Cookie policy.
This is the policy we operate by. We publish it openly so prospective clients and partners can see how we work before they engage us. Final binding terms are negotiated and attached to each engagement.
What a cookie is.
A "cookie" is a small text file a website stores on your device so it can recognise you on later visits or remember a setting you have chosen. In this Policy we use "cookie" broadly to also cover similar technologies — localStorage, sessionStorage, and server-side equivalents — that perform the same function.
This Policy is a companion to the Privacy Policy. It exists separately because regulators (ICO, CNIL, DPC) expect a dedicated cookie-inventory page even when the inventory is short.
What we set — first-party inventory.
This Site sets exactly one first-party cookie, and only after you have made an active choice in the consent banner:
| Name | Purpose | Lifetime | Category |
|---|---|---|---|
| sr_consent_v1 | Records your cookie-banner choices so we do not re-prompt on every page | 180 days from last choice | Strictly necessary |
The same value is mirrored to localStorage under the key sr_consent_v1 so the choice survives if your browser blocks first-party cookies but allows storage.
We set no other cookies. No session cookies (the Site has no login). No preference cookies. No analytics or advertising cookies.
Third-party cookies.
None. No analytics provider, no advertising network, no embed (YouTube, Twitter, LinkedIn) loads on the Site at the time of this Policy version. If that ever changes:
- This page is updated with the new entry.
- The consent-record version is incremented.
- Every visitor is re-prompted on their next page load.
Other third-party asset fetches (not cookies).
The Site fetches two categories of assets from outside hosts. Neither sets a cookie:
| Service | What | Cookie? | Data |
|---|---|---|---|
| Bunny Fonts | Font CDN (replaces Google Fonts) | No | Ephemeral edge logs; EU-hosted (Slovenia) |
| Hosting CDN | Serves HTML / CSS / JS / images | No | Standard HTTP logs — IP, UA, request. 90-day retention |
Photo-credit links go to pexels.com, where Pexels' own policies apply. We do not load Pexels content; we only link.
Consent categories.
Our consent UI is built around four standard categories so future additions are immediately compliant. Today, only the first has any active cookie:
- Strictly necessary — Yes (sr_consent_v1). Cannot be turned off.
- Functional — None active. Reserved for user-preference cookies (language, theme).
- Analytics — None active. Reserved for aggregate, privacy-respecting usage measurement.
- Marketing — None active and none planned. Declining this category is treated as a CCPA "Do Not Sell or Share My Personal Information" signal.
The four-category split mirrors the IAB Europe TCF v2.2 model and the Google Consent Mode v2 categories. Our consent engine emits a gtag('consent', 'update', …) call on every choice so any future Google tag respects it automatically.
How we ask for consent.
On a first visit (no sr_consent_v1 set, GPC not enabled), a bottom-anchored banner appears with three equally-weighted buttons:
[Reject non-essential] [Customise] [Accept all]
Following CNIL / EDPB guidance: "Accept all" and "Reject non-essential" use the same visual treatment; non-essential categories default to off; no category is pre-checked; the banner has no close (×) — closing is a choice; "Customise" opens a preference modal where each category can be toggled individually.
Changing or withdrawing your consent.
Three equally easy paths:
- Click Cookie preferences in the footer (or the Do Not Sell or Share My Personal Information link, which opens the same modal).
- Click the floating ✓ chip at the bottom-left of any page.
- Clear cookies for this domain in your browser; the banner re-appears.
The consent engine exposes a small JS API on window.srConsent:
window.srConsent.get() // current consent record or null
window.srConsent.has('analytics') // boolean
window.srConsent.accept() // grant all
window.srConsent.reject() // deny all non-essential
window.srConsent.open() // open the modal
window.srConsent.on(cb) // subscribe to changes
window.srConsent.reset() // clear and reload
Global Privacy Control and Do Not Track.
We honour Global Privacy Control (navigator.globalPrivacyControl === true). If your browser sends GPC, the banner does not appear and we record an automatic decline of analytics and marketing categories. Showing a banner on top of a GPC signal would be a dark pattern, so we do not.
For Californians: GPC is a recognised opt-out signal under the CCPA / CPRA. You do not need to take further action to exercise your "Do Not Sell or Share" right if your browser sends GPC. The legacy DNT: 1 header is honoured the same way on older browsers.
Consent version and re-prompt.
The current consent record version is 1. Material changes to this Policy or the cookie inventory bump the version (CFG.version in consent.js), which invalidates every stored consent record and triggers a re-prompt. We commit to bumping the version on: adding any new cookie or storage technology; adding any new third-party script that processes personal data; changing the categorisation of an existing cookie; or any material rewrite affecting your rights.
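An added example (not the Site's consent.js) of how the page-load decision described under "Global Privacy Control and Do Not Track" and "Consent version and re-prompt" could be resolved from the cookie and its localStorage mirror. The JSON record shape `{v, ts, cats}`, the function names, the fields of `CFG` other than `version`, and the rule that a live GPC/DNT signal overrides a stored grant are assumptions of this example.

```javascript
// Added example: record shape, helper names and override rule are assumptions.
const CFG = { version: 1, key: 'sr_consent_v1', maxAgeDays: 180 };
const OPTIONAL = ['functional', 'analytics', 'marketing'];
const DAY_MS = 24 * 60 * 60 * 1000;

// Parse one stored copy (cookie or localStorage); return null unless usable.
function parseRecord(raw, now) {
  if (typeof raw !== 'string' || raw === '') return null;
  let rec;
  try { rec = JSON.parse(raw); } catch (e) { return null; }
  if (!rec || typeof rec !== 'object' || !rec.cats || typeof rec.cats !== 'object') return null;
  if (rec.v !== CFG.version) return null;                   // version bump invalidates
  if (!Number.isFinite(rec.ts) || rec.ts > now) return null; // reject bad or future timestamps
  if (now - rec.ts > CFG.maxAgeDays * DAY_MS) return null;   // 180 days from last choice
  const cats = { necessary: true };                          // cannot be turned off
  for (const c of OPTIONAL) cats[c] = rec.cats[c] === true;  // anything but literal true is off
  return { v: rec.v, ts: rec.ts, cats };
}

// Decide whether to show the banner and which categories are in effect.
function resolveConsent({ cookie, storage, gpc, dnt, now }) {
  const a = parseRecord(cookie, now);
  const b = parseRecord(storage, now);
  // Either copy may be missing (blocked cookies); if both exist, the newer choice wins.
  const stored = a && b ? (a.ts >= b.ts ? a : b) : (a || b);
  const signal = gpc === true || dnt === '1';
  const cats = stored
    ? { ...stored.cats }
    : { necessary: true, functional: false, analytics: false, marketing: false };
  // Assumption of this example: a live opt-out signal also overrides a stored grant.
  if (signal) { cats.analytics = false; cats.marketing = false; }
  return {
    showBanner: !stored && !signal,
    source: signal ? 'signal' : stored ? 'stored' : 'default',
    cats,
  };
}
```

In a browser the inputs would come from `document.cookie`, `localStorage.getItem(CFG.key)`, `navigator.globalPrivacyControl` and `navigator.doNotTrack`; here they are passed in so the logic can be checked outside a page.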
Changes to this policy.
When we update this Policy the "Updated" date changes, the consent-record version bumps for material changes, and the bottom-of-page changelog records what changed.
Questions.
Email privacy@summitreachsoft.com with a specific cookie or service name and we will tell you exactly what it does and why we set it (today, the honest answer for nearly everything is "we don't set it").
Questions about this policy?
The text above describes how SUMMIT REACH LLC operates, in plain English. The final binding agreement between you and SUMMIT REACH LLC is whatever is signed at the bottom of your engagement, alongside this policy.
Questions or proposed changes? Email legal@summitreachsoft.com.