AI-Assisted Translation Notice: This document is an AI-assisted translation provided for convenience. The Hebrew version at /he/legal/cookies is the legally binding version. In case of discrepancy between the Hebrew original and this translation, the Hebrew version controls. For clarification in your language: legal@shahar-teamim.co.il
Translation Precedence Clause: In case of discrepancy between the Hebrew original and a translation, the Hebrew version controls. "במקרה של סתירה בין הגרסה העברית המקורית לתרגום, הגרסה העברית גוברת." "في حالة وجود تعارض بين النسخة العبرية الأصلية والترجمة، تسود النسخة العبرية." "В случае расхождений между оригиналом на иврите и переводом, версия на иврите имеет преимущественную силу."
Cookies Policy — Shahar: Flavors from the Heart
Last updated: 2026-04-18 Status: DRAFT — requires attorney review before publication Target URL: /en/legal/cookies
1. What Are Cookies
Cookies are tiny text files that browsers store on your device when you visit a website. They allow the site to remember preferences, manage sessions, and collect analytical information.
In addition to cookies, we also use:
- localStorage / sessionStorage — local browser storage for the shopping cart and temporary data.
- Pixels / Tags — marketing pixels (by consent only).
- Web beacons — in marketing emails to monitor opens.
2. Legal Basis
Under Amendment 13 to the Protection of Privacy Law, 5741-1981 (effective 14/08/2025), explicit and active consent (Opt-in) is required before loading non-essential cookies. A pre-checked checkbox or "continued use = consent" is no longer lawful.
3. Cookie Inventory
Classified into 4 categories:
3.1 Essential Cookies — No Consent Required
| Name | Provider | Purpose | Lifetime |
|---|---|---|---|
sb-access-token | Supabase (shahar-teamim.co.il) | Session auth | Until logout |
sb-refresh-token | Supabase | Session renewal | 30 days |
sha-cart (localStorage) | shahar-teamim.co.il | Shopping cart storage | Until browser cleared |
sha-locale | shahar-teamim.co.il | Interface language (he/en/ar/ru) | 1 year |
csrf_token | shahar-teamim.co.il | CSRF protection | Session |
i4u_session | Invoice4U (at checkout only) | Payment processing | Session |
3.2 Functional Cookies — Consent Required
| Name | Provider | Purpose | Lifetime |
|---|---|---|---|
sha-theme | shahar-teamim.co.il | Light/dark preference | 1 year |
sha-recent-orders | shahar-teamim.co.il | Quick view order history | 30 days |
3.3 Analytics Cookies — Consent Required
| Name | Provider | Purpose | Lifetime |
|---|---|---|---|
_ga | Google Analytics 4 | Unique user identification | 2 years |
_ga_XXXXXX | Google Analytics 4 | Session state | 2 years |
_gid | Google Analytics 4 | Session ID | 24 hours |
ph_* (if embedded) | PostHog | Session replay, funnels | 1 year |
3.4 Marketing Cookies — Consent Required
| Name | Provider | Purpose | Lifetime |
|---|---|---|---|
_fbp | Meta (Facebook Pixel) | Ad retargeting | 90 days |
fr | Meta | Relevance/attribution | 90 days |
_gcl_au | Google Ads | Conversion tracking | 90 days |
IDE | Google DoubleClick | Ad serving | 13 months |
Note: Marketing pixels (Meta, Google Ads) are activated only if an active marketing campaign is running. Default — off.
4. Consent Management
- First visit: A banner at the bottom of the screen with 3 buttons — "Accept all" / "Reject non-essential" / "Customize".
- Customize: A modal with 4 toggles for categories (essential permanently ON).
- Blocked before consent: Functional/analytics/marketing cookies will not load before the user has chosen.
- Saving choice: In localStorage (
sha-consent) and server-side. - Duration: 6 months then consent is re-requested (GDPR best practice; Israel does not mandate an exact duration).
- Changing choice: "Manage cookies" link in the footer → opens the modal.
- Non-consent does not block service: You can order and pay with essential cookies only.
See separate document: cookie-consent-banner-spec.md for full technical specification.
5. Third-Party Cookies — Processing Agreements
| Provider | DPA / Agreement | Processing location | Transfer basis |
|---|---|---|---|
| Google (Analytics, Ads) | Google Data Processing Addendum | USA | SCCs + Data Privacy Framework |
| Meta (Facebook Pixel) | Meta Data Processing Terms | USA | SCCs |
| PostHog | PostHog DPA | EU | — (no cross-border transfer) |
| Supabase | Supabase DPA | EU | SCCs |
6. Revoking Consent
- Via the site: "Manage cookies" in the footer → uncheck → save.
- Via browser: Cookies can be deleted through browser settings. See instructions:
- Direct opt-out:
- Google Analytics: https://tools.google.com/dlpage/gaoptout
- Meta: https://www.facebook.com/ads/preferences
7. Do Not Track
When a browser sends DNT=1, we do not load analytics/marketing cookies, even without explicit consent.
8. Changes
Updates to this policy will be published on this page with a "last updated" date. For a material change (new vendor, new category) — we will request fresh consent.
9. Contact
Email: privacy@shahar-teamim.co.il Suggested subject: "Cookie inquiry"
DRAFT NOTE: The cookie list is accurate but implementation-dependent. A live cookie audit must be performed after deployment (Chrome DevTools → Application → Cookies) and the list updated if additional cookies are loaded.