AI-Assisted Translation Notice: This document is an AI-assisted translation provided for convenience. The Hebrew version at /he/legal/cookies is the legally binding version. In case of discrepancy between the Hebrew original and this translation, the Hebrew version controls. For clarification in your language: legal@shahar-teamim.co.il

Translation Precedence Clause: In case of discrepancy between the Hebrew original and a translation, the Hebrew version controls. "במקרה של סתירה בין הגרסה העברית המקורית לתרגום, הגרסה העברית גוברת." "في حالة وجود تعارض بين النسخة العبرية الأصلية والترجمة، تسود النسخة العبرية." "В случае расхождений между оригиналом на иврите и переводом, версия на иврите имеет преимущественную силу."

Cookies Policy — Shahar: Flavors from the Heart

Last updated: 2026-04-18 Status: DRAFT — requires attorney review before publication Target URL: /en/legal/cookies


1. What Are Cookies

Cookies are tiny text files that browsers store on your device when you visit a website. They allow the site to remember preferences, manage sessions, and collect analytical information.

In addition to cookies, we also use:

  • localStorage / sessionStorage — local browser storage for the shopping cart and temporary data.
  • Pixels / Tags — marketing pixels (by consent only).
  • Web beacons — in marketing emails to monitor opens.

2. Legal Basis

Under Amendment 13 to the Protection of Privacy Law, 5741-1981 (effective 14/08/2025), explicit and active consent (Opt-in) is required before loading non-essential cookies. A pre-checked checkbox or "continued use = consent" is no longer lawful.

3. Cookie Inventory

Classified into 4 categories:

3.1 Essential Cookies — No Consent Required

NameProviderPurposeLifetime
sb-access-tokenSupabase (shahar-teamim.co.il)Session authUntil logout
sb-refresh-tokenSupabaseSession renewal30 days
sha-cart (localStorage)shahar-teamim.co.ilShopping cart storageUntil browser cleared
sha-localeshahar-teamim.co.ilInterface language (he/en/ar/ru)1 year
csrf_tokenshahar-teamim.co.ilCSRF protectionSession
i4u_sessionInvoice4U (at checkout only)Payment processingSession

3.2 Functional Cookies — Consent Required

NameProviderPurposeLifetime
sha-themeshahar-teamim.co.ilLight/dark preference1 year
sha-recent-ordersshahar-teamim.co.ilQuick view order history30 days

3.3 Analytics Cookies — Consent Required

NameProviderPurposeLifetime
_gaGoogle Analytics 4Unique user identification2 years
_ga_XXXXXXGoogle Analytics 4Session state2 years
_gidGoogle Analytics 4Session ID24 hours
ph_* (if embedded)PostHogSession replay, funnels1 year

3.4 Marketing Cookies — Consent Required

NameProviderPurposeLifetime
_fbpMeta (Facebook Pixel)Ad retargeting90 days
frMetaRelevance/attribution90 days
_gcl_auGoogle AdsConversion tracking90 days
IDEGoogle DoubleClickAd serving13 months

Note: Marketing pixels (Meta, Google Ads) are activated only if an active marketing campaign is running. Default — off.

4. Consent Management

  • First visit: A banner at the bottom of the screen with 3 buttons — "Accept all" / "Reject non-essential" / "Customize".
  • Customize: A modal with 4 toggles for categories (essential permanently ON).
  • Blocked before consent: Functional/analytics/marketing cookies will not load before the user has chosen.
  • Saving choice: In localStorage (sha-consent) and server-side.
  • Duration: 6 months then consent is re-requested (GDPR best practice; Israel does not mandate an exact duration).
  • Changing choice: "Manage cookies" link in the footer → opens the modal.
  • Non-consent does not block service: You can order and pay with essential cookies only.

See separate document: cookie-consent-banner-spec.md for full technical specification.

5. Third-Party Cookies — Processing Agreements

ProviderDPA / AgreementProcessing locationTransfer basis
Google (Analytics, Ads)Google Data Processing AddendumUSASCCs + Data Privacy Framework
Meta (Facebook Pixel)Meta Data Processing TermsUSASCCs
PostHogPostHog DPAEU— (no cross-border transfer)
SupabaseSupabase DPAEUSCCs

6. Revoking Consent

7. Do Not Track

When a browser sends DNT=1, we do not load analytics/marketing cookies, even without explicit consent.

8. Changes

Updates to this policy will be published on this page with a "last updated" date. For a material change (new vendor, new category) — we will request fresh consent.

9. Contact

Email: privacy@shahar-teamim.co.il Suggested subject: "Cookie inquiry"


DRAFT NOTE: The cookie list is accurate but implementation-dependent. A live cookie audit must be performed after deployment (Chrome DevTools → Application → Cookies) and the list updated if additional cookies are loaded.