Sthira Me — Cookies Notice

Effective: 17/05/2026  |  Version: 1.0


Summary

In short: when you visit sthira.me we use a small number of cookies. The ones that keep the site secure and let our forms work are always on — we cannot run the site without them. Everything else (measuring how the site performs and, if you opt in, our advertising on Meta) only fires after you choose Accept all in the cookie banner. Choose Essentials only and we treat that as your standing answer; the marketing pixel never loads. You can change your mind at any time by clearing site data for sthira.me in your browser, which re-shows the banner on your next visit. No part of our app — the iOS one — uses any of this. The app keeps your practice on your phone.

If you only read one paragraph, that's it. The detail below sets out exactly what each cookie does, who sets it, how long it stays, and how to switch any of them off.


1. What cookies are

Cookies are small text files placed on your device by the websites you visit. They let a site remember things — that you have already seen the cookie banner, that the form you just submitted came from a real human, that you are partway through a journey. Some cookies are set by the site you are visiting (these are called first-party cookies). Others are set by a service the site uses, on a different domain (these are third-party cookies). This notice covers both.

We also describe a few similar technologies below — browser local storage, in particular. Strictly these are not cookies, but PECR and the ICO treat them the same way for consent purposes, so we list them here for completeness.


These cookies keep the site secure and allow forms to work. PECR Regulation 6(4) exempts them from prior consent — without them, the site cannot deliver the service you have asked for. We still tell you about them.

| Cookie name | Domain | Purpose | Type | Duration | Provider |
|---|---|---|---|---|---|
| __cf_bm | .sthira.me | Cloudflare Bot Management — distinguishes humans from automated traffic so we do not show the suggestion form, the waitlist form or the API endpoints to a flood of bots. | First-party (set by Cloudflare for our domain) | 30 minutes (rolling) | Cloudflare, Inc. |
| cf_clearance | .sthira.me | Set after a Cloudflare challenge (for example a Turnstile interactive check on the suggestion form). Confirms the challenge was passed for the rest of the session. | First-party | Up to 30 days, configurable per-zone | Cloudflare, Inc. |
| _cf_chl_* (transient) | challenges.cloudflare.com | Short-lived tokens issued during the Cloudflare Turnstile bot challenge that protects /suggest. Cleared as soon as the challenge completes. | Third-party (Cloudflare challenge subdomain) | Session (until challenge resolves) | Cloudflare, Inc. |

Strictly necessary cookies cannot be switched off in our banner because the site would stop working. You can still block them at the browser level (see §6), but expect forms to refuse to submit and pages to be slower.


These remember choices you have made — they are not strictly necessary, but the site is much friendlier with them on. They do not feed any advertising network.

| Identifier | Domain | Purpose | Type | Duration | Provider |
|---|---|---|---|---|---|
| sthira-cookie-consent (localStorage entry) | sthira.me | Records the choice you made in the cookie banner — essentials or all. While this entry is present we do not show you the banner again. | First-party (browser local storage, not technically a cookie but covered by PECR) | Until you clear site data | Sthira Me Limited |
| upviral_user_id8A4$&A | .sthira.me | UpViral's referral-tracking cookie. Set when you join the waitlist or arrive via a friend's invite link. Lets the /share page render your personal invite link and credits the right referrer when someone signs up through you. | Third-party (set on our domain by UpViral's loaded script) | 12 months | UpViral |

Where consent applies (the UpViral cookie is the only one in this section that requires it under PECR — the local-storage record of your choice does not, because it exists only to honour that choice), we treat clicking either button on the banner as your standing answer. The UpViral cookie is loaded on either banner choice because referral tracking is integral to the waitlist programme described on /share. If you prefer the cookie not to load at all, do not use the waitlist or share features, and decline cookies via your browser as set out in §6.


We measure how the website performs so we know which pages help and which do not. We do not run autocapture, we do not run session recording, and we host PostHog on its EU infrastructure (eu.i.posthog.com) so the data does not leave the EU/UK.

For v1.0 the analytics behaviour on sthira.me is as follows:

| Identifier | Domain | Purpose | Type | Duration | Provider |
|---|---|---|---|---|---|
| ph_phc_<key>_posthog (localStorage entry) | sthira.me | PostHog distinct_id and event queue. Lets us count unique visitors and page paths without using a third-party tracker. Stored in localStorage, not a cookie, per our PostHog config (persistence: 'localStorage'). | First-party (browser local storage) | 12 months from last visit | PostHog Inc. (EU Cloud) |

PostHog only initialises once a real PostHog project key is set in assets/js/site.js; until then the snippet runs as an inert stub and no data is captured. For the in-app analytics on the iOS app itself, see our Privacy Policy — those are opt-in from v1.1 onwards and default OFF in v1.0.

PostHog does not feed an advertising network. We treat it as functional / analytics rather than marketing for the purposes of the consent gate, but if you choose Essentials only in the banner we still avoid setting any non-essential identifier; PostHog will load only when consent is all once the consent gate is wired through to the PostHog initialiser (planned hardening pre-launch — see §10).


We use the Meta Pixel on sthira.me to measure the effectiveness of our advertising and to build audiences for future Instagram and Facebook campaigns. We do not use the Meta Pixel inside the iOS app.

The Pixel only loads if you click Accept all in the cookie banner. Decline via Essentials only and the Pixel script is never injected — no _fbp cookie, no fbevents.js request, no events sent to Meta. We have deliberately not added the noscript image fallback that Meta's setup wizard recommends, because that fallback fires unconditionally and would break this consent gate.

| Cookie / identifier | Domain | Purpose | Type | Duration | Provider |
|---|---|---|---|---|---|
| _fbp | .sthira.me | First-party Meta Pixel cookie. Identifies the browser to Meta for ad attribution and audience-building. Only set after Accept all. | First-party (set by Meta Pixel script loaded on consent) | 90 days | Meta Platforms Ireland Ltd. |
| _fbc | .sthira.me | Stores the click-ID from a Meta ad if you arrived via one, so subsequent events can be matched to that ad. Only set after Accept all and only if a fbclid parameter is present in the URL. | First-party | 90 days | Meta Platforms Ireland Ltd. |
| fr (and related) | .facebook.com | Meta's own browser-level cookies, set on facebook.com if you are signed in to Facebook in the same browser. Sthira Me does not set these directly; they are part of how Meta receives Pixel events. | Third-party | Meta-controlled (typically up to 90 days) | Meta Platforms Ireland Ltd. |

Events the Pixel fires when consent is all: PageView (on every page), ViewContent (on practice / programme / journal pages — pages that declare themselves with data-pixel-content-type on the body element), Lead (when you submit the waitlist form on / or the suggestion form on /suggest), BodyCheckinTap (custom event when you tap a zone on the body check-in demo), ShareClicked (custom event when you generate a share link via /share). Where the event involves your email address we send Meta a one-way SHA-256 hash of your lowercased and trimmed email — never the address itself.

If you choose Essentials only, none of these events fire and no Meta cookies are set.

Pinterest Tag

We use the Pinterest Tag (Tag ID 2613438099413) on sthira.me alongside the Meta Pixel, to measure the effectiveness of our advertising and to build audiences for future Pinterest campaigns. We do not use the Pinterest Tag inside the iOS app.

The Pinterest Tag follows the same consent gate as the Meta Pixel: it only loads if you click Accept all in the cookie banner. Decline via Essentials only and the Pinterest script is never injected — no _pinterest_ct_ua cookie, no s.pinimg.com/ct/core.js request, no events sent to Pinterest. As with Meta, we have deliberately not added the noscript image fallback that Pinterest's setup wizard recommends, because that fallback fires unconditionally and would break the consent gate.

| Cookie / identifier | Domain | Purpose | Type | Duration | Provider |
|---|---|---|---|---|---|
| _pinterest_ct_ua | .sthira.me | First-party Pinterest Tag cookie. Identifies the browser to Pinterest for ad attribution and audience-building. Only set after Accept all. | First-party (set by Pinterest Tag script loaded on consent) | 1 year | Pinterest Europe Ltd. |
| _pin_unauth | .sthira.me | First-party Pinterest identifier for unauthenticated visitors (those not signed in to Pinterest). Only set after Accept all. | First-party | 1 year | Pinterest Europe Ltd. |
| _routing_id | .pinterest.com | Pinterest's own browser-level routing cookie, set on pinterest.com if you are signed in to Pinterest in the same browser. Sthira Me does not set this directly; it is part of how Pinterest receives Tag events. | Third-party | Pinterest-controlled (session-scoped) | Pinterest Europe Ltd. |

Events the Pinterest Tag fires when consent is all: page (on every page, equivalent to PageView). Future events (Lead on waitlist submit, checkout on subscription) will be added alongside the Meta Pixel equivalents and disclosed here.

If you choose Essentials only, the Pinterest Tag script is never injected — no Pinterest cookies are set and no events are sent.


6. How to manage cookies

Re-opening the banner

We treat your last choice as your standing answer. To revisit it:

  1. Open your browser's site-settings for sthira.me (in Chrome: lock icon in the address bar → Site settings → Clear data; in Safari: Settings → Privacy → Manage Website Data → search for sthira.me → Remove; in Firefox: Settings → Privacy & Security → Cookies and Site Data → Manage Data → sthira.me → Remove).
  2. On your next visit to sthira.me, the banner will appear again.

We are working on an in-page "manage cookies" link in the footer to make this a single click — it is on the v1.0.x roadmap (see §10). If you would like us to clear consent on your behalf in the meantime, email our contact form and we will confirm by reply once the next visit will re-show the banner for you.

Browser-level controls

Every modern browser lets you block all cookies, block third-party cookies only, or delete cookies on close. The exact menu paths shift between versions; the canonical guides are:

Blocking strictly-necessary cookies will break parts of the site (forms in particular). Blocking all third-party cookies will not affect the site materially — Meta will simply not receive Pixel events, and Pinterest will not receive Tag events.

Do Not Track and Global Privacy Control

We honour the Global Privacy Control (GPC) signal. If your browser sends Sec-GPC: 1 we treat it as a standing decline of marketing cookies — neither the Meta Pixel nor the Pinterest Tag will load even if you have not interacted with the banner yet. We do not currently honour the older Do Not Track header because it has been deprecated in most browsers and ICO guidance does not require us to.
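
The consent gate this notice describes, written out as an added example (it is not the code in assets/js/site.js): the stored banner choice and the GPC signal decide which tags may be injected, and an unknown stored value fails closed. The names tagPlan, applyPlan and loaders are hypothetical, and GPC overriding a stored Accept all is an assumption.

```javascript
// Added example, not the site's own code. tagPlan, applyPlan and the
// loaders object are hypothetical names used for illustration.
const CONSENT_KEY = 'sthira-cookie-consent'; // localStorage entry named in this notice
const VALID = new Set(['essentials', 'all']);

// Pure decision: stored banner choice + GPC signal -> which tags may load.
function tagPlan(storedConsent, gpcEnabled) {
  // Fail closed: a missing, tampered or unknown value counts as "no answer yet".
  const consent = VALID.has(storedConsent) ? storedConsent : null;
  const acceptedAll = consent === 'all';
  // Assumption: GPC suppresses marketing tags even when "all" is stored.
  const marketing = acceptedAll && !gpcEnabled;
  return {
    showBanner: consent === null,
    upviral: consent !== null, // loads on either banner choice
    posthog: acceptedAll,      // target state once the gate is wired through (section 10)
    metaPixel: marketing,
    pinterestTag: marketing,
  };
}

// Calls only the loaders the plan allows; each loader injects its own <script>.
// A denied tag is never injected, so it makes no request and sets no cookie,
// and there is no <noscript> image fallback that could bypass the decision.
function applyPlan(plan, loaders) {
  const loaded = [];
  for (const name of ['upviral', 'posthog', 'metaPixel', 'pinterestTag']) {
    if (plan[name] && typeof loaders[name] === 'function') {
      loaders[name]();
      loaded.push(name);
    }
  }
  return loaded;
}

// Browser wiring (skipped outside a browser). navigator.globalPrivacyControl
// is the client-side counterpart of the Sec-GPC: 1 request header.
if (typeof window !== 'undefined' && typeof localStorage !== 'undefined') {
  const gpc = navigator.globalPrivacyControl === true;
  // Hypothetical hook; real loader functions would be passed to applyPlan.
  window.__tagPlan = tagPlan(localStorage.getItem(CONSENT_KEY), gpc);
}
```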


7. Third-party cookies — who they are and what they do

This is the at-a-glance list of the third parties whose cookies may appear when you use sthira.me. Each one has its own privacy policy; the link goes to the policy as published at the time of writing.

| Provider | Role | Privacy policy |
|---|---|---|
| Cloudflare, Inc. | Edge hosting, bot protection, Turnstile | https://www.cloudflare.com/en-gb/privacypolicy/ |
| UpViral (Mucho Vato Inc.) | Referral tracking on /share and the waitlist | https://upviral.com/privacy-policy/ |
| PostHog Inc. (EU Cloud) | First-party product analytics | https://posthog.com/privacy |
| Meta Platforms Ireland Ltd. | Marketing pixel — only loaded after Accept all | https://www.facebook.com/privacy/policy/ |
| Kit (formerly ConvertKit) | Email automation — does not set browser cookies on sthira.me, but we list it because it processes the email address you submit to the waitlist. | https://kit.com/privacy |

We do not use Google Analytics, Hotjar, FullStory, or any session-recording tool on sthira.me. We do not use any third-party advertising SDK in the iOS app — the app is local-storage only (see our Privacy Policy for full detail).


8. Cookies we may add later

In the interest of keeping this list honest, here are categories of cookies that are referenced in our analytics or marketing strategy documents but are not yet firing on sthira.me as of the cut date. We will update this notice before any of them go live.


9. Changes to this notice

We will update this notice whenever we:

We will not silently change the consent posture — if we ever introduce a cookie that requires consent in a category not currently in the banner (for example a new "Marketing — third party" category that needs separating from the existing single Marketing toggle), we will re-prompt you for consent the next time you visit. The "last updated" date at the top of this document is the canonical source of when the most recent change landed.


10. Known gaps and planned hardening

We list these openly because the canonical principle of this brand is gratitude — the people reading this notice are entitled to know what we are still working on.

  1. PostHog consent gate hardening. The current banner gates the Meta Pixel correctly (verified in assets/js/site.js loadAdvertisingPixels). The PostHog snippet currently loads regardless of banner choice because the project key is still a placeholder, but the published wording in privacy.html ("PostHog uses a first-party cookie scoped to sthira.me only — it does not track you across other websites") needs the consent gate wired through before the real PostHog key ships, so that Essentials only also suppresses PostHog. Tracked as a v1.0 launch blocker.
  2. Footer "Manage cookies" link. As noted in §6, today the only way to revisit your banner choice is to clear site data. A footer link that re-opens the banner is on the v1.0.x list.
  3. Granular marketing toggle. The banner today is binary (essentials vs all). If we add a third-party tracker beyond Meta we will split marketing into per-vendor toggles. Until then a single toggle is acceptable per ICO PECR guidance.
  4. Independent legal review. This document is a draft. Founder + IP firm review and sign before publication.

11. How to contact us

If you have a question about cookies — a specific entry above, an exercise of your rights under UK GDPR (access, erasure, restriction, portability), or anything else — email our contact form. We aim to reply within 7 working days; for any rights request our regulatory deadline is 30 days from receipt and we will confirm our position within that window.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):

We would be glad of the chance to put a problem right before it gets there.



Sthira Me Limited · Cookies Notice version 1.0.