SetVenue Cookie Policy
Effective date: 2026-06-11
Plain-English Summary
SetVenue sets only strictly necessary first-party cookies — the small set needed to keep you signed in, defend the site against cross-site request forgery, and operate the Service. We do not run Google Analytics, Meta Pixel, Plausible Analytics, Mixpanel, Segment, Amplitude, PostHog, Hotjar, FullStory, LogRocket, or any other third-party tracking, advertising, or session-replay tool. Because every cookie we set is necessary for the Service you requested, we do not show a cookie consent banner — under the EU ePrivacy Directive (Art. 5(3)), as interpreted in Article 29 Working Party Opinion 04/2012 on Cookie Consent Exemption (WP194), strictly-necessary cookies are exempt from prior consent. You stay in control of your browser's cookie settings at all times.
This summary is provided for convenience. The numbered sections below are the operative text and control in any conflict.
1. What Cookies Are
Cookies are small text files that a website places on your device's browser when you visit, either through the HTTP Set-Cookie response header or through page script. They allow a site to remember information about your visit — such as that you are signed in, that you have submitted a form, or that you are mid-way through an OAuth handshake — across pages and across visits. Other browser storage technologies behave similarly, including localStorage, sessionStorage, and IndexedDB; for the purposes of this Policy, "cookies" includes those technologies where the same privacy considerations apply.
Cookies can be:
- First-party (set by setvenue.com) or third-party (set by another domain on a page you visit on setvenue.com);
- Session cookies (deleted when you close your browser) or persistent cookies (kept until they expire or you clear them);
- Strictly necessary (without them the site cannot function or cannot function securely) or non-essential (analytics, marketing, behavioral tracking).
This Policy explains which cookies SetVenue sets today and why. It supplements our Privacy Policy, which describes how we handle personal information generally.
Children: SetVenue is not intended for children under the age of 18 (see Terms of Service). We do not knowingly engage in any cookie-based tracking of children under 13 within the meaning of the Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501–6506.
2. Cookies SetVenue Sets
Every cookie SetVenue itself sets is a first-party, strictly-necessary cookie within the meaning of ePrivacy Directive Art. 5(3), as interpreted in Article 29 Working Party Opinion 04/2012 on Cookie Consent Exemption (WP194) — i.e., cookies strictly necessary to provide a service the user explicitly requested. We do not load any non-essential cookies. The current inventory is:
| Cookie name | Purpose | Set by | Party | Lifetime | Flags | Category |
|---|---|---|---|---|---|---|
| ds-session | Authenticates Guest and Host accounts; carries a server-signed session identifier so you remain signed in between requests. | SetVenue (lib/security.ts) | First-party | 30 minutes, sliding (refreshed when the app revalidates your session) | HttpOnly, SameSite=Lax, Secure | Strictly necessary |
| csrf-token | Cross-site request forgery defense (double-submit pattern); issued to every browser that visits the site and required for state-changing requests (form submissions, account updates). Deliberately readable by page scripts — the double-submit pattern requires the page to echo the token back in a request header — so it carries no session secret. | SetVenue (middleware.ts) | First-party | 8 hours from issuance; refreshed only if missing | SameSite=Strict, Secure (not HttpOnly, by design) | Strictly necessary |
| admin-session | Authenticates internal admin users; set by SetVenue's admin sign-in endpoints. | SetVenue (admin sign-in endpoints, e.g. app/api/admin/login/route.ts) | First-party | 8 hours from issuance (fixed; not extended by activity) | HttpOnly, SameSite=Strict, Secure | Strictly necessary |
| host-session | Set after a Host completes email-OTP verification; carries Host-flow session state. | SetVenue (app/api/host/verify/route.ts) | First-party | 24 hours | HttpOnly, SameSite=Strict, Secure | Strictly necessary |
| gcal_oauth_state | Carries the CSRF-defense state value during the Google Calendar OAuth handshake (Hosts connecting a calendar). | SetVenue (app/api/auth/google-calendar/start/route.ts) | First-party | ~10 minutes (single handshake) | HttpOnly, SameSite=Lax, Secure, Path=/api/auth/google-calendar | Strictly necessary (transient OAuth security) |
| gcal_writeback_state | CSRF-defense state value during the Google Calendar writeback OAuth handshake. | SetVenue (app/api/auth/google-calendar-writeback/start/route.ts) | First-party | ~10 minutes (single handshake) | HttpOnly, SameSite=Lax, Secure, path-scoped to the writeback OAuth route | Strictly necessary (transient OAuth security) |
| mscal_oauth_state | CSRF-defense state value during the Microsoft Calendar OAuth handshake. | SetVenue (app/api/auth/microsoft-calendar/start/route.ts) | First-party | ~10 minutes (single handshake) | HttpOnly, SameSite=Lax, Secure, path-scoped to the Microsoft OAuth route | Strictly necessary (transient OAuth security) |
| sb-<project-ref>-auth-token / sb-access-token / sb-refresh-token (collectively, sb-*) | Supabase authentication cookies; maintain your authenticated session against the Supabase backend across server and client renders. | Supabase client libraries on the setvenue.com domain (server-side via SetVenue middleware and client-side in the browser) | First-party | Up to 400 days (Supabase default maxAge); the tokens inside rotate regularly (access tokens are short-lived and refreshed) | SameSite=Lax, Secure (not HttpOnly — the Supabase browser client reads and writes these via script, which is how the library is designed to work) | Strictly necessary |
| __stripe_mid / __stripe_sid | Stripe fraud-prevention and payment-security cookies, set first-party on setvenue.com by Stripe.js on pages that load payment components. | Stripe.js (on setvenue.com) | First-party (set by Stripe's script on our domain) | ~1 year (__stripe_mid) / ~30 minutes (__stripe_sid) | Per Stripe.js defaults | Strictly necessary (payment fraud prevention) |
Local storage. The Service uses your browser's localStorage and sessionStorage for client-side state that is broader than "preferences," and we want to be accurate about it: when you sign in, a signed-in user identity object (your user ID, name, and email) is stored in localStorage so the interface can render your account state; other keys hold insurance-certificate records you upload through the insurance flow (including policy numbers), favorites, listing-comparison and cart selections, saved searches, in-progress form drafts, a rebooking-prefill object (sessionStorage), and a last-activity timestamp used for session-idle handling. These items live on your device and are not sent to our servers as cookies (the data they mirror — e.g., your account profile — also exists server-side under the Privacy Policy). You can clear them at any time through your browser's storage controls; signing out clears the identity object.
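The csrf-token row above describes the double-submit pattern in one sentence: a cookie that script may read, echoed back in a request header, compared server-side. The following is an added example of that check and is not SetVenue's middleware.ts or lib/security.ts. It assumes the echoed header is named X-CSRF-Token (the page does not name it), a 32-byte hex token, the 8-hour lifetime and SameSite=Strict; Secure flags from the inventory, and a minimal Headers-like reader so it runs without a web framework. The sample requests at the bottom are constructed.

```typescript
import { randomBytes, timingSafeEqual } from "crypto";

// Assumed names for illustration: the cookie name matches the inventory;
// the request header name is not stated on the page.
const CSRF_COOKIE = "csrf-token";
const CSRF_HEADER = "x-csrf-token";
const EIGHT_HOURS_S = 8 * 60 * 60;
// Safe methods (GET, HEAD, OPTIONS) do not change state and are not checked.
const STATE_CHANGING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Anything with a case-insensitive get(), e.g. the WHATWG Headers object.
interface HeaderReader { get(name: string): string | null; }

/** Mint a fresh token: 32 random bytes, hex-encoded (64 characters). */
function newCsrfToken(): string {
  return randomBytes(32).toString("hex");
}

/** Set-Cookie value. No HttpOnly on purpose: the page must read it to echo it. */
function csrfSetCookie(token: string): string {
  return `${CSRF_COOKIE}=${token}; Max-Age=${EIGHT_HOURS_S}; Path=/; SameSite=Strict; Secure`;
}

/** Parse a Cookie request header into name -> value (first occurrence wins). */
function parseCookies(header: string | null): Map<string, string> {
  const out = new Map<string, string>();
  if (!header) return out;
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name && !out.has(name)) out.set(name, value);
  }
  return out;
}

/** Shape check: rejects anything that is not exactly 64 lowercase hex chars. */
function tokenLooksValid(t: string): boolean {
  return /^[0-9a-f]{64}$/.test(t);
}

type CsrfResult = "ok" | "missing-cookie" | "missing-header" | "mismatch";

/** The double-submit check: cookie value must equal the header value. */
function checkCsrf(method: string, headers: HeaderReader): CsrfResult {
  if (!STATE_CHANGING.has(method.toUpperCase())) return "ok";
  const cookieTok = parseCookies(headers.get("cookie")).get(CSRF_COOKIE);
  if (!cookieTok || !tokenLooksValid(cookieTok)) return "missing-cookie";
  const headerTok = headers.get(CSRF_HEADER);
  if (!headerTok || !tokenLooksValid(headerTok)) return "missing-header";
  // Both validated to the same length, so a constant-time compare is safe.
  return timingSafeEqual(Buffer.from(cookieTok), Buffer.from(headerTok)) ? "ok" : "mismatch";
}

/** "Refreshed only if missing": returns a Set-Cookie value, or null if one is already present. */
function maybeIssueCsrf(headers: HeaderReader): string | null {
  const existing = parseCookies(headers.get("cookie")).get(CSRF_COOKIE);
  if (existing && tokenLooksValid(existing)) return null;
  return csrfSetCookie(newCsrfToken());
}

/** Build a HeaderReader from a plain object (for constructed sample requests). */
function headersOf(obj: Record<string, string>): HeaderReader {
  const lower: Record<string, string> = {};
  for (const [k, v] of Object.entries(obj)) lower[k.toLowerCase()] = v;
  return { get: (n) => lower[n.toLowerCase()] ?? null };
}

// Constructed sample requests (not real traffic).
const tok = newCsrfToken();
console.log(checkCsrf("GET", headersOf({})));                                   // ok (safe method)
console.log(checkCsrf("POST", headersOf({ Cookie: `csrf-token=${tok}` })));     // missing-header
console.log(checkCsrf("POST", headersOf({ Cookie: `csrf-token=${tok}`, "X-CSRF-Token": tok }))); // ok
console.log(maybeIssueCsrf(headersOf({})));                                     // a Set-Cookie string
```

Because a cross-site page cannot read the cookie (same-origin policy) and SameSite=Strict keeps the browser from attaching it to cross-site requests in the first place, a forged request cannot supply a matching header, which is the entire security argument for the pattern and why the cookie may safely be script-readable.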
3. Third-Party Services
SetVenue itself does not set any third-party advertising or analytics cookie. We do not use:
- Google Analytics, Google Tag Manager, or any Google advertising tag;
- Meta Pixel / Facebook Pixel or any Meta business tool;
- Plausible Analytics, Mixpanel, Segment, Amplitude, PostHog, Heap, or any equivalent product analytics tool;
- Hotjar, FullStory, LogRocket, Microsoft Clarity, Smartlook, Mouseflow, or any session-replay, screen-recording, scroll-tracking, or mouse-movement-tracking tool;
- Any advertising network, retargeting tag, affiliate tracker, or third-party social-login widget that would set cookies on your device on setvenue.com. (SetVenue does offer a redirect-based "Continue with Google" sign-in: the sign-in happens on Google's own pages, and that flow does not set Google cookies on setvenue.com.)
A small number of third-party services that we use to operate the Service may set their own cookies in specific, narrow contexts:
3.1 Stripe (payments)
SetVenue uses Stripe to process payments. On pages that load Stripe payment components, Stripe.js sets its own fraud-prevention cookies — __stripe_mid (~1 year) and __stripe_sid (~30 minutes) — first-party on the setvenue.com domain (they are listed in the § 2 inventory above). If you are redirected to a Stripe-hosted surface, Stripe may additionally set cookies under Stripe's own domain, governed by Stripe's privacy and cookie policies. SetVenue does not read Stripe's cookies or use them for anything beyond their payment-security function.
- Stripe Privacy Policy: https://stripe.com/privacy
- Stripe Cookie Policy: https://stripe.com/legal/cookies
3.2 Cloudflare (DNS and email routing only — no cookies)
SetVenue uses Cloudflare for DNS resolution for setvenue.com and for inbound email routing (e.g., forwarding mail sent to setvenue.com addresses). Cloudflare does not proxy or serve the Service's web traffic, and no Cloudflare cookie (such as __cf_bm or cf_clearance) is set on setvenue.com. If SetVenue later places Cloudflare in front of Service traffic, this Policy will be updated to disclose any resulting cookies before that change ships.
- Cloudflare Privacy Policy: https://www.cloudflare.com/privacypolicy/
3.3 Supabase (authentication and database)
SetVenue uses Supabase for authentication and as its primary database. As described in § 2 above, Supabase's client libraries set authentication cookies (sb-*) on the setvenue.com domain (long-lived cookie shells, up to 400 days, carrying regularly rotating tokens; not HttpOnly because the Supabase browser client manages them via script). These cookies are strictly necessary for maintaining your authenticated session. Their content is governed in part by Supabase's published behavior; SetVenue is the controller of the personal data those tokens reference.
- Supabase Privacy Policy: https://supabase.com/privacy
4. Why We Do Not Show a Cookie Consent Banner
Under ePrivacy Directive 2002/58/EC, Article 5(3), the consent requirement for storing information on a user's terminal equipment does not apply to a cookie that is strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service. The Article 29 Working Party's Opinion 04/2012 on Cookie Consent Exemption (WP194) explains that authentication cookies, user-input cookies, security cookies (including CSRF tokens), and load-balancing or session-state cookies fall within this exemption.
Every cookie SetVenue sets falls within that exemption:
- ds-session, admin-session, host-session, and sb-* — authentication state for the service the user explicitly requested (signing in).
- csrf-token — security cookie defending state-changing requests against CSRF.
- gcal_oauth_state, gcal_writeback_state, mscal_oauth_state — transient security state for an OAuth handshake the user explicitly initiated.
- __stripe_mid / __stripe_sid (set by Stripe.js on payment pages) — payment-security and fraud-prevention cookies strictly necessary for the payment the user requested.
Because no cookie set on setvenue.com requires consent under Art. 5(3), and because SetVenue does not load any third-party analytics, advertising, or behavioral-tracking cookies, a cookie consent banner is not legally required and is not displayed. This posture is consistent with the "no consent for strictly-necessary" rule and is the position SetVenue has chosen to occupy by design.
If you are in the European Economic Area, the United Kingdom, or another jurisdiction with an Art. 5(3)-equivalent regime, the same analysis applies. If you are in California or another U.S. state with a Consumer Privacy Act, the relevant disclosure requirements are addressed below in § 7.
5. Future Changes
SetVenue's current posture is "strictly-necessary cookies only, no consent banner." We do not currently plan to add advertising, marketing, or third-party behavioral-tracking cookies. If that ever changes:
- We will update this Policy to identify any new cookie or category, what it does, and who sets it, before the cookie is deployed in production.
- We will display a consent banner that meets the EDPB's Guidelines 05/2020 on Consent (specific, informed, freely-given, unambiguous, as easy to withdraw as to give) before loading any non-essential cookie.
- We will not pre-check any optional consent. The default state will be "no non-essential cookies."
- We will publish the change on this page with a refreshed Effective date.
If we adopt a privacy-respecting, cookieless server-side analytics product (for example, Vercel Analytics' cookieless edge logs or a comparable tool), we will update this Policy to disclose that processing even though no cookie is involved — consistent with the scope set in § 1 (which treats comparable browser storage as "cookies") and the disclosure commitments in § 8 of this Policy, which cover browser-side processing whether or not a cookie is the mechanism.
6. Your Choices
Even though SetVenue's cookies are strictly necessary and do not require consent, you retain full control of cookie storage on your device.
6.1 Browser controls
All major browsers let you view, block, or delete cookies. Useful starting points (navigate to these from your browser address bar; do not click them from inside an email client):
- Chrome: chrome://settings/cookies
- Safari (macOS): Safari → Settings → Privacy → Manage Website Data
- Firefox: about:preferences#privacy
- Edge: edge://settings/content/cookies
Blocking SetVenue's strictly-necessary cookies will break sign-in, checkout, OAuth-based calendar integrations, and CSRF-protected actions. This is the trade-off inherent in the strictly-necessary category (ePrivacy Art. 5(3); Art. 29 WP Opinion 04/2012 (WP194)) — a cookie is strictly necessary only because the service cannot function without it.
6.2 Do Not Track
SetVenue does not currently respond to browser "Do Not Track" (DNT) signals because no consistent industry standard for DNT has been adopted. This disclosure of how we respond to DNT signals is made as required by Cal. Bus. & Prof. Code § 22575(b)(5).
6.3 Global Privacy Control (GPC)
SetVenue parses the Sec-GPC request header and the navigator.globalPrivacyControl browser property and treats a present signal as a valid opt-out of the "sale" and "sharing" of personal information and as a withdrawal of analytics consent, consistent with Cal. Civ. Code § 1798.135(b)(1) and the CPPA regulations at 11 C.C.R. § 7025. Because SetVenue does not sell or "share" personal information and loads no non-essential or third-party tracking cookies, a GPC signal does not change what we collect today; the parser ensures that if our practices ever change, a GPC opt-out is honored automatically. This is consistent with the Privacy Policy § 4.6.
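The paragraph above names the two signals and the rule applied to them. As an added example, not SetVenue's own parser, the block below recognises a Global Privacy Control signal on the server (Sec-GPC request header) and in the browser (navigator.globalPrivacyControl), then shows how it gates cookie categories: strictly-necessary cookies are unaffected, anything consent-based is dropped. The category names, the decision function and the sample inputs are assumptions for illustration.

```typescript
// Anything with a case-insensitive get(), e.g. the WHATWG Headers object.
interface HeaderReader { get(name: string): string | null; }

/** Server side. The GPC specification defines a single opt-out value, "1";
 *  anything else (absent, "0", garbage) is treated as no signal. */
function gpcFromHeaders(headers: HeaderReader): boolean {
  const v = headers.get("sec-gpc");
  return v !== null && v.trim() === "1";
}

/** Browser side. navigator.globalPrivacyControl is the boolean true when set;
 *  a string "1" or any other truthy value is not a valid signal. */
function gpcFromNavigator(nav: { globalPrivacyControl?: unknown }): boolean {
  return nav.globalPrivacyControl === true;
}

// Assumed category names; only the first exists in the current inventory (§ 2).
type Category = "strictly-necessary" | "analytics" | "marketing";
const CURRENT_CATEGORIES: readonly Category[] = ["strictly-necessary"];

/**
 * Decide which categories may be loaded for this request.
 * Strictly-necessary cookies need no consent (ePrivacy Art. 5(3)) and ignore GPC.
 * Every other category needs recorded consent AND no GPC signal, because a GPC
 * signal is treated as a withdrawal of that consent.
 */
function allowedCategories(
  requested: readonly Category[],
  consented: ReadonlySet<Category>,
  gpc: boolean,
): Category[] {
  return requested.filter((c) => c === "strictly-necessary" || (!gpc && consented.has(c)));
}

/** Build a HeaderReader from a plain object (for constructed sample requests). */
function headersOf(obj: Record<string, string>): HeaderReader {
  const lower: Record<string, string> = {};
  for (const [k, v] of Object.entries(obj)) lower[k.toLowerCase()] = v;
  return { get: (n) => lower[n.toLowerCase()] ?? null };
}

// Constructed sample requests (not real traffic).
const optedOut = gpcFromHeaders(headersOf({ "Sec-GPC": "1" }));
console.log(optedOut);                                                      // true
console.log(allowedCategories(CURRENT_CATEGORIES, new Set<Category>(), optedOut)); // ["strictly-necessary"]
// If an analytics category existed and the user had consented, GPC would still drop it:
console.log(allowedCategories(["strictly-necessary", "analytics"], new Set<Category>(["analytics"]), optedOut));
```

The last line is the property the policy relies on: with today's inventory the signal changes nothing, and if a consent-based category were ever added, the same function would suppress it without further code changes.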
6.4 Right to opt out of "sale" or "sharing"
SetVenue does not sell or share personal information for cross-context behavioral advertising within the meaning of Cal. Civ. Code § 1798.140(ad) or (ah). See our Privacy Policy for the full opt-out rights disclosure under the California Consumer Privacy Act and other applicable state privacy laws.
6.5 Withdrawal of any future consent
If we ever rely on your consent to load a non-essential cookie, you will be able to withdraw that consent at any time without affecting the lawfulness of processing that occurred before withdrawal. Withdrawal will be as easy as giving consent (per GDPR Art. 7(3)).
7. Statutory Disclosures
This Policy is intended to satisfy:
- EU / EEA / UK: ePrivacy Directive 2002/58/EC Art. 5(3) (consent for non-strictly-necessary cookies — not triggered here because SetVenue loads only strictly-necessary cookies), as interpreted in Article 29 Working Party Opinion 04/2012 on Cookie Consent Exemption (WP194); GDPR Art. 13–14 (information notice); EDPB Guidelines 05/2020 on Consent (if and when consent becomes required in the future).
- California: Cal. Bus. & Prof. Code § 22575 (CalOPPA — disclosure of categories of personally identifiable information collected, third parties with which it may be shared, and the operator's response to "Do Not Track" signals); Cal. Civ. Code §§ 1798.100–1798.199.100 (CCPA / CPRA — see Privacy Policy); Cal. Civ. Code § 1798.135 (right to opt out of sale or sharing).
- California — wiretap: Cal. Penal Code § 631 / § 632 (CIPA). SetVenue does not use any session-replay, screen-recording, scroll-tracking, mouse-movement-tracking, keystroke-logging, or other behavioral-monitoring technology that could give rise to wiretap claims under Javier v. Assurance IQ, LLC, No. 21-16351, 2022 WL 1744107 (9th Cir. May 31, 2022).
- United States — federal: FTC Act § 5 (deceptive or unfair trade practices) — this Policy represents only what SetVenue actually does; we do not make affirmative claims about features (analytics opt-in, footer preference manager) that are not present in the codebase.
8. Updates to This Policy
We will update this Policy whenever we add, remove, or materially change a cookie — and we commit to transparent disclosure of any materially new browser-side storage or processing mechanism (localStorage, server-side measurement, or similar), whether or not a cookie is the mechanism. Material updates will be reflected by:
- a refreshed "Effective date" at the top of this Policy;
- where required by law or by the nature of the change, a banner prompt or in-product notice; and
- where the change introduces a non-essential cookie, fresh consent obtained through a renewed banner prompt before the cookie is loaded.
We will give reasonable advance notice of material changes that affect any future consent.
9. Contact
For cookie-related questions or to exercise any of the rights described in our Privacy Policy:
- Email: privacy@setvenue.com
- Postal: Set Venue LLC, 6927 Willis Ave, Van Nuys, CA 91405