Cookie
Policy.Every cookie set by bespoke-business.com — first-party or third-party — categorized as functional, preferences, statistics, or marketing. Functional cookies load without consent; the rest are opt-in through the consent banner.
Off by default. On by your action.
What a
cookieactually is.
A cookie is a small text file your browser stores when you visit a website. It can hold a session identifier, a preference, an analytics tag, or — depending on the cookie's purpose and the consent given — a marketing identifier. Cookies expire after a set duration or on logout, whichever comes first.
- First-party cookie
- Set by bespoke-business.com itselfFor session, preferences, and our own measurement.
- Third-party cookie
- Set by an embedded serviceAnalytics, scheduling, payment processors, chat widget.
- Session cookie
- Deleted when you close the tabHolds only what's needed for the current visit.
- Persistent cookie
- Stored for a set durationStated in the register below. Maximum 13 months.
Four categories.
One opt-inper category.
Cookies are grouped into four categories on the consent banner. Functional cookies load without consent because the site cannot function without them. The other three are off by default and load only on opt-in.
Functional
Required for the site to operate. Session integrity, CSRF protection, page-load language. Loaded without consent. Cannot be disabled.
Preferences
Remember your choices — viewport scale, accepted-language, font-size. Opt-in. Off by default; sensible defaults apply when off.
Statistics
Anonymous, aggregated measurement. Page views, referrer, device class. Opt-in. We rely on server-side measurement when off.
Marketing
Attribution for campaigns and ad-platform conversion. Opt-in. The site is operable with no marketing cookies at all.
Every cookie,
listed —by name.
The register below names every cookie that may be set when you visit the site, with its purpose, party, category, and duration. Cookies that load only on a specific page (e.g., scheduling widget) appear only when that page is visited.
| Cookie | Party | Category | Purpose | Duration |
|---|---|---|---|---|
| bbd_session | First | FUNCTIONAL | Session integrity. Maintains your tab-state across page loads. Required. | Session |
| bbd_csrf | First | FUNCTIONAL | CSRF token for form submissions. Required for security. | Session |
| bbd_consent | First | FUNCTIONAL | Remembers your consent selections from the banner. Required to honor opt-outs. | 12 months |
| bbd_locale | First | PREFERENCES | Remembers your preferred language and locale. | 12 months |
| bbd_theme | First | PREFERENCES | Remembers light or dark mode preference where applicable. | 12 months |
| _ga | Third · Google | STATISTICS | Distinguishes anonymous visitors for aggregate analytics. | 13 months |
| _ga_* | Third · Google | STATISTICS | Per-property session state for GA4. | 13 months |
| __hssc | Third · HubSpot | STATISTICS | Session tracking for form-engagement attribution. | 30 minutes |
| __hstc | Third · HubSpot | STATISTICS | Aggregate visitor identification across sessions. | 13 months |
| hubspotutk | Third · HubSpot | MARKETING | Cross-session visitor identifier for CRM matching. | 13 months |
| _fbp | Third · Meta | MARKETING | Conversion attribution for Meta advertising. Loads only on landing pages tagged for paid campaigns. | 90 days |
| li_at / lidc | Third · LinkedIn | MARKETING | Conversion attribution for LinkedIn campaigns. Loads only on tagged pages. | 12 months |
Cookies vary by page.
Functional and preferences cookies appear on every page. Statistics cookies appear only when you have opted in. Marketing cookies appear only when you have opted in AND visit a page tagged for a paid campaign. The register lists every cookie that may be set; the actual set on any page is a subset.
The four
third partiesthat may set cookies.
Third-party cookies are set by services embedded on the site. Each provider has its own privacy policy governing what it does with the data; the firm has signed a Data Processing Agreement with each one, and consent for those cookies is opt-in.
| Provider | What It Does on the Site | Cookie Category | Their Policy |
|---|---|---|---|
| GA4 — anonymized, aggregated site analytics | STATISTICS | policies.google.com/privacy | |
| HUBSPOT | Form intake, CRM matching, basic page analytics | STATISTICS · MKTG | legal.hubspot.com |
| META | Conversion attribution on paid-campaign landing pages | MARKETING | facebook.com/privacy |
| Conversion attribution on paid-campaign landing pages | MARKETING | linkedin.com/legal/privacy-policy |
WHY THESE FOUR
The four providers above are the only third-party services that set cookies on the site. Other embedded services (Stripe, Calendly) do not set cookies on bespoke-business.com — they operate within their own domains and any cookies they set are governed by their own policies, applied within those domains.
DATA PROCESSING AGREEMENTS
The firm has executed a DPA with each provider. Where data crosses jurisdictions, Standard Contractual Clauses (SCCs) or the UK IDTA apply. Provider review is annual; certifications, breach history, and DPA terms are revisited each year.
Adjacent
technologies, listedfor completeness.
Cookies are not the only client-side storage mechanism. The site uses two adjacent technologies — browser local storage and a small number of analytics pixels — under the same consent rules as the cookies they replace or complement.
- Local Storage
- Same rules as cookiesUsed to persist preferences between visits where local storage is more reliable than a cookie. Cleared with browser data.
- Tracking Pixels
- Marketing category1×1 images that confirm an email or ad impression. Opt-in. Loaded only on pages tagged for paid campaigns.
- Server Logs
- Not client-sideStandard access logs (IP, user-agent, URL, status) retained for security purposes; not subject to cookie consent.
How to
turn things on,off, or off again.
The consent banner appears on first visit and remembers your selections via the bbd_consent cookie. To change selections later, use the "Cookie Preferences" link in the site footer or your browser's privacy controls.
First visit · banner
The consent banner appears the first time you visit. Three buttons: "Accept All," "Reject Non-Essential," and "Customize." All three are equally prominent — no dark patterns.
Return visit · footer link
The site footer carries a "Cookie Preferences" link on every page. Clicking it reopens the banner with your current selections — adjust any category, save, and the new selection takes effect on next page load.
Browser-level
Every modern browser supports clearing cookies and local storage per-site or globally. Clearing the site's data resets your consent state; the banner reappears on the next visit.
Withdrawing consent does not delete data already collected.
Revoking consent stops further collection but does not retroactively delete data collected before revocation. To request deletion of data already collected, use the Right to Erasure in the Privacy Policy.
Browser signals
we honor —and the ones we don't.
The site honors Global Privacy Control (GPC) signals as a binding opt-out from Statistics and Marketing categories. The legacy Do Not Track (DNT) header is not honored as a binding signal because the specification was never finalized — the consent banner remains the authoritative source for the firm.
- Global Privacy Control (GPC)
- Honored as binding opt-outTreated as if the visitor had selected "Reject Non-Essential" in the banner.
- Do Not Track (DNT)
- Surfaced in the bannerThe DNT header pre-selects the "reject" option, but the banner remains the source of truth.
When a new
cookieis added.
The register is updated when a new cookie is added or a deprecated cookie is removed. Material changes (a new third-party provider, a new marketing cookie) trigger a banner notice and a 30-day review window before the new cookie loads.
- New First-Party Cookie
- Register update + log entryNo banner reset for functional or preferences cookies.
- New Third-Party Cookie
- Banner reset · 30-day noticeVisitors re-consent. New cookies do not load until consent is given.
- Deprecated Cookie
- Removed from registerLog entry with date of removal. No reset required.
Cookie
questionsgo to privacy@.
The Data Protection Officer inbox handles cookie questions alongside the rest of the privacy portfolio. For consent-banner faults, write with the URL, the browser and version, and a screenshot if you have one — the engineering team will respond inside 48 hours.
Cookies, banner faults,register corrections.
If a cookie appears on the site that is not in the register above, please report it. The register is meant to be exhaustive; gaps get fixed inside one business day.
privacy@bespoke-business.com →- Privacy
- Privacy Policy →Full data-handling notice
- Terms
- Terms of Use →Site-use terms
- Third Parties
- See RegisterProvider policies linked above
- Legal
- legal@bespoke-business.comPolicy-interpretation questions
Off by default.
On by youraction.
The cookie register is meant to be exhaustive. If you spot a cookie on the site that isn't listed, the inbox above will hear about it from you and the engineering team will reconcile within one business day.