What cookies are
Cookies are small text files that websites store in your browser. They are used for authentication, preferences, analytics, and marketing. Similar technologies (local storage, session storage, web beacons, pixels, SDKs) work the same way for the purposes of this policy.
Categories we use
Strictly necessary
Required for the platform to function. No consent required under GDPR or ePrivacy. These include the auth session, CSRF token, the consent state itself, and language preference. Disabling these will break sign-in and core checkout.
Performance and analytics
Help us understand which pages and features people use so we can improve them. Consent required in EEA and UK. Includes Cloudflare bot detection and our internal product analytics.
Functional
Remember the preferences you set: theme, layout, recently viewed items in the admin. Used under consent or legitimate interest.
Marketing
Consent-required, opt-in only. Mercemur itself does not run advertising cookies on mercemur.com today. If a merchant enables advertising on their storefront, that merchant discloses those cookies in their own cookie notice.
Cookie inventory
A summary of cookies set by Mercemur or by third parties we integrate. The full internal compliance inventory is maintained in our SOC 2 appendix.
| Name | Set by | Category | Purpose | Duration | Host | GDPR class |
|---|---|---|---|---|---|---|
| mercemur_session | Mercemur | Strictly Necessary | Auth session | Session | .mercemur.com | Exempt |
| mercemur_csrf | Mercemur | Strictly Necessary | CSRF token | Session | .mercemur.com | Exempt |
| mercemur_consent | Mercemur | Strictly Necessary | Consent state | 12 months | .mercemur.com | Exempt |
| mercemur_locale | Mercemur | Strictly Necessary | Language preference | 12 months | .mercemur.com | Exempt |
| __cf_bm | Cloudflare | Performance | Bot detection | 30 min | .mercemur.com | Consent in EEA |
| _ph_* | Product analytics | Analytics | Product usage | 12 months | .mercemur.com | Consent |
Consent mechanics
- First-visit banner with granular per-category toggles. Strictly necessary cookies are always on; other categories are off by default in the EEA and UK.
- "Save preferences", "Accept all", and "Reject all" buttons are given equal visual weight. Pre-ticked boxes are prohibited under GDPR.
- Consent log retained for 13 months per CNIL guidance: decision, timestamp, IP truncated to /24, user agent.
- We honor "Do Not Track" and "Global Privacy Control" signals where browsers send them.
Re-manage your consent
You can change your cookie preferences at any time. Open the consent banner from the footer link "Manage cookies", or click below:
The button reopens the consent banner via the global window.dispatchEvent(new Event("mercemur:consent:open")) hook the chrome layer listens for.
Browser controls
You can also block or delete cookies in your browser settings. Blocking strictly necessary cookies will prevent sign-in and checkout from working.
- Cookie settings in Google Chrome
- Cookie settings in Firefox
- Cookie settings in Safari
- Cookie settings in Microsoft Edge
Do Not Track and GPC
We honor the Global Privacy Control signal. The Do Not Track header has no standardized semantics, so we treat it as a request to disable non-essential cookies, matching our GPC handling.
Changes to this policy
Material changes trigger a banner re-prompt and a public post. Current version 1.0, effective May 30, 2026.
Contact
For cookie-related questions, write to support@mercemur.com. For everything else privacy-related, see our Privacy Policy.