SetVenue Cookie Policy
Last updated: 2026-05-26
Effective date: [EFFECTIVE DATE]
Plain-English Summary
SetVenue sets only strictly necessary first-party cookies — the small set needed to keep you signed in, defend the site against cross-site request forgery, and operate the Service. We do not run Google Analytics, Meta Pixel, Plausible Analytics, Mixpanel, Segment, Amplitude, PostHog, Hotjar, FullStory, LogRocket, or any other third-party tracking, advertising, or session-replay tool. Because every cookie we set is necessary for the Service you requested, we do not show a cookie consent banner — under the EU ePrivacy Directive (Art. 5(3)) and the EDPB's Guidelines 2/2023, strictly-necessary cookies are exempt from prior consent. You stay in control of your browser's cookie settings at all times.
This summary is provided for convenience. The numbered sections below are the operative text and control in any conflict.
1. What Cookies Are
Cookies are small text files that a website places on your device's browser when you visit. They allow a site to remember information about your visit — such as that you are signed in, that you have submitted a form, or that you are mid-way through an OAuth handshake — across pages and across visits. Other technologies behave similarly, including localStorage, sessionStorage, IndexedDB, and HTTP Set-Cookie headers; for the purposes of this Policy, "cookies" includes those technologies where the same privacy considerations apply.
Cookies can be:
- First-party (set by setvenue.com) or third-party (set by another domain on a page you visit on setvenue.com);
- Session cookies (deleted when you close your browser) or persistent cookies (kept until they expire or you clear them);
- Strictly necessary (without them the site cannot function or cannot function securely) or non-essential (analytics, marketing, behavioral tracking).
This Policy explains which cookies SetVenue sets today and why. It supplements our Privacy Policy, which describes how we handle personal information generally.
Users: SetVenue is not intended for children under the age of 18 (see Terms of Service). We do not knowingly engage in any cookie-based tracking of children under 13 within the meaning of the Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501–6506.
2. Cookies SetVenue Sets
Every cookie SetVenue itself sets is a first-party, strictly-necessary cookie within the meaning of ePrivacy Directive Art. 5(3) and EDPB Guidelines 2/2023 ¶¶ 17–24 (i.e., cookies that are "strictly necessary for the provision of a service explicitly requested by the user"). We do not load any non-essential cookies. The current inventory is:
| Cookie name | Purpose | Set by | Party | Lifetime | Flags | Category |
|---|---|---|---|---|---|---|
| ds-session | Authenticates Guest and Host accounts; carries a server-signed session identifier so you remain signed in between requests. | SetVenue (lib/security.ts) | First-party | 30 minutes, sliding (refreshed on each authenticated request) | HttpOnly, SameSite=Lax, Secure | Strictly necessary |
| csrf-token | Cross-site request forgery defense; bound to your session and required for state-changing requests (form submissions, account updates). | SetVenue (middleware.ts) | First-party | 8 hours from issuance; refreshed only if missing | SameSite=Lax, Secure | Strictly necessary |
| admin-session | Authenticates internal admin users; set only on the admin surface. | SetVenue (app/api/admin/login/route.ts) | First-party | 8 hours from issuance (fixed; not extended by activity) | HttpOnly, SameSite=Lax, Secure | Strictly necessary |
| host-session | Set after a Host completes email-OTP verification; carries Host-flow session state. | SetVenue (app/api/host/verify/route.ts) | First-party | 24 hours | HttpOnly, SameSite=Strict, Secure | Strictly necessary |
| gcal_oauth_state | Carries the CSRF-defense state value during the Google Calendar OAuth handshake (Hosts connecting calendar). | SetVenue (app/api/auth/google-calendar/start/route.ts) | First-party | ~10 minutes (single handshake) | HttpOnly, SameSite=Lax, Secure, Path=/api/auth/google-calendar | Strictly necessary (transient OAuth security) |
| gcal_writeback_state | CSRF-defense state value during the Google Calendar writeback OAuth handshake. | SetVenue (app/api/auth/google-calendar-writeback/start/route.ts) | First-party | ~10 minutes (single handshake) | HttpOnly, SameSite=Lax, Secure | Strictly necessary (transient OAuth security) |
| mscal_oauth_state | CSRF-defense state value during the Microsoft Calendar OAuth handshake. | SetVenue (app/api/auth/microsoft-calendar/start/route.ts) | First-party | ~10 minutes (single handshake) | HttpOnly, SameSite=Lax, Secure | Strictly necessary (transient OAuth security) |
| sb-<project-ref>-auth-token / sb-access-token / sb-refresh-token (collectively, sb-*) | Supabase Server-Side Rendering (SSR) authentication cookies; forwarded to the browser by Supabase's SSR client on every request through SetVenue's middleware. Required to maintain your authenticated session against the Supabase backend. | Supabase SSR client, set on the setvenue.com domain via SetVenue middleware (utils/supabase/middleware.ts) | First-party (set on the setvenue.com domain by a back-end service operating on SetVenue's behalf) | Session and short-lived refresh tokens; managed by Supabase per their published defaults | HttpOnly, SameSite=Lax, Secure | Strictly necessary |
Local storage. A small number of UI features use your browser's localStorage or sessionStorage to remember per-device preferences (for example, a recently-viewed Listing or an in-progress form draft). These items remain on your device, are not transmitted to our servers as cookies, and can be cleared at any time through your browser's storage controls.
Theme preference. Where the Service exposes a light/dark theme toggle, your selection may be stored client-side in localStorage rather than in a cookie. It is purely a UI preference and is not sent to our servers.
3. Third-Party Services
SetVenue itself does not set any third-party advertising or analytics cookie. We do not use:
- Google Analytics, Google Tag Manager, or any Google advertising tag;
- Meta Pixel / Facebook Pixel or any Meta business tool;
- Plausible Analytics, Mixpanel, Segment, Amplitude, PostHog, Heap, or any equivalent product analytics tool;
- Hotjar, FullStory, LogRocket, Microsoft Clarity, Smartlook, Mouseflow, or any session-replay, screen-recording, scroll-tracking, or mouse-movement-tracking tool;
- Any advertising network, retargeting tag, affiliate tracker, or third-party social-login button that would set cookies on your device on setvenue.com.
A small number of third-party services that we use to operate the Service may set their own cookies in specific, narrow contexts:
3.1 Stripe (payments)
SetVenue uses Stripe Connect to process payments. When you initiate a payment, your browser interacts with Stripe surfaces (Stripe Checkout pages and/or Stripe Elements components) that may set Stripe's own cookies for fraud detection and payment security. Those cookies are set by Stripe under Stripe's domain and governed by Stripe's privacy and cookie policies, not by SetVenue. We do not control, read, or share in Stripe's cookies.
- Stripe Privacy Policy: https://stripe.com/privacy
- Stripe Cookie Policy: https://stripe.com/legal/cookies
3.2 Cloudflare (CDN, DNS, and DDoS protection)
SetVenue uses Cloudflare to provide DNS resolution, content-delivery acceleration, and DDoS / bot-management protection in front of the Service. As a standard part of this protection, Cloudflare sets a cookie named __cf_bm (and may set cf_clearance during challenge resolution) on every request that traverses its network. These cookies are set by Cloudflare, on SetVenue's behalf, to distinguish human traffic from bots; they are strictly necessary for the security and availability of the Service within the meaning of ePrivacy Directive Art. 5(3). SetVenue does not control these cookies, and they are governed by Cloudflare's privacy policy.
- Cloudflare __cf_bm cookie reference: https://developers.cloudflare.com/fundamentals/reference/policies-compliances/cloudflare-cookies/
- Cloudflare Privacy Policy: https://www.cloudflare.com/privacypolicy/
3.3 Supabase (authentication and database)
SetVenue uses Supabase for authentication and as its primary database. As described in § 2 above, Supabase's SSR client sets short-lived authentication cookies (sb-*) on the setvenue.com domain through SetVenue's middleware. These cookies are strictly necessary for maintaining your authenticated session. Their content is governed in part by Supabase's published behavior; SetVenue is the controller of the personal data those tokens reference.
- Supabase Privacy Policy: https://supabase.com/privacy
4. Why We Do Not Show a Cookie Consent Banner
Under ePrivacy Directive 2002/58/EC, Article 5(3), the consent requirement for storing information on a user's terminal equipment does not apply to a cookie that is "strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service." The European Data Protection Board's Guidelines 2/2023 on the Technical Scope of Article 5(3) further clarify (¶¶ 17–24) that authentication cookies, user-input cookies, security cookies (including CSRF tokens), and load-balancing or session-state cookies fall within this exemption.
Every cookie SetVenue sets falls within that exemption:
- ds-session, admin-session, host-session, and sb-* — authentication state for the service the user explicitly requested (signing in).
- csrf-token — security cookie defending state-changing requests against CSRF.
- gcal_oauth_state, gcal_writeback_state, mscal_oauth_state — transient security state for an OAuth handshake the user explicitly initiated.
- __cf_bm (set by Cloudflare) — bot-management cookie strictly necessary for the security and availability of the Service.
Because no cookie set by SetVenue (or by Cloudflare on SetVenue's behalf for site security) requires consent under Art. 5(3), and because SetVenue does not load any third-party analytics, advertising, or behavioral-tracking cookies, a cookie consent banner is not legally required and is not displayed. This posture is consistent with the EDPB's "no consent for strictly-necessary" rule and is the position SetVenue has chosen to occupy by design.
If you are in the European Economic Area, the United Kingdom, or another jurisdiction with an Art. 5(3)-equivalent regime, the same analysis applies. If you are in California or another U.S. state with a Consumer Privacy Act, the relevant disclosure requirements are addressed below in § 7.
5. Future Changes
SetVenue's current posture is "strictly-necessary cookies only, no consent banner." We do not currently plan to add advertising, marketing, or third-party behavioral-tracking cookies. If that ever changes:
- We will update this Policy to identify any new cookie or category, what it does, and who sets it, before the cookie is deployed in production.
- We will display a consent banner that meets the EDPB's Guidelines 05/2020 on Consent (specific, informed, freely-given, unambiguous, as easy to withdraw as to give) before loading any non-essential cookie.
- We will not pre-check any optional consent. The default state will be "no non-essential cookies."
- We will publish the change on this page with a refreshed Effective date.
If we adopt a privacy-respecting, cookieless server-side analytics product (for example, Vercel Analytics' cookieless edge logs or a comparable tool), we will update this Policy to disclose that processing even though no cookie is involved — because § 6 of this Policy already commits us to transparent disclosure of all browser-side processing whether or not a cookie is the mechanism.
TODO (forward-looking, not contractual): If SetVenue later enables a cookieless server-side analytics tool, update this Policy to disclose the data collected, the retention period, and the lawful basis. A consent banner is not required for cookieless server-side analytics that meets the EDPB Guidelines 2/2023 cookieless-measurement criteria, but disclosure remains required.
6. Your Choices
Even though SetVenue's cookies are strictly necessary and do not require consent, you retain full control of cookie storage on your device.
6.1 Browser controls
All major browsers let you view, block, or delete cookies. Useful starting points (navigate to these from your browser address bar; do not click them from inside an email client):
- Chrome: chrome://settings/cookies
- Safari (macOS): Safari → Settings → Privacy → Manage Website Data
- Firefox: about:preferences#privacy
- Edge: edge://settings/content/cookies
Blocking SetVenue's strictly-necessary cookies will break sign-in, checkout, OAuth-based calendar integrations, and CSRF-protected actions. This is the same trade-off described in EDPB Guidelines 2/2023 — a cookie is strictly necessary only because the service cannot function without it.
6.2 Do Not Track
SetVenue does not currently respond to browser "Do Not Track" (DNT) signals because no consistent industry standard for DNT has been adopted (as expressly recognized by Cal. Bus. & Prof. Code § 22575(b)(5)).
6.3 Global Privacy Control (GPC)
TODO — implementation gap (forward-looking). SetVenue does not currently parse the Sec-GPC request header or the navigator.globalPrivacyControl browser property. Because we do not sell or "share" personal information for cross-context behavioral advertising (see Privacy Policy), and because we load no non-essential cookies, GPC has no practical effect on what we collect today. We intend to add explicit GPC parsing in a future release for symbolic compliance with Cal. Civ. Code § 1798.135(b)(1)(A) and CPPA regs at 11 C.C.R. § 7025. Until that release ships, this Policy does not claim that we honor GPC programmatically.
6.4 Right to opt out of "sale" or "sharing"
SetVenue does not sell or share personal information for cross-context behavioral advertising within the meaning of Cal. Civ. Code § 1798.140(ad) or (ah). See our Privacy Policy for the full opt-out rights disclosure under the California Consumer Privacy Act and other applicable state privacy laws.
6.5 Withdrawal of any future consent
If we ever rely on your consent to load a non-essential cookie, you will be able to withdraw that consent at any time without affecting the lawfulness of processing that occurred before withdrawal. Withdrawal will be as easy as giving consent (per GDPR Art. 7(3)).
7. Statutory Disclosures
This Policy is intended to satisfy:
- EU / EEA / UK: ePrivacy Directive 2002/58/EC Art. 5(3) (consent for non-strictly-necessary cookies — not triggered here because SetVenue loads only strictly-necessary cookies); GDPR Art. 13–14 (information notice); EDPB Guidelines 2/2023 on the Technical Scope of Art. 5(3) (strictly-necessary scope); EDPB Guidelines 05/2020 on Consent (if and when consent becomes required in the future).
- California: Cal. Bus. & Prof. Code § 22575 (CalOPPA — disclosure of categories of personally identifiable information collected, third parties with which it may be shared, and the operator's response to "Do Not Track" signals); Cal. Civ. Code §§ 1798.100–1798.199.100 (CCPA / CPRA — see Privacy Policy); Cal. Civ. Code § 1798.135 (right to opt out of sale or sharing).
- California — wiretap: Cal. Penal Code § 631 / § 632 (CIPA). SetVenue does not use any session-replay, screen-recording, scroll-tracking, mouse-movement-tracking, keystroke-logging, or other behavioral-monitoring technology that could give rise to wiretap claims under Javier v. Assurance IQ, LLC, No. 21-16351, 2022 WL 1744107 (9th Cir. May 31, 2022).
- United States — federal: FTC Act § 5 (deceptive or unfair trade practices) — this Policy represents only what SetVenue actually does; we do not make affirmative claims about features (analytics opt-in, GPC honoring, footer preference manager) that are not present in the codebase.
8. Updates to This Policy
We will update this Policy whenever we add, remove, or materially change a cookie. Material updates will be reflected by:
- a refreshed "Effective date" at the top of this Policy;
- where required by law or by the nature of the change, a banner prompt or in-product notice; and
- where the change introduces a non-essential cookie, fresh consent obtained through a renewed banner prompt before the cookie is loaded.
We will give reasonable advance notice of material changes that affect any future consent.
9. Contact
For cookie-related questions or to exercise any of the rights described in our Privacy Policy:
- Email: privacy@setvenue.com
- Postal: Set Venue LLC, 6927 Willis Ave, Van Nuys, CA 91405
Drafting Note (informational, not contractual)
This V7.3.5 PRE-FILLED DRAFT is a Path A rewrite under the 2026-05-26 audit. The prior v5-FINAL text described a product that included Plausible Analytics, a consent banner with Accept / Customize / Marketing toggles, a footer "Manage cookie preferences" link, and programmatic GPC honoring — none of which the codebase implemented. Rather than retrofit the code to match the prior text, SetVenue elected to align the Policy to the actual product posture: strictly-necessary first-party cookies only, no consent banner, no third-party tracking. This rewrite supersedes v5-FINAL in full.