Cookie Policy
Last updated 3 June 2026.
This policy explains the cookies and similar storage (localStorage, sessionStorage, pixel beacons) that Raffair uses on raffair.co.uk. It sits alongside our Privacy Policy, which covers the broader picture of what personal data we process and why.
Under the UK Privacy and Electronic Communications Regulations (PECR) and the UK GDPR, we can only set non-essential cookies on your device with your consent. You give that consent — and you can withdraw it — through our cookie banner. To change your choice at any time, use the link, also available in the footer of every page.
Strictly necessary
Required to deliver the platform — auth, security, payments. These can't be switched off because the site won't work without them. We don't ask for consent for these because PECR exempts cookies that are strictly necessary to deliver a service you've explicitly asked for.
| Name | Provider | Purpose | Retention |
|---|---|---|---|
| session | Raffair(first party) | Keeps you signed in. Set after successful login and cleared on log out. | 30 days from last activity |
| raffair_consent | Raffair(first party) | Stores your cookie-banner decision so we don't ask again on every visit. | 13 months |
| cf_clearance / __cf_bm | Cloudflare(third party) | Bot and DDoS protection at the network edge. Without these the site can't tell you apart from automated abuse. | Up to 30 days |
| cf-chl-* | Cloudflare Turnstile(third party) | CAPTCHA-style bot check on signup, login, and password-reset forms. | Session |
| __stripe_mid / __stripe_sid | Stripe(third party) | Fraud detection on the Stripe Checkout iframe when you buy tickets. | Up to 1 year |
Analytics
Help us understand how Raffair is used in aggregate — what pages people read, which steps lose them, how the site performs. We use PostHog hosted in the EU, with autocapture and session replay both turned off.
| Name | Provider | Purpose | Retention |
|---|---|---|---|
| ph_* | PostHog (EU)(third party) | Aggregate product analytics — which pages people read, where they get stuck, how long sessions last. No session replay, no autocapture. | 12 months |
Marketing
Measure the performance of ads we run on Meta (Facebook + Instagram). Without this, conversions from our ads can't be attributed and we can't optimise spend. We use the Meta Pixel (browser) plus the Meta Conversions API (server). Server-side events share an event ID with browser events so Meta dedupes them and we don't double-count.
| Name | Provider | Purpose | Retention |
|---|---|---|---|
| _fbp | Meta(third party) | Identifies the browser to Meta's advertising platform so we can measure whether an ad on Facebook or Instagram led to a ticket purchase. | 90 days |
| fr | Meta(third party) | Same advertising-attribution purpose as `_fbp`. Set only on facebook.com domains. | 90 days |
Withdrawing consent
Use the link at any time. Toggling a category off stops new cookies from being set and disables ongoing tracking. Any cookies already set are cleared on your next page load. You can also clear them yourself through your browser settings.
Contact
For any data-protection question — including subject access, data portability, or to complain about how we've handled your data — email privacy@raffair.co.uk. You also have the right to lodge a complaint with the Information Commissioner's Office.