Cookie policy
Cookies we use on our public sites, customer portal, and developer console: strictly necessary, performance, functional, and marketing categories.
Important. This is a sample / template cookie policy. The binding policy for a specific engagement is the one referenced in the signed Master Services Agreement.
1. What cookies are
Cookies are small text files placed on your device when you visit a website. Similar technologies include local storage, session storage, IndexedDB, pixel tags, and SDK identifiers. This policy covers all of them collectively as "cookies".
2. Categories we use
| Category | Purpose | Consent |
|---|---|---|
| Strictly necessary | Login session, CSRF protection, language preference, load balancer routing | Not required (essential) |
| Performance / analytics | Aggregated usage measurement, error reporting, performance monitoring | Required in EU/EEA/UK/CH |
| Functional | Saved preferences (theme, density), recently viewed items, tooltip dismissals | Required in EU/EEA/UK/CH |
| Marketing | Conversion tracking, retargeting, social-media pixels (only on public marketing pages) | Required in EU/EEA/UK/CH/CA |
3. Specific cookies
The list below is illustrative; the live cookie inventory is maintained in our consent banner and may evolve.
_session— necessary — session login (httpOnly, Secure, SameSite=Lax) — duration 30 min idle, 8h max_csrf— necessary — CSRF protection (httpOnly, Secure) — session_lang— necessary — language preference — 12 months_consent— necessary — your consent record — 12 months_ga/_ga_*— analytics — Google Analytics 4 — 24 months_pa— analytics — internal pageview anonymized — 13 monthstheme— functional — UI theme (light/dark) — 12 monthsdensity— functional — UI density preference — 12 months_fbp/_li_uid— marketing — only on /marketing/ pages — 90 days
4. Managing cookies
You can manage your preferences via the cookie banner or the link in our footer (Cookie preferences). You can also use your browser settings to block or delete cookies; note that blocking strictly-necessary cookies may break login or core functionality.
5. Do Not Track and GPC
We honor Global Privacy Control (GPC) signals as an opt-out from sale/sharing under CCPA/CPRA. We do not currently rely on the older Do Not Track header for legal-basis decisions.
6. Third parties
Some cookies are set by third parties (e.g., analytics, video embeds, error reporting). We list each third party in the consent banner with link to their privacy policy. These third parties act as Processors under our DPA.
7. Changes
This policy is updated when our cookie inventory changes. The live inventory in the consent banner is the canonical reference.
8. Contact
Questions about cookies: privacy@merch.am.