Cookie Policy
Last updatedMay 29, 2026
1. What Are Cookies
Cookies are small text files placed on your device. We also use related techniques (localStorage, sessionStorage, IndexedDB). For brevity all are called "cookies" below.
2. Categories We Use
Strictly Necessary (always active — no consent required):
•
•
•
•
• Cloudflare bot mitigation —
Analytics — only with your consent:
•
• Cloudflare performance metrics —
Marketing — not used: thMenu does not currently set marketing or advertising cookies.
•
__thmenu_session — authentication session token•
__thmenu_csrf — CSRF double-submit token•
thmenu_cookie_consent — your cookie preference (localStorage)•
NEXT_LOCALE — selected language• Cloudflare bot mitigation —
__cf_bm (30 min) and cf_clearance (up to 30 days). Essential for the security of the information-society service you explicitly requested (ePrivacy Art. 5(3) exemption; EDPB Guidelines 2/2023 §3.1).Analytics — only with your consent:
•
ph_* — PostHog anonymous usage analytics (set only after Analytics consent).• Cloudflare performance metrics —
_cfuvid and similar. These do NOT fall within the ePrivacy 5(3) exemption (CNIL SAN-2024-013); loaded only after explicit consent.Marketing — not used: thMenu does not currently set marketing or advertising cookies.
3. Third-Party Recipients
When a category is enabled, cookies may be received and processed by:
• Cloudflare Inc. — security and performance
• PostHog Inc. — product analytics
• Stripe, Inc. — payment processing (checkout pages only)
• Sentry — error monitoring (PII-scrubbed)
Each operates under EU SCC 2021/914 Module 2 + EDPB Recommendations 01/2020 supplementary measures.
• Cloudflare Inc. — security and performance
• PostHog Inc. — product analytics
• Stripe, Inc. — payment processing (checkout pages only)
• Sentry — error monitoring (PII-scrubbed)
Each operates under EU SCC 2021/914 Module 2 + EDPB Recommendations 01/2020 supplementary measures.
4. Lifetime
Session cookies expire when you close your browser. Persistent cookies remain up to 13 months. Your consent record is stored for 13 months then we re-prompt (matching ICO + CNIL guidance).
5. Managing Cookies
Change your decision at any time:
• via the persistent Cookie Preferences button in the footer (reopens the banner);
• via your browser settings;
• by emailing dpo@synaltix.io.
Withdrawal is as easy as giving consent (GDPR Art. 7(3); KVKK md. 5).
• via the persistent Cookie Preferences button in the footer (reopens the banner);
• via your browser settings;
• by emailing dpo@synaltix.io.
Withdrawal is as easy as giving consent (GDPR Art. 7(3); KVKK md. 5).
6. The Consent Banner
On your first visit and whenever the policy version is bumped, the banner offers three equally weighted controls — Reject all, Customize, Accept all — with the same size, border and colour contrast (EDPB Guidelines 03/2022 §3.2; CNIL SAN-2022-024/025/026; KVKK Çerez Rehberi June 2022 §4).
7. Evidence and Accountability
Each decision mirrors to
POST /api/consent/log and persists in public.consent_logs with a pseudonymous device fingerprint (daily-salted SHA-256), app surface, locale and policy version. The table is RLS-protected for service-role-only reads (Supabase migration 20260524000002). We demonstrate GDPR Art. 7(1) / KVKK md. 5 compliance without retaining raw IPs or User-Agents.8. Legal Basis (Jurisdiction Summary)
• EU/EEA: ePrivacy Directive 2002/58 Art. 5(3); GDPR Art. 6(1)(a) and Art. 7.
• UK: PECR Reg. 6; UK GDPR Art. 6(1)(a).
• Türkiye: KVKK md. 5/1 and 5/2(f); KVK Kurulu Çerez Uygulamaları Hakkında Rehber (Haziran 2022).
• California: CCPA/CPRA — GPC treated as a legally binding opt-out (Cal. Code Reg. §7025).
• UK: PECR Reg. 6; UK GDPR Art. 6(1)(a).
• Türkiye: KVKK md. 5/1 and 5/2(f); KVK Kurulu Çerez Uygulamaları Hakkında Rehber (Haziran 2022).
• California: CCPA/CPRA — GPC treated as a legally binding opt-out (Cal. Code Reg. §7025).