← Back to home · Privacy policy · Retention · ROPA
Cookie Policy
Version 1.0 — 17 June 2026
This policy explains the cookies and other online identifiers (e.g. localStorage entries, request-log IP addresses, user-agent strings) that TravelCS sets or receives, the purpose of each, and your control over non-essential categories. It supplements our Privacy Policy and the Retention Schedule.
1. Legal framework
Setting or reading information on a visitor's device requires either strict necessity (ePrivacy Directive Art. 5(3) exemption) or freely given, specific, informed and unambiguous consent (Art. 4(11) / Art. 7 GDPR). Pre-ticked boxes, cookie walls and implied consent are not valid bases. Consent choices are logged in public.consent_logs with the policy version, choice and a hashed visitor id.
2. Cookie and identifier inventory
| Category | Name | Purpose | Provider | Retention | Lawful basis |
|---|---|---|---|---|---|
| Essential | sb-access-token, sb-refresh-token | Authenticate signed-in users; maintain a session across requests. | TravelCS (first-party) | Session + 7-day refresh window | Art. 6(1)(b) contract; ePrivacy Art. 5(3) strictly necessary exemption |
| Essential | travelcs_visitor_id | Opaque random ID used to deduplicate consent log entries and CSRF tokens. | TravelCS (first-party, localStorage) | 12 months | ePrivacy Art. 5(3) strictly necessary exemption |
| Essential | travelcs_consent | Stores the visitor's consent choices so the banner is not shown again. | TravelCS (first-party, localStorage) | 12 months | ePrivacy Art. 5(3) strictly necessary exemption |
| Preferences | travelcs_theme, travelcs_locale | Remember UI preferences (theme, language). | TravelCS (first-party, localStorage) | 12 months | Art. 6(1)(a) consent |
| Analytics | Aggregate request logs (no client cookie) | Server-side aggregate counts (pageviews per route, error counts). No cross-site identifier; no client cookie set. | TravelCS (first-party, server-side) | 90 days (see /retention §R9) | Art. 6(1)(f) legitimate interest (security and debugging) |
| Marketing | (none currently set) | TravelCS does not currently load third-party advertising or remarketing tags. | — | — | Would require Art. 6(1)(a) consent + ePrivacy Art. 5(3) opt-in before being set. |
3. IP addresses and user agents on landing forms
Landing-page lead forms (e.g. waitlist, demo request) record the submitter's IP address and user-agent in public.leads for fraud / abuse detection and to evidence the source of the submission. This is processed under Art. 6(1)(f) legitimate interest; the data is purged 12 months after capture (see /retention §R2). No third-party analytics, advertising or fingerprinting trackers are loaded on these pages.
4. Your choices
- Banner: on first visit you are asked to Accept, Reject or Customise non-essential categories. Rejecting is as easy as accepting.
- Change at any time: clear the
travelcs_consentlocalStorage entry from your browser, or use the "Cookie preferences" link in the site footer (where shown) to re-open the banner. - Browser controls: all major browsers allow blocking or deleting cookies and localStorage entries from their privacy settings.
5. Sub-processors
We do not embed third-party advertising or social trackers. Server-side sub-processors that may receive request metadata (Supabase, Lovable, hosting providers) are listed at /sub-processors; each is bound by Art. 28 GDPR data processing agreements.
6. Changes
We will update the version number above and re-prompt for consent if the categories of non-essential trackers change materially.
7. Contact
Questions: dpo@travelcs.ai.