Cookie & Tracking Policy

Version 1.0 Effective 3/1/2026

Cookie & Tracking Policy

Effective Date: March 1st, 2026
Version: 1.1
Last Updated: February 9th, 2026

1. Introduction

This Cookie & Tracking Policy explains how the Lekki Rewards Portal ("the Portal") uses cookies and similar tracking technologies.

This policy should be read in conjunction with our Privacy Policy, which provides detailed information about how we collect, use, and protect your personal data.

Scope: This policy applies to the Lekki Rewards Portal (web). For tracking technologies used in the Lekki mobile app and Lekki for Business mobile app (iOS and Android), see the "Mobile App Tracking Technologies" section of our Privacy Policy.

2. What Are Cookies?

Cookies are small text files stored on your device (computer, tablet, smartphone) when you visit a website. They help websites remember your preferences, improve your experience, and provide analytics to website operators.

Types of Cookies:

  • Session Cookies: Temporary cookies deleted when you close your browser
  • Persistent Cookies: Remain on your device for a set period or until manually deleted
  • First-Party Cookies: Set by the Portal (lekki-rewards.com)
  • Third-Party Cookies: Set by external services (e.g., Google Analytics)

3. Cookies We Use

We use two categories of cookies. Neither category requires a cookie consent banner under applicable Dutch and EU law. No consent banner is displayed.

These cookies are strictly necessary for the Portal to function. They cannot be disabled.

Cookie Name Purpose Duration Type
auth_token User authentication and session management Session First-party
csrf_token Security protection against cross-site request forgery Session First-party
session_id Maintain user session across pages Session First-party
firebaseIdToken Firebase Authentication token Session (token expiry) First-party
language_pref Remember language selection (English/Dutch) 12 months First-party
theme_pref Remember light/dark mode preference 12 months First-party
dashboard_layout Remember dashboard widget configuration 12 months First-party
table_settings Remember table sorting and filtering preferences 12 months First-party

Legal Basis: Legitimate interest (GDPR Article 6(1)(f)) — strictly necessary for service delivery.

Exemption from consent: Under the ePrivacy Directive (2002/58/EC) Article 5(3), as implemented by the Dutch Telecommunications Act (Telecommunicatiewet) Article 11.7a, cookies that are strictly necessary for delivering an information society service explicitly requested by the user are exempt from consent requirements. Preference cookies (language, theme, layout) fall within this exemption because they store user-initiated settings that are integral to the service the user requested.

These cookies help us understand how merchants use the Portal to improve functionality. They are configured with privacy-protective measures that qualify them for the Dutch analytics cookie exemption.

Cookie Name Purpose Duration Type
_ga Google Analytics 4 — distinguish users 2 years Third-party (configured as first-party equivalent)
_ga_* Google Analytics 4 — session tracking 2 years Third-party (configured as first-party equivalent)
_gid Google Analytics — distinguish users 24 hours Third-party (configured as first-party equivalent)

What We Track (aggregate statistics only):

  • Page views and navigation patterns
  • Feature usage (loyalty builder, campaign manager, menu upload)
  • Session duration and frequency
  • Device type and browser information
  • Error rates and performance metrics

Privacy-Protective Configuration:

  • IP addresses are anonymized before storage (Google Analytics setting anonymize_ip: true)
  • Data sharing with Google for advertising or benchmarking purposes is disabled
  • Google Signals is disabled
  • User-ID features are not used for cross-device tracking
  • Data retention is set to the minimum period offered by the provider
  • No data is combined with data from other Google services

Legal Basis: Legitimate interest (GDPR Article 6(1)(f)) — improving service quality based on aggregate usage data.

Exemption from consent: The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has confirmed that analytics cookies do not require consent when they have minimal privacy impact. This exemption applies when: (1) the analytics are first-party or configured to function as first-party; (2) IP addresses are anonymized; (3) no data is shared with the analytics provider for their own purposes; and (4) data is used only for aggregate statistical analysis. Our Google Analytics 4 configuration satisfies all four conditions.

Reference: Autoriteit Persoonsgegevens guidance on analytical cookies — https://www.autoriteitpersoonsgegevens.nl/themas/internet-telefoon-tv-en-post/cookies#faq

Opt-Out: Despite no legal requirement for consent, we respect your choice. You can opt out of Google Analytics tracking at any time using the Google Analytics Opt-out Browser Add-on: https://tools.google.com/dlpage/gaoptout

4. Third-Party Services

We use the following third-party service that may set cookies:

4.1 Google Analytics 4 (GA4)

Under the GDPR and Dutch Telecommunications Act, our use of cookies is lawful without a consent banner:

Essential Cookies (including preference cookies):

  • Legal Basis: ePrivacy Directive Article 5(3) exemption — strictly necessary for the explicitly requested service
  • GDPR Basis: Legitimate interest (Article 6(1)(f)) — necessary for service delivery, security, and user-requested functionality
  • No Consent Required: Always active

Analytics Cookies (privacy-protective configuration):

  • Legal Basis: Dutch Telecommunications Act Article 11.7a — analytics with minimal privacy impact are exempt from consent under Dutch DPA guidance
  • GDPR Basis: Legitimate interest (Article 6(1)(f)) — aggregate data used to improve service quality
  • No Consent Required: Always active with the privacy-protective measures described in §3.2

Why no consent banner?
We do not display a cookie consent banner because all cookies used on the Portal fall within recognized legal exemptions. Displaying a consent banner for exempt cookies would be misleading as it implies consent is required when legally it is not. If we introduce cookies in the future that require consent (such as advertising or retargeting cookies), we will implement a consent mechanism at that time and update this policy accordingly.

6.1 Browser Settings

You can control cookies through your browser settings:

  • Chrome: Settings → Privacy and security → Cookies and other site data
  • Firefox: Settings → Privacy & Security → Cookies and Site Data
  • Safari: Preferences → Privacy → Manage Website Data
  • Edge: Settings → Cookies and site permissions → Manage and delete cookies

Note: Blocking essential cookies may prevent the Portal from functioning properly.

6.2 Google Analytics Opt-Out

You can opt out of Google Analytics tracking at any time:

6.3 Future Changes

If we introduce cookies that require consent in the future (e.g., advertising or retargeting cookies), we will:

  1. Update this Cookie Policy with at least 30 days advance notice
  2. Implement a GDPR-compliant consent mechanism with granular control
  3. Never activate consent-requiring cookies without your explicit opt-in
Cookie Category Retention Period Deletion Method
Session Cookies Deleted when browser closes Automatic
Essential Cookies 12 months maximum Automatic expiration
Analytics Cookies 24 hours to 2 years Automatic expiration or manual deletion

8. Updates to This Policy

8.1 Change Notification

  • Portal Notifications: In-app alerts for material changes
  • Email Updates: Notifications sent to registered email addresses
  • Version History: Previous versions available for reference
  • Advance Notice: 30-day notice period for significant changes

8.2 Your Options

  • Review Changes: Compare new and previous policy versions
  • Opt Out of Analytics: Use the Google Analytics opt-out add-on at any time

9. Contact Information

Email: privacy@lekki-rewards.com
Subject Line: Cookie Policy Question
Response Time: Within 72 hours

9.2 Privacy Contact

Email: privacy@lekki-rewards.com
Role: Privacy contact point for data subjects
Available For: Cookie and tracking technology questions

9.3 Supervisory Authority

You have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens):

GDPR & ePrivacy Directive Compliance:

  • Essential cookies classified correctly under ePrivacy Article 5(3) exemption
  • Preference cookies (language, theme, layout) classified as essential — user-initiated, first-party, non-tracking
  • Analytics cookies configured with minimal privacy impact (IP anonymization, no data sharing, aggregate-only)
  • Analytics cookie exemption documented per Dutch DPA guidance
  • No consent-requiring cookies in use — no consent banner needed
  • Clear information about all cookie purposes and retention periods
  • Voluntary opt-out mechanism provided for analytics (Google Opt-out Add-on)
  • Cookie policy linked in footer (always accessible)
  • Commitment to implement consent mechanism if consent-requiring cookies are introduced

Dutch Telecommunications Act Compliance:

  • No marketing/advertising cookies in use
  • Analytics cookies qualify for Dutch DPA exemption (4 conditions satisfied)
  • Cookie policy available in accessible location (footer link)
  • Future-proofed: consent mechanism commitment if marketing cookies are introduced

This Cookie Policy explains how the Lekki Rewards Portal uses cookies. All cookies currently in use are exempt from consent requirements under applicable Dutch and EU law. You can manage cookies through your browser settings or opt out of analytics tracking using the Google Analytics Opt-out Browser Add-on.

Lekki Rewards is a trade name of Kalantrix, vennootschap onder firma (VoF)

© 2026 Kalantrix. All rights reserved.