Cookies Policy
DRAFT — not lawyer-reviewed. Planning artifact for internal review and counsel polish. Do not publish, link from the marketing site, or present to users until reviewed by qualified legal counsel.
Product alignment: Default categories match CONTEXT.md and PLAN.md — Essential cookies always on; Functional default on (opt-out); Analytics and Marketing default off (opt-in). See also privacy-policy.md Section 22.
Document control
| Field | Value |
|---|---|
| Version | DRAFT-1 |
| Effective date (planned) | TBD — upon counsel approval and product launch |
| Last updated (draft) | 2026-05-19 |
| Last reviewed by counsel | Never (not yet) |
| Anchored to product features as of | 2026-05-19 |
| Governing entity | 3rdSpace, Inc. ("3rdSpace," "we," "us," "our") |
| Primary domains | the3rd-space.com (marketing site + host platform); future consumer app domains TBD |
| Related policies | Privacy Policy, Terms of Service, Acceptable Use Policy |
Table of contents
- 1. Introduction and scope
- 2. Who this policy applies to
- 3. What cookies and similar technologies are
- 4. How we use cookies — overview by category
- 5. Default settings and your choices
- 6. Cookie Preference Center (Account Settings)
- 7. Marketing-site cookie banner
- 8. Legal bases for processing
- 9. First-party cookie inventory
- 10. Third-party services overview
- 11. Stripe
- 12. Firebase and Google Cloud
- 13. Sentry
- 14. Cloudflare Turnstile
- 15. SendGrid
- 16. Google Analytics 4
- 17. Affiliate and campaign attribution
- 18. Smart TV and public surfaces
- 19. Local storage and related APIs
- 20. Browser controls
- 21. Do Not Track and Global Privacy Control
- 22. United States notices
- 23. EEA, UK, and Switzerland (future)
- 24. Other regions
- 25. Children
- 26. Security uses
- 27. Retention
- 28. Changes to this policy
- 29. Contact
- 30. Definitions
- Appendix A — Master cookie register
- Appendix B — Change log
- Appendix C — Counsel checklist
- Appendix D — Engineering notes
- Appendix E — FAQ
1. Introduction and scope
This Cookies Policy explains how 3rdSpace, Inc. uses cookies, pixels, tags, local storage, session storage, IndexedDB, and similar technologies (together, "cookies" or "cookie technologies") on:
- the marketing website at https://the3rd-space.com;
- the host platform (authenticated SaaS for organizations, brands, and locations);
- public tools (contact form, Smart TV pairing at /tv/, demo/sales mode, future lead forms); and
- the future consumer app (policy will be updated before release).
Read this together with our Privacy Policy and Terms of Service. If there is a conflict between a summary in the marketing banner and this policy, this policy controls.
Illustrative tables. Cookie names and durations marked (illustrative until production cookie audit) are placeholders until engineering completes a live-environment audit with counsel.
2. Who this policy applies to
3rdSpace operates a dual-sided platform: a B2B host platform (current focus) and a future B2C consumer app. Cookie practices may differ slightly between surfaces; we will segment disclosures in the consumer app privacy label and update this policy before app store submission.
This policy applies to:
| Audience | Examples |
|---|---|
| Host organization users | Owners, Admins, Managers, Employees using the dashboard |
| Prospective hosts | Visitors on /pricing, /signup, demo flows |
| Affiliates | Participants in the Affiliate Marketing tool (L1+ cookie attribution) |
| Anonymous visitors | Marketing pages before sign-in |
| Smart TV operators | Staff pairing a display via /tv/ |
| Future consumer app users | When the B2C app launches |
| Support and sales prospects | Contact form submitters, demo/sales flows |
Roles and billing. Users with Owner or Admin roles manage billing (Stripe) and may encounter additional essential cookies during Checkout. Managers and Employees use the same Preference Center for their own account.
Host customers' end consumers. Data about your customers may be processed in your CRM and tools; cookies on websites you publish through Website Services are your responsibility to disclose. This policy covers 3rdSpace-operated domains and embeds we control.
3. What cookies and similar technologies are
A cookie is a small text file stored on your computer or mobile device when you visit a site. First-party cookies are set by the3rd-space.com. Third-party cookies are set by another domain (for example stripe.com, google.com, sentry.io, cloudflare.com).
We also use:
- Local Storage — persists until cleared; used for UI state and consent mirrors;
- Session Storage — cleared when the tab closes;
- IndexedDB — structured client storage for offline-capable features (limited at launch);
- Pixels / beacons — 1×1 images or scripts recording opens/clicks (SendGrid, future ads);
- SDK identifiers — mobile advertising IDs in the future app (disclosed in app store privacy labels).
4. How we use cookies — overview by category
4.1 Essential (strictly necessary) — always on
You cannot disable essential cookies in the Cookie Preference Center. They support:
- Firebase Authentication sessions and token refresh;
- CSRF and session fixation protections;
- active organization / brand / location context in the dashboard;
- Stripe Checkout, billing portal embeds, and fraud signals;
- Cloudflare Turnstile on /contact, demo email gates, and rate-limited endpoints;
- 3rdspace_cookie_consent_v1 and signed-in consent records (to avoid repeated prompts);
- Smart TV device pairing identifiers on /tv/;
- invite-code and abuse-prevention rate limiting.
4.2 Functional — default ON, opt-out available
Functional cookies remember non-critical preferences:
- light/dark theme (also stored on your user profile in Firestore);
- first day of week for calendars;
- collapsed sidebar, table column widths, recently viewed lists;
- dismissed product tours and changelog modals.
4.3 Analytics — default OFF, opt-in required
Analytics cookies measure aggregated product and marketing performance. Default: off until you opt in via Account Settings or a future granular banner. Planned vendor: Google Analytics 4 on the marketing site post-consent. In-app analytics may use first-party event logs without third-party ad cookies unless you opt in.
4.4 Marketing — default OFF, opt-in required
Marketing cookies attribute visits to campaigns:
- UTM parameters from Email System / SMS / Campaign Manager links;
- QR Code Generator and short-link slugs;
- Affiliate Marketing L1 cookie window attribution;
- future conversion pixels (none enabled at US launch by default).
Marketing cookies do not equal marketing email/SMS consent (separate checkbox at sign-up).
5. Default settings and your choices
| Category | Marketing site (anonymous) | Signed-in platform | Disable? |
|---|---|---|---|
| Essential | On | On | No |
| Functional | Minimal | On by default | Yes |
| Analytics | Off | Off | Yes (opt-in) |
| Marketing | Off | Off | Yes (opt-in) |
We do not pre-check analytics or marketing toggles. Essential cookies remain active if you opt out of all optional categories.
6. Cookie Preference Center (Account Settings)
Path: Account → Settings → Privacy → Cookie preferences
Features:
- Toggles: Functional, Analytics, Marketing (Essential read-only).
- Links to /cookies and /privacy.
- Save → writes cookiePreferences on your user document + updates client script guards.
- Shows policy version DRAFT-1 and timestamp.
- Reset to defaults: Functional on; Analytics off; Marketing off.
Withdrawing consent stops new non-essential writes; clear browser data to remove existing third-party cookies.
7. Marketing-site cookie banner
US-friendly first-visit banner (Q-P1-28):
We use cookies to improve your experience. [Got it] · [Privacy policy]
- Sets 3rdspace_cookie_consent_v1 (planned 12 months).
- Got it ≠ analytics/marketing opt-in.
- Essential + Turnstile still load for protected forms.
- Upgrade to geo-gated UI if ≥5% EEA/UK traffic (Section 23).
8. Legal bases for processing
| Category | GDPR (future EU) | US (summary) |
|---|---|---|
| Essential | Contract; legitimate interests (security) | Service necessity |
| Functional | Consent when not strictly necessary | Notice + choice |
| Analytics | Consent | Opt-in where required |
| Marketing | Consent | Opt-in; distinct from TCPA/email consent |
9. First-party cookie inventory
Verified names will replace illustrative rows after audit.
| Cookie / storage key | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
| 3rdspace_cookie_consent_v1 | 3rdSpace, Inc. | Stores marketing-site banner acknowledgment and version | 12 months (planned) | HTTP (first-party) |
| 3rdspace_session | 3rdSpace, Inc. | Authenticated session binding (illustrative name) | Session | HTTP (first-party) |
| 3rdspace_csrf | 3rdSpace, Inc. | CSRF token for mutating requests | Session | HTTP (first-party) |
| 3rdspace_org_ctx | 3rdSpace, Inc. | Active organization selector | 30 days (planned) | HTTP (first-party) |
| 3rdspace_theme | 3rdSpace, Inc. | Theme mirror when functional cookies enabled | 1 year (planned) | Local Storage |
| 3rdspace_affiliate | 3rdSpace, Inc. | Affiliate attribution window (marketing category) | 30 days (planned) | HTTP (first-party) |
| tv_device_id | 3rdSpace, Inc. | Smart TV pairing device binding | 1 year (planned) | HTTP (first-party) |
| demo_session | 3rdSpace, Inc. | Isolated demo/sales mode session | 24 hours (planned) | HTTP (first-party) |
| 3rdspace_misc_01 (illustrative until production cookie audit) | 3rdSpace, Inc. | UI state | Session | HTTP (first-party) |
| 3rdspace_misc_02 (illustrative until production cookie audit) | 3rdSpace, Inc. | Calendar week start | 1 hour | HTTP (third-party) |
| 3rdspace_misc_03 (illustrative until production cookie audit) | 3rdSpace, Inc. | Feature flags cache | 1 day | Local Storage |
| 3rdspace_misc_04 (illustrative until production cookie audit) | 3rdSpace, Inc. | Banner dismiss | 7 days | Session Storage |
| 3rdspace_misc_05 (illustrative until production cookie audit) | 3rdSpace, Inc. | UI state | 30 days | IndexedDB |
| 3rdspace_misc_06 (illustrative until production cookie audit) | 3rdSpace, Inc. | Calendar week start | 90 days | HTTP (first-party) |
| 3rdspace_misc_07 (illustrative until production cookie audit) | 3rdSpace, Inc. | Feature flags cache | 1 year | HTTP (third-party) |
| 3rdspace_misc_08 (illustrative until production cookie audit) | 3rdSpace, Inc. | Banner dismiss | 2 years | Local Storage |
| 3rdspace_misc_09 (illustrative until production cookie audit) | 3rdSpace, Inc. | UI state | 400 days | Session Storage |
| 3rdspace_misc_10 (illustrative until production cookie audit) | 3rdSpace, Inc. | Calendar week start | Session | IndexedDB |
| 3rdspace_misc_11 (illustrative until production cookie audit) | 3rdSpace, Inc. | Feature flags cache | 1 hour | HTTP (first-party) |
| 3rdspace_misc_12 (illustrative until production cookie audit) | 3rdSpace, Inc. | Banner dismiss | 1 day | HTTP (third-party) |
10. Third-party services overview
| Vendor | Role | Cookie category typically | Opt-out via |
|---|---|---|---|
| Stripe | Subscriptions, credits, Connect payouts | Essential (checkout) | Cannot disable during payment |
| Firebase / Google | Auth, hosting, maps (if used) | Essential | Cannot disable while signed in |
| Sentry | Errors, performance, optional replay | Essential / Analytics* | Preference Center for non-essential features |
| Cloudflare Turnstile | Bot protection | Essential on gated forms | Cannot submit form without challenge |
| SendGrid | Transactional + campaign email | Usually none on site; pixels in email | Email unsubscribe |
| Google Analytics 4 | Marketing site analytics | Analytics | Opt-in only |
*Sentry replay sampling classified per final counsel review.
11. Stripe
Provider: Stripe, Inc.
Table: illustrative until production cookie audit.
| Cookie / storage key | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
| __stripe_01 (illustrative until production cookie audit) | Stripe, Inc. | Payment session and Checkout state | Session | HTTP (first-party) |
| __stripe_02 (illustrative until production cookie audit) | Stripe, Inc. | Stripe Radar fraud prevention | 1 hour | HTTP (third-party) |
| __stripe_03 (illustrative until production cookie audit) | Stripe, Inc. | 3D Secure authentication | 1 day | Local Storage |
| __stripe_04 (illustrative until production cookie audit) | Stripe, Inc. | Remember payment method in Customer Portal | 7 days | Session Storage |
| __stripe_05 (illustrative until production cookie audit) | Stripe, Inc. | Connect onboarding session | 30 days | IndexedDB |
| __stripe_06 (illustrative until production cookie audit) | Stripe, Inc. | Payment session and Checkout state | 90 days | HTTP (first-party) |
| __stripe_07 (illustrative until production cookie audit) | Stripe, Inc. | Stripe Radar fraud prevention | 1 year | HTTP (third-party) |
| __stripe_08 (illustrative until production cookie audit) | Stripe, Inc. | 3D Secure authentication | 2 years | Local Storage |
| __stripe_09 (illustrative until production cookie audit) | Stripe, Inc. | Remember payment method in Customer Portal | 400 days | Session Storage |
| __stripe_10 (illustrative until production cookie audit) | Stripe, Inc. | Connect onboarding session | Session | IndexedDB |
| __stripe_11 (illustrative until production cookie audit) | Stripe, Inc. | Payment session and Checkout state | 1 hour | HTTP (first-party) |
| __stripe_12 (illustrative until production cookie audit) | Stripe, Inc. | Stripe Radar fraud prevention | 1 day | HTTP (third-party) |
| __stripe_13 (illustrative until production cookie audit) | Stripe, Inc. | 3D Secure authentication | 7 days | Local Storage |
| __stripe_14 (illustrative until production cookie audit) | Stripe, Inc. | Remember payment method in Customer Portal | 30 days | Session Storage |
| __stripe_15 (illustrative until production cookie audit) | Stripe, Inc. | Connect onboarding session | 90 days | IndexedDB |
| __stripe_16 (illustrative until production cookie audit) | Stripe, Inc. | Payment session and Checkout state | 1 year | HTTP (first-party) |
12. Firebase and Google Cloud
Provider: Google LLC.
Table: illustrative until production cookie audit.
| Cookie / storage key | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
| firebase_01 (illustrative until production cookie audit) | Google LLC | Firebase Auth ID token persistence | Session | HTTP (first-party) |
| firebase_02 (illustrative until production cookie audit) | Google LLC | Session refresh | 1 hour | HTTP (third-party) |
| firebase_03 (illustrative until production cookie audit) | Google LLC | Firebase Hosting CDN affinity | 1 day | Local Storage |
| firebase_04 (illustrative until production cookie audit) | Google LLC | App Check device attestation | 7 days | Session Storage |
| firebase_05 (illustrative until production cookie audit) | Google LLC | Google Maps embed (if enabled on host sites) | 30 days | IndexedDB |
| firebase_06 (illustrative until production cookie audit) | Google LLC | Firebase Auth ID token persistence | 90 days | HTTP (first-party) |
| firebase_07 (illustrative until production cookie audit) | Google LLC | Session refresh | 1 year | HTTP (third-party) |
| firebase_08 (illustrative until production cookie audit) | Google LLC | Firebase Hosting CDN affinity | 2 years | Local Storage |
| firebase_09 (illustrative until production cookie audit) | Google LLC | App Check device attestation | 400 days | Session Storage |
| firebase_10 (illustrative until production cookie audit) | Google LLC | Google Maps embed (if enabled on host sites) | Session | IndexedDB |
| firebase_11 (illustrative until production cookie audit) | Google LLC | Firebase Auth ID token persistence | 1 hour | HTTP (first-party) |
| firebase_12 (illustrative until production cookie audit) | Google LLC | Session refresh | 1 day | HTTP (third-party) |
| firebase_13 (illustrative until production cookie audit) | Google LLC | Firebase Hosting CDN affinity | 7 days | Local Storage |
| firebase_14 (illustrative until production cookie audit) | Google LLC | App Check device attestation | 30 days | Session Storage |
| firebase_15 (illustrative until production cookie audit) | Google LLC | Google Maps embed (if enabled on host sites) | 90 days | IndexedDB |
| firebase_16 (illustrative until production cookie audit) | Google LLC | Firebase Auth ID token persistence | 1 year | HTTP (first-party) |
13. Sentry
Provider: Functional Software, Inc. (Sentry).
Table: illustrative until production cookie audit.
| Cookie / storage key | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
| sentry_01 (illustrative until production cookie audit) | Functional Software, Inc. (Sentry) | Error event correlation ID | Session | HTTP (first-party) |
| sentry_02 (illustrative until production cookie audit) | Functional Software, Inc. (Sentry) | Release health session | 1 hour | HTTP (third-party) |
| sentry_03 (illustrative until production cookie audit) | Functional Software, Inc. (Sentry) | Performance trace linkage | 1 day | Local Storage |
| sentry_04 (illustrative until production cookie audit) | Functional Software, Inc. (Sentry) | Session replay (if enabled) | 7 days | Session Storage |
| sentry_05 (illustrative until production cookie audit) | Functional Software, Inc. (Sentry) | User feedback attachment | 30 days | IndexedDB |
| sentry_06 (illustrative until production cookie audit) | Functional Software, Inc. (Sentry) | Error event correlation ID | 90 days | HTTP (first-party) |
| sentry_07 (illustrative until production cookie audit) | Functional Software, Inc. (Sentry) | Release health session | 1 year | HTTP (third-party) |
| sentry_08 (illustrative until production cookie audit) | Functional Software, Inc. (Sentry) | Performance trace linkage | 2 years | Local Storage |
| sentry_09 (illustrative until production cookie audit) | Functional Software, Inc. (Sentry) | Session replay (if enabled) | 400 days | Session Storage |
| sentry_10 (illustrative until production cookie audit) | Functional Software, Inc. (Sentry) | User feedback attachment | Session | IndexedDB |
| sentry_11 (illustrative until production cookie audit) | Functional Software, Inc. (Sentry) | Error event correlation ID | 1 hour | HTTP (first-party) |
| sentry_12 (illustrative until production cookie audit) | Functional Software, Inc. (Sentry) | Release health session | 1 day | HTTP (third-party) |
| sentry_13 (illustrative until production cookie audit) | Functional Software, Inc. (Sentry) | Performance trace linkage | 7 days | Local Storage |
| sentry_14 (illustrative until production cookie audit) | Functional Software, Inc. (Sentry) | Session replay (if enabled) | 30 days | Session Storage |
| sentry_15 (illustrative until production cookie audit) | Functional Software, Inc. (Sentry) | User feedback attachment | 90 days | IndexedDB |
| sentry_16 (illustrative until production cookie audit) | Functional Software, Inc. (Sentry) | Error event correlation ID | 1 year | HTTP (first-party) |
14. Cloudflare Turnstile
Provider: Cloudflare, Inc.
Table: illustrative until production cookie audit.
| Cookie / storage key | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
| cf_turnstile_01 (illustrative until production cookie audit) | Cloudflare, Inc. | Challenge token validation | Session | HTTP (first-party) |
| cf_turnstile_02 (illustrative until production cookie audit) | Cloudflare, Inc. | Bot management signal | 1 hour | HTTP (third-party) |
| cf_turnstile_03 (illustrative until production cookie audit) | Cloudflare, Inc. | Widget completion state | 1 day | Local Storage |
| cf_turnstile_04 (illustrative until production cookie audit) | Cloudflare, Inc. | Privacy-preserving attestation | 7 days | Session Storage |
| cf_turnstile_05 (illustrative until production cookie audit) | Cloudflare, Inc. | Rate-limit coordination | 30 days | IndexedDB |
| cf_turnstile_06 (illustrative until production cookie audit) | Cloudflare, Inc. | Challenge token validation | 90 days | HTTP (first-party) |
| cf_turnstile_07 (illustrative until production cookie audit) | Cloudflare, Inc. | Bot management signal | 1 year | HTTP (third-party) |
| cf_turnstile_08 (illustrative until production cookie audit) | Cloudflare, Inc. | Widget completion state | 2 years | Local Storage |
| cf_turnstile_09 (illustrative until production cookie audit) | Cloudflare, Inc. | Privacy-preserving attestation | 400 days | Session Storage |
| cf_turnstile_10 (illustrative until production cookie audit) | Cloudflare, Inc. | Rate-limit coordination | Session | IndexedDB |
| cf_turnstile_11 (illustrative until production cookie audit) | Cloudflare, Inc. | Challenge token validation | 1 hour | HTTP (first-party) |
| cf_turnstile_12 (illustrative until production cookie audit) | Cloudflare, Inc. | Bot management signal | 1 day | HTTP (third-party) |
| cf_turnstile_13 (illustrative until production cookie audit) | Cloudflare, Inc. | Widget completion state | 7 days | Local Storage |
| cf_turnstile_14 (illustrative until production cookie audit) | Cloudflare, Inc. | Privacy-preserving attestation | 30 days | Session Storage |
| cf_turnstile_15 (illustrative until production cookie audit) | Cloudflare, Inc. | Rate-limit coordination | 90 days | IndexedDB |
| cf_turnstile_16 (illustrative until production cookie audit) | Cloudflare, Inc. | Challenge token validation | 1 year | HTTP (first-party) |
15. SendGrid
Provider: Twilio SendGrid.
Table: illustrative until production cookie audit.
| Cookie / storage key | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
| sg_01 (illustrative until production cookie audit) | Twilio SendGrid | No browser cookie on site at launch (expected) | Session | HTTP (first-party) |
| sg_02 (illustrative until production cookie audit) | Twilio SendGrid | Email open tracking pixel (host campaigns) | 1 hour | HTTP (third-party) |
| sg_03 (illustrative until production cookie audit) | Twilio SendGrid | Click-tracking redirect parameter | 1 day | Local Storage |
| sg_04 (illustrative until production cookie audit) | Twilio SendGrid | Subscription preference token in email links | 7 days | Session Storage |
| sg_05 (illustrative until production cookie audit) | Twilio SendGrid | Webhook delivery — server-side only | 30 days | IndexedDB |
| sg_06 (illustrative until production cookie audit) | Twilio SendGrid | No browser cookie on site at launch (expected) | 90 days | HTTP (first-party) |
| sg_07 (illustrative until production cookie audit) | Twilio SendGrid | Email open tracking pixel (host campaigns) | 1 year | HTTP (third-party) |
| sg_08 (illustrative until production cookie audit) | Twilio SendGrid | Click-tracking redirect parameter | 2 years | Local Storage |
| sg_09 (illustrative until production cookie audit) | Twilio SendGrid | Subscription preference token in email links | 400 days | Session Storage |
| sg_10 (illustrative until production cookie audit) | Twilio SendGrid | Webhook delivery — server-side only | Session | IndexedDB |
| sg_11 (illustrative until production cookie audit) | Twilio SendGrid | No browser cookie on site at launch (expected) | 1 hour | HTTP (first-party) |
| sg_12 (illustrative until production cookie audit) | Twilio SendGrid | Email open tracking pixel (host campaigns) | 1 day | HTTP (third-party) |
| sg_13 (illustrative until production cookie audit) | Twilio SendGrid | Click-tracking redirect parameter | 7 days | Local Storage |
| sg_14 (illustrative until production cookie audit) | Twilio SendGrid | Subscription preference token in email links | 30 days | Session Storage |
| sg_15 (illustrative until production cookie audit) | Twilio SendGrid | Webhook delivery — server-side only | 90 days | IndexedDB |
| sg_16 (illustrative until production cookie audit) | Twilio SendGrid | No browser cookie on site at launch (expected) | 1 year | HTTP (first-party) |
16. Google Analytics 4
Provider: Google LLC.
Table: illustrative until production cookie audit.
| Cookie / storage key | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
| _ga_01 (illustrative until production cookie audit) | Google LLC | Distinguish users (_ga) | Session | HTTP (first-party) |
| _ga_02 (illustrative until production cookie audit) | Google LLC | Session state (ga<container>) | 1 hour | HTTP (third-party) |
| _ga_03 (illustrative until production cookie audit) | Google LLC | Campaign attribution | 1 day | Local Storage |
| _ga_04 (illustrative until production cookie audit) | Google LLC | Consent Mode default denied until opt-in | 7 days | Session Storage |
| _ga_05 (illustrative until production cookie audit) | Google LLC | Google Signals (disabled unless configured) | 30 days | IndexedDB |
| _ga_06 (illustrative until production cookie audit) | Google LLC | Distinguish users (_ga) | 90 days | HTTP (first-party) |
| _ga_07 (illustrative until production cookie audit) | Google LLC | Session state (ga<container>) | 1 year | HTTP (third-party) |
| _ga_08 (illustrative until production cookie audit) | Google LLC | Campaign attribution | 2 years | Local Storage |
| _ga_09 (illustrative until production cookie audit) | Google LLC | Consent Mode default denied until opt-in | 400 days | Session Storage |
| _ga_10 (illustrative until production cookie audit) | Google LLC | Google Signals (disabled unless configured) | Session | IndexedDB |
| _ga_11 (illustrative until production cookie audit) | Google LLC | Distinguish users (_ga) | 1 hour | HTTP (first-party) |
| _ga_12 (illustrative until production cookie audit) | Google LLC | Session state (ga<container>) | 1 day | HTTP (third-party) |
| _ga_13 (illustrative until production cookie audit) | Google LLC | Campaign attribution | 7 days | Local Storage |
| _ga_14 (illustrative until production cookie audit) | Google LLC | Consent Mode default denied until opt-in | 30 days | Session Storage |
| _ga_15 (illustrative until production cookie audit) | Google LLC | Google Signals (disabled unless configured) | 90 days | IndexedDB |
| _ga_16 (illustrative until production cookie audit) | Google LLC | Distinguish users (_ga) | 1 year | HTTP (first-party) |
17. Affiliate and campaign attribution
Affiliate Marketing L1 uses a first-party cookie plus UTM/slug encoding to attribute conversions within a configurable window (default 30 days planned). Campaign Manager, QR tools, and Email/SMS links preserve UTM parameters. These cookies fall under the Marketing category and require opt-in.
18. Smart TV and public surfaces
The /tv/ playback client sets a device cookie on first load when unpaired, enabling pairing codes and schedule sync. Classified Essential for that feature. Demo/sales mode uses isolated demo_session cookies with no real PII in seed data.
19. Local storage and related APIs
Besides HTTP cookies, we may store:
- consent mirrors (localStorage.cookiePreferences — illustrative key);
- draft form autosave (tool-specific);
- offline queue for failed writes (future).
Clearing site data in the browser removes these alongside cookies.
20. Browser controls
All major browsers let you block or delete cookies. Instructions:
| Browser | Path |
|---|---|
| Chrome | Settings → Privacy and security → Third-party cookies |
| Firefox | Settings → Privacy & Security → Cookies and Site Data |
| Safari | Settings → Privacy → Manage Website Data |
| Edge | Settings → Cookies and site permissions |
Blocking essential cookies for the3rd-space.com may prevent login and payment.
21. Do Not Track and Global Privacy Control
Do Not Track (DNT): Browsers may send a DNT header. There is no industry-wide standard for how sites must respond. 3rdSpace does not treat DNT alone as a global opt-out of analytics or marketing cookies. Use the Cookie Preference Center or marketing-site flows instead.
Global Privacy Control (GPC): Where state law requires honoring GPC as an opt-out of sale/sharing, we will implement as described in the Privacy Policy. US launch relies on opt-in for analytics/marketing cookies regardless of GPC unless counsel directs otherwise.
22. United States notices
Launch scope: US-hosted businesses, USD, English UI. State laws (California CPRA, Colorado CPA, Connecticut CTDPA, Virginia VCDPA, Utah UCPA, and others) may grant rights to access, delete, and opt out of certain processing.
- Sale / sharing: We do not sell personal information as defined in our Privacy Policy.
- Sensitive data: We do not use cookies to collect sensitive categories intentionally.
- Opt-out: Analytics and marketing cookies are off by default; opt in via Preference Center.
- Authorized agents: Contact privacy@the3rd-space.com with proof of authorization.
23. EEA, UK, and Switzerland (future)
Not active at US launch. When we expand or EU/UK traffic exceeds thresholds:
- Deploy granular consent (Reject all / Accept all / Customize).
- Map categories to ePrivacy + GDPR standards.
- Maintain Records of Processing Activities for cookie vendors.
- Execute DPAs with Stripe, Google, Cloudflare, Sentry, SendGrid.
- Honor withdrawal of consent as quickly as technical feasibility allows.
24. Other regions
Visitors outside the US and future EU markets receive US-default cookie behavior until we publish region-specific notices.
25. Children
Not directed to children under 13. Birthday gating at sign-up. Do not opt children into marketing cookies.
26. Security uses
Essential cookies support CSRF, Turnstile, session binding, Stripe Radar, and rate limits per CONTEXT Q-CR-20 and Q-CR-33.
27. Retention
Cookie lifetimes match tables above. Consent records retained while account is active + legal limitation periods. Aggregated analytics may be retained indefinitely after de-identification.
28. Changes to this policy
Material changes communicated at least 30 days before effect via in-app banner and email. Continued use after notice constitutes acceptance unless you object in writing per Terms (Q-CR-25). Version history in Appendix B.
29. Contact
- Email: privacy@the3rd-space.com (TBD before launch)
- Privacy requests: Account → Settings → Privacy
- Mail: 3rdSpace, Inc., [address TBD]
30. Definitions
Cookie — Small text file placed by a site or embed.
Essential — Strictly necessary to provide the service you request.
Functional — Preferences that improve UX but are not strictly necessary.
Analytics — Measurement of usage in aggregate.
Marketing — Attribution and campaign effectiveness.
Preference Center — Account → Settings → Privacy → Cookie preferences.
Illustrative row — Placeholder until production cookie audit confirms name and duration.
Appendix A — Master illustrative cookie register
A.1 3rdSpace first-party
| Cookie / storage key | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
| 3rdspace_01 (illustrative until production cookie audit) | 3rdSpace, Inc. | Session | Session | HTTP (first-party) |
| 3rdspace_02 (illustrative until production cookie audit) | 3rdSpace, Inc. | Consent | 1 hour | HTTP (third-party) |
| 3rdspace_03 (illustrative until production cookie audit) | 3rdSpace, Inc. | Org context | 1 day | Local Storage |
| 3rdspace_04 (illustrative until production cookie audit) | 3rdSpace, Inc. | Affiliate | 7 days | Session Storage |
| 3rdspace_05 (illustrative until production cookie audit) | 3rdSpace, Inc. | TV device | 30 days | IndexedDB |
| 3rdspace_06 (illustrative until production cookie audit) | 3rdSpace, Inc. | Session | 90 days | HTTP (first-party) |
| 3rdspace_07 (illustrative until production cookie audit) | 3rdSpace, Inc. | Consent | 1 year | HTTP (third-party) |
| 3rdspace_08 (illustrative until production cookie audit) | 3rdSpace, Inc. | Org context | 2 years | Local Storage |
| 3rdspace_09 (illustrative until production cookie audit) | 3rdSpace, Inc. | Affiliate | 400 days | Session Storage |
| 3rdspace_10 (illustrative until production cookie audit) | 3rdSpace, Inc. | TV device | Session | IndexedDB |
| 3rdspace_11 (illustrative until production cookie audit) | 3rdSpace, Inc. | Session | 1 hour | HTTP (first-party) |
| 3rdspace_12 (illustrative until production cookie audit) | 3rdSpace, Inc. | Consent | 1 day | HTTP (third-party) |
| 3rdspace_13 (illustrative until production cookie audit) | 3rdSpace, Inc. | Org context | 7 days | Local Storage |
| 3rdspace_14 (illustrative until production cookie audit) | 3rdSpace, Inc. | Affiliate | 30 days | Session Storage |
| 3rdspace_15 (illustrative until production cookie audit) | 3rdSpace, Inc. | TV device | 90 days | IndexedDB |
| 3rdspace_16 (illustrative until production cookie audit) | 3rdSpace, Inc. | Session | 1 year | HTTP (first-party) |
| 3rdspace_17 (illustrative until production cookie audit) | 3rdSpace, Inc. | Consent | 2 years | HTTP (third-party) |
| 3rdspace_18 (illustrative until production cookie audit) | 3rdSpace, Inc. | Org context | 400 days | Local Storage |
| 3rdspace_19 (illustrative until production cookie audit) | 3rdSpace, Inc. | Affiliate | Session | Session Storage |
| 3rdspace_20 (illustrative until production cookie audit) | 3rdSpace, Inc. | TV device | 1 hour | IndexedDB |
A.2 Stripe
| Cookie / storage key | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
| __stripe_01 (illustrative until production cookie audit) | Stripe, Inc. | Checkout | Session | HTTP (first-party) |
| __stripe_02 (illustrative until production cookie audit) | Stripe, Inc. | Radar | 1 hour | HTTP (third-party) |
| __stripe_03 (illustrative until production cookie audit) | Stripe, Inc. | 3DS | 1 day | Local Storage |
| __stripe_04 (illustrative until production cookie audit) | Stripe, Inc. | Portal | 7 days | Session Storage |
| __stripe_05 (illustrative until production cookie audit) | Stripe, Inc. | Checkout | 30 days | IndexedDB |
| __stripe_06 (illustrative until production cookie audit) | Stripe, Inc. | Radar | 90 days | HTTP (first-party) |
| __stripe_07 (illustrative until production cookie audit) | Stripe, Inc. | 3DS | 1 year | HTTP (third-party) |
| __stripe_08 (illustrative until production cookie audit) | Stripe, Inc. | Portal | 2 years | Local Storage |
| __stripe_09 (illustrative until production cookie audit) | Stripe, Inc. | Checkout | 400 days | Session Storage |
| __stripe_10 (illustrative until production cookie audit) | Stripe, Inc. | Radar | Session | IndexedDB |
| __stripe_11 (illustrative until production cookie audit) | Stripe, Inc. | 3DS | 1 hour | HTTP (first-party) |
| __stripe_12 (illustrative until production cookie audit) | Stripe, Inc. | Portal | 1 day | HTTP (third-party) |
| __stripe_13 (illustrative until production cookie audit) | Stripe, Inc. | Checkout | 7 days | Local Storage |
| __stripe_14 (illustrative until production cookie audit) | Stripe, Inc. | Radar | 30 days | Session Storage |
| __stripe_15 (illustrative until production cookie audit) | Stripe, Inc. | 3DS | 90 days | IndexedDB |
| __stripe_16 (illustrative until production cookie audit) | Stripe, Inc. | Portal | 1 year | HTTP (first-party) |
| __stripe_17 (illustrative until production cookie audit) | Stripe, Inc. | Checkout | 2 years | HTTP (third-party) |
| __stripe_18 (illustrative until production cookie audit) | Stripe, Inc. | Radar | 400 days | Local Storage |
| __stripe_19 (illustrative until production cookie audit) | Stripe, Inc. | 3DS | Session | Session Storage |
| __stripe_20 (illustrative until production cookie audit) | Stripe, Inc. | Portal | 1 hour | IndexedDB |
A.3 Firebase / Google
| Cookie / storage key | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
| firebase_01 (illustrative until production cookie audit) | Google LLC | Auth | Session | HTTP (first-party) |
| firebase_02 (illustrative until production cookie audit) | Google LLC | Hosting | 1 hour | HTTP (third-party) |
| firebase_03 (illustrative until production cookie audit) | Google LLC | App Check | 1 day | Local Storage |
| firebase_04 (illustrative until production cookie audit) | Google LLC | Auth | 7 days | Session Storage |
| firebase_05 (illustrative until production cookie audit) | Google LLC | Hosting | 30 days | IndexedDB |
| firebase_06 (illustrative until production cookie audit) | Google LLC | App Check | 90 days | HTTP (first-party) |
| firebase_07 (illustrative until production cookie audit) | Google LLC | Auth | 1 year | HTTP (third-party) |
| firebase_08 (illustrative until production cookie audit) | Google LLC | Hosting | 2 years | Local Storage |
| firebase_09 (illustrative until production cookie audit) | Google LLC | App Check | 400 days | Session Storage |
| firebase_10 (illustrative until production cookie audit) | Google LLC | Auth | Session | IndexedDB |
| firebase_11 (illustrative until production cookie audit) | Google LLC | Hosting | 1 hour | HTTP (first-party) |
| firebase_12 (illustrative until production cookie audit) | Google LLC | App Check | 1 day | HTTP (third-party) |
| firebase_13 (illustrative until production cookie audit) | Google LLC | Auth | 7 days | Local Storage |
| firebase_14 (illustrative until production cookie audit) | Google LLC | Hosting | 30 days | Session Storage |
| firebase_15 (illustrative until production cookie audit) | Google LLC | App Check | 90 days | IndexedDB |
| firebase_16 (illustrative until production cookie audit) | Google LLC | Auth | 1 year | HTTP (first-party) |
| firebase_17 (illustrative until production cookie audit) | Google LLC | Hosting | 2 years | HTTP (third-party) |
| firebase_18 (illustrative until production cookie audit) | Google LLC | App Check | 400 days | Local Storage |
| firebase_19 (illustrative until production cookie audit) | Google LLC | Auth | Session | Session Storage |
| firebase_20 (illustrative until production cookie audit) | Google LLC | Hosting | 1 hour | IndexedDB |
A.4 Sentry
| Cookie / storage key | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
| sentry_01 (illustrative until production cookie audit) | Sentry | Error | Session | HTTP (first-party) |
| sentry_02 (illustrative until production cookie audit) | Sentry | Replay | 1 hour | HTTP (third-party) |
| sentry_03 (illustrative until production cookie audit) | Sentry | Performance | 1 day | Local Storage |
| sentry_04 (illustrative until production cookie audit) | Sentry | Error | 7 days | Session Storage |
| sentry_05 (illustrative until production cookie audit) | Sentry | Replay | 30 days | IndexedDB |
| sentry_06 (illustrative until production cookie audit) | Sentry | Performance | 90 days | HTTP (first-party) |
| sentry_07 (illustrative until production cookie audit) | Sentry | Error | 1 year | HTTP (third-party) |
| sentry_08 (illustrative until production cookie audit) | Sentry | Replay | 2 years | Local Storage |
| sentry_09 (illustrative until production cookie audit) | Sentry | Performance | 400 days | Session Storage |
| sentry_10 (illustrative until production cookie audit) | Sentry | Error | Session | IndexedDB |
| sentry_11 (illustrative until production cookie audit) | Sentry | Replay | 1 hour | HTTP (first-party) |
| sentry_12 (illustrative until production cookie audit) | Sentry | Performance | 1 day | HTTP (third-party) |
| sentry_13 (illustrative until production cookie audit) | Sentry | Error | 7 days | Local Storage |
| sentry_14 (illustrative until production cookie audit) | Sentry | Replay | 30 days | Session Storage |
| sentry_15 (illustrative until production cookie audit) | Sentry | Performance | 90 days | IndexedDB |
| sentry_16 (illustrative until production cookie audit) | Sentry | Error | 1 year | HTTP (first-party) |
| sentry_17 (illustrative until production cookie audit) | Sentry | Replay | 2 years | HTTP (third-party) |
| sentry_18 (illustrative until production cookie audit) | Sentry | Performance | 400 days | Local Storage |
| sentry_19 (illustrative until production cookie audit) | Sentry | Error | Session | Session Storage |
| sentry_20 (illustrative until production cookie audit) | Sentry | Replay | 1 hour | IndexedDB |
A.5 Cloudflare Turnstile
| Cookie / storage key | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
| cf__01 (illustrative until production cookie audit) | Cloudflare, Inc. | Challenge | Session | HTTP (first-party) |
| cf__02 (illustrative until production cookie audit) | Cloudflare, Inc. | Bot score | 1 hour | HTTP (third-party) |
| cf__03 (illustrative until production cookie audit) | Cloudflare, Inc. | Challenge | 1 day | Local Storage |
| cf__04 (illustrative until production cookie audit) | Cloudflare, Inc. | Bot score | 7 days | Session Storage |
| cf__05 (illustrative until production cookie audit) | Cloudflare, Inc. | Challenge | 30 days | IndexedDB |
| cf__06 (illustrative until production cookie audit) | Cloudflare, Inc. | Bot score | 90 days | HTTP (first-party) |
| cf__07 (illustrative until production cookie audit) | Cloudflare, Inc. | Challenge | 1 year | HTTP (third-party) |
| cf__08 (illustrative until production cookie audit) | Cloudflare, Inc. | Bot score | 2 years | Local Storage |
| cf__09 (illustrative until production cookie audit) | Cloudflare, Inc. | Challenge | 400 days | Session Storage |
| cf__10 (illustrative until production cookie audit) | Cloudflare, Inc. | Bot score | Session | IndexedDB |
| cf__11 (illustrative until production cookie audit) | Cloudflare, Inc. | Challenge | 1 hour | HTTP (first-party) |
| cf__12 (illustrative until production cookie audit) | Cloudflare, Inc. | Bot score | 1 day | HTTP (third-party) |
| cf__13 (illustrative until production cookie audit) | Cloudflare, Inc. | Challenge | 7 days | Local Storage |
| cf__14 (illustrative until production cookie audit) | Cloudflare, Inc. | Bot score | 30 days | Session Storage |
| cf__15 (illustrative until production cookie audit) | Cloudflare, Inc. | Challenge | 90 days | IndexedDB |
| cf__16 (illustrative until production cookie audit) | Cloudflare, Inc. | Bot score | 1 year | HTTP (first-party) |
| cf__17 (illustrative until production cookie audit) | Cloudflare, Inc. | Challenge | 2 years | HTTP (third-party) |
| cf__18 (illustrative until production cookie audit) | Cloudflare, Inc. | Bot score | 400 days | Local Storage |
| cf__19 (illustrative until production cookie audit) | Cloudflare, Inc. | Challenge | Session | Session Storage |
| cf__20 (illustrative until production cookie audit) | Cloudflare, Inc. | Bot score | 1 hour | IndexedDB |
A.6 SendGrid
| Cookie / storage key | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
| sg__01 (illustrative until production cookie audit) | Twilio SendGrid | Email pixel | Session | HTTP (first-party) |
| sg__02 (illustrative until production cookie audit) | Twilio SendGrid | Click track | 1 hour | HTTP (third-party) |
| sg__03 (illustrative until production cookie audit) | Twilio SendGrid | Email pixel | 1 day | Local Storage |
| sg__04 (illustrative until production cookie audit) | Twilio SendGrid | Click track | 7 days | Session Storage |
| sg__05 (illustrative until production cookie audit) | Twilio SendGrid | Email pixel | 30 days | IndexedDB |
| sg__06 (illustrative until production cookie audit) | Twilio SendGrid | Click track | 90 days | HTTP (first-party) |
| sg__07 (illustrative until production cookie audit) | Twilio SendGrid | Email pixel | 1 year | HTTP (third-party) |
| sg__08 (illustrative until production cookie audit) | Twilio SendGrid | Click track | 2 years | Local Storage |
| sg__09 (illustrative until production cookie audit) | Twilio SendGrid | Email pixel | 400 days | Session Storage |
| sg__10 (illustrative until production cookie audit) | Twilio SendGrid | Click track | Session | IndexedDB |
| sg__11 (illustrative until production cookie audit) | Twilio SendGrid | Email pixel | 1 hour | HTTP (first-party) |
| sg__12 (illustrative until production cookie audit) | Twilio SendGrid | Click track | 1 day | HTTP (third-party) |
| sg__13 (illustrative until production cookie audit) | Twilio SendGrid | Email pixel | 7 days | Local Storage |
| sg__14 (illustrative until production cookie audit) | Twilio SendGrid | Click track | 30 days | Session Storage |
| sg__15 (illustrative until production cookie audit) | Twilio SendGrid | Email pixel | 90 days | IndexedDB |
| sg__16 (illustrative until production cookie audit) | Twilio SendGrid | Click track | 1 year | HTTP (first-party) |
| sg__17 (illustrative until production cookie audit) | Twilio SendGrid | Email pixel | 2 years | HTTP (third-party) |
| sg__18 (illustrative until production cookie audit) | Twilio SendGrid | Click track | 400 days | Local Storage |
| sg__19 (illustrative until production cookie audit) | Twilio SendGrid | Email pixel | Session | Session Storage |
| sg__20 (illustrative until production cookie audit) | Twilio SendGrid | Click track | 1 hour | IndexedDB |
A.7 GA4
| Cookie / storage key | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
| _ga_01 (illustrative until production cookie audit) | Google LLC | User | Session | HTTP (first-party) |
| _ga_02 (illustrative until production cookie audit) | Google LLC | Session | 1 hour | HTTP (third-party) |
| _ga_03 (illustrative until production cookie audit) | Google LLC | Campaign | 1 day | Local Storage |
| _ga_04 (illustrative until production cookie audit) | Google LLC | User | 7 days | Session Storage |
| _ga_05 (illustrative until production cookie audit) | Google LLC | Session | 30 days | IndexedDB |
| _ga_06 (illustrative until production cookie audit) | Google LLC | Campaign | 90 days | HTTP (first-party) |
| _ga_07 (illustrative until production cookie audit) | Google LLC | User | 1 year | HTTP (third-party) |
| _ga_08 (illustrative until production cookie audit) | Google LLC | Session | 2 years | Local Storage |
| _ga_09 (illustrative until production cookie audit) | Google LLC | Campaign | 400 days | Session Storage |
| _ga_10 (illustrative until production cookie audit) | Google LLC | User | Session | IndexedDB |
| _ga_11 (illustrative until production cookie audit) | Google LLC | Session | 1 hour | HTTP (first-party) |
| _ga_12 (illustrative until production cookie audit) | Google LLC | Campaign | 1 day | HTTP (third-party) |
| _ga_13 (illustrative until production cookie audit) | Google LLC | User | 7 days | Local Storage |
| _ga_14 (illustrative until production cookie audit) | Google LLC | Session | 30 days | Session Storage |
| _ga_15 (illustrative until production cookie audit) | Google LLC | Campaign | 90 days | IndexedDB |
| _ga_16 (illustrative until production cookie audit) | Google LLC | User | 1 year | HTTP (first-party) |
| _ga_17 (illustrative until production cookie audit) | Google LLC | Session | 2 years | HTTP (third-party) |
| _ga_18 (illustrative until production cookie audit) | Google LLC | Campaign | 400 days | Local Storage |
| _ga_19 (illustrative until production cookie audit) | Google LLC | User | Session | Session Storage |
| _ga_20 (illustrative until production cookie audit) | Google LLC | Session | 1 hour | IndexedDB |
Appendix B — Change log (draft)
| Version | Date | Summary |
|---|---|---|
| DRAFT-0 | 2026-05-11 | Skeleton outline |
| DRAFT-1 | 2026-05-19 | Comprehensive draft for counsel review |
Appendix C — Counsel review checklist
- Essential vs functional split valid under ePrivacy (future EU).
- GA4 loads only post-consent; Consent Mode v2 defaults denied.
- Stripe cookie list matches Checkout + Customer Portal + Connect flows.
- Sentry replay disclosure matches production sample rate and masking.
- Turnstile listed as subprocessor; data processing terms referenced.
- Affiliate cookie duration matches tool spec (30-day default).
- Smart TV cookie scoped essential for /tv/ only.
- Banner text not deceptive; "Got it" does not imply analytics opt-in.
- Preference Center satisfies CPRA opt-out timing.
- Host-published sites disclaimer — host responsibility for extra cookies.
- No pre-checked analytics/marketing anywhere.
- 30-day notice aligns with constructive continuation (Q-CR-25).
- Contact email and postal address finalized.
- Relationship to Privacy Policy Section 7 (service providers).
- SendGrid email pixels distinguished from site cookies.
- Demo mode cookies cannot cross into production tenant.
- Internal tier org-3rdspace uses same consent UX.
- Cookie policy version stored in acceptance ledger with ToS/Privacy.
- MDX publication at /cookies matches repo version.
- Cross-border transfer language consistent with DPA stub.
Appendix D — Product engineering mapping notes
D.1 Consent storage
Firestore users/{uid}.cookiePreferences for signed-in users; 3rdspace_cookie_consent_v1 for anonymous visitors.
Test plan: Verify in staging with devtools Application tab and network filter before prod.
D.2 Script gating
GA4 and marketing tags wrapped in consent guard; essential SDKs load unconditionally.
Test plan: Verify in staging with devtools Application tab and network filter before prod.
D.3 Single domain
the3rd-space.com only at launch — cookie scope covers /dashboard and marketing routes.
Test plan: Verify in staging with devtools Application tab and network filter before prod.
D.4 HttpOnly session
Session cookies must set HttpOnly and Secure, with SameSite=Lax at minimum.
Test plan: Verify in staging with devtools Application tab and network filter before prod.
D.5 Turnstile endpoints
/contact, demo email gate, invite join — per Q-CR-20.
Test plan: Verify in staging with devtools Application tab and network filter before prod.
D.6 Rate limits
Contact 5/hr/IP + 3/hr/email hash — cookies not used for quota (server-side).
Test plan: Verify in staging with devtools Application tab and network filter before prod.
D.7 Affiliate L1
Marketing category; 30-day window; slug + cookie dual attribution.
Test plan: Verify in staging with devtools Application tab and network filter before prod.
D.8 Affiliate L2
Server-side attribution may reduce marketing cookie reliance.
Test plan: Verify in staging with devtools Application tab and network filter before prod.
D.9 Smart TV
tv_device_id essential; no analytics on playback page by default.
Test plan: Verify in staging with devtools Application tab and network filter before prod.
D.10 Stripe Portal
Third-party iframe cookies during payment-method update only.
Test plan: Verify in staging with devtools Application tab and network filter before prod.
D.11 Firebase Auth
Essential; 1-hour email verification links separate from cookies.
Test plan: Verify in staging with devtools Application tab and network filter before prod.
D.12 Theme preference
Functional cookie + Firestore profile field — opt-out stops cookie mirror.
Test plan: Verify in staging with devtools Application tab and network filter before prod.
D.13 Export job
Privacy export uses signed GCS URL — no tracking cookies in email link.
Test plan: Verify in staging with devtools Application tab and network filter before prod.
D.14 Sentry PII
Scrubbing rules before production; replay off unless counsel approves.
Test plan: Verify in staging with devtools Application tab and network filter before prod.
D.15 GA4 env var
Tracking ID in env; disabled in dev/staging without explicit flag.
Test plan: Verify in staging with devtools Application tab and network filter before prod.
D.16 EU geo gate
Cloudflare or analytics geo signal triggers the banner variant at ≥5% EU traffic.
Test plan: Verify in staging with devtools Application tab and network filter before prod.
D.17 GPC handler
Future middleware hook on marketing site.
Test plan: Verify in staging with devtools Application tab and network filter before prod.
D.18 Cookie audit CI
Optional automated scan in release pipeline.
Test plan: Verify in staging with devtools Application tab and network filter before prod.
D.19 Version bump
DRAFT-1 → publish increments cookiesPolicyVersion.
Test plan: Verify in staging with devtools Application tab and network filter before prod.
D.20 AUP cross-link
Abuse prevention cookies referenced in Acceptable Use Policy.
Test plan: Verify in staging with devtools Application tab and network filter before prod.
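Added example (not 3rdSpace project code): one way the D.18 automated scan could check captured Set-Cookie headers against D.4 (session cookie flags) and D.2 (no analytics or marketing cookies before opt-in). The register, the sample headers, and the names session_example, theme_example and mystery_tag are constructed placeholders; only 3rdspace_cookie_consent_v1 and tv_device_id appear in this policy, and treating the consent key as a cookie is an assumption.

```javascript
// Constructed register: cookie name -> category, plus whether it is a session cookie.
// Replace with the audited register once the production cookie audit is done.
const REGISTER = {
  session_example: { category: "essential", session: true }, // placeholder name
  "3rdspace_cookie_consent_v1": { category: "essential", session: false },
  tv_device_id: { category: "essential", session: false },
  theme_example: { category: "functional", session: false }, // placeholder name
  _ga: { category: "analytics", session: false },
};

// Policy defaults: Functional on (opt-out), Analytics and Marketing off (opt-in).
const DEFAULT_CONSENT = { functional: true, analytics: false, marketing: false };

// Parse one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";");
  const eq = pair.indexOf("=");
  const name = (eq === -1 ? pair : pair.slice(0, eq)).trim();
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    if (key) attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, attrs };
}

// Return a list of findings; an empty list means the capture passes the audit.
function auditCookies(headers, consent = DEFAULT_CONSENT, register = REGISTER) {
  const findings = [];
  for (const header of headers) {
    const { name, attrs } = parseSetCookie(header);
    const known = Object.prototype.hasOwnProperty.call(register, name);
    if (!known) {
      // Anything not in the register must be added to it or removed from the page.
      findings.push({ cookie: name, issue: "unregistered" });
      continue;
    }
    const entry = register[name];
    // D.2: non-essential categories may only be set when that category is allowed.
    if (entry.category !== "essential" && !consent[entry.category]) {
      findings.push({ cookie: name, issue: `set-without-${entry.category}-consent` });
    }
    // D.4: session cookies need HttpOnly, Secure, and an explicit SameSite of Lax or Strict.
    if (entry.session) {
      if (attrs.httponly !== true) findings.push({ cookie: name, issue: "missing-httponly" });
      if (attrs.secure !== true) findings.push({ cookie: name, issue: "missing-secure" });
      const sameSite = typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : "";
      if (sameSite !== "lax" && sameSite !== "strict") {
        findings.push({ cookie: name, issue: "samesite-below-lax" });
      }
    }
  }
  return findings;
}

// Constructed sample capture, as copied from a staging network trace.
const SAMPLE_HEADERS = [
  "session_example=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "session_example=abc123; Path=/; Secure; SameSite=None",
  "_ga=GA1.1.111.222; Path=/; Max-Age=63072000",
  "mystery_tag=1; Path=/",
  "theme_example=dark; Path=/; Max-Age=31536000; SameSite=Lax",
];

console.log(auditCookies(SAMPLE_HEADERS));
```

A release pipeline would fail the build when the returned list is non-empty. Storage keys (Local Storage, IndexedDB) do not appear in Set-Cookie headers and need a separate browser-side check.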
Appendix E — Frequently asked questions
E.1 Why can't I disable essential cookies?
Answer: They are required for login, security, billing, and abuse prevention.
E.2 Does "Got it" enable Google Analytics?
Answer: No. Analytics requires a separate opt-in.
E.3 Are functional cookies shared with advertisers?
Answer: No.
E.4 Does marketing cookie opt-in subscribe me to email?
Answer: No — separate marketing consent.
E.5 How do I delete cookies?
Answer: Browser clear-site-data for the3rd-space.com or sign out for session cookies.
E.6 What if I block all cookies?
Answer: You may not be able to sign in, pay, or submit contact/demo forms.
E.7 Does Stripe set third-party cookies?
Answer: Yes during Checkout/Portal; see Section 11.
E.8 Is Sentry session replay on?
Answer: Only if enabled in production config; default planning is minimal.
E.9 GA4 inside the dashboard?
Answer: Planned for marketing site first; in-app uses first-party unless you opt into analytics cookies involving Google.
E.10 How long is consent stored?
Answer: 12 months for banner cookie; account preferences until you change them.
E.11 Affiliate cookies — PII?
Answer: Pseudonymous IDs for attribution, not direct identity.
E.12 Turnstile on contact form?
Answer: Yes — essential bot protection.
E.13 SendGrid website cookies?
Answer: Generally none; email pixels are separate.
E.14 Host customer websites?
Answer: Hosts disclose their own cookies on sites they publish.
E.15 Do Not Track?
Answer: We do not uniformly honor DNT; use Preference Center.
E.16 Global Privacy Control?
Answer: Honored where legally required; US launch uses opt-in defaults.
E.17 EU visitor before EU launch?
Answer: US defaults apply; geo UI if traffic threshold met.
E.18 Policy change notice?
Answer: 30 days for material changes.
E.19 Who to contact?
Answer: privacy@the3rd-space.com (TBD).
E.20 Where is signed-in consent stored?
Answer: User profile in Firestore.
E.21 Can Admins change my cookie choices?
Answer: No — per-user preference.
E.22 Org-level cookie policy?
Answer: No — consent is per user account.
E.23 Demo mode tracking?
Answer: Isolated session; no production analytics.
E.24 Smart TV analytics?
Answer: Off by default on /tv/.
E.25 QR scan cookies?
Answer: Marketing category when tracking campaigns.
E.26 Internal staff accounts?
Answer: Same Preference Center UX.
E.27 Mobile app cookies?
Answer: Updated policy before app store release.
E.28 Cross-device sync?
Answer: Preferences sync via account when signed in.
E.29 Incognito mode?
Answer: Cookies cleared when window closes; consent re-prompted.
E.30 Shared computer?
Answer: Sign out after use; clear cookies if needed.
E.31 Billing without marketing cookies?
Answer: Yes — Stripe essential cookies only during payment.
E.32 Withdraw consent effect?
Answer: Stops new non-essential cookies; clear browser for old ones.
E.33 Children?
Answer: Service not for under-13; do not enable marketing cookies for minors.
E.34 California rights?
Answer: See Section 22 and Privacy Policy.
E.35 Cookie policy version?
Answer: DRAFT-1 dated 2026-05-19.
E.36 Illustrative table rows?
Answer: Replaced after production cookie audit.
E.37 Twilio SMS cookies?
Answer: SMS does not set site cookies; links may carry UTM.
E.38 Cloudflare CDN?
Answer: Turnstile only at launch; full CDN cookies TBD if enabled.
E.39 IndexedDB?
Answer: Limited use; disclosed in Section 19.
E.40 Session replay privacy?
Answer: Sentry masks inputs per configuration.
E.41 Future ad pixels?
Answer: Would require marketing opt-in and policy update.
22.1 State-specific reference (non-exhaustive)
California: CPRA — right to opt out of sale/share; analytics/marketing cookies off by default.
Colorado: CPA — universal opt-out mechanisms; GPC consideration.
Connecticut: CTDPA — similar opt-out rights.
Virginia: VCDPA — data protection assessments for high-risk processing.
Utah: UCPA — business-friendly notice standard.
Texas: TDPSA — applies to certain processors; review at scale.
Oregon: OCPA — effective 2024; consent for sensitive data.
Montana: MCDPA — consumer opt-out rights.
Delaware: DPDPA — 2025 effective; harmonize notices.
New Jersey: DPL — 2025; align with CPRA-style rights.
23.1 Future GDPR / ePrivacy implementation checklist
- Prior consent before non-essential cookies (except strictly necessary).
- Equal prominence Accept / Reject / Customize.
- No cookie walls denying service for refusing analytics.
- Record consent timestamp, version, and channel.
- Data Processing Agreements with all subprocessors setting cookies.
- Transfer mechanisms (SCCs) for US-hosted processors.
- Cookie policy in local languages when UI localized.
- ICO / CNIL guidance on analytics cookies (legitimate interest vs consent — counsel decides).
- Right to erasure includes consent logs where not legally required to retain.
Version: DRAFT-1
Last updated (draft): 2026-05-19
Last reviewed by counsel: never (not yet)
Anchored to product features as of: 2026-05-19