The cookies, named one by one.

A cookie is a small text file a website asks your browser to store. The browser sends it back on later visits, so the site can recognise the browser without asking the user to identify themselves.

Cookies have an owner (the domain that set them), a name, a value, and an expiry. The same browser feature also covers related local-storage mechanisms (Web Storage, IndexedDB). We do not use those on elofyn.com today; if that changes, this notice changes.

These cookies are set by the elofyn.com origin. They run whether or not you accept analytics, because the site cannot work or remember your consent choice without them. Under GDPR Article 6(1)(f) and the corresponding legitimate-use ground in DPDP Act section 7, these are strictly-necessary cookies and do not require separate consent.

elofyn_consent. Records the choice you made in the consent banner (accept-all, reject-non-essential, or per-category) and the date that choice was made, so we do not ask again on every page. Twelve-month expiry. Cleared when you clear cookies in your browser, or when you change your choice via the “manage cookies” link in the footer.

Session cookies set by the framework or the host. Some standard web infrastructure may set short-lived session cookies for the request itself (load-balancer stickiness, CSRF protection on the contact form). They expire when you close the browser and contain no personal data we can read.

If you accept analytics in the consent banner, we load Google Analytics 4 (GA4) and it writes two cookies on the elofyn.com origin. If you decline, the GA4 script is never loaded and these cookies are not written.

_ga. A pseudonymous identifier that lets GA4 tell one browser from another so the same visit is not counted twice. We configure the property with IP-address anonymisation on and Google Signals off, so GA4 does not receive your full IP and does not link your visits to a Google account. Default expiry two years; we shorten it to thirteen months so the cookie cannot outlive a once-a-year visitor by much.

_ga_<container-id>. GA4’s per-property session state. The <container-id> is the public measurement ID of our GA4 property. Same configuration and expiry as _ga.

We do not run Google Ads, AdSense, the Facebook pixel, or any other advertising or remarketing tag. We do not use GA4 audiences for ad targeting; the property is read-only for us.

We mention this because so many sites do and we want the absence to be on the record.

No advertising cookies, no remarketing pixels, no cross-site tracking, no fingerprinting, no session replay, no heatmap. No third-party fonts (we self-host Geist, Geist Mono, and Instrument Serif). No embedded widgets that would set their own cookies in iframes. Nothing in the page calls out to a network you have not explicitly accepted.

The first time you visit elofyn.com from a new browser, we ask whether to load analytics. The banner is the only thing on the page until you choose.

Accept analytics loads GA4 and writes the two cookies above. Your IP is anonymised and your visits are not linked to a Google account.

Decline does nothing. No analytics, no GA4 cookies, no third-party requests beyond what your browser issues on its own. Site behaviour is identical for declined and accepted visitors except that we cannot count the declined visit.

Your choice is stored in the elofyn_consentcookie described above. You can change it at any time via the “Manage cookies” link in the footer, which re-opens the banner with your current choice pre-selected. Changing from accept to decline clears the GA4 cookies on the next page load.

Every major browser lets you block or delete cookies. The banner choice on elofyn.com is the most precise control we offer, but browser-level blocking is more thorough and we respect it.

We honour the Global Privacy Control signal (GPC, the modern successor to Do Not Track) sent in the Sec-GPC request header. If your browser sends GPC, we treat the visit as a decline regardless of whether you have used the banner, and we never load GA4. Older Do Not Track signals (DNT) are treated the same way.

Clearing cookies in the browser also clears your consent choice, so the banner will appear again on your next visit.

elofyn_consent expires after twelve months. The banner re-appears at the end of that window so you get a fresh choice rather than an old one carried indefinitely.

_ga and _ga_<container-id> expire after thirteen months, the shortest expiry consistent with year-over-year reporting in GA4.

Session cookies set by the framework or host expire when you close the browser.

Under the EU ePrivacy Directive as implemented in national law, the UK Privacy and Electronic Communications Regulations, and India’s Digital Personal Data Protection Act 2023, non-essential cookies require informed consent before they are set. Strictly-necessary cookies do not.

We treat the analytics cookies as non-essential and set them only after the banner records your consent under GDPR Article 6(1)(a) and DPDP Act section 6. The consent-state cookie itself is strictly necessary — we need somewhere to record the choice you made, or we would have to ask again on every page.

If we add, remove, or change a cookie, we update this page and the last-updated date at the top. Material changes — a new processor, a new category of cookie — are summarised in the journal.

Send questions about cookies via the contact form. Mark the subject “Cookies” and we will answer in plain language.

If a sentence here is unclear to you, write and we will improve the language.