Transparency Report
Q2 2026 · Last verified 2026-05-07 · Cookie policy version 2026-05-v6
Overview
This page is the public counterpart to our internal privacy audit. We publish it quarterly so users, partners and the UK Information Commissioner’s Office can verify, without contacting us, that the information in our Cookie Policy matches reality.
The data on this page is rendered directly from src/lib/transparency.ts in our public source tree and reflects the state of the Service on 2026-05-07. A machine-readable JSON copy is available at /api/transparency for automated scanners and audit tooling.
1. Cookie counts at a glance
The Service may set up to 22 cookies or equivalent storage entries across a full user journey (no change vs. previous quarter). The total varies per session because Stripe and Google cookies only fire on the pages that need them.
| Category | Count | Lawful basis | Active in this quarter? |
|---|---|---|---|
| Strictly Necessary | 9 | PECR reg. 6(4) | Yes - always |
| Functional (opt-in) | 1 | GDPR consent | Yes - only after Accept |
| Marketing / Personalisation (opt-in) | 5 | GDPR consent | Yes - only after Accept (bundled with Functional toggle) |
| Analytics (opt-in) | 0 | GDPR consent | No - not currently used |
| Payment & fraud | 7 | 2026 Act Sch.4 (Recognised Legitimate Interests) | Yes - only on checkout |
2. Quarterly drift
We track total cookie count over time so any unexpected increase (a vendor adding new cookies in an SDK update, a new feature pulling in a tracker) is immediately visible. Each row is a manual quarterly review checkpoint signed off by the data protection lead.
| Quarter | Total cookies | Note |
|---|---|---|
| Q4 2025 | 18 | Pre-Cookiebot - analytics line later removed (Vercel never installed). |
| Q1 2026 | 22 | Cookiebot CMP added. hCaptcha disclosed. |
| Q2 2026 | 22 | Maps SDK now consent-gated. Vercel-Analytics false claim removed. |
3. Third-party recipients
This table lists every external organisation that may set a cookie on thesbkdance.com, the country it operates from and the legal instrument under which we transfer data to it. It is lifted verbatim from the Records of Processing Activities (ROPA) in our Cookie Policy §9.
| Recipient | Country | Transfer instrument | Cookies |
|---|---|---|---|
| Stripe Payments UK Ltd. | United Kingdom & United States | UK adequacy regulations + Stripe SCCs | __stripe_mid, __stripe_sid, m, _mf, _ab, id, 1 |
| Cloudflare Inc. | United States | UK International Data Transfer Addendum (IDTA) | __cf_bm |
| Google LLC | United States | UK-US Data Bridge under s.17A UK Data (Use and Access) Act 2026 | NID, 1P_JAR, OGP / OGPC, CONSENT, SOCS |
| Cookiebot / Usercentrics A/S | Denmark | EEA adequacy decision | CookieConsent, userlang |
| Supabase Inc. | United States (DB hosted in EU-West) | UK International Data Transfer Addendum (IDTA) + EU adequacy for DB | sb-access-token, sb-refresh-token |
4. Full inventory
This table lists every cookie or equivalent storage entry the Service may set, mirroring the four tables in the Cookie Policy.
| Name | Category | Vendor | Domain | Duration |
|---|---|---|---|---|
| sb-access-token | Strictly Necessary | The SBK Dance / Supabase | thesbkdance.com | 1 hour |
| sb-refresh-token | Strictly Necessary | The SBK Dance / Supabase | thesbkdance.com | 1 year (rolling) |
| csrf-token | Strictly Necessary | The SBK Dance | thesbkdance.com | Session |
| sub-tier | Strictly Necessary | The SBK Dance | thesbkdance.com | 24 hours |
| __cf_bm | Strictly Necessary | Cloudflare Inc. | *.supabase.co | 30 minutes |
| CookieConsent | Strictly Necessary | Cookiebot / Usercentrics A/S | thesbkdance.com | 1 year |
| userlang | Strictly Necessary | Cookiebot / Usercentrics A/S | thesbkdance.com | Session |
| cookie_consent (localStorage) | Strictly Necessary | The SBK Dance | thesbkdance.com | 1 year |
| ems-auth-user-cache (localStorage) | Strictly Necessary | The SBK Dance | thesbkdance.com | 24 hours |
| NID | Marketing | Google LLC | google.com | 6 months |
| 1P_JAR | Marketing | Google LLC | google.com | 1 month |
| OGP / OGPC | Marketing | Google LLC | google.com | 1 month |
| CONSENT | Marketing | Google LLC | google.com | 2 years |
| SOCS | Marketing | Google LLC | google.com | 13 months |
| ems_ip_location (localStorage) | Functional | The SBK Dance | thesbkdance.com | 1 hour |
| __stripe_mid | Payment & fraud | Stripe Payments UK Ltd. | js.stripe.com | 1 year |
| __stripe_sid | Payment & fraud | Stripe Payments UK Ltd. | js.stripe.com | 30 minutes |
| m | Payment & fraud | Stripe Payments UK Ltd. | m.stripe.com | 2 years |
| _mf | Payment & fraud | Stripe Payments UK Ltd. | m.stripe.network | 1 year |
| _ab | Payment & fraud | Stripe Payments UK Ltd. | m.stripe.network | 1 year |
| id | Payment & fraud | Stripe Payments UK Ltd. | m.stripe.network | 1 year |
| 1 | Payment & fraud | Stripe Payments UK Ltd. | m.stripe.network | Session |
5. Compliance posture
- Cookie banner: three equally prominent choices (Accept All / Reject All / Manage preferences), both toggles in the Manage panel default to off, no dark patterns. Verified by source review on 2026-05-07.
- Consent withdrawal: available from every page via the “Cookie Settings” link in the footer and the in-line CTA on every map placeholder.
- Data Protection Impact Assessment: internal DPIA last reviewed 2026-05-06. Redacted summary available on request to support@thesbkdance.com.
- Records of Processing Activities: maintained per Article 30 UK GDPR; cookie-setting recipients reflected in section 3 above.
- Information Security Management System: internal ISMS aligned with the ISO/IEC 27001:2022 framework; external certification not yet engaged. We will publish the certificate hash on this page once the audit is commissioned and the certificate issued.
- Complaints Handling Duty (UK Data Act 2026, active June 2026): we acknowledge complaints within 5 working days and reply substantively within 30.
6. How to verify this report
- Open browser DevTools → Application → Cookies on thesbkdance.com and reconcile against section 4 above.
- Pull the machine-readable copy at /api/transparency for diffing across quarters.
- Run an external scanner (Cookiebot, OneTrust, Termly). The numbers reported by the scanner should match section 1, allowing for new vendor-side cookies, which we capture in the next quarterly review.
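The DevTools reconciliation in the first step can be automated. The script below is an added example, not code from the Service's source tree: it checks a list of observed storage names against the section 4 inventory and the activation rules in section 1. The input shape, the function and variable names and the sample session are assumptions made for illustration.

```javascript
// Added example. Names transcribed from section 4 of this report.
// "OGP / OGPC" is a single row in the report; both names are listed so either matches.
const INVENTORY = {
  "Strictly Necessary": [
    "sb-access-token", "sb-refresh-token", "csrf-token", "sub-tier", "__cf_bm",
    "CookieConsent", "userlang", "cookie_consent", "ems-auth-user-cache",
  ],
  "Functional": ["ems_ip_location"],
  "Marketing": ["NID", "1P_JAR", "OGP", "OGPC", "CONSENT", "SOCS"],
  "Payment & fraud": ["__stripe_mid", "__stripe_sid", "m", "_mf", "_ab", "id", "1"],
};

// When each category may be present, per the "Active in this quarter?" column in section 1.
const ALLOWED = {
  "Strictly Necessary": () => true,
  "Functional": (ctx) => ctx.consentGiven,
  "Marketing": (ctx) => ctx.consentGiven,
  "Payment & fraud": (ctx) => ctx.onCheckout,
};

// Reverse index: storage name -> category.
const CATEGORY_OF = new Map(
  Object.entries(INVENTORY).flatMap(([cat, names]) => names.map((n) => [n, cat]))
);

// observed: cookie / localStorage names seen in one session (hypothetical input shape).
// ctx: { consentGiven: boolean, onCheckout: boolean } describing that session.
function reconcile(observed, ctx) {
  const findings = { undisclosed: [], premature: [] };
  for (const name of new Set(observed)) {
    const cat = CATEGORY_OF.get(name);
    if (cat === undefined) {
      findings.undisclosed.push(name);              // not in the published inventory
    } else if (!ALLOWED[cat](ctx)) {
      findings.premature.push(`${name} (${cat})`);  // disclosed, but set too early
    }
  }
  return findings;
}

// Constructed sample: a visit to a non-checkout page before any consent choice.
const sample = ["csrf-token", "CookieConsent", "__cf_bm", "NID", "_ga", "__stripe_mid"];
const result = reconcile(sample, { consentGiven: false, onCheckout: false });
console.log(result);
```

Names that appear in the inventory but were not observed are not reported, since the report states that the total varies per session.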
For corrections or to flag a cookie we’ve missed, email support@thesbkdance.com.