Cookie Policy
Version: 2.0 Effective date: 17 May 2026 Supersedes: version dated March 2026
This Cookie Policy supplements the Privacy Policy and is issued in accordance with Article 4(5) of Directive 2002/58/EC (the "ePrivacy Directive") as transposed by Greek Law 4727/2020 and with the guidance of the Hellenic Data Protection Authority on cookies of 25 February 2020 (Decision 1/2020).
It describes the cookies, similar technologies and browser-storage items used across the TabbPay landing site (tabbpay.com), the dashboard and guest ordering application (app.tabbpay.com) and the TabbPay Staff application (collectively, the "Platform").
1. Classification
The Platform uses two categories of cookies and similar technologies:
- Strictly necessary — required for the Platform to deliver a service that the user has actively requested (authentication, session integrity, language preference, recording of the consent decision itself). These are used without consent in accordance with Article 4(5)(c) of the ePrivacy Directive.
- Optional — analytics and operational error replay. These are inactive by default and only become active after the user has selected Accept on the consent banner. Selecting Reject prevents the corresponding scripts from being loaded.
No advertising cookies, behavioural-profiling cookies, or cross-site tracking technologies are used.
2. Strictly Necessary Cookies and Storage
| Identifier | Type | Surface | Purpose | Duration |
|---|---|---|---|---|
__session | Cookie (httpOnly, Secure) | Dashboard, Staff | Clerk authentication session token | End of browser session |
__client_uat | Cookie | Dashboard, Staff | Clerk client-side authentication timestamp | End of browser session |
__tabbpay_dt | Cookie (httpOnly, Secure, SameSite=Strict) | Guest ordering app | HMAC-signed device-binding token; enables the Platform to associate a returning device with its open table session and to enforce per-table device limits | 3 hours |
tabbpay_locale | Cookie | Landing site | Persists the user's language preference (Greek or English) | 1 year |
tabbpay_cookie_consent | localStorage | All surfaces | Records the user's consent decision (accepted or rejected) so the banner is not re-displayed on each visit | Until cleared by the user |
tabbpay_session | localStorage | Guest ordering app | Active table-session reference (session identifier, venue identifier, table identifier, expiry timestamp) | Until session expiry (typically 3 hours) |
tabbpay_device_id | localStorage | Guest ordering app | Random UUID identifying the browser device; allows session continuity if the tab is closed and reopened | Persistent for the device |
tabbpay_device_token | localStorage | Guest ordering app | Mirror of __tabbpay_dt for use by client-side fetch logic | Until session expiry |
tabbpay_cart | localStorage | Guest ordering app | Items currently in the Guest's basket | Until checkout or session expiry |
tabbpay_locale | localStorage | Guest ordering app | Language preference for the ordering interface | Persistent for the device |
tabbpay_split_claims_<splitId> | localStorage | Guest ordering app | Portions of a split bill claimed by the present device | Until bill is settled |
tabbpay_last_venue_id | Cookie | Dashboard | Restores the most recently used venue when a Business Customer signs in again | 400 days |
tabbpay_dash_rt | sessionStorage | Dashboard | Short-lived refresh token used to recover from Clerk-handshake errors | End of browser tab |
tabbpay_dash_org_sync_v1 | sessionStorage | Dashboard | Organisation-sync retry counter (internal state) | End of browser tab |
tabbpay_selected_plan | localStorage | Sign-up flow | Plan selected by the prospective Business Customer prior to completing sign-up | Until sign-up completes |
tabbpay_business_shape | localStorage | Sign-up flow | Business legal form selected by the Business Customer during the onboarding wizard | Until onboarding completes |
| Service Worker registration | Browser cache | Staff | Service worker that enables push notifications on the Staff app | Until the Staff member uninstalls or the worker is unregistered |
3. Optional Cookies and Storage
The following technologies are loaded only after the user has actively selected Accept on the consent banner. They are not loaded — and no associated cookie is set — if the user selects Reject or has not yet expressed a preference.
| Identifier | Type | Surface | Purpose | Provider |
|---|---|---|---|---|
| Vercel Web Analytics | Cookieless first-party measurement (no persistent identifiers; hashed daily) | Landing site | Aggregate page-view counts and referrer attribution | Vercel Inc. |
| Sentry session replay | Cookie and in-memory buffer | Landing site, Dashboard, Staff | Records replay of the user interaction immediately preceding an unhandled error, with form inputs and text content masked at source by the replay SDK | Functional Software, Inc. (Sentry) |
Sentry error reporting (without replay) operates on the legal basis of legitimate interest (Article 6(1)(f) GDPR) and runs irrespective of the consent decision. It is configured with sendDefaultPii: false and a beforeSend hook that removes known sensitive fields from error payloads. The replay capability is the only Sentry feature that requires consent.
4. How to Manage or Withdraw Consent
In accordance with the HDPA's 2020 cookie guidance (Decision 1/2020), consent may be withdrawn as easily as it was given:
- Via the in-product control. A "Cookie Preferences" link is provided in the footer of every TabbPay surface (landing site, dashboard, Staff app). Selecting it clears the persisted decision and re-displays the consent banner so that a fresh selection may be made.
- Via the browser. The consent decision is recorded in
localStorageunder the keytabbpay_cookie_consent. The browser's "clear site data" function will remove this entry along with all other Platform storage.
The optional analytics and replay technologies may also be blocked at the network layer through the browser's tracking-protection settings or privacy-focused browser extensions.
Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
5. Contact
Questions regarding this Cookie Policy may be addressed to privacy@tabbpay.com.
See also the full Privacy Policy.