Skip to main content

Cookie Policy

Effective: 24 April 2026|
v3.3
Download PDF
Also available in:Turkish (TR)

Cookie Policy

Version 3.3  |  Effective date: 24 April 2026

SummitBridge Horizon Ltd — Companies House No. 16419201 — ICO Registration ZC112810 — 71-75 Shelton Street, Covent Garden, London WC2H 9JQ.

This Cookie Policy explains how we use cookies, local storage, and similar technologies on summitbridgehorizon.co.uk and app.summitbridgehorizon.co.uk. It complies with the UK Privacy and Electronic Communications Regulations 2003 (PECR), UK GDPR, the EU ePrivacy Directive, German TDDDG §25, French CNIL guidance, and Turkish KVKK.

1. What We Mean by “Cookies”

Cookies are small text files stored on your device. In this policy, the term also covers localStorage, sessionStorage, and server-set tokens used for comparable purposes. We treat every client-side storage technology as subject to the same consent rules as cookies (PECR Regulation 6 / TDDDG §25).

2. Your Consent

On your first visit, we display a consent banner with three equally-prominent choices:

  • Accept all — enables functional, analytics, and (if ever deployed) marketing categories.
  • Reject optional — only strictly necessary technologies are used.
  • Customise — choose each optional category individually.

The “Accept all” and “Reject optional” buttons have identical visual weight. No pre-ticked boxes and no “close” shortcut that implies acceptance. This satisfies CNIL guidance and TDDDG §25.

Your preference is recorded in your browser’s localStorage under the key sbh_consent_token together with a unique audit token in the form ct_<timestamp>_<random> and is also logged server-side against that token. The preference is valid for 12 months, after which we ask again.

3. Global Privacy Control (GPC)

We honour the Global Privacy Control browser signal. When navigator.globalPrivacyControl is true, we automatically:

  • Disable all analytics storage (Google Analytics 4).
  • Disable all marketing/advertising storage (none are currently deployed).
  • Keep only strictly necessary storage.
  • Display a notice in the banner confirming that GPC was detected.

This approach is consistent with CCPA/CPRA (California) and the EU ePrivacy Directive.

4. What We Actually Set

4.1 Strictly Necessary (always on)

Required for the website, checkout, and customer portal to function. No consent is required under PECR Regulation 6(4).

NameTypePurposeProviderMax Duration
sbh-portalHTTP cookie (HttpOnly, Secure)Customer portal session JWTSummitBridge Horizon7 days
sbh-tenantHTTP cookie (HttpOnly, Secure)Tenant (B2B) authentication JWTSummitBridge HorizonSession / up to 7 days
sbh-session-idHTTP cookieChat/support session continuitySummitBridge HorizonSession
next-auth.session-tokenHTTP cookie (HttpOnly, Secure)Admin panel authentication (NextAuth)SummitBridge Horizon30 days
sbh_refHTTP cookieReferral attribution (set only if visitor arrives via a referral link)SummitBridge Horizon90 days
sbh_consent_token (and sbh_consent_token_id)localStorageYour cookie consent choice + audit tokenSummitBridge Horizon12 months
__cf_bmHTTP cookieCloudflare bot management (infrastructure security)Cloudflare30 minutes

4.2 Functional (opt-in)

Enhance your experience but are not required for the site to work.

NameTypePurposeProviderMax Duration
sbh-cartlocalStorageShopping cart contents across page loadsSummitBridge HorizonUntil you clear your browser data
sbh-chat-*localStorageAI chat widget message history (this browser only)SummitBridge HorizonSession
ab_variantHTTP cookieStable A/B test variant for UI experimentsSummitBridge Horizon7 days

4.3 Analytics (opt-in)

Help us understand aggregate usage. Disabled by default, disabled automatically when GPC is signalled, and only set after explicit consent.

NamePurposeProviderMax Duration
_gaGoogle Analytics 4 — anonymised visitor identificationGoogle Ireland Limited2 years
_ga_*GA4 session stateGoogle Ireland Limited2 years

4.4 Marketing (opt-in)

We currently set no marketing or advertising cookies. If we introduce conversion-measurement or advertising pixels in the future, this section and the consent banner will be updated before any such technology is loaded, and your marketing consent choice will govern whether the pixel initialises.

5. First-Party and Third-Party

Strictly necessary, functional, and consent-record storage is first-party (set by SummitBridge Horizon). The following third parties may set cookies described above, and we act as joint/independent controllers with them where applicable:

  • Cloudflare, Inc. — bot management and network security. Privacy policy: cloudflare.com/privacypolicy
  • Stripe Payments Europe Ltd — only during checkout. Privacy policy: stripe.com/privacy
  • Google Ireland Limited — Google Analytics 4, only after consent. Privacy policy: policies.google.com/privacy

We do not currently use any advertising or conversion-tracking network. No third-party marketing pixel is loaded on the site.

6. Managing Your Preferences

You can change your choices at any time by:

  • Clicking the Cookie Settings link in the website footer.
  • Clearing cookies and localStorage for our domains in your browser settings — the banner will then reappear.
  • Enabling Global Privacy Control in a browser that supports it.

Disabling strictly necessary storage will break sign-in, checkout, and the portal.

7. Legal Basis

  • Strictly necessary: PECR Regulation 6(4) exemption — no consent required.
  • Functional, analytics, marketing: your consent under PECR Regulation 6 and UK GDPR Article 6(1)(a). You may withdraw consent at any time.
  • Special categories: we do not process special category data via cookies.

8. International Transfers

Our infrastructure runs on Hostinger International Ltd servers in Germany (EU). Cookie-related data stays within the EEA except where a third-party service explicitly listed above transfers data to the United States under the UK International Data Transfer Addendum (IDTA) or EU Standard Contractual Clauses.

9. German Visitors (TDDDG §25)

For visitors from Germany, storing or reading information on your device (cookies, localStorage, sessionStorage) requires prior consent for anything outside the strictly necessary category. “Accept all” and “Reject optional” are given equal visual weight on the banner and in the preferences panel. There is no close-without-choosing shortcut.

10. Consent Records and Retention

Each consent event is recorded with: a unique consent token, timestamp, locale, GPC signal state, and the categories you accepted or declined. We keep this record for 3 years to evidence compliance under UK GDPR Article 7(1) and retain the ability to respond to audits by supervisory authorities.

11. Changes to This Policy

We update this Cookie Policy when we add, remove, or materially change any cookie or similar technology. Material changes trigger a new consent request via the banner. The version and effective date at the top of this document are authoritative.

12. Contact and Complaints

Cookie and privacy queries: [email protected]

General: [email protected]

You have the right to lodge a complaint with the UK Information Commissioner’s Office: ico.org.uk — 0303 123 1113. EU residents may contact their national supervisory authority.

This document is maintained by SummitBridge Horizon Ltd (Companies House: 16419201). For questions, contact [email protected].