§02 · Cookies · Updated 23 April 2026
Cookies notice
What small files this website and the client portal place on your device, why, and how you control them. Written in plain English, in line with PECR and UK GDPR.
01 · Section
What cookies and similar technologies are
A cookie is a small text file a website stores on your device. Related technologies — local storage, session storage, and pixels — serve similar purposes and, under the UK Privacy and Electronic Communications Regulations (PECR), are subject to the same rules as cookies.
PECR requires informed consent before non-essential cookies are set. Our default is to set none. The only items this site places on your device are those strictly necessary to deliver what you asked for — for example, keeping you signed in to the client portal.
02 · Section
The categories we use
- Strictly necessary
  - Required for the site to work. These are set without consent because PECR permits them for an information-society service explicitly requested by the user. If you disable them, parts of the site will break.
- Preference
  - Remembers a choice you made, such as a reduced-motion preference. We only set these if you interact with a feature that needs one.
- Analytics
  - Not currently used. If we ever introduce privacy-preserving analytics, they will be aggregated, self-hosted, and documented here before a single event is collected. Opt-in consent will be requested on first visit.
- Advertising / tracking
  - Never used. We do not run ad-tech pixels, cross-site trackers, or behavioural profiling.
03 · Section
Every cookie we set
Below is the exhaustive list. Where a cookie is third-party, the named provider is responsible for its contents under their own privacy notice; we act as a joint or separate controller as set out in their terms.
- sb-access-token · Strictly necessary · first-party
  - Session token issued by our authentication provider (Supabase) when you sign in to the client portal. HttpOnly, Secure, SameSite=Lax. Expires when your session ends or after 60 minutes of inactivity.
- sb-refresh-token · Strictly necessary · first-party
  - Companion refresh token used to quietly renew your portal session without forcing a new sign-in. HttpOnly, Secure, SameSite=Lax. Expires after 14 days of inactivity.
- nb-prefers-reduced-motion · Preference · first-party
  - Stored only if you toggle reduced motion in-page. Contains a boolean flag. SameSite=Lax. Expires after 12 months.
- __stripe_mid · Strictly necessary · third-party (Stripe)
  - Set by Stripe on the checkout iframe for fraud prevention on card payments. Not set unless you start a Stripe checkout. Governed by Stripe's cookie notice.
- __stripe_sid · Strictly necessary · third-party (Stripe)
  - Short-lived session id that pairs with the above. Same scope and provenance.
The public marketing site sets no cookies on first visit. Portal and Stripe cookies only appear once you sign in or begin a payment.
04 · Section
How to control cookies
Every modern browser lets you view, delete and block cookies. The vendor-published instructions below are authoritative, and we link to them rather than duplicating them.
- Chrome — Settings → Privacy and security → Cookies and other site data.
- Safari — Settings → Privacy → Manage Website Data.
- Firefox — Settings → Privacy & Security → Cookies and Site Data.
- Edge — Settings → Cookies and site permissions → Manage and delete cookies and site data.
Blocking strictly-necessary cookies will stop you from signing in to the portal. Blocking preference cookies will not affect access but will reset choices each visit.
05 · Section
Do Not Track and Global Privacy Control
We respect Global Privacy Control (GPC) signals. If your browser sends GPC, we treat it as a valid objection to non-essential processing under Art. 21 UK GDPR. Because we do not set non-essential cookies by default, the practical effect today is that GPC is recorded and honoured automatically.
06 · Section
Changes to this notice
We will update this page if the list of cookies changes. Material changes are dated at the top. If we ever propose to use analytics or other non-essential categories, we will request opt-in consent through a clear, persistent control and list the provider before it runs.