Legal
Cookie Policy
A plain-English guide to the cookies and similar technologies we use, how to change your choice, and what each category does. Paired with our Privacy Policy.
Effective date: April 18, 2026 · Last updated: April 18, 2026 (v1.2)
1What cookies are
Cookies are small text files placed on your device when you visit a website. They let a site remember things about you between visits — from basic things like your theme preference to aggregate analytics about which pages people visit. Similar technologies such as local storage, tracking pixels, and device fingerprinting are treated the same as cookies in this policy.
Under the EU ePrivacy Directive, UK PECR, and the California CCPA/CPRA, we can only place non-essential cookies after you have given informed consent (or, in California, after we honour an opt-out signal).
2Categories we use
We group cookies into four categories. You can turn each non-essential category on or off — independently — in the preferences panel.
- Strictly necessary — required for the site to function (session, security, remembering your consent choice). These cannot be turned off.
- Analytics — aggregate measurement of how visitors use the site, so we can improve it. We do not build personal profiles from analytics data.
- Marketing — measures advertising performance and supports remarketing. When disabled, we receive either no data, or only privacy-preserving aggregated signals from our ad partners (see §4).
- Preferences — remembers non-essential choices like theme and language across sessions.
3Providers & partners
Below is the current inventory. It is split into two tables — what is set on your device today, and what will be set when each third-party tag is enabled. If you spot a discrepancy, tell us at the email in §9 and we will correct it within 72 hours.
Active today
| Name | Provider | Category | Purpose | Duration |
|---|---|---|---|---|
lm-consent-v1 | Loomaru (first-party) | Necessary | Stores your cookie consent choice so we don't re-prompt. | 12 months |
lm-consent-log-retry-v1 | Loomaru (first-party) | Necessary | Holds a pending audit-log entry if the backend is briefly unreachable at the moment you save your choice. The entry is re-sent on the next page load within the same browser session so the consent record stays complete; once re-sent it is removed. | sessionStorage — lives for the current browser session only. Cleared when the last tab for this site closes. |
lm-signal-toast-dismissed-gpc-v1 / lm-signal-toast-dismissed-dnt-v1 | Loomaru (first-party) | Necessary | Per-signal flag recording that you have already seen the one-shot 'signal honoured' acknowledgement for GPC or DNT, so we do not show it twice. The durable acknowledgement remains visible as a 'Signal active' chip in the Cookie preferences modal. | Persistent (localStorage) — until cleared |
Consent audit record | Loomaru (managed EU-region database) | Necessary | Append-only evidence that you made a consent decision, kept server-side (required by GDPR Art. 7(1)). Stores a cryptographically randomized pseudonymous identifier, a truncated IP prefix (/24 IPv4 or /64 IPv6), a user-agent family string, the referring site origin, and a timestamp. Not a cookie — a database row — but listed here for transparency. | 36 months (automated purge), or sooner on request |
lm-theme | Loomaru (first-party) | Preferences | Remembers your light/dark theme preference. | Persistent (until cleared) |
vlsid (Vercel Analytics) | Vercel Inc. (first-party) | Analytics | Site analytics — counts page views and reconstructs basic visitor flow in aggregate. Loads only after you grant analytics consent. No third-party profiles are built. | Session ID (~24 hours) |
Vercel Speed Insights (storage entry) | Vercel Inc. (first-party) | Analytics | Real-user-monitoring telemetry — records page-load timings and Core Web Vitals (LCP, CLS, INP) so we can improve performance. Loads only after you grant analytics consent. | Session-scoped storage entry |
Dependent on third-party tags
None of the cookies below are set today. They are listed here so you know exactly what will be written if and when we enable each service — and only ever when the matching consent category is granted.
| Name | Provider | Category | Purpose | Duration | Loaded when |
|---|---|---|---|---|---|
_ga, _ga_* | Google Analytics 4 | Analytics | Aggregate visitor counts, session data, engagement metrics. | Up to 2 years | Analytics consent granted + GA4 enabled |
_gcl_* | Google Ads | Marketing | Attributes ad-driven conversions. | Up to 90 days | Marketing consent granted + Google Ads enabled |
_fbp, _fbc | Meta Pixel (Facebook/Instagram) | Marketing | Measures ad performance and builds remarketing audiences. | Up to 90 days | Marketing consent granted + Meta Pixel enabled |
4Google Consent Mode v2
For Google services (Analytics 4, Ads) we use Consent Mode v2. Before any Google tag loads, our page sets defaults for four signals — ad_storage, ad_user_data, ad_personalization, analytics_storage — to denied. When you opt in, these flip to granted. When you opt out, no advertising or analytics cookies are written; Google may still receive privacy-preserving pings with ads_data_redaction turned on, which are aggregated and do not identify you.
5Browser privacy signals (GPC, DNT)
We honour two browser-level privacy signals, symmetrically — whichever your browser sends, the effect is the same: analytics and marketing are off for this site without asking again.
Global Privacy Control (GPC). If your browser sends a GPC signal we treat it as a valid opt-out, as required by California Privacy Regulations §7025 (the 1 January 2026 regulations amendments make recognition of GPC mandatory for covered businesses). You can still open the preferences panel and opt in explicitly, which overrides the GPC signal only for this site.
Do Not Track (DNT). If your browser sends a DNT=1 header (Firefox, Brave, and some older browsers) we treat it as a valid automated objection under GDPR Article 21(5). This follows the Berlin Regional Court judgment of 25 January 2024 (VG Berlin 23 K 37/23), which held that DNT is a technical specification for exercising the right to object to processing based on legitimate interests. Chrome has removed DNT in favour of GPC; both are handled the same way here.
Visible confirmation. When we detect and honour either signal for the first time, a small toast at the top of the page explicitly tells you — so you know the signal was received and applied (CCPA 2026 regulations require visible processing of opt-out preference signals). The toast auto-dismisses after 12 seconds; a durable Signal active chip inside the cookie preferences modal header remains visible whenever the signal is asserted, so the acknowledgement is discoverable at any time.
6Manage your preferences
You can change your choice at any time. There is a permanent Cookie preferences link in the footer of every page, alongside a Your Privacy Choices link that deep-links California residents directly to this control panel (CPRA §1798.135). You can also use the button below. Changes take effect immediately — analytics and advertising tags are granted or revoked on the spot, no reload needed.
If you previously accepted and want to reverse that decision, clicking Withdraw consent in the preferences modal records a distinct withdraw event in our consent audit log. Withdrawal does not affect the lawfulness of any processing that occurred before you withdrew (GDPR Art. 7(3)).
What withdrawal does and does not do. Revoking consent stops new analytics and advertising tags from firing, and we push a Google Consent Mode v2 denied update plus a Meta Pixel revoke immediately. It does not, however, delete cookies a third party may have already written on your device during an earlier consent — browser vendors don't let one site delete another domain's cookies. To remove those you can clear cookies for loomaru.com (and any listed third-party providers) via your browser settings — see §7.
7Browser-level controls
Most browsers let you block or delete cookies through their settings. Blocking all cookies may break parts of the site that rely on strictly-necessary cookies (for example, logging in to the dashboard). Guides:
8Updates to this policy
When we add a new cookie category or a new provider, we bump the consent schema version, clear your stored choice, and re-prompt you. We will not quietly change what you consented to.
Changelog
- 2026-04-18 (v1.2) — Added Do Not Track (DNT) as a symmetric browser signal alongside GPC, per the Berlin Regional Court ruling of 25 Jan 2024 treating DNT as a valid GDPR Art. 21(5) objection. Added a durable "Signal active" chip in the Cookie preferences modal header. Extended the audit-log
methodenum with'dnt'so GPC- and DNT-triggered rows are distinguishable. Banner layer-1 now names recipients (Google Analytics 4, Google Ads, Meta Pixel) directly. - 2026-04-18 (v1.1) — Added visible Global Privacy Control acknowledgement (CPRA 1 Jan 2026 compliance), added "Your Privacy Choices" footer link, disclosed the consent audit record with a 36-month retention policy and automated purge, and added per-category recipient disclosure in the preferences modal.
- 2026-04-18 — First publication. Google Analytics 4, Google Ads, and Meta Pixel are listed as dependent — they are not loaded today.
9Contact
Questions or corrections? Email vadim@loomaru.com. We respond within three business days.