAHS does not sell, but we honour Global Privacy Control where presented);
- NZ Privacy Act 2020 (transparency obligations under Information Privacy Principles 3, 5, 6);
- Australia Privacy Act 1988 + APP 1 (open and transparent management of information).
2. What Cookies Are
A cookie is a small text file placed on your device when you visit a website. We also use localStorage, sessionStorage, service-worker caches, and first-party tracking pixels where relevant. In this Policy, “cookies” means all such technologies collectively.
Cookies are categorised by: - First-party (set by giwahs.com) vs third-party (set by a partner). - Session (deleted when the browser closes) vs persistent (retained for a defined lifetime). - Strictly necessary vs Functional vs Analytics vs Marketing.
3. Categories of Cookies We Use
3.1 Strictly necessary (always on — no consent required)
Without these, the Platform cannot be authenticated, secured, or operated. They cannot be disabled through the cookie banner. Disabling them in your browser will break login, checkout, and most paid features.
| Name (pattern) | Provider | Purpose | Type | Lifetime |
|---|---|---|---|---|
sb-access-token, sb-refresh-token |
Supabase (first-party via giwahs.com) | Maintain your authenticated session, refresh access tokens | HTTP-only cookie | 1 hour (access) / 30 days (refresh) |
__stripe_mid, __stripe_sid |
Stripe (third-party, set during checkout) | Fraud-prevention and session continuity inside Stripe Checkout / Customer Portal | Cookie | 1 year (mid) / 30 min (sid) |
cf_clearance, __cf_bm |
Cloudflare (first-party via giwahs.com) | Bot management, DDoS mitigation, edge security | Cookie | 30 min (bm) / 30 days (clearance) |
XSRF-TOKEN |
GIWAHS (first-party) | CSRF protection for authenticated POST/PUT/DELETE requests | Cookie | Session |
giwahs_consent_v1 |
GIWAHS (first-party) | Remembers your cookie consent choices | localStorage | 12 months |
3.2 Functional (consent-based outside strictly necessary jurisdictions; opt-in in EU/UK)
Improve usability by remembering your preferences. Disabling them does not break the Platform but resets settings on every visit.
| Name | Provider | Purpose | Lifetime |
|---|---|---|---|
giwahs_pref_theme |
GIWAHS (first-party) | Remember dark/light theme preference | 12 months |
giwahs_pref_lang |
GIWAHS (first-party) | Remember language selection | 12 months |
giwahs_recent_org |
GIWAHS (first-party) | Remember last-active organisation for multi-org users | 30 days |
3.3 Analytics (consent-based; currently disabled on production)
At the time of writing, REACT_APP_ANALYTICS_PROVIDER=none (see /app/frontend/.env) — no analytics cookies are set in production. This table documents what may be enabled in future, subject to a renewed consent flow.
| Name (pattern) | Provider | Purpose | Lifetime |
|---|---|---|---|
_ph_* |
PostHog (planned, EU region) | Privacy-respecting product analytics (page views, funnel events). IP anonymised. No cross-site tracking. | 12 months |
_ga, _ga_* |
Google Analytics 4 (only if explicitly enabled — currently NOT in use) | Aggregated visitor analytics. IP truncated. Consent Mode v2 enforced. | 2 years (_ga) / 24 months (_ga_*) |
If/when analytics is enabled, this Policy will be updated and consent re-requested.
3.4 Marketing (consent-based; currently disabled)
We currently do not run advertising pixels or remarketing tags on giwahs.com. We do not sell or share personal information for cross-context behavioural advertising. If this changes, this Policy will be updated and a fresh consent prompt issued.
3.5 Third-party embedded content
- Stripe Checkout / Customer Portal sets its own strictly-necessary cookies when you’re inside the Stripe-hosted flow (Section 3.1 above). Their cookies are governed by https://stripe.com/cookies-policy/legal.
- YouTube/Vimeo embeds, if any, set cookies only on play. We use
youtube-nocookie.comprivacy-enhanced mode where available. - Cloudflare Turnstile (if deployed on signup / contact forms): privacy-preserving CAPTCHA. No cookies set when in pure-JS challenge mode.
4. Legal Basis & Consent
4.1 EU / UK / EEA / Switzerland
Strictly-necessary cookies (Section 3.1) are deployed on the basis of legitimate interest and the ePrivacy “strictly necessary” exemption — no prior consent required. All other categories (3.2–3.4) require prior, freely-given, specific, informed, unambiguous consent captured via the cookie banner. Consent is recorded with a timestamp in giwahs_consent_v1. You can withdraw consent at any time — see Section 5.
4.2 California, Colorado, Virginia, Connecticut, Utah, Texas, etc.
We do not sell or share personal information for cross-context behavioural advertising. We honour the Global Privacy Control (GPC) signal as a valid opt-out where state law requires.
4.3 New Zealand
Under NZ Privacy Act 2020, we provide transparent notice (this Policy) of cookies that may collect personal information, the purposes for which they are used, and the categories of recipients (Section 5 / Doc 31).
4.4 Australia
Under APP 1 and APP 3, we collect cookie-derived data only by lawful and fair means, only for the purposes disclosed in this Policy and Doc 24.
5. Your Choices
5.1 Cookie banner (EU/UK/EEA/Switzerland)
On first visit you will see a cookie banner with three primary actions: - Accept all — enables all categories. - Reject non-essential — enables only strictly-necessary cookies. - Customise — granular toggle per category.
The banner remains accessible at any time via the footer link “Cookie settings”.
5.2 Outside the EU/UK
The same controls are available via the footer “Cookie settings” link, even where prior consent is not legally required.
5.3 Browser controls
You can also block or delete cookies at any time using your browser settings. Most browsers offer: - Block all cookies, block third-party cookies, or block specific domains; - Clear cookies on close; - Private-browsing mode that discards cookies on session end.
Blocking strictly-necessary cookies will break login, checkout, and security features.
5.4 Global Privacy Control (GPC)
We treat a GPC header as a valid signal to (a) reject non-essential cookies for the session, and (b) treat the visitor as having opted out of any “sale/share” under US state law.
5.5 Do Not Track (DNT)
Industry-wide DNT support is inconsistent. We do not currently rely on the DNT header on its own. Use the cookie banner or GPC.
6. Children
The Platform is intended for business users 18+. We do not knowingly set non-essential cookies for visitors we identify as children under 16.
7. Changes
We will publish material changes to this Policy with at least 14 days’ prior notice via in-app banner. The “Last Updated” date reflects the most recent revision. If we add a new non-essential cookie category, we will re-prompt for consent in jurisdictions that require it.
8. Contact
- Cookie questions: privacy@giwahs.com
- Data subject / consumer rights: see Doc 24 §8.
End of Document 28.