Cookie Policy
Effective date: 14 May 2026 · Version 2.0
What Are Cookies?
Cookies are small text files stored on your device when you visit a website. “Similar technologies” include local storage, session storage, and pixels. We use a minimal set of these technologies, described below.
Our Approach
We use two categories: (1) strictly necessary cookies that are required for the Service to function, and (2) optional analytics cookies that are set only after you affirmatively consent via the cookie banner. We do not use advertising, behavioural-tracking, social-media, or cross-site tracking cookies.
You can update your choices at any time from the “Cookie preferences” link in the footer.
Strictly Necessary Cookies
These cookies are required to authenticate you, secure the session, and process payments. They cannot be disabled. Their legal basis under GDPR is the “strictly necessary” exemption in Art. 5(3) of the ePrivacy Directive.
| Cookie | Set by | Purpose | Duration |
|---|---|---|---|
| sb-*-auth-token | truebluehorizon.com | Supabase authentication session | Session |
| sb-*-auth-token-code-verifier | truebluehorizon.com | OAuth PKCE flow CSRF protection | Session |
| __stripe_mid, __stripe_sid, m | stripe.com | Stripe fraud-prevention during checkout | Up to 1 year |
| __cf_bm | cloudflare.com | Bot-management for our CDN | 30 minutes |
| tbh-cookie-consent (localStorage) | truebluehorizon.com | Remembers your analytics consent choice | Until browser storage is cleared |
Where possible, authentication cookies are set as httpOnly and Secure, and use SameSite=Lax or stricter.
Optional Analytics Cookies
Set only after you accept analytics in the consent banner. They help us understand which marketing pages perform and where users encounter friction.
| Cookie | Set by | Purpose | Duration |
|---|---|---|---|
| _ga | google-analytics.com (GA4) | Distinguishes unique visitors | 2 years |
| _ga_* | google-analytics.com (GA4) | Stores session state for GA4 | 2 years |
We have signed Google's Data Processing Terms and configure GA4 with IP anonymisation. The GA4 script loads with analytics storage denied by default; it upgrades to granted only after you consent, so no analytics data is collected or stored for visitors who decline or have not yet chosen.
Local Storage
We use your browser's local storage to remember non-sensitive preferences such as theme (light/dark) and unit system (metric/imperial). Local storage data stays on your device unless you choose to sync it to your account. We treat local storage subject to the same transparency and consent standards as cookies.
Browser Signals
Global Privacy Control (GPC). We respect the intent of the GPC signal. Because we do not sell or share personal information, GPC has no effect on our core data practices. We do not currently read the GPC header to automatically suppress the consent banner; you can always decline analytics via the banner or the Cookie preferences link in the footer.
Do Not Track (DNT). DNT is not a finalised standard and we do not read it programmatically. You can manage your analytics preference at any time using the Cookie preferences link in the footer.
What We Don't Use
True Blue Horizon does not use:
- Third-party advertising or retargeting cookies
- Cross-site tracking pixels or fingerprinting
- Embedded social-media widgets that load tracking cookies
- Session-replay tools
Managing Cookies
You can change your analytics-cookie choice at any time via the Cookie preferences link in the footer. You can also manage cookies through your browser's settings. Note that blocking strictly necessary cookies will prevent you from signing in to the Service.
Changes & Contact
We may update this policy. Material changes will be notified via the cookie banner. Questions: privacy@truebluehorizon.com. See also our Privacy Policy.