Cookie Policy
Foodli — Sicilean S.r.l.
Version 1.0 — March 2026 · Pursuant to Art. 122 Italian Legislative Decree 196/2003 and Garante Resolution no. 231/2021
Data Controller
Sicilean S.r.l. — Via Roma no. 95, 91021 Campobello di Mazara (TP), Italy
VAT 02898760810 | REA TP-204826 | privacy@sicilean.tech | Certified email (PEC): sicilean@pec.it
1. What Cookies Are
Cookies are small text files that a website stores in the user's browser when visiting a page. They may be used to run the site, remember preferences, or collect information about browsing behaviour.
Foodli also uses similar technologies, such as browser localStorage (local browser memory, not transmitted to servers). In this policy we refer to all such technologies collectively as "tracking tools", in line with the Italian Garante guidelines of 10 June 2021 (Resolution no. 231/2021).
2. Types of Cookies Used
2.1 Essential Technical Cookies — no consent required
Required for the platform to work. No consent is required under Art. 122(1) Legislative Decree 196/2003.
| Cookie name | Purpose | Retention | Party |
|---|---|---|---|
sb-[ref]-auth-token | User authentication session. HttpOnly, Secure, SameSite=Lax. Authenticated users only. | Session lifetime | First party (Supabase) |
sb-[ref]-auth-token.0/.1 | Additional session token chunks (large tokens). Authenticated users only. | Session lifetime | First party (Supabase) |
foodli_legal_ok | Caches verified legal compliance status. Avoids a database call on every access to restricted areas, keeping checks transparent and performant. Set only after login and verification of mandatory legal consents. SameSite=Lax, Secure. Authenticated users only. No personal data in the value. | 24 hours | First party (Sicilean) |
Supabase session cookies are set only after login. Public menu visitors do not receive session cookies.
2.2 Consent Preference Cookies — no consent required
| Cookie name | Purpose | Retention | Party |
|---|---|---|---|
sicilean_analytics_consent | Stores the analytics choice (accepted/rejected). Prevents the banner from reappearing unnecessarily. SameSite=Lax, Secure. | 180 days | First party (Sicilean) |
180-day retention follows Garante Resolution no. 231/2021: the banner may be shown again no sooner than every 6 months.
2.3 Analytics Cookies — explicit consent required
Activated only after explicit consent via the banner. Before consent, no analytics cookies are set and no data is sent.
| Cookie name | Purpose | Retention | Provider |
|---|---|---|---|
ph_[key]_posthog | Behavioural analytics: pages visited, UI interactions, errors. Anonymous data. EU servers. | 365 days (or until withdrawn) | PostHog Inc. (EU Cloud) |
• PostHog: EU server (eu.i.posthog.com) — no transfers outside the EEA.
2.4 Planned Cookies (not yet active)
The following cookies are not currently set but are planned for future integrations. This policy will be updated in advance before they are activated, and the cookie banner will be shown again to collect specific new consent.
| Cookie name | Planned purpose | Planned retention | Planned provider |
|---|---|---|---|
_ga | Distinguishes users for Google Analytics. IP anonymised. | 2 years (or until withdrawn) | Google LLC (DPF) |
_ga_[stream-id] | Maintains session state for Google Analytics. | 2 years (or until withdrawn) | Google LLC (DPF) |
• Google Analytics (planned): IP anonymised; Google LLC certified under the EU-US Data Privacy Framework (Decision 2023/1795/EU).
2.5 LocalStorage (technology similar to cookies)
| Key | Purpose | Retention | Transmission |
|---|---|---|---|
foodli_menu_view:{menuId}:{data} | Prevents duplicate counting of menu views. Browser-local only. Public menu visitors. | Expires the next day | Never transmitted |
__ph_opt_in_out_[token] | Technical record of PostHog analytics opt-in/opt-out. Written by the PostHog library as an anti-tracking mechanism: value 0 (opt-out, default before consent) blocks any events from being sent to PostHog servers; value 1 enables tracking only after explicit consent. Updated in real time with banner choices. No personal data in the value. All visitors (including public menu). | Persistent (no expiry) | Never transmitted — client-side only |
localStorage keys are not cookies and are never transmitted to Sicilean or third parties. The __ph_opt_in_out_* key is written by the PostHog library as a technical anti-tracking measure: it is needed so the system remembers opt-out between pages, even before the user interacts with the banner. It is a technology similar to cookies, subject to the same safeguards under Garante Resolution no. 231/2021.
3. Third-Party Cookies
| Third party | Purpose | Consent | Privacy policy |
|---|---|---|---|
| PostHog Inc. | Behavioural analytics (only with consent) | Yes — explicit | posthog.com/privacy |
| Google LLC (planned) | Google Analytics — not yet integrated | — | policies.google.com/privacy |
| Supabase Inc. | Authentication (technical session cookie) | No — technical | supabase.com/privacy |
OAuth provider note: When you sign in with "Sign in with Google/Facebook/Apple", the OAuth provider may set its own cookies in your browser. Those cookies are governed by the providers' privacy policies and are outside Sicilean's control.
4. How to Manage Cookies
4.1 Via the Foodli Banner / Preference Manager
On first visit, a banner lets you:
- Accept analytics cookies (enables PostHog and Google Analytics)
- Reject analytics cookies (you can still use the platform fully)
- Manage preferences at any time via the footer link
Reject and accept are presented with equal visual prominence in the banner, in line with Garante Resolution no. 231/2021.
4.2 Via Browser Settings
You can configure your browser to block or delete cookies. Note: blocking essential technical cookies may break the service (e.g. you may not stay logged in).
- Chrome: chrome://settings/cookies
- Firefox: about:preferences#privacy
- Safari: Settings → Privacy → Manage Website Data
- Edge: edge://settings/cookies
4.3 Direct Analytics Opt-Out
- PostHog: posthog.com/privacy
- Google Analytics: Browser add-on to disable Google Analytics
5. Updates to this Cookie Policy
This Cookie Policy may be updated to reflect technical or legal changes. If material updates affect cookies that require consent, the cookie banner will be shown again. Planned changes: possible Google Analytics integration (already described as future) — the policy will be updated in advance.
Check the version date at the top of this page periodically. The latest version is always available at foodli.app/cookies.
6. Your Rights and Contacts
For any question or to exercise the rights under Arts. 15–22 GDPR:
Email: privacy@sicilean.tech
PEC: sicilean@pec.it
Controller: Sicilean S.r.l. — Via Roma no. 95 — 91021 Campobello di Mazara (TP), Italy
You also have the right to lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it).
Related documents