Cookie Policy
- Version
- 2026-05-v7
- Last updated
- Last reviewed
- (next review due )
- Reading time
- ~18 min · or read the 30-second summary below
- Tip
- Use your browser’s Print → Save as PDF to keep a copy. Print styles strip the navigation, banner and contents list automatically.
1. About this Policy
This Cookie Policy explains how Inteleforge Limited, trading as The SBK Dance (“we,” “our,” “us”), uses cookies and similar technologies on thesbkdance.com and any subdomain we operate under that domain (the “Service”). It should be read alongside our Privacy Policy and our Terms of Service.
2. Who we are (legal entity, DPO, EU representative)
Companies Act 2006 §82 disclosure. Inteleforge Limited is registered in England & Wales under company number 16661156. Registered office: 34 moray close, Darlington, DL1 3TH, United Kingdom.
Data Protection Officer (DPO). We have not appointed a Data Protection Officer. Our processing does not meet the threshold conditions in Article 37 UK GDPR (large- scale systematic monitoring of public spaces, large-scale special-category processing, or core public-authority activity). Privacy questions are handled by our Privacy & Compliance Officer at support@thesbkdance.com.
Territorial scope. The Service is operated from the United Kingdom and is available globally. UK data-protection law (UK GDPR + Data Protection Act 2018) governs the controller’s processing. Where users are located outside the UK, additional national privacy laws may also apply to their personal data (for example EU/EEA GDPR for users in the European Economic Area, CCPA/CPRA for users in California, LGPD for users in Brazil, DPDP Act for users in India); users may exercise their statutory rights directly with the controller using the contact details above.
3. Applicable laws
This Policy is provided to comply with our obligations under:
- the UK Data (Use and Access) Act 2026 (the “2026 Act”);
- the UK Privacy and Electronic Communications Regulations 2003 (PECR) - “reg.” in this Policy refers to a regulation of PECR;
- the UK General Data Protection Regulation (UK GDPR);
- the Data Protection Act 2018; and
- the EU GDPR - applies whenever you access the Service from the EEA, since the Service is offered without geo- restriction. Articles 13 and 14 EU GDPR apply alongside their UK equivalents in that case.
4. What are cookies and similar technologies?
A cookie is a small text file placed on your device when you visit a website. Some cookies are deleted when you close your browser (“session”); others remain for a set period (“persistent”).
We also use related browser storage that does the same job a cookie would, even though it isn’t technically a cookie:
- localStorage - a small key/value store in your browser that survives across page loads. We use it to remember your consent choice and to cache the navigation bar so it shows the right state instantly on refresh.
- sessionStorage - like localStorage but wiped when you close the tab.
Where the term “cookie” appears below it should be read to include those equivalents.
5. Categories of cookies we use
We classify the cookies on the Service into five categories. Strictly Necessary (5.1) and Payment & Fraud Prevention (5.5) are exempt from the consent requirement under reg. 6(4) PECR and the “Recognised Legitimate Interests” provisions of Schedule 4 of the 2026 Act (which permits limited processing for fraud prevention, security and other listed grounds without separate consent). Functional (5.2), Marketing / Personalisation (5.3) and Analytics (5.4) only fire after you have given affirmative opt-in consent.
One important nuance about the consent banner. Categories 5.2 (Functional) and 5.3 (Marketing / Personalisation) currently share one banner toggle labelled “Functional cookies”. This is because the only Marketing cookies we set come from the Google Maps SDK, and Google bundles Maps’ functional code with its own personalisation cookies - we cannot enable the first without the second. Accepting Functional therefore enables both. If you want a stricter setting, decline Functional: the Maps panels are replaced with a placeholder and the rest of the site continues to work.
- 5.1 Strictly Necessary - always on
- 5.2 Functional - opt-in (one banner toggle, shared with 5.3)
- 5.3 Marketing / Personalisation - opt-in (shares the Functional toggle, see note above)
- 5.4 Analytics - opt-in (we don’t currently run any)
- 5.5 Payment & Fraud Prevention - only on checkout / subscription pages
5.1 Strictly Necessary (Essential)
These cookies are required to authenticate you, keep you signed in, prevent cross-site request forgery, protect our backend from automated abuse, and remember your consent choices. They contain no advertising or cross-site tracking content.
| Name | Provider | Purpose | Duration / TTL |
|---|---|---|---|
| sb-access-token | Inteleforge Limited (set by our server; auth handled by Supabase Inc.) | Short-lived signed JWT proving your identity on each request. HttpOnly & Secure (in production); never exposed to JavaScript. | 1 hour |
| sb-refresh-token | Inteleforge Limited / Supabase Inc. | Long-lived rolling token used to re-issue the access token without making you sign in again. Re-stamped on every successful refresh; cleared on Logout or after a year of inactivity. HttpOnly & Secure. | 1 year (rolling) |
| csrf-token | Inteleforge Limited | Prevents cross-site request forgery on form submissions and mutating API calls. | Session (cleared when the browser closes) |
| sub-tier | Inteleforge Limited | Short render hint (“pro” or “free”) so the page can show the correct paywall state without a server round-trip. Authoritative state always re- checked server-side. | 24 hours |
| __cf_bm | Cloudflare Inc. (in front of *.supabase.co) | Bot-management token issued by Cloudflare on every request to our Supabase backend. Detects and blocks automated abuse of our authentication and database APIs. We cannot disable this without losing Cloudflare protection on the Supabase tier. | 30 minutes |
| CookieConsent | Cookiebot / Usercentrics A/S (Denmark) | Records the choice you made on our cookie banner so we don’t ask you again on every page. Cookiebot also processes your IP address (for region detection and audit) and a browser fingerprint solely for consent-record integrity. This is a consent-management function, not analytics - Cookiebot does not measure your behaviour beyond your consent choice. | 1 year |
| userlang | Cookiebot / Usercentrics A/S | Remembers the language of the consent banner so it is shown in the correct locale on subsequent visits. | Session |
| hcaptcha session cookies | hCaptcha (Intuition Machines, Inc.) under hcaptcha.com | Set ONLY when you submit our signup or sign-in form and Supabase Auth presents a bot challenge. Live for the duration of the challenge and are wiped when you successfully authenticate. | Session |
| cookie_consent (localStorage) | Inteleforge Limited | Mirror of your banner choices stored in browser localStorage so the in-app paywall and Maps gate can read it without a network round-trip. Never sent to our servers. | Persists in localStorage until you click “Cookie Settings” (which clears it) or you clear your browser’s site data |
| ems-auth-user-cache (localStorage) | Inteleforge Limited | Cached subset of your profile (id, email, name, role, avatar URL) so the navigation bar and page chrome render the right state instantly on refresh. Stored in browser localStorage; never sent to our servers. | Wiped immediately on Logout. If you stay signed in, a 24-hour TTL is applied on every read - values older than 24h are ignored and re-fetched. The localStorage entry itself is overwritten on the next refresh. |
5.2 Functional cookies (opt-in)
The only Functional storage we set ourselves is ems_ip_location in browser localStorage, which caches the rough city/region derived from your IP address (geolocation done by our own server - no third- party IP-lookup vendor) so the maps view is centred on your area without re-querying our server on every page load. Set only after you grant Functional consent; overwritten after one hour; never sent back to our servers.
5.3 Marketing / Personalisation cookies (opt-in)
When you accept Functional consent, the Google Maps JavaScript SDK loads. Loading the SDK causes Google to set its own cookies under google.com for personalisation, advertising and consent-state tracking across Google services. We do not run advertising on this Service ourselves, but Google’s SDK bundles these cookies with the Maps functionality - we cannot opt out of them while showing you a working map. We therefore disclose them honestly as Marketing cookies. If you prefer not to receive them, decline Functional consent: the maps are replaced with a placeholder and the rest of the site continues to work.
You can also manage Google’s cookies directly: see section 9 below for links to Google’s Ad Settings and data-deletion tools.
| Name | Provider | Purpose | Duration |
|---|---|---|---|
| NID | Google LLC (google.com) | Personalisation and ad targeting on Google-owned properties. Set by the Maps SDK once Functional consent is granted. See Google’s cookie policy. | 6 months |
| 1P_JAR | Google LLC (google.com) | Cross-Google-service request counters and experiment bucketing. | 1 month |
| OGP / OGPC | Google LLC (google.com) | Stores Google’s own product UI preferences (Search, Maps, YouTube layout). Not specific to our Service. | 1 month |
| CONSENT | Google LLC (google.com) | Records your consent state on Google’s own services. Separate from this Service’s consent banner - accepting or rejecting on our banner does not change your Google-side consent, and vice versa. | 2 years |
| SOCS | Google LLC (google.com) | Records your acceptance of Google’s non-essential cookies on Google services. | 13 months |
Until you grant Functional consent, the Maps panels on the homepage, /events, /maps, /teachers and individual event pages render a static placeholder with a “Cookie Settings” button that re-opens the banner. The location autocomplete on the homepage falls back to a plain text input - typing a city name still works because we geocode it on our servers.
5.4 Analytics & performance (opt-in)
We do not currently run any analytics tool on the Service. (Cookiebot in section 5.1 records your consent choice but does not measure your behaviour, and is therefore listed as Strictly Necessary, not Analytics.) If we add an analytics tool, this Policy will be updated and we will re-prompt you for consent before any new cookie is set.
5.5 Payment & fraud prevention (Stripe)
On any page that loads Stripe - including checkout, the subscription manage page and any future page that embeds Stripe Elements - our payment processor Stripe Payments UK Limited sets its own cookies under js.stripe.com, m.stripe.com and m.stripe.network for fraud prevention (Stripe Radar), 3-D Secure step-up authentication and PCI-compliant payment processing. They are governed by Stripe’s own Cookie Policy (stripe.com/cookies-policy/legal). We do not control them; if you block them, card payments may fail or fall back to a friction-heavy 3-D Secure path. Apple Pay and Google Pay flows that bypass Stripe’s iframe may still succeed.
| Name | Provider | Purpose | Duration |
|---|---|---|---|
| __stripe_mid | Stripe (js.stripe.com) | Long-lived merchant-scoped device identifier used by Stripe Radar to recognise your device across checkouts on this Service. | 1 year |
| __stripe_sid | Stripe (js.stripe.com) | Short-lived session identifier paired with __stripe_mid. | 30 minutes |
| m | Stripe (m.stripe.com) | Stripe Radar device fingerprint used by 3-D Secure step-up and fraud scoring. | 2 years |
| _mf | Stripe (m.stripe.network) | Machine fingerprint signal for Radar. | 1 year |
| _ab | Stripe (m.stripe.network) | Anti-bot heuristic flag. | 1 year |
| id | Stripe (m.stripe.network) | Anonymous device identifier for Radar. | 1 year |
| 1 | Stripe (m.stripe.network) | Iframe-execution sentinel (page-load counter). | Session |
6. Lawful basis & consent
Strictly Necessary cookies (5.1) are dropped on the basis of reg. 6(4) PECR - they are strictly necessary to provide the Service you have requested. No consent is required for these.
Functional and Marketing cookies (5.2 & 5.3) require your prior, freely-given, specific, informed and unambiguous consent, captured through the cookie banner on your first visit. The banner has two equally-prominent buttons (Accept All and Reject All) and a tertiary Manage preferences button which expands an inline panel of toggles for granular control. Until you make a choice, no Functional or Marketing cookie is set; the corresponding feature (Maps) is replaced with a placeholder.
Analytics cookies (5.4) - none are currently set. If we add any, the same opt-in process applies.
Payment & fraud prevention cookies (5.5) rely on the Recognised Legitimate Interests basis introduced by Schedule 4 of the 2026 Act - a new ground introduced by the Act that allows certain narrowly- listed processing (including fraud prevention and security) without a separate consent step. They only fire on pages where you have actively initiated a transaction or a subscription change.
Withdrawing consent. You can withdraw or change your consent at any time using the methods in section 7. Withdrawal does not affect the lawfulness of processing already carried out under your prior consent. Withdrawing Functional consent stops new third-party scripts from loading on subsequent navigations, but cookies already set in your previous session remain in your browser’s cookie jar until they expire naturally or you clear them via your browser settings. Per-cookie persistence after withdrawal:
| Cookie | Persistence after withdrawal | How to clear immediately |
|---|---|---|
| NID | Up to 6 months | Google data and privacy |
| 1P_JAR | Up to 1 month | |
| OGP / OGPC | Up to 1 month | |
| CONSENT | Up to 2 years | |
| SOCS | Up to 13 months | |
| __stripe_mid | Up to 1 year | Stripe privacy contact |
| __stripe_sid | Up to 30 minutes | |
| m | Up to 2 years | |
| _mf, _ab, id | Up to 1 year | |
| 1 | Session (cleared on tab close) | |
| __cf_bm | Up to 30 minutes | Cloudflare privacy |
| CookieConsent, userlang | Up to 1 year | Cookiebot privacy |
7. How to manage your preferences
The fastest way to change your consent on this Service:
Clicking the button clears your current consent record and re-opens the banner with all toggles reset to off.
- Map placeholders. Each blocked map area also includes a Cookie Settings button so you don’t need to scroll back to the footer.
- Global Privacy Control (GPC). If your browser exposes the GPC signal - either via the
navigator.globalPrivacyControlJavaScript API or theSec-GPC: 1HTTP header used by Brave, Firefox with the GPC extension, and DuckDuckGo browser - we honour it as a refusal of non-essential cookies. The 2026 Act recognises GPC as a valid withdrawal-of-consent signal. You can still override the signal by clicking Accept All on our banner. - Browser controls. All major browsers let you block, delete or restrict cookies. Refer to your browser’s help pages (Chrome, Firefox, Safari, Edge). Note that blocking Strictly Necessary cookies will prevent you from signing in.
- Sign out. Clicking Logout deletes the auth tokens (
sb-access-token,sb-refresh-token) on the server and clears them from your device, AND wipes theems-auth-user-cachelocalStorage entry. Note thatcsrf-token,sub-tier,cookie_consentand third-party cookies are not wiped by Logout - use your browser’s “clear cookies” tool for a full reset. - Subject rights. Under UK GDPR you may request access, rectification, erasure, restriction, objection or portability of your personal data. See our Privacy Policy for the full list and how to exercise them.
8. International transfers
Some of our processors are based outside the UK. Where personal data is transferred internationally we rely on UK adequacy regulations, “data bridge” instruments designated under section 17A of the 2026 Act, the UK International Data Transfer Addendum (IDTA) or the supplementary safeguards described in our Privacy Policy. The processors and instruments are:
| Recipient | Data location | Transfer instrument | Onward transfers |
|---|---|---|---|
| Stripe Payments UK Ltd. | United Kingdom | Intra-UK; no international instrument needed. | Stripe may make onward transfers to its US affiliate; those are governed by Stripe’s SCCs as part of Stripe’s own controllership. |
| Cloudflare Inc. | United States | UK International Data Transfer Addendum (IDTA) | - |
| Google LLC | United States | UK-US Data Bridge under s.17A of the 2026 Act | - |
| Cookiebot A/S | Denmark | EEA adequacy decision | Some processing may occur at parent Usercentrics GmbH (Germany); also EEA-internal. |
| Supabase Inc. | EU-West (database); US (corporate) | EU adequacy decision for the database tier; UK IDTA for the corporate tier | - |
| Intuition Machines, Inc. (hCaptcha) | United States | UK IDTA | - |
9. Third-party privacy controls
We do not control the cookies set by third parties. To exercise your rights against those processors directly:
- Google - Account & Privacy, Ad Settings, cookie reset tool.
- Stripe - Privacy Center, privacy contact form.
- Cloudflare - privacy policy.
- Cookiebot / Usercentrics - privacy policy.
- hCaptcha - privacy policy, data subject contact.
10. Data Protection Impact Assessment (DPIA)
We have completed and maintain an internal DPIA covering each cookie listed in this Policy, in line with Article 35 UK GDPR and section 65 of the 2026 Act. The DPIA records, for each cookie: the categories of personal data involved; the purpose, lawful basis and necessity; the retention period; the residual risk after mitigations; and the international-transfer instrument relied on.
The DPIA is owned and signed off by our Privacy & Compliance Officer (support@thesbkdance.com). It was last reviewed on . The next review is scheduled for ; if you are reading this Policy after that date and the dates have not been refreshed, please write to us - we want to know the review reminder failed.
The processing was assessed as low residual risk after mitigations (HttpOnly & Secure flags on session tokens, consent-gated loading of third-party SDKs, no analytics, no advertising of our own). Reviews are also triggered ad-hoc whenever a new cookie-setting vendor is added or material UK data law changes take effect - never relying on the calendar alone.
A redacted summary is available on written request to support@thesbkdance.com.
11. Records of Processing Activities (ROPA)
We maintain Records of Processing Activities under Article 30 UK GDPR, as carried forward and modernised by Schedule 6 of the 2026 Act. The recipient list reflected in our ROPA is identical to the international-transfers table in section 8 above, with these additional fields recorded internally for each recipient: the categories of data subjects, the categories of personal data, the purpose of the transfer, the security measures in place, and the agreed retention / deletion schedule.
A summary extract covering cookie-setting vendors is also available in machine-readable form at /api/transparency and as a human-readable page at /transparency. External cookie scanners (Cookiebot, OneTrust, Termly) can fetch the JSON endpoint to reconcile our published inventory against their own scan.
12. Children
The Service is not directed at children under 13. We do not knowingly collect personal data from anyone under 13; if you become aware that a child under 13 has provided personal data without verifiable parental consent, please contact support@thesbkdance.com and we will delete the data without undue delay. The Service does not currently include an age-verification step at signup; we rely on contractual representations, parent/guardian oversight, and prompt deletion on notice to honour this commitment.
For users aged 13–17, the ICO’s Age-Appropriate Design Code applies. We do not show advertising and do not run analytics, so the heightened risks the Code targets (profiling, nudge marketing, dark patterns) do not arise on the Service.
13. Accessibility
We aim to meet WCAG 2.2 AA on the cookie banner and on this Policy. The banner exposes the two consent buttons with equal visual weight and identical keyboard focus treatment; the Manage preferences expander uses native checkboxes with associated labels. We have not yet commissioned an external accessibility audit - this is a self-attestation. If you encounter a barrier when managing your cookie preferences, please email support@thesbkdance.com and we will resolve it without requiring you to give consent.
14. Changes to this Policy
We may update this Cookie Policy when our practices, providers or regulatory obligations change. The “Last updated” date at the top reflects the latest material revision; minor editorial changes are made without re-prompting consent. For material changes (a new vendor, a new category of cookie, a new lawful basis) we will publish a new version, bump the version stamp at the top of this Policy, and announce the change via in-app notice on your next visit. Withdrawing and re-collecting consent for material changes is a manual operational step in our process; if you would like to be re-prompted at any time, click Cookie Settings in the footer.
15. Contact & complaints
For questions about this Cookie Policy or to exercise any right:
Inteleforge Limited (trading as The SBK Dance)
Registered office: 34 moray close, Darlington, DL1 3TH, United Kingdom
Company number: 16661156 (England & Wales)
Privacy & Compliance Officer: support@thesbkdance.com
You have the right to lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk) at any time - you do not have to wait for our response. We do however encourage you to raise the issue with us first so we can put it right.
Under the Complaints Handling Duty introduced by the 2026 Act (active from June 2026), we will acknowledge your complaint within 5 working days and provide a substantive reply within 30 days.
16. Version history
Versions 2026-05-v1 through 2026-05-v3 were internal drafts revised on the same day as this Policy was first rewritten for the 2026 Act and are listed for completeness; version 2026-05-v4 was the first version published externally. Each entry shows what materially changed.
| Version | Date | Status | Material changes |
|---|---|---|---|
| 2026-05-v7 | 19 May 2026 | Published (current) | Lifted the EU/EEA geo-block at the Vercel edge. The Service is now available globally. Section 2 (territorial scope) was rewritten to note that UK GDPR governs the controller while additional national privacy laws may also apply to users in their own jurisdictions. Re-consent automation: every existing user is re-prompted at next visit because the policyVersion bumped. |
| 2026-05-v6 | 7 May 2026 | Published (superseded) | Activated EU/EEA geo-block at the Vercel edge to close the Article 27 EU GDPR gap. Traffic from the 27 EU member states + Iceland / Liechtenstein / Norway is redirected to /region-unavailable. Section 2 (territorial scope) updated. Re-consent automation: every existing user is re-prompted at next visit because the policyVersion bumped. |
| 2026-05-v5 | 7 May 2026 | Published (superseded) | Closed 32 user-audit findings: env-driven Companies Act §82 disclosure (now in global footer); reconciled summary with Marketing-cookies reality; derived counts from transparency.ts; per-cookie retention rows; named Privacy & Compliance Officer; honest review-date with next-due stamp; WCAG self-attestation softened; print CSS now exists; schema.org type corrected; metadata block layout fixed; section ordering rebalanced. |
| 2026-05-v4 | 7 May 2026 | Published (superseded) | Recategorised Google Maps cookies as Marketing; fixed ICO escalation timing misstatement; added Companies Act §82 disclosure; GPC honour; retention table; third-party privacy links; children & accessibility sections; TOC; 60-second summary; version history; schema.org structured data. |
| 2026-05-v3 | 7 May 2026 | Internal draft | Added granular Functional/Analytics consent toggles; added DPIA and ROPA sections. |
| 2026-05-v2 | 7 May 2026 | Internal draft | Reconciled with codebase; added 2026 Act references; removed false Vercel Analytics row; added Cloudflare, Cookiebot, hCaptcha, full Stripe and Google cookie disclosures. |
| 2026-05-v1 | 6 May 2026 | Internal draft | Initial version. |