Cookies

What we set, why.

Last updated 2026-05-16

What cookies are

Cookies are small text files saved by your browser when you visit a site. We use the smallest set we can get away with — no third-party advertising or tracking cookies. The categories below cover everything we set.

Strictly necessary

These keep the site working — signing you in, remembering what’s in your cart, protecting checkout from abuse and storing your CSRF token. You can’t opt out of these without breaking basic functionality. They include the Auth.js session cookie, our cart identifier and a CSRF token.

Preferences

If you change theme or locale settings we store that choice in a cookie so the site remembers it next time. These expire after 12 months of inactivity.

Analytics

We use Google Analytics 4 to understand which pages and products people engage with. Cookies in the _ga / _ga_* family record an anonymous client ID, page views, scroll depth on a few key pages, and ecommerce events (view, add to cart, purchase). IP addresses are truncated by Google before they hit the analytics database.

Analytics cookies only load if you accept them — by default they’re denied via Google’s Consent Mode v2, and you can flip them off any time using the Cookie preferences link.

Third parties

Stripe sets cookies on the checkout page as part of its fraud-prevention (Radar). These are controlled by Stripe under its own privacy notice — see stripe.com/privacy.

Embedded videos (e.g. YouTube) set their own cookies if and when you press play. We don’t embed advertising or social-media tracking pixels.

Managing cookies

You can change your choice anytime — opens the consent panel:

You can also clear or block cookies from your browser settings at any time. Blocking the strictly-necessary ones will sign you out and empty your cart; everything else is safe to block without functional side-effects.

See our privacy policy for the wider story on how we use the data behind these cookies.