Cookie Policy
A full inventory of what we store on your device, why we store it, how long it persists, who else can see it, and the granular controls you have over every single category. Written in plain English where possible — with the precision required by ePrivacy Directive, GDPR, PIPEDA, and CCPA.
Effective · January 2026
What Is a Cookie
A cookie is a small text fragment placed on your device by a website. Cookies allow sites to remember you across visits — for sign-in continuity, language preference, cart contents, fraud prevention, and aggregated analytics.
Cookies cannot read other files on your device, cannot install software, cannot execute code, and cannot access your camera, microphone, contacts, or other system resources. They are passive identifiers — useful only insofar as the server that set them chooses to honour them on subsequent visits.
This Policy also covers similar technologies that perform cookie-like functions: localStorage, sessionStorage, IndexedDB, web beacons (1×1 pixels), HTTP ETags, service workers, and device fingerprinting heuristics. We use the term "cookie" throughout for brevity.
Why We Use Cookies
To keep you signed in across page navigations without re-entering credentials on every click.
To remember your locale (en-CA, de-DE, fr-CA), currency, theme preference, and shipping region so the catalogue renders correctly without forcing you to reselect every visit.
To preserve your shopping cart between sessions so that returning the next day finds the same items waiting.
To prevent cross-site request forgery (CSRF) attacks on every form submission and authenticated action — a security-critical use that cannot be disabled.
To detect and block fraudulent transactions through pattern analysis and device-fingerprint signals, protecting both you and the Company from card-not-present fraud.
To measure aggregated usage — total page views, navigation paths, search-result effectiveness — so we can identify and fix UX dead-ends and improve the catalogue.
Only with your explicit opt-in: to remember you for personalized product recommendations and to send marketing communications via channels you have authorized.
Categories We Use
Strictly Necessary — Session, CSRF token, cart contents, authentication tokens, load-balancing affinity, and security-challenge state. These cannot be disabled because the site will not function without them. Lifetime: session-only (cleared when browser closes) except cart cookies which persist for thirty (30) days.
Preferences — Locale, currency, theme (dark / light / system), accessibility settings (reduced-motion, high-contrast), and acknowledged-banner state. Improves your experience but is not strictly required. Lifetime: 365 days.
Analytics — Anonymized usage signals (page hits, click paths, scroll depth, A/B test bucket assignment) collected via a self-hosted analytics layer. We do not use Google Analytics, Adobe Analytics, or any third-party adtech analytics. Lifetime: 365 days. You may opt out at any time without losing any functionality.
Marketing — Only set if you explicitly opt in via the consent banner or account settings. Used to remember promotional preferences and to attribute the source of acquisition for first-touch attribution. Lifetime: 90 days. Includes no cross-site tracking and no behavioural advertising.
Performance / CDN — Set by our content-delivery network (Cloudflare) to route requests to the nearest edge node, mitigate denial-of-service attacks, and identify abusive bots. Lifetime: 30 minutes (rolling).
Third-Party Cookies
We deliberately keep third-party cookies to a strict minimum. The only third parties that may set cookies via our service are:
Stripe / PayPal / Coinbase Commerce — during checkout only, to process payment securely and protect against payment fraud. These cookies are set only on the checkout pages and are essential to completing a transaction.
Google Maps / OpenStreetMap — only on the contact page where the location map is embedded. If you do not load the contact page these cookies are never set. The map can be replaced with a static-image fallback on request.
We do not embed third-party social-network widgets (Facebook Like, Twitter / X share, LinkedIn share), third-party advertising trackers (Google Ads, Meta Pixel, TikTok Pixel), session-replay tools (Hotjar, FullStory, LogRocket), or any third-party adtech of any kind on any page of the service.
All third-party sub-processors that set cookies are listed in our sub-processor register at threadprocessor.corp/sub-processors with their processing location, data categories, and applicable contractual safeguards.
How to Control Cookies
Cookie banner — On your first visit you are presented with a clear consent banner offering granular per-category controls (Necessary always on; Preferences, Analytics, Marketing each independently toggleable). The banner is fully GDPR-compliant: no pre-ticked boxes, equal prominence to "Accept All" and "Reject All", and clear granular options.
Account settings — Open Settings → Privacy from your account menu to adjust consent at any time. Changes take effect immediately and apply across all devices signed into your account.
Withdrawal of consent — You may withdraw consent for any non-necessary category at any time, as easily as you gave it. Withdrawal does not affect the lawfulness of processing before withdrawal.
Browser controls — All modern browsers allow you to view, block, or delete cookies via browser settings. Help pages for major browsers: chrome.google.com/help, support.mozilla.org, support.apple.com/safari, support.microsoft.com/edge.
Do Not Track — We honour the Global Privacy Control (GPC) signal. When a browser sends GPC: 1, we treat it as an opt-out of analytics and marketing cookies regardless of prior consent state.
Disabling necessary cookies will break sign-in, cart persistence, checkout, and security features. Disabling preference cookies will reset locale and theme each visit. Disabling analytics or marketing cookies has no functional impact on the service.
Retention Periods
Session cookies expire when you close the browser.
Persistent preference cookies expire after 365 days and are renewed each time you visit.
Analytics cookies expire after 365 days; collected data is retained in aggregated form for 26 months.
Marketing cookies expire after 90 days; engagement data is retained for 12 months.
Security cookies (CSRF tokens, fraud-prevention) expire on a per-request or per-session basis and are never retained longer than necessary for their security function.
Once a cookie expires it is automatically deleted by your browser. You can manually delete cookies at any time through your browser settings without waiting for expiry.
International Transfers
Some cookie data may be transmitted to our processors located outside your country of residence (commonly Canada, the United States, and the European Union). All transfers are protected by Standard Contractual Clauses, the UK International Data Transfer Agreement, or adequacy decisions as applicable. See our Privacy Policy for the full international-transfer framework.
Children
The service is not directed to children under sixteen (16) and we do not knowingly serve cookies to children. If you believe a child has been served cookies in violation of this policy, contact dpo@threadprocessor.corp and we will purge the associated data.
Changes to This Policy
We may update this Cookie Policy as our processing changes — for example, when adding or removing a sub-processor that sets cookies, or when introducing a new feature with cookie implications.
Material changes (new categories, new third parties, expanded retention) are announced via banner on your next visit and require renewed consent before the change applies.
Minor changes (clarifications, typo corrections, updated example URLs) are noted by updating the Effective Date at the top of this page.
Contact
General cookie questions: privacy@threadprocessor.corp
Formal data-subject requests, consent-history exports, or complaints: dpo@threadprocessor.corp
Security vulnerability reports: security@threadprocessor.corp (PGP key on file)
We aim to respond within seven (7) business days and to resolve all formal requests within thirty (30) days as required by applicable privacy law.