Skip to main content

Draft — pending legal review. This document is a template. It has not yet been reviewed by a UK-qualified solicitor. Do not rely on it for binding agreements until the final version is published.

← Nine Pebbles

Cookies Policy

Last updated: 18 May 2026

1. What cookies are

Cookies are small text files placed on your device when you visit a website. They allow the site to recognise your device on return visits and to function correctly. Similar technologies include local storage, session storage, and service workers — this policy covers all of them.

2. Cookies we use

Nine Pebbles uses a small number of cookies. Most are strictly necessary for the Service to operate. One is optional analytics (Sentry session replay on errors) and only runs after you have explicitly accepted analytics cookies via our consent banner. We do not use advertising cookies.

2.1 Authentication and session

  • Supabase auth cookies (sb-*-auth-token): keep you signed in, store your session refresh token. Required for the Service to function. Expire when the session ends or you sign out.

2.2 Security

  • CSRF protection cookies (set by the framework): prevent cross-site request forgery. Required for any form submission or state-changing API call. Expire at end of session.

2.3 Preferences and feature state

  • Theme and UI preferences (browser local storage): remember your light/dark theme preference and dismissed banners. Persist until you clear browser data.
  • PWA / service worker state: enables offline mode and push notifications, if you have opted in. Managed by your browser.

2.4 Optional analytics (opt-in)

  • Sentry session replay (browser storage only, named sentryReplay_*): records a short replay of the last few seconds before a JavaScript error, with all text, inputs, and media masked. Used to reproduce and fix bugs. Only ever active if you accept analytics cookies in the consent banner. Cleared at end of session.

2.5 Third-party cookies

  • Stripe: when you visit a page that loads Stripe.js (e.g. a checkout page), Stripe sets its own cookies for fraud prevention. See Stripe’s Cookies Policy.
  • GoCardless: when you visit the Direct Debit setup flow, GoCardless may set cookies on its hosted pages. See GoCardless’s Cookie Policy.

3. Consent banner and changing your choice

On your first visit to a public page, we show a small banner asking whether to accept optional analytics cookies. Until you make a choice, no optional cookies or analytics scripts run. You can pick:

  • Accept all — essential plus analytics.
  • Essential only — analytics off.
  • Manage preferences — per-category toggles.

Your choice is stored in your browser’s local storage under nine_pebbles_cookie_consent. To change it later, clear that entry in your browser’s storage settings and reload any public page — the banner will reappear.

4. Managing cookies

Most browsers let you block or delete cookies through their settings. Note that blocking the cookies listed in section 2.1 and 2.2 will prevent the Service from working — you won’t be able to sign in.

For more general guidance, see the ICO’s cookie guidance.

5. Changes to this policy

If we change our cookie practices, we will update this page and the “Last updated” date above. Material changes (e.g. introducing analytics) will be notified in-app with a consent mechanism.

6. Contact

Questions about this policy: [email protected].

This Cookies Policy is a template intended as a starting point. The list of cookies should be verified against your live Service before you rely on this document publicly. Please obtain independent legal advice for UK PECR / GDPR compliance.