This Cookies Policy explains what cookies and similar technologies Supplio uses, what they do, and how you can manage them. It supports our Privacy Policy and is written to comply with the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and the UK GDPR.
1. What are cookies?
Cookies are small text files that a website saves on your device when you visit. They let the website remember things like your sign-in state, your preferences and which pages you have viewed. We use the word "cookies" loosely here to also cover similar technologies such as browser local-storage entries and session-storage entries used for the same purposes.
2. How we use cookies
We use as few cookies as possible. On supplio.co.uk (the marketing site) we use only cookies that are strictly necessary to make the site work, plus — if you opt in — privacy-friendly aggregate analytics. In the Supplio platform at app.supplio.co.uk we use only cookies that are strictly necessary to keep you signed in securely and to remember your preferences.
We do not use cookies for cross-site advertising, behavioural profiling for marketing, or to share your activity with social networks or ad networks. We do not place any third-party advertising tags on our sites.
3. Marketing-site cookies (supplio.co.uk)
3.1 Strictly necessary
These cookies are required for the site to work. They do not need your consent under PECR Regulation 6(4).
| Name | Purpose | Type | Duration |
|---|---|---|---|
| __Host-csrf | Anti-CSRF token protecting the contact form and Stripe Checkout flow. | First-party, session | Browser session |
| cookie-consent | Remembers your cookie preferences so we don't ask again on every page. | First-party, persistent | 12 months (rolling) |
3.2 Analytics (opt-in)
We use privacy-friendly aggregate analytics to understand which pages perform well and what we should improve. Analytics cookies are only set if you opt in via the cookie banner. The analytics provider does not build individual visitor profiles, does not set advertising cookies, and IP addresses are anonymised at the source. The provider respects the "Do Not Track" (DNT) and Global Privacy Control (GPC) signals.
When you opt in, the analytics provider may set a small number of first-party cookies such as an anonymous visitor identifier and a session timer. The current provider and the exact cookie names will be listed here as soon as the integration is enabled in production.
3.3 Stripe Checkout
When you start the checkout flow, you are redirected to Stripe's payment pages on checkout.stripe.com. Stripe sets its own cookies on that domain to prevent fraud and enable the checkout to function. These are governed by Stripe's cookie policy.
4. Platform cookies (app.supplio.co.uk)
All cookies and local-storage entries used in the platform are strictly necessary to keep you signed in, to keep the platform secure, and to remember your settings.
| Name | Purpose | Type | Duration |
|---|---|---|---|
| access_token | Your signed-in session token, used to authenticate API requests. HttpOnly and Secure. | First-party, persistent | Up to 24 hours |
| refresh_token | Allows the platform to renew your session in the background without making you log in again. HttpOnly and Secure; only sent to the authentication endpoint. | First-party, persistent | Up to 7 days |
| auth_token (mirror) | A non-HttpOnly mirror used to synchronise sign-out across multiple browser tabs. | First-party, persistent | Up to 24 hours |
| tenant_id (local-storage) | Remembers which workspace you last used so we can route you correctly after sign-in. | First-party, local-storage | Until you clear browser data |
| supplio_cookie_consent (local-storage) | Records your in-product cookie preferences. | First-party, local-storage | Until you clear browser data |
| Draft entries (e.g. addSupplier:<tenant>:<variant>) | Saves a working draft of long forms so you don't lose work if the page reloads. | First-party, local-storage | 7 days, then auto-expired |
| auth_code (session-storage) | Holds the one-time authorisation code from a sign-in link while we exchange it for a session. Removed immediately after exchange. | First-party, session-storage | Browser session |
5. Other technologies
- Server-side logs capture your IP address, user-agent and request path for security and audit purposes. See the Privacy Policy for retention.
- Web fonts (Inter, Poppins) are loaded through Next.js's built-in self-hosting pipeline; they do not set cookies or report back to a third-party font server while in use.
6. Your choices
- Cookie banner: on first visit to the marketing site you are asked whether to accept all cookies, reject non-essential cookies, or customise your preferences. Your choice is honoured straight away — no page reload required.
- Change your mind: use the Cookie settings link in the footer of every page to change your preferences. Withdrawing consent is as easy as giving it.
- Browser controls: most browsers let you block or delete cookies through their settings. Blocking strictly necessary cookies may prevent the site or platform from working.
- Do Not Track / GPC: if your browser sends a DNT or GPC signal, our analytics will treat it as a refusal of consent.
7. Changes to this Cookies Policy
We may update this Cookies Policy if our use of cookies changes. The "Last updated" date at the top reflects the most recent change.
8. Contact
Cookies questions? Email privacy@supplio.co.uk.