Cookie Policy
This Cookie Policy explains how Secure Payment Ltd, trading as Halsworth & Hayes, uses cookies and similar technologies on halsworthhayes.shop. It should be read alongside our Privacy Policy and Terms & Conditions. The policy is written to comply with Regulation 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 as amended (“PECR”) and the consent standard of the United Kingdom General Data Protection Regulation (“UK GDPR”).
1. What cookies are
Cookies are small text files placed on your device when you visit a website. They are read on subsequent visits to remember preferences, keep you signed in, secure transactions, measure traffic, or deliver advertising. We also use comparable technologies such as pixels, web beacons, software development kits, local and session storage objects, IndexedDB entries, server log identifiers and limited browser fingerprints, all of which we describe collectively in this policy as “cookies” for ease of reading. The same legal regime under PECR Regulation 6 applies to each of these technologies regardless of the name we have given them.
Some cookies last only for the duration of a single browsing session and are deleted when you close the tab (“session cookies”). Others remain on your device for a defined period and are read on each subsequent visit (“persistent cookies”). The maximum lifespan we apply to any persistent cookie set directly by us is 24 months, after which it is overwritten or removed.
1A. Who is the data controller
The data controller for personal data processed through cookies on this storefront is Secure Payment Ltd, trading as Halsworth & Hayes, Companies House number 16138815, registered at Lytchett House, 13 Freeland Park, Wareham Road, Poole, Dorset, BH16 6FA, England. You may contact us about cookies and tracking at contact@halsworthhayes.shop.
2. Our legal basis for using cookies
Under PECR, we may store information on, or read information from, your device only if the cookie is “strictly necessary” for a service you have requested, or you have given prior consent. Consent must be freely given, specific, informed and unambiguous and meet the standard set out in Article 4(11) UK GDPR. Strictly necessary cookies load by default. All other categories load only after you accept them through our cookie banner. You may withdraw consent at any time using the “Cookie preferences” link in the footer.
3. First-party and third-party cookies
First-party cookies are set directly by halsworthhayes.shop. Third-party cookies are set by service providers operating on our behalf (for example Shopify, Stripe, Cloudflare, Google) and may be governed additionally by their own privacy notices. Disabling third-party cookies in your browser does not affect strictly necessary first-party cookies that are essential for the site to function.
4. Categories of cookies we use
4.1 Strictly necessary
These cookies are essential for the site, the basket and the checkout to operate. They cannot be switched off and they do not store information that personally identifies you for marketing purposes. They rely on Article 6(1)(b) UK GDPR (performance of a contract) and the strictly necessary exception in PECR Regulation 6(4).
| Cookie | Provider | Purpose | Lifespan |
|---|---|---|---|
| _shopify_y, _y | Shopify (first-party) | Unique visitor identifier used for storefront load balancing | 1 year |
| _shopify_s, _s | Shopify (first-party) | Session identifier | 30 minutes |
| cart, cart_sig, cart_ts | Shopify (first-party) | Persisting basket contents and integrity signature | 2 weeks |
| secure_customer_sig, _secure_session_id | Shopify (first-party) | Authenticated customer session and CSRF protection | Session / 24 hours |
| checkout_token, checkout | Shopify (first-party) | Persisting checkout state | 4 weeks |
| __cf_bm, cf_clearance | Cloudflare (third-party) | Bot management and DDoS mitigation | 30 minutes / 30 days |
| __stripe_mid, __stripe_sid | Stripe (third-party) | Fraud prevention and 3-D Secure tokenisation | 1 year / 30 minutes |
| ts, ts_c, l7_az, x-pp-s | PayPal (third-party) | PayPal session and fraud prevention during checkout | Session up to 3 years |
| cookie_consent, cc_state | Halsworth & Hayes (first-party) | Recording your consent choices | 12 months |
4.2 Functional
Functional cookies remember preferences such as language, currency, recently viewed products and saved sizing. They load only with consent.
| Cookie | Provider | Purpose | Lifespan |
|---|---|---|---|
| currency, locale_bar_accepted | Shopify (first-party) | Selected currency and locale | 1 year |
| recently_viewed | Halsworth & Hayes (first-party) | Browsing history within the storefront | 30 days |
| wishlist_token | Halsworth & Hayes (first-party) | Persisting your wish list across sessions | 6 months |
4.3 Analytics
Analytics cookies help us understand how visitors use the site so we can improve it. They load only with consent.
| Cookie | Provider | Purpose | Lifespan |
|---|---|---|---|
| _ga | Google Analytics 4 (third-party) | Distinguishing unique users | 2 years (we set 14 months retention server-side) |
| _ga_<container-id> | Google Analytics 4 (third-party) | Persisting session state | 2 years |
| _gid | Google Analytics (third-party) | Distinguishing users for 24 hours | 24 hours |
| _gat | Google Analytics (third-party) | Throttling request rate | 1 minute |
| _shopify_sa_p, _shopify_sa_t | Shopify Analytics (first-party) | Marketing attribution within Shopify | 30 minutes |
| klaviyo_email_open, __kla_id | Klaviyo (third-party) | Newsletter open and click measurement | 2 years |
We have configured Google Analytics with IP anonymisation, signals disabled, and a 14-month event-data retention setting.
4.4 Marketing and targeting
Marketing cookies measure advertising effectiveness and help us reach visitors with relevant communications. They load only with consent. If you have not seen the cookies below in your browser, it is because the corresponding channel is not currently active.
| Cookie | Provider | Purpose | Lifespan |
|---|---|---|---|
| _fbp | Meta Platforms (third-party) | Conversion and audience measurement | 90 days |
| _fbc | Meta Platforms (third-party) | Last-click identifier from Meta ads | 90 days |
| _ttp | TikTok (third-party) | Conversion measurement (only if TikTok pixel is active) | 13 months |
| tracker pixel in marketing emails | Klaviyo (third-party) | Tracking email opens and click-through | Per-message |
5. How to manage and withdraw consent
- Cookie banner: use the “Cookie preferences” link in the footer to re-open the banner and amend your selection at any time. Your withdrawal takes effect immediately.
- Browser controls: all major browsers allow you to block or delete cookies. Useful guides are published by Chrome, Firefox, Safari, and Edge.
- Industry opt-outs: Google Analytics opt-out add-on (tools.google.com/dlpage/gaoptout); Your Online Choices (youronlinechoices.com/uk); Network Advertising Initiative (optout.networkadvertising.org); Digital Advertising Alliance (optout.aboutads.info).
- Marketing emails: use the unsubscribe link in any newsletter. Transactional messages necessary for your order will continue to be sent.
6. Do Not Track and Global Privacy Control
There is no consistent industry standard for Do Not Track (“DNT”) browser signals, so we do not currently respond to DNT headers. We do treat the Global Privacy Control (GPC) signal, where present, as a valid opt-out of the “sale” or “sharing” of personal information within the meaning of the California Consumer Privacy Act, as amended by the CPRA, and we mirror that opt-out in the consent state for non-essential cookies.
7. Consequences of refusing or disabling cookies
If you refuse strictly necessary cookies, the basket, the secure checkout and the customer login may not work. Refusing functional cookies will reset your language, currency or wish list between sessions. Refusing analytics or marketing cookies will not affect access to the storefront, but it limits our ability to improve the site or measure the relevance of campaigns.
8. International transfers
Several of the cookie providers above are based outside the United Kingdom, principally in the United States and the European Union. Where personal data is transferred internationally we rely on UK adequacy regulations, the UK Extension to the EU–US Data Privacy Framework, the ICO’s International Data Transfer Agreement, or the EU Standard Contractual Clauses with the UK Addendum, supported by Transfer Impact Assessments. Full detail is available in section 6 of our Privacy Policy.
8A. Records of consent and accessibility
Where you accept, refuse or amend cookie preferences, our consent management platform stores the resulting state, the timestamp, the version of this policy in force and a hashed identifier so we can demonstrate compliance with PECR and Article 7 UK GDPR. These records are retained for 12 months. The cookie banner is operable by keyboard, exposes ARIA labels for assistive technologies, and aims to meet WCAG 2.2 AA. If you experience any difficulty with the consent interface, please contact us and we will record your preference manually.
9. Changes to this policy
We review this Cookie Policy at least every twelve months and whenever we add, remove or materially change a cookie provider. The version and effective date are shown at the top of the page. Where changes are material we will re-prompt for consent through the banner.
10. Contact
For any question about this policy or the cookies we use, please write to contact@halsworthhayes.shop. You may also lodge a complaint with the Information Commissioner’s Office at ico.org.uk if you believe our use of cookies is unlawful.