Cookie Policy
Effective date: [EFFECTIVE_DATE]
Controller: YOU BABY STUDIO L.L.C, Office 214, Mohamed Sultan Matar Markhan Al Ketbi Building, Al Safa 1, Dubai, United Arab Emirates
Privacy contact: [PRIVACY_EMAIL]
⚠️ LEGAL REVIEW REQUIRED. Wording in this file must be reconciled with the final list of SDKs and analytics vendors actually deployed. The GDPR / ePrivacy Directive requirement for opt-in, granular consent applies to EU visitors, and UAE PDPL Art. 6 likewise requires consent to be specific, clear, unambiguous and freely given. Neither regime allows an "implied consent" banner.
This Cookie Policy explains how YOU BABY STUDIO L.L.C uses cookies and similar technologies (local storage, session storage, pixels, SDK identifiers) on [DOMAIN]. It is part of our Privacy Policy.
1. What cookies are
A "cookie" is a small text file that a website stores on your device. Similar technologies include HTML5 local storage, session storage, and identifier values set by mobile or JavaScript SDKs. For simplicity this Policy refers to all of them as "cookies".
2. Categories of cookies we use
We group cookies into four categories aligned with the IAB TCF v2.2 and the EDPB guidelines on cookie consent:
| Category | Required consent? | Purpose |
|---|---|---|
| Strictly necessary | No; legal basis is "strictly necessary" (GDPR Art. 6(1)(b) / (f); UAE PDPL Art. 4 contractual necessity; ePrivacy exemption) | Run the Service at all: authentication, session, CSRF protection, load-balancing, security |
| Preferences | Yes in the EU/UK/UAE, otherwise off by default | Remember your language, theme, font size |
| Analytics | Yes; off by default for EU/UK/UAE users; on only after affirmative consent | Aggregate, de-identified usage measurement via [ANALYTICS_VENDOR] |
| Marketing / advertising | None currently deployed. If ever enabled, strict opt-in required everywhere. | n/a |
3. Current cookie / storage table
The table below is authoritative as of the Effective Date. Engineering must keep it in sync with production; see TECHNICAL_COMPLIANCE_CHECKLIST.md §B.
| Name | Storage | Category | Purpose | Max lifetime | Party |
|---|---|---|---|---|---|
| refresh_token | HTTP-only cookie (Secure, SameSite=Lax) | Strictly necessary | Renew authenticated sessions | 30 days | First party |
| access_token | localStorage (short-lived JWT) | Strictly necessary | Authenticated API requests | 15 min | First party |
| cookies_accepted | localStorage | Strictly necessary | Record consent choice + policy version | 12 months | First party |
| cookies_preferences | localStorage (JSON of category flags) | Strictly necessary | Enforce your granular consent | 12 months | First party |
| lang | localStorage | Preferences | Remember interface language | 12 months | First party |
| theme | localStorage | Preferences | Light / dark / auto | 12 months | First party |
| onboarding_seen_v1 | localStorage | Preferences | Do not show onboarding again | Permanent until cleared | First party |
| __ph_* (example, only if PostHog is chosen) | Cookie + localStorage | Analytics (opt-in) | Anonymous event tracking, cohorts | 13 months | Third party (PostHog, Inc.) |
| _ga, _ga_* (example, only if GA4 is chosen) | Cookie | Analytics (opt-in) | Anonymous usage stats | 13 months | Third party (Google LLC) |

No cross-site tracking: none of the cookies listed above are used for behavioural advertising or cross-site profiling.
4. Your choices
4.1 In the app
The first time you visit [DOMAIN] the Cookie Banner asks you to choose:
- Accept all: enables every category above.
- Reject all: disables Preferences, Analytics and Marketing; only Strictly necessary cookies remain.
- Manage preferences: granular per-category toggles.
You can change your choice at any time via the "Cookie settings" link in the footer.
4.2 In your browser
You can also configure your browser to block or delete cookies. Note that disabling strictly-necessary cookies will break authentication and we will be unable to serve the Service.
4.3 Global Privacy Control (GPC)
If your browser sends a valid GPC signal we treat it as an automatic opt-out of analytics and of any future advertising cookies for your session and as the "Do Not Sell or Share" opt-out for California residents.
5. Consent record
When you make a cookie choice we store, for audit purposes:
- A random session identifier for your browser;
- The categories you enabled/disabled;
- The Policy version you saw;
- Timestamp (UTC);
- Approximate country (derived from IP), so we can show the regulator that EU users were given opt-in controls.
6. Do we respond to "Do Not Track"?
We do not react to the legacy browser "Do Not Track" header because its meaning is not settled in US law. We do honour GPC as explained above.
7. Updates
We will post a new Effective Date and, where the list of analytics / advertising SDKs changes, re-prompt you for consent.
8. Contact
Questions about cookies: [PRIVACY_EMAIL].
YOU BABY STUDIO L.L.C · Version [EFFECTIVE_DATE]
This document is provided in English, the governing language of this site. An Arabic translation may be available on request; in case of conflict the English version prevails.