Cookie Policy

1. Scope

This Cookie Policy applies to the restaurant’s public website, to the administration panel where browser cookies are used for authentication and session security, and to future tenant sites in the SaaS version of the platform. It must be read together with the Privacy Policy and is linked from the footer of all public pages.

2. Project baseline

The project code follows a “necessary only” architecture as a baseline: the administration panel’s authentication and session cookies are used for staff access; security-related cookies may be used for session protection and CSRF-type protections; language preference cookies or consent-state cookies may be used if enabled later; analytics and marketing tags are not currently wired into the runtime code, so they are not presented as active by default.

If the deployment uses only necessary cookies, this notice states that clearly. If analytics, advertising, pixels, or third-party embedded content are enabled in the future, the cookie notice and the consent manager will be updated before activation.

3. Strictly necessary cookies

These include cookies required to keep administrator users authenticated; protect the integrity and security of the session; remember essential technical preferences such as language or consent status; securely route essential requests. In Spain and the EEA, these cookies may be used without prior consent when they are genuinely necessary for the service requested by the user.

4. Functional cookies

They are used only if the site enables optional convenience features, for example storing non-essential interface preferences, remembering design choices that are not strictly required, or enhancing embedded experiences requested by the user. In Spain and the EEA, whether consent is required depends on the specific case; if there is doubt, these cookies are treated conservatively and activated only after the user’s choice.

5. Third-party embedded content

Future embeds—maps, videos, social widgets, or booking widgets—may trigger storage or tracking by third parties. When that happens, this notice will honestly identify the category; the embed will be blocked or replaced with a click-to-activate placeholder when appropriate; the public site will avoid silent third-party tracking on page load.

6. Banner and consent requirements

When the project activates optional categories, the cookie layer will follow the strictest operational baseline: a first layer of choice with “accept all,” “reject all non-essential,” and “manage preferences” options; give rejection prominence comparable to acceptance; do not use pre-ticked boxes; do not treat continued browsing, scrolling, or closing the banner as consent; make withdrawal as easy as acceptance; keep proof of consent status where required; avoid deceptive designs, asymmetric friction, or manipulative language.

The safest product baseline for this project is: necessary only by default; optional categories disabled until explicit opt-in; the consent manager remains accessible from the footer or from another persistent legal access point.

7. Cookie register

This policy is supported by an internal cookie register that records, at a minimum: cookie name, provider, purpose, category, duration, whether it is first- or third-party, whether it depends on consent, and whether it is active in the current deployment. Vendors such as Google Analytics, Google Ads, or Meta Pixel are only listed in the register if they are actually enabled and if their cookies or identifiers are actually present.

8. Supplemental notice for the U.S.

For publications directed to the U.S., rights at the state level vary by jurisdiction. If the service carries out a legally relevant sale or sharing of personal information, or cross-context behavioral advertising, opt-out rights will be honored where enforceable. Browser-level privacy signals such as Global Privacy Control will be honored when legally applicable.

If the service does not carry out a sale or sharing in that sense, this notice will state so, instead of pretending that an opt-out right applies to a non-existent practice.

9. Supplemental notice for Ukraine

For publications directed to Ukraine, this notice aligns with the main privacy policy and local legislation, maintaining the EEA’s strict baseline whenever the same deployment also serves residents in the EEA. The practical operational rule for this multilingual project is: maintain the EEA-equivalent consent standard as the default on the public site, without weakening the banner for non-EEA languages in the same shared deployment.

10. Changes to this policy

When this policy changes, the date shown at the top of the page will be updated. If the changes introduce new tracking technologies, notice will be provided and the consent manager will be updated before activation.

11. Contact

Questions about this cookie policy may be directed to the controller using the contact details shown at the end of this page. In SaaS mode, the tenant responsible for the specific site is identified in its own notice.