Reservly Cookie Policy
Last updated: April 26, 2026
The short version
- Essential cookies, always on. Session, authentication, and security cookies that are strictly necessary for the service.
- Functional cookies (language, currency, referral tracking, your cookie-preference choice) are opt-out in the US and opt-in in the EU, UK, Canada, and similar regions — per the banner you see on your first visit.
- Analytics and advertising cookies may be activated as Reservly grows (Google Analytics 4 for aggregate traffic; Meta Pixel and Google Ads conversion pixels when we run paid campaigns). Not active today. When activated, all consent-gated, all disclosed below at least 30 days in advance.
- Advertising cookies live on our marketing site only. They are never set on Reservly-hosted booking pages. End-user booking data never flows to any advertising platform.
- We don’t sell your data. We may "share" marketing-site visitor data with advertising platforms (CCPA/CPRA's term for the measurement and retargeting that paid campaigns rely on) — strictly consent-gated, strictly opt-outable.
- We honour Global Privacy Control (GPC). If your browser sends a GPC signal, we treat it as an opt-out — you don't need to click the banner.
- Accept and Reject are equal choices. Our cookie banner presents Accept All and Reject All with the same visual prominence — same button size, colour, and style. No dark patterns.
Questions: support@reservly.io.
1. What cookies are
A cookie is a small text file that a website places in your browser. Cookies let a website remember things between visits — that you're logged in, what language you speak, whether you've already seen a banner. Similar technologies include localStorage, sessionStorage, IndexedDB, and tracking pixels. This policy covers all of them; we use "cookies" throughout as shorthand.
2. Who sets cookies on Reservly
- Reservly (first-party) sets cookies on reservly.io, app.reservly.io, and Reservly-hosted booking pages.
- Third parties that a business or end user interacts with (Stripe, PayPal, Paddle, Google, Microsoft, Zoom, Dropbox, Upstash, Twilio) may set their own cookies or process data when their services are engaged. Those cookies are governed by their own privacy policies, not ours.
3. Cookie categories
| Category | What it's for | Required? | Opt-in / opt-out |
|---|---|---|---|
| Essential | Session, authentication, CSRF protection, load balancing | Yes — the service can't run without them | Not a consent item; can't be turned off |
| Functional | Language preference, currency preference, referral-source tracking (reservly_ref), remembering your cookie-preference choice | No | Opt-in for EU / UK / EEA / CH / CA visitors; opt-out (legal default on) for US visitors |
| Analytics | Aggregated site analytics to understand how visitors use reservly.io — which pages perform, where drop-offs happen, which features convert | No | Not currently active. When activated (we anticipate Google Analytics 4), opt-in for EU / UK / EEA / CH / CA; opt-out for US. Details disclosed in § 4. |
| Advertising / marketing | Conversion-tracking and retargeting pixels for paid advertising campaigns Reservly runs on Meta (Facebook / Instagram), Google, and similar platforms. Limited to the marketing site at reservly.io — never set on Reservly-hosted booking pages, and end-user booking data is never shared with advertising platforms. | No | Not currently active. When activated, opt-in for EU / UK / EEA / CH / CA; opt-out for US. GPC honoured as opt-out. Each pixel disclosed in § 4 before it goes live. |
Jurisdiction note. "Opt-in" means no non-essential cookie is stored until you actively accept. This applies to EU, UK, EEA, Switzerland, and Canada. Germany additionally requires opt-in for functional cookies with no legitimate-interest exception (TTDSG § 25). France's CNIL guidance requires per-category granularity — you can accept Functional cookies without accepting Analytics cookies, for example. UK residents' cookie rights are governed by PECR (Privacy and Electronic Communications Regulations 2003) as well as UK GDPR.
3a. Email tracking
Reservly's transactional emails (booking confirmations, reminders, account notifications) may include a tracking pixel — a 1×1 transparent image that lets us detect whether an email was opened. This is used solely to assess notification delivery and is not used for advertising profiling.
- What we collect: open event (timestamp, approximate location inferred from IP, email client type).
- Basis: Legitimate interest (GDPR Art. 6(1)(f)) for operational notification health; emails to Canadian addresses comply with the express or implied consent basis under which the message was sent (CASL).
- Opt-out: Disable "Load remote images" in your email client, or request that we disable open tracking for your account by emailing support@reservly.io with subject Email tracking opt-out.
- Links in emails may contain unique identifiers that tell us which link you clicked and which notification type triggered the visit. This data is used only to improve notification UX, not for advertising.
4. Our specific cookies
The table below lists every Reservly-set cookie and storage item we use. We keep this list current.
Strictly necessary
| Name | Type | Purpose | Duration |
|---|---|---|---|
| sb-access-token | Cookie | Supabase auth — keeps your dashboard session active | Session (clears on logout or browser close) |
| sb-refresh-token | Cookie | Supabase auth token refresh | 30 days |
| reservly-session | Cookie | Edge-function session state | Session |
| reservly-csrf | Cookie | CSRF token for form submissions | Session |
Functional
| Name | Type | Purpose | Duration | Consent note |
|---|---|---|---|---|
| reservly_lang | Cookie / localStorage | Remembers the language selected on a booking page | 1 year | Opt-in for EU/UK/CA; opt-out default for US |
| reservly_currency | Cookie / localStorage | Remembers the currency a Business has chosen | 1 year | Opt-in for EU/UK/CA; opt-out default for US |
| reservly_ref | Cookie | Attribution: remembers the referral source from a ?ref= URL parameter, scoped per business slug. In EU/UK/CA regions, this cookie is set only after functional consent is granted — it is not pre-populated from the URL. | 30 days | Opt-in for EU/UK/CA; opt-out default for US |
| reservly_cookie_consent | Cookie | Stores your cookie-preference choice so the banner doesn't re-appear | 12 months | Set on first consent interaction |
| reservly_booking_draft | sessionStorage | Caches partial booking form state so progress is not lost if you navigate mid-flow | Session only (cleared when browser tab closes) | Functional consent; session-scoped |
Third-party cookies / sessions
Third-party cookies may appear depending on which services a Business or visitor activates:
| Set by | When it appears | Typical purpose | Link |
|---|---|---|---|
| Stripe (__stripe_*) | When the Stripe Elements payment form loads on a booking page | Fraud prevention, payment processing | stripe.com/cookies-policy/legal |
| PayPal (ts, ts_c, x-pp-s) | When a PayPal Commerce button loads on a booking page | Fraud prevention, payment processing | paypal.com/legalhub/privacy |
| Paddle (paddlejs, paddle_session) | When the Paddle Checkout overlay loads in the dashboard | Subscription billing, fraud prevention | paddle.com/legal/privacy |
| Google (SID, HSID, various) | When you complete Google Calendar / Meet / Drive OAuth | OAuth session, Google security | policies.google.com/technologies/cookies |
| Microsoft | When you complete Microsoft / Outlook OAuth | OAuth session, Microsoft security | privacy.microsoft.com |
| Zoom | When you complete Zoom OAuth | OAuth session | zoom.us/en/privacy |
| Dropbox | When you complete Dropbox OAuth | OAuth session | dropbox.com/privacy |
| Upstash | Server-side only — Redis-backed rate limiting and session store | Does not set browser cookies; processes request data server-side only | upstash.com/trust/privacy.pdf |
| Twilio | When an SMS booking confirmation or reminder is sent | No browser cookie; processes phone number and message content server-side | twilio.com/en-us/legal/privacy |
| Sentry (session replay) | Only if/when Session Replay is enabled to help debug errors — disabled today | Error capture, session replay | sentry.io/privacy |
Reservly does not control those third-party cookies. If you don't want them, don't activate the corresponding integration.
When Reservly activates analytics or advertising cookies
Reservly is not currently running paid advertising campaigns and has no analytics or advertising cookies active as of the Last updated date above. We anticipate activating them as Reservly grows. When that happens:
- We update this policy at least 30 days in advance. Active subscribers receive email notice; prospective visitors see the update in § 4.
- We activate cookies consent-gated. Opt-in for EU / UK / EEA / CH / CA residents; opt-out for the US and other regions, per regional law.
- We honour the Global Privacy Control signal as an opt-out — no banner click needed.
- We disclose the specific pixels — name, purpose, duration, first-party or third-party — in § 4 above before they go live.
- We update the Sub-Processor List to include each advertising platform with 30 days' notice.
The analytics and advertising providers we anticipate activating include Google Analytics 4 (first-party cookies for aggregate marketing-site traffic), Google Ads conversion tracking (when running paid search campaigns), and Meta Pixel (measurement and retargeting when running Facebook / Instagram paid social). Other platforms — TikTok, LinkedIn, and similar — may be added as our marketing mix evolves; each follows the notice process above.
What we will not do, ever:
- Sell your personal information for money. "Sell" is a CCPA/CPRA-specific term and this commitment is final.
- Set ad pixels on Reservly-hosted booking pages. Ad pixels are limited to the marketing site (reservly.io and marketing subpages). End-user booking data on reservly.io/<business-slug> pages is never shared with advertising platforms.
- Use your Reservly subscriber account data (business owner email, subscription details) for cross-context behavioural advertising beyond what the consent banner covers for marketing-site visitors.
- Silently introduce new tracking without the notice and disclosure commitments above.
5. Consent banner — geo-adaptive
On your first visit to Reservly, you'll see a cookie banner. What it looks like depends on where you are:
- European Union, United Kingdom, European Economic Area, Switzerland, and Canada: an opt-in modal. No non-essential cookies are set until you choose a preference. You can accept all, reject all, or choose per-category. "Reject all" is presented with the same visual prominence as "Accept all" — same button size, colour, and style. One click either way.
- United States, and most other regions: an opt-out banner at the bottom of the screen. Functional cookies are enabled by default (as US state privacy laws permit), but you can opt out with one click.
Per-category granularity. In the EU, UK, and Canada, you can consent or refuse each category independently — for example, accepting Functional cookies without accepting Analytics or Advertising cookies. This meets CNIL (France) and ICO (UK) guidance requiring genuine per-purpose choice.
CASL (Canada). For Canadian visitors, the consent modal also serves as notice under Canada's Anti-Spam Legislation (CASL) § 8 for any marketing-related tracking triggered by cookie preferences. Purely transactional notifications (booking confirmations, reminders) are sent under CASL § 6(5) implied consent and are not gated on cookie consent.
PECR (United Kingdom). Reservly's cookie consent practices for UK visitors comply with the Privacy and Electronic Communications Regulations 2003 (PECR), which implements the EU ePrivacy Directive in UK law. Storing any non-essential cookie requires prior informed consent under PECR reg. 6, regardless of the UK GDPR lawful basis used for the underlying data processing. The ICO recommends that Accept and Reject options are presented with equal visual prominence; our banner complies with this guidance.
TTDSG (Germany). German visitors should note that Reservly's functional cookies are always presented as opt-in — the Telekommunikation-Telemedien-Datenschutz-Gesetz (TTDSG § 25) does not permit a legitimate-interest exception for storing information on a terminal device. This applies to functional cookies that would qualify as low-risk under other frameworks.
Your preference is stored in the reservly_cookie_consent cookie and respected on every visit.
5.1 Change your cookie preferences
A Cookie settings link in the site footer allows you to update your preferences at any time. You can also visit /legal/cookies#manage directly. Updating your preferences takes effect immediately; previously set non-essential cookies are deleted if you withdraw consent.
6. Global Privacy Control (GPC)
If your browser sends the Global Privacy Control (GPC) signal on a request, Reservly honours the signal as an opt-out of any non-essential cookies and of any "sale" or "sharing" that might otherwise apply under California or other state privacy laws. You do not need to click the banner — the signal suffices.
7. Do Not Sell or Share
Reservly does not sell personal information. Under CCPA/CPRA, "sell" means exchange of personal information for money or equivalent consideration. That's not our business model and never will be.
Reservly may "share" personal information with advertising platforms (Meta, Google, and similar) when we run paid campaigns. Under CCPA/CPRA, "share" is a distinct term that covers cross-context behavioural advertising — the measurement pixels and retargeting that paid acquisition relies on. When active, sharing is limited to marketing-site visitor data (never end-user booking data) and is consent-gated per region.
You can opt out of sharing at any time:
- Click "Reject non-essential" in the cookie banner.
- Use the Do Not Sell or Share My Personal Information page.
- Enable Global Privacy Control in your browser — we honour it automatically.
8. How to manage cookies in your browser
Most browsers let you delete cookies, block specific cookies, or block all cookies. Instructions for the major browsers:
Blocking essential cookies will prevent Reservly from working (you won't be able to stay logged in). Blocking functional cookies will disable things like "remember my language choice" but won't prevent you from using the booking flow.
9. Mobile devices and local storage
Reservly's dashboard and booking pages use localStorage and sessionStorage in the browser for the same purposes as functional cookies — storing language preference, remembering a step in a multi-step booking flow, caching form drafts between reloads. These are treated as equivalent to cookies under this policy and are covered by the same consent mechanics.
We do not currently have native mobile apps, so there is no mobile-device identifier equivalent (no IDFA / GAID). If we add native apps in the future we will update this policy.
9.1 Your rights regarding cookie data
Cookie data and localStorage entries that are linked to an identifiable person are personal information and subject to your rights under applicable law (see our Privacy Policy):
- Access: You may request a list of the cookies and storage items we hold associated with your account.
- Deletion / erasure: You may delete cookies directly in your browser at any time. For server-side cookie preference records, submit a deletion request via support@reservly.io (subject: Cookie data deletion).
- Withdrawal of consent: You can withdraw cookie consent at any time via the Cookie settings footer link or /legal/cookies#manage. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.
- Portability: Cookie preference records are minimal (category flags and timestamp). On request, we can provide these in a structured, machine-readable format.
For UK residents, cookie-related complaints may be directed to the Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint or by post to Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. You have the right to complain to the ICO about Reservly's cookie practices under both PECR and UK GDPR.
10. Children
Reservly is not directed at children under 18 (see our Terms of Service § 4.1), and we do not knowingly collect data from children or set cookies for that purpose.
11. Changes to this policy
We will update this policy when we add, change, or remove cookies. The Last updated date at the top reflects the latest revision. Material changes — for example, if we were to introduce analytics or a new third-party cookie — will be announced with a banner on your next visit and an email to active subscribers.
12. Contact
Questions about a specific cookie, a consent choice, or this policy:
Email: support@reservly.io
Subject line for cookie-specific questions: Cookies
This Cookie Policy works together with our Privacy Policy and Terms of Service. Where the Privacy Policy describes in more detail how we process personal information, those descriptions apply here too.