Tracking
Cookie Policy
Provided pursuant to Art. 122 of Italian Legislative Decree 196/2003, the Italian Data Protection Authority's Decision of 10 June 2021, Articles 6 and 7 GDPR and EDPB Guidelines 03/2022.
Last updated: May 28, 2026
1. Data Controller
The Controller is Cladegrove · di Fabio Ariotti, sole proprietorship with registered office in Trino (VC), Italy. VAT IT02782390021. Full identification and contact details are provided in the Privacy Policy.
2. What cookies are
Cookies are small text files that visited websites save on the user's device. Together with other similar technologies (local storage, session storage, pixel tags) they allow the browsing state to be maintained, security to be enforced and analytics or marketing measurement to be performed.
3. Categories of cookies and similar technologies
The Cladegrove platform groups cookies and similar technologies into three categories. Only the "Necessary" category is loaded by default; the others require your prior consent through the cookie banner.
3.1 Strictly necessary (always on)
These technologies are essential to deliver the Service and to comply with security and authentication requirements. Their use is based on Art. 122 D.Lgs. 196/2003 and does not require consent.
| Name | Type · Provider | Purpose | Duration |
|---|---|---|---|
sb-* | HTTP cookie (HttpOnly, Secure, SameSite=Lax) · first-party · Supabase Auth | Authenticated session: access token and refresh token rotated on each refresh. | Access ~1 hour; refresh up to 30 days; cleared on sign-out. |
cg_ref | HTTP cookie (HttpOnly, Secure, SameSite=Lax) · first-party · Cladegrove | Credits the referring account when you arrive from a /ref/<handle> link and complete registration. | Up to 30 days; deleted on registration or rejection. |
cg_recovery | HTTP cookie (HttpOnly, Secure, SameSite=Lax) · first-party · Cladegrove | Single-use authorisation for the password-reset page. | Minutes; deleted on password change. |
cladegrove-consent | localStorage · first-party · Cladegrove | Stores your cookie-banner choices (per-category accept/reject + timestamp). | Until revoked via "Cookie preferences" or cleared from the browser. |
cladegrove-sidebar-collapsed | localStorage · first-party · Cladegrove | Remembers whether the side panel is expanded or collapsed. | Until cleared. |
cladegrove-generator-cols-desktop, cladegrove-generator-cols-mobile | localStorage · first-party · Cladegrove | Remembers the number of tiles per row in the Single-shot grid (separate value for desktop and mobile). | Until cleared. |
cladegrove-wardrobe-archive-cols | localStorage · first-party · Cladegrove | Remembers the column density of the Wardrobe archive grid (desktop only). | Until cleared. |
__cf_bm | HTTP cookie (HttpOnly, Secure, SameSite=None) · third-party · Cloudflare, Inc. | Anti-bot challenge token set by the Cloudflare proxy in front of the Cladegrove origin (see Privacy Policy §6). Required to distinguish humans from automated traffic. | ~30 minutes per visit. |
3.2 Analytics (consent required)
On consent, this category loads the providers listed below. Nothing in this category is initialised before you accept the Analytics category in the cookie banner. Legal basis: Art. 6.1.a GDPR + Art. 122 D.Lgs. 196/2003 (consent).
| Name | Type · Provider | Purpose | Duration |
|---|---|---|---|
| Vercel Analytics | Beacons, no cookie · first-party · Vercel Inc. | Aggregated page views, referrers and basic session data. | n/a (no client-side cookie). |
| Vercel Speed Insights | Beacons, no cookie · first-party · Vercel Inc. | Core Web Vitals measured on real visits. | n/a (no client-side cookie). |
Google Tag Manager (container GTM-MVWMN3VF) | Script loader · third-party · Google LLC | Container that delivers the Google Analytics 4 tag. A built-in tag blocklist (gtm.blocklist: ['html','img','jsm']) prevents Custom HTML, Image and JS-Variable tags from executing inside the container. | No cookie set by GTM itself. |
_ga | HTTP cookie · third-party · Google LLC (Google Analytics 4, property G-NXBWSESG8P) | Distinguishes unique users for aggregated traffic analytics. | 2 years. |
_ga_NXBWSESG8P | HTTP cookie · third-party · Google LLC (GA4 property-specific) | Maintains the analytics session state for the GA4 property above. | 2 years. |
_gid | HTTP cookie · third-party · Google LLC (GA4) | Distinguishes users within a 24-hour window. | 24 hours. |
3.3 Marketing (consent required)
Reserved for advertising and remarketing pixels (e.g. Meta Pixel, TikTok Pixel) that may be added in the future. No marketing technology is currently active; this category is listed for transparency. If activated, it will be loaded only after your consent and this Cookie Policy will be updated accordingly. Legal basis: Art. 6.1.a GDPR + Art. 122 D.Lgs. 196/2003 (consent).
3.4 Stripe checkout (separate domain)
Card payments are processed on checkout.stripe.com, operated by Stripe Payments Europe, Ltd. Cladegrove does not embed Stripe.js Elements on its pages: when you click "Checkout" you are redirected to the Stripe-hosted page and back. Stripe may set its own cookies (e.g. __stripe_mid, __stripe_sid, m) on the stripe.com domain during that flow. Those cookies are governed by Stripe's cookie policy and are not set on the cladegrove.com domain.
4. How to give, withdraw or change your consent
On your first visit you are presented with a cookie banner with three equally prominent options: Accept all, Reject all, and Customize(per-category toggles). The buttons are placed on the same first layer with equal visual weight, in line with EDPB Guidelines 03/2022 on deceptive design patterns and the Italian Garante's 10 June 2021 cookie guidelines. Necessary cookies are always on and cannot be disabled. No cookie or similar technology requiring consent is loaded before you make a choice.
You can withdraw or change your choice at any time by clicking "Cookie preferences" in the footer of any page. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.
5. Global Privacy Control (GPC) and U.S. visitors
Some browsers and extensions transmit a Global Privacy Control signal (HTTP header Sec-GPC: 1 and the corresponding navigator.globalPrivacyControl property). GPC is recognised as a valid opt-out request under California Civ. Code §1798.135(b), the Colorado Privacy Act, the Connecticut Data Privacy Act and other U.S. state laws.
When we detect a GPC signal on first visit, we treat it as an explicit opt-out and the Analytics and Marketing categories are recorded as disabled without showing the banner. The Strictly necessary category remains active because it is required to run the platform. You can override this default at any time by opening "Cookie preferences" in the footer and enabling specific categories. Your manual choice takes precedence over the GPC signal for this device.
Independently of GPC, we do not sell or share personal information for cross-context behavioural advertising. See Privacy Policy §13 for the full U.S. state-law notice.
6. How to manage cookies from the browser
You can also delete or block cookies directly from your browser settings:
Disabling session/authentication cookies makes it impossible to access the protected area.
7. Data subject rights and complaints
You can exercise the rights set out in Articles 15–22 GDPR by writing to privacy@cladegrove.comor to the Controller's PEC FabioAriotti@Pec.It. You may also lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it).
8. Updates
This Cookie Policy may be updated when new technologies are introduced or when their purpose changes. The updated version is published on this page with a new "Last updated" date.