Cookie Policy
Effective 30 June 2026
·Version 1
⚠️ DRAFT v0.1 — pending legal review. This document has not yet been reviewed by counsel and may change before formal publication. By using InstaTable, you agree to the terms as published at the time of your access.
Cookie Policy
This Cookie Policy explains how InstaTable (InstaTable Limited, in formation, "we", "us", "our") uses cookies and similar tracking technologies on our websites and applications, what each category does, and how you can control them.
It supplements our Privacy Policy, which explains in more detail how we handle personal information.
1. What are cookies and similar technologies?
A cookie is a small text file stored on your device by your browser when you visit a website. Cookies let websites remember you between visits — for example, to keep you signed in, remember your language preference, or measure how the site is being used.
We also use related technologies that work similarly to cookies, including:
- Local storage and session storage — key-value data your browser stores for a specific site.
- IndexedDB — a small in-browser database used for offline behaviour and performance.
- Pixel tags / web beacons — tiny images embedded in pages or emails that record that they were loaded.
- SDK identifiers — IDs generated by third-party SDKs (e.g. analytics, marketing).
For simplicity, we refer to all of these as "cookies" in this policy.
Cookies can be:
- First-party — set by InstaTable when you visit instatable.net, app.instatable.net, op.instatable.net or book.instatable.net.
- Third-party — set by another organisation whose code we load on our pages (e.g. Google Analytics, Meta Pixel, Cashfree).
They can also be:
- Session cookies — deleted when you close the browser.
- Persistent cookies — stored for a set period (e.g. 1 hour to 24 months) or until you delete them.
2. Categories of cookies we use
We group cookies into four categories. Only Strictly necessary cookies are always on. The other three categories require your consent and can be toggled off at any time via the cookie banner or the "Cookie preferences" link in our footer.
2.1 Strictly necessary cookies (always on)
These are essential for the Platform to work. Without them, you would not be able to sign in, complete a booking, or use the dashboard securely.
| Purpose | Examples |
|---|---|
| Authentication and session | Supabase Auth session token, refresh token |
| Security and abuse prevention | CSRF token, rate-limit identifier, anti-bot signal |
| Routing on the right subdomain | Domain and subdomain preference cookies |
| Cookie-consent record | Your consent choices and timestamp |
| Booking widget state | In-progress booking step, party-size selection |
We rely on the "strictly necessary" exemption from consent requirements in NZ guidance under the Privacy Act 2020, PIPEDA implied consent for obvious uses, and GDPR Article 5(3) ePrivacy for these cookies.
2.2 Functional cookies (optional)
These remember your preferences to give you a smoother experience.
| Purpose | Examples |
|---|---|
| Remembering UI preferences | Sidebar collapsed state, theme, table density |
| Remembering language and region | Locale code, country selection |
| Remembering the last restaurant you booked with | Restaurant slug |
Disabling functional cookies will not break the Platform but you may have to set preferences each time.
2.3 Analytics cookies (optional, consent required)
These help us understand how people use the Platform so we can improve it. Analytics is off by default and only loaded after you accept.
| Provider | Purpose | Typical retention |
|---|---|---|
| Google Analytics 4 | Page views, sessions, traffic sources, feature usage, performance metrics | 14 months |
| Vercel Analytics (if enabled) | Web vitals and basic page-view counts | 30 days |
| Sentry (if enabled) | Error and performance traces | 30–90 days |
Where possible we configure IP anonymisation and disable ad-personalisation signals.
2.4 Marketing cookies (optional, consent required)
These help us measure the effectiveness of our marketing and, occasionally, show you InstaTable adverts elsewhere.
| Provider | Purpose | Typical retention |
|---|---|---|
| Meta Pixel (Facebook / Instagram) | Conversion tracking from our marketing site, lookalike audience building | Up to 24 months |
| LinkedIn Insight (if used) | Conversion tracking from LinkedIn ads | Up to 24 months |
Marketing cookies are off by default and only set after you accept.
3. Third-party cookies you may encounter
Some pages load embedded content or scripts from third parties. Those parties set their own cookies governed by their own privacy policies:
- Google Fonts — font delivery (no advertising cookies; minimal request logs).
- Google Analytics 4 — analytics, when consent is given.
- Meta Pixel — marketing attribution, when consent is given.
- Cashfree — payment processing on checkout flows.
- Supabase — authentication session cookies (strictly necessary).
- Twilio / WhatsApp Business (when enabled) — message delivery telemetry.
We do not control these third parties and we are not responsible for their cookies. We aim to load third-party scripts only after you give the relevant consent.
4. How long cookies last
Cookies last from the duration of a single session (a few minutes) to up to 24 months for some analytics and marketing identifiers. You can delete cookies at any time via your browser settings.
5. How to manage your cookie choices
5.1 Via our cookie banner
When you first visit our sites, we present a cookie banner with three options:
- Accept all — turn on functional, analytics and marketing cookies.
- Reject non-essential — keep only strictly-necessary cookies on.
- Customise — choose each category individually.
You can change your choices at any time by clicking "Cookie preferences" in the footer of any page.
5.2 Via your browser
All modern browsers let you view, block and delete cookies. You can also enable a "Do Not Track" or Global Privacy Control (GPC) signal. Helpful links:
Disabling all cookies may break the Platform — you may not be able to sign in or complete a booking.
5.3 Via opt-out tools
For some advertising and analytics cookies you can also opt out at:
6. Do Not Track and Global Privacy Control
We honour Global Privacy Control (GPC) as a valid opt-out signal for non-essential cookies. If your browser sends a GPC signal, we will treat that as a rejection of analytics and marketing cookies on your visit.
The "Do Not Track" header is treated identically.
7. Cookies in emails
Marketing and transactional emails we send may contain tiny tracking pixels that record whether an email was opened and which links were clicked. This helps us and our Tenants measure deliverability. You can disable email tracking by configuring your email client to block remote images.
8. Children
We do not knowingly use cookies to collect personal information from children under 16. See section 13 of our Privacy Policy.
9. Changes to this Cookie Policy
We may update this Cookie Policy from time to time to reflect changes in technology, regulation or our practices. We will update the effective date at the top and, for material changes, notify you in advance via the cookie banner or by email.
10. Contact
Questions or complaints about cookies should go to privacy@instatable.net.
Questions about this document?
privacy@instatable.netSee also: Privacy · Terms · Cookies · Acceptable Use