Cookie Policy
The short version: we set one cookie, and only when a practitioner signs into the dashboard. We don't track you, we don't run analytics, we don't sell advertising. Clients browsing a practitioner's booking page don't receive any cookies from Therapybook at all.
1. What is a cookie?
A cookie is a small text file that a website asks your browser to store. The browser sends it back to the site on every subsequent request, so the site can recognise you (e.g. to keep you signed in across pages). Cookies set by the site you're actually visiting are first-party cookies; cookies set by an embedded third party (an ad network, an analytics provider) are third-party cookies.
2. The cookie we set
| Name | Purpose | Category | Lifetime | Properties |
|---|---|---|---|---|
| __session | Identifies your signed-in dashboard session. Set when a practitioner completes the magic-link sign-in or finishes signup; cleared on sign-out. | Strictly necessary (no consent required under PECR / ePrivacy). | 7 days (sliding window — refreshed on each request). | HttpOnly, Secure, SameSite=Lax, host-only. |
HttpOnly means JavaScript on the page cannot read the cookie value — only the server can. Secure means it is only sent over HTTPS. SameSite=Lax means it isn't sent on cross-site requests except top-level navigations. Host-only (no Domain attribute) means it is scoped to the exact hostname that set it — it does not bleed across subdomains or to your custom domain.
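An added example, not Therapybook's own code: a Python check that parses a `Set-Cookie` header and reports any deviation from the properties listed in the table above. The sample headers are constructed, and treating `Max-Age` as the carrier of the 7-day lifetime is an assumption.

```python
# Added example: audit a Set-Cookie header against the properties this policy states.
SEVEN_DAYS = 7 * 24 * 60 * 60  # lifetime stated in the policy table, in seconds


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value, attrs


def audit_session_cookie(header):
    """Return a list of deviations from the policy; an empty list means it matches."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if name != "__session":
        findings.append(f"unexpected cookie name: {name}")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "secure" not in attrs:
        findings.append("missing Secure")
    if attrs.get("samesite", "").lower() != "lax":
        findings.append("SameSite is not Lax")
    if "domain" in attrs:
        findings.append("Domain attribute present (not host-only)")
    # Assumption: the lifetime is expressed with Max-Age; Expires is not checked here.
    max_age = attrs.get("max-age")
    if max_age is not None and (not max_age.isdigit() or int(max_age) > SEVEN_DAYS):
        findings.append("Max-Age invalid or over 7 days")
    return findings


# Constructed sample headers, not captured from the service.
GOOD = "__session=abc123; Path=/; Max-Age=604800; HttpOnly; Secure; SameSite=Lax"
BAD = "__session=abc123; Path=/; Domain=example.test; Max-Age=2592000; Secure"

if __name__ == "__main__":
    for header in (GOOD, BAD):
        print(audit_session_cookie(header) or "matches policy")
```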
3. What we don't set
We do not set, and do not knowingly allow any third party to set:
- Analytics cookies. No Google Analytics, no Plausible, no Fathom — nothing tracking your behaviour.
- Advertising cookies. No remarketing pixels, no Facebook conversion tags, no ad-network IDs.
- Cross-site tracking cookies. No Segment, no Mixpanel, no Hotjar, no session-replay tools.
- Browser fingerprinting. We do not combine device, language, and screen-size signals to identify visitors across sessions.
- Third-party cookies on the public booking surface. A client visiting a practitioner's booking page is anonymous to us. We don't issue them a cookie.
If you spot a cookie set by the platform that isn't in this policy, please tell us — that would be a bug.
4. Cookies set by Stripe
If you (the practitioner) click Connect Stripe in your dashboard, you'll be redirected to Stripe's domain to complete Stripe Connect onboarding. Stripe sets its own cookies on its own domain to operate that flow; those cookies are governed by Stripe's privacy notice, not by us.
If a client pays for a booking via Stripe Checkout, the same applies for the duration of the Checkout redirect. Once the client returns to the booking page, no Stripe cookie is present in our domain.
5. Your choices
Modern browsers let you block all cookies, block third-party cookies, or clear cookies on exit. We support all of these.
- Public booking pages work with cookies entirely disabled. Clients can book a session without giving consent to any storage.
- The practitioner dashboard needs __session to function. If you block it, you'll be signed out after each page load. There is no workaround for this — sessions intrinsically require some form of per-browser identifier.
You can clear the dashboard cookie at any time by clicking Sign out, or from your browser's settings panel.
6. Local storage and similar technologies
The dashboard uses a small amount of localStorage to remember interface preferences (e.g. the most-recent week shown on the bookings calendar). This is not a tracking technology and is not transmitted to our servers; it stays on your device until you clear it.
7. Changes to this policy
For non-material changes (clarifying wording, fixing typos) we may publish the updated policy without prior notice. For material changes (a new cookie, a new category) we will give you at least 30 days' notice by email and update the “Effective date” above.
8. Contact
Questions about cookies on the platform? Email support@clientbooking.pages.dev.