Cookie Policy
Version v1.0 · Synchronise the list of live cookies after every release.
# MeniQR Cookie Policy

**Effective date:** 4 May 2026
**Version:** v1.0

This Cookie Policy supplements the **Privacy Policy**. It describes how MeniQR and selected partners use cookies and comparable technologies (**tags**, **local storage**, **session storage**, certain **SDK identifiers** in downstream native shells if Restaurants ship hybrid containers—subject to Restaurant’s embedding scope). English capitalised terms align with Privacy Policy terminology unless clarified here.

---

## 1. What cookies are

A **cookie** is a small file or storage slot deposited on your device enabling stateful features (sessions, remembered locale, hardened auth rotation). Equivalent technologies emulate similar outcomes.

Cookies may be:

- **First-party** — set directly by domains MeniQR controls (`meniqrr.com` or subdomains Restaurants white-label attach—then dual roles apply cautiously subject to Annex).
- **Third-party** — set via embedded assets (payments, CDN diagnostics, analytic pixels if deliberately enabled—not default silent surveillance).

---

## 2. How we use consent (where required)

Certain non-essential cookies require **prior valid consent** in jurisdictions prescribing opt-in regimes (marketing pixels, discretionary analytics overlays). Essentials for explicit user-requested authenticated flows often rely on **technical necessity**.

Our registration screen may expose **marketing** opt-ins distinctly from essential legal acknowledgements (**do not intertwine illegally**).

If you withhold optional consent:

- Authenticated Panels may degrade non-core conveniences lacking storage (e.g. losing saved column widths).
- Public digital menu surfaces stay largely functional minus optional analytics granularity.

Consent may be revoked via cookie preference UI (**when surfaced**) or clearing browser cookies—understanding destructive UX side-effects. Children’s deceptive dark-pattern bundling forbidden.

---

## 3. Categories

| Category | Purpose | Typical examples | Default on first anonymous load* |
|---------|---------|-----------------|--------------------------------|
| **Strictly necessary / security / auth/session** | Supabase/session integrity, login CSRF/session replay resistance, brute-force pacing heuristics, anti-bot challenges if rolled out | `sb-*` auth-related cookies emitted by hosted Supabase subdomain used by deployment; ephemeral session bridging | **YES** |
| **Locale / UX preference** | language selection memory per next-intl / UI standards | locale preference cookie/name patterns like `NEXT_LOCALE` equivalents | Usually **YES** (lightweight usability) unless jurisdiction demands consent—then downgrade to ephemeral |
| **Load balancing / platform resilience** | edge routing coherence | infra vendor cookies if used | YES |
| **Analytics (optional aggregates)** | product improvement, anomaly detection overlays | hypothetical `_ga-*` ONLY if Restaurants enable integration / MeniQR later ships built-in dashboards | **CONDITIONAL consent** |

\*Defaults depend on lawful configuration—the table states architecturally intended layering; rollout teams must reconcile with PDP Law / ePrivacy-aligned counsel.

Exact cookie **names expire** evolve with releases; infra teams SHOULD maintain CSV inventory synchronised quarterly.

---

## 4. Persistence

| Persistence | Explanation |
|-----------|-------------|
| **Session** | Purged closing browser/tab (unless restored session feature) |
| **Persistent (short)** | Operational windows (hours–few weeks)—locale, beta flags |
| **Persistent (long)** | Minimal; marketing preference proof **≤ statutory proof retention** (~3–24 months jurisdictions vary) |

---

## 5. Third parties & Restaurants’ overlays

Stripe or similar PSP iframe flows may impose **their** cookies—we do not unify them under our Policy text; PSP policies govern.

Restaurants injecting **their** tracking into white-label storefronts MUST configure consent banners ethically and lawfully—we may suspend configs violating deceptive patterns or illegal surveillance.

---

## 6. Controlling cookies (browser/OS)

Broad guidance:

- Chromium: Site settings → Cookies
- Safari: Preferences → Privacy
- Firefox: Preferences → Privacy & Security

Enterprise-managed browsers overriding storage may degrade login reliability. Incognito/private windows shorten persistence.

---

## 7. Signals (GPC etc.)

Industry **global privacy controls** signalling “do not sell/share” semantics (US-state legacy phrasing unlikely inside Serbia MVP) honoured only where tech integration exists pragmatically—not currently default—placeholder for multinational evolution. Serbia Commissioner guidance on equivalent browser-level revocation should be mirrored when articulated.

---

## 8. Policy updates & inventory maintenance

Quarterly infra review aligns:

- Canonical cookie register JSON / CSV
- Automated scanner diff on staging before prod deploy tagging

Breaking reclassifications forcing new consent resets trigger **privacy changelog** excerpt.

---

## 9. Cookie contact / questions

**privacy@meniqrr.com**

For operational cookie misconfigurations disrupting login: **support@meniqrr.com**

---

### Appendix A – illustrative technical cookie families (NON-EXHAUSTIVE — verify prod)

Consult live DevTools snapshot per environment; infra must scrub stale rows each release:

| Tentative cookie / header family | Typical role |
|---------------------------------|-------------|
| `sb-*` session / refresh artefacts | Secure Supabase session integrity |
| `NEXT_LOCALE` or equivalent locale storage | Persist language choice |

If advanced analytics activates: append rows with expiry, classification, lawful basis annotation.