Cookie Policy

Last updated: [DATE]. Effective: [DATE].

Template draft — final review required. This document has been drafted to be comprehensive but has not yet been reviewed by an attorney licensed in your jurisdiction. Before going live, replace every [BRACKETED] placeholder with the corresponding real value (legal entity name, state, address, support email, governing-law venue, etc.) and have an attorney confirm it covers the laws applicable to your business and your customers' locations.

This Cookie Policy explains how [LEGAL ENTITY NAME] ("MyTradeCrate", "we") uses cookies and similar technologies on the MyTradeCrate marketing site, web application, and customer portal. It is part of and incorporated into our Privacy Policy.

1. What Are Cookies?

Cookies are small text files saved to your device when you visit a website. They let the site remember actions and preferences (such as keeping you signed in). Similar technologies include localStorage, sessionStorage, and pixel tags; we refer to all of these collectively as "cookies" in this policy.

2. Cookies We Use

Strictly Necessary (always on)

These cookies are required for the Service to function. We cannot turn them off because the site will not work properly without them.

Authentication session (Supabase Auth cookies) — keep you signed in for up to one (1) year unless you sign out.
Customer portal session (portal_session) — used by your end-customers when they open a portal link; thirty (30) day expiry; HTTP-only; SameSite=Strict.
OAuth state (qbo_oauth_state, google_oauth_state, and similar) — short-lived; CSRF protection for OAuth flows.
Cookie-consent record (mytradecrate:cookie-consent in localStorage) — stores your cookie preference so we don't show the banner on every visit.
CSRF tokens — short-lived per-form tokens to protect against cross-site request forgery.

Optional (only with your consent)

We currently do not load any optional cookies. If we add product analytics or session-replay tooling in the future (for example, to understand which features customers actually use), those cookies will load only after you click "Accept" in our cookie banner. We do not use third-party advertising or cross-site tracking cookies.

3. Third-Party Cookies

Most third-party providers' cookies are set on their own domains, not ours. For example, when you open Stripe-hosted Checkout, Stripe's cookies are set on stripe.com; Stripe's privacy and cookie policy applies in that context. Similar provisions apply when you use Google, Intuit, or other third-party integrations.

4. How to Control Cookies

Cookie banner. The first time you visit you can choose "Accept" or "Reject optional." Selecting reject means we only set strictly-necessary cookies.
Change your choice. Clear the mytradecrate:cookie-consent entry from your browser's local storage and the banner will reappear.
Browser controls. Every modern browser lets you block or delete cookies. Consult your browser's help for details. Blocking strictly-necessary cookies will sign you out and break the application.
Do Not Track / Global Privacy Control. Where applicable law requires, we honor the GPC signal. We do not respond to DNT because the standard has been deprecated.

5. Updates

If we change which cookies we use, we will update this page and the "Last updated" date above and, for material changes, will notify you in-app.

6. Contact

Questions about cookies and tracking: [PRIVACY EMAIL].