Legal
Cookie Policy
Effective date: 25 May 2026 · BRANTELO OÜ · Tallinn, Estonia
This Policy is issued pursuant to Article 5(3) of EU ePrivacy Directive 2002/58/EC and GDPR Regulation (EU) 2016/679. It describes every cookie deployed on brantelo.com, the legal basis for each, and your rights and choices.
1. Introduction & Scope
This Cookie Policy ("Policy") is issued by BRANTELO OÜ (registry code 17282632), a private limited company incorporated under Estonian law with its registered office at Tornimäe tn 5, 10145 Tallinn, Estonia ("Brantelo", "we", "us", "our").
This Policy explains, in accordance with Article 13 of the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), Article 5(3) of the EU ePrivacy Directive (2002/58/EC as amended by 2009/136/EC), and applicable national implementing legislation, what cookies and similar tracking technologies are deployed on brantelo.com (the "Platform"), why we use them, and what rights you have in relation to them.
This Policy forms part of and should be read together with our Privacy Policy (brantelo.com/privacy) and Terms of Service (brantelo.com/terms). Terms defined in the Privacy Policy or Terms of Service have the same meaning when used in this Policy.
2. What Are Cookies & Similar Technologies
Cookies are small text files placed on your device (computer, smartphone, or tablet) by a web server when you visit a website. Cookies are widely used to make websites function correctly, to improve user experience, and to provide information to the operators of websites.
Cookies may be classified by their lifespan: Session cookies are temporary and are automatically deleted when you close your browser. Persistent cookies remain on your device for a defined period of time or until you manually delete them.
Cookies may also be classified by their origin: First-party cookies are set by the domain you are visiting (in this case, brantelo.com) and are controlled by Brantelo. Third-party cookies are set by a domain other than the one you are visiting — for example, Google Analytics cookies set by google-analytics.com — and are controlled by those third parties.
In addition to cookies, websites may use related technologies such as web beacons (pixel tags), local storage (localStorage/sessionStorage), and fingerprinting techniques. Brantelo does not use web beacons, fingerprinting, or any tracking technology beyond the cookies expressly described in this Policy.
3. Legal Basis for Cookie Usage
Under the EU ePrivacy Directive (Article 5(3)) and GDPR, we may only place cookies on your device where we have a valid legal basis to do so. Brantelo operates on the following legal bases:
Strictly Necessary Cookies — Legal Basis: Legitimate Interest (GDPR Art. 6(1)(f)) / Technical Necessity. Strictly necessary cookies are essential for the Platform to function. Without them, core services such as account authentication and session management cannot operate. These cookies do not require your consent under Recital 25 of the ePrivacy Directive, as they are strictly necessary to deliver the information society service you have explicitly requested. You cannot opt out of strictly necessary cookies without ceasing use of the relevant feature of the Platform.
Analytics Cookies — Legal Basis: Consent (GDPR Art. 6(1)(a)). Analytics cookies are placed only with your freely given, specific, informed, and unambiguous consent, obtained through the Cookie Consent Banner displayed on your first visit to the Platform. Consent is recorded in a consent cookie (cookie_consent) and linked to your browsing session. You may withdraw your consent at any time with effect for the future; withdrawal does not affect the lawfulness of processing based on consent prior to withdrawal.
No other categories of cookies — including advertising, retargeting, social media, or profiling cookies — are deployed on the Platform.
4. Cookies We Use
The following table provides a complete inventory of all cookies currently deployed on the Platform. This inventory is reviewed and updated whenever the Platform's cookie usage changes materially.
| Cookie Name | Category | Controller | Purpose | Duration |
|---|---|---|---|---|
| customer_session | Strictly Necessary | Brantelo | Authenticates and maintains the session of a logged-in customer (B2C Buyer). Stores an encrypted, server-validated token. Not accessible to JavaScript (HttpOnly flag). Prevents session hijacking. | 30 days (rolling) |
| seller_session | Strictly Necessary | Brantelo | Authenticates and maintains the session of a verified Seller logged into the Seller Dashboard. HttpOnly, SameSite=Lax. Automatically invalidated on sign-out or after 30 days of inactivity. | 30 days (rolling) |
| b2b_session | Strictly Necessary | Brantelo | Authenticates and maintains the session of a verified B2B Buyer logged into the wholesale portal. HttpOnly, SameSite=Lax. No personal data is stored in the cookie payload — only a server-validated identifier. | 30 days (rolling) |
| cookie_consent | Strictly Necessary | Brantelo | Records your cookie consent decision (accepted / declined) so the consent banner is not repeatedly displayed. Required for GDPR-compliant consent management. Does not contain personal data. | 365 days |
| _ga | Analytics | 3rd Party | Google Analytics 4 — distinguishes unique visitors by assigning a randomly generated client ID. Used to generate aggregate, anonymised reports on Platform usage. IP anonymisation is enabled; no cross-site tracking. | 2 years |
| _ga_[ID] | Analytics | 3rd Party | Google Analytics 4 — maintains and stores session state for a specific GA4 measurement ID. Works in conjunction with _ga to count sessions and pageviews per property. | 2 years |
| _gid | Analytics | 3rd Party | Google Analytics — distinguishes users across a single 24-hour session. Expires daily. Used for short-term session counting in aggregate analytics reports. | 24 hours |
5. Strictly Necessary Cookies — Detailed Description
5.1 Session Authentication Cookies (customer_session, seller_session, b2b_session). These three first-party cookies serve the sole purpose of maintaining authenticated sessions for the three categories of registered Platform users: B2C Buyers, Sellers, and B2B Buyers respectively. Each cookie contains an encrypted, server-side-validated session token. No personal data (name, email, financial data) is stored within the cookie payload itself. The tokens are validated against server-side session records on every request.
All three session cookies are set with the HttpOnly flag, preventing access by client-side JavaScript and mitigating cross-site scripting (XSS) attacks. They are additionally set with the SameSite=Lax attribute, providing protection against cross-site request forgery (CSRF) attacks. Session cookies expire 30 days after creation on a rolling basis (refreshed with each authenticated request) and are immediately invalidated upon sign-out.
5.2 Consent Record Cookie (cookie_consent). This first-party persistent cookie stores a boolean value representing your consent decision (accepted or declined) in relation to optional analytics cookies. It is set upon interaction with the Cookie Consent Banner. Its purpose is purely administrative — to prevent the Banner from being re-displayed on every page visit and to enable Brantelo to demonstrate consent status in the event of a regulatory inquiry. The cookie contains no personal data beyond the consent decision itself and a timestamp.
6. Analytics Cookies — Detailed Description
6.1 Google Analytics 4 (_ga, _ga_[ID], _gid). Brantelo uses Google Analytics 4 ("GA4"), a web analytics service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. GA4 is deployed exclusively with your prior consent. If you decline optional cookies via the Cookie Consent Banner, GA4 scripts are not loaded and no analytics cookies are set.
GA4 assigns a randomly generated client identifier (_ga) to your browser to distinguish unique visitors. This identifier does not directly identify you as a natural person; it is pseudonymous. GA4 reports are received by Brantelo in aggregated, statistical form showing page views, session durations, geographic regions (country/city level), device types, and referral sources. Brantelo uses this data solely to improve the Platform's functionality and user experience.
IP Anonymisation: Brantelo has enabled IP anonymisation within the GA4 configuration. The last octet of IPv4 addresses and the last 80 bits of IPv6 addresses are masked before any geographic lookup is performed. Full IP addresses are never stored by Google in connection with Brantelo's GA4 property.
6.2 International Transfer — Google Analytics. Google LLC is headquartered in the United States. The transmission of analytics data to Google involves an international transfer of data outside the European Economic Area (EEA). This transfer is governed by the Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into Google's data processing terms. Brantelo has assessed this transfer and concluded that, in combination with IP anonymisation and the pseudonymous nature of the data, an adequate level of protection is maintained.
6.3 Google Analytics Opt-Out. In addition to withdrawing consent via the Cookie Consent Banner, you may prevent GA4 data collection entirely by installing the Google Analytics Opt-Out Browser Add-On available at tools.google.com/dlpage/gaoptout. This add-on instructs the GA4 JavaScript (gtag.js) not to share information with Google Analytics about visit activity.
7. Cookies We Do NOT Use
For transparency and to address common concerns, Brantelo expressly confirms that the following categories of cookies and tracking technologies are NOT used on the Platform:
- Advertising or retargeting cookies (e.g. Google Ads, Meta Pixel, DoubleClick) — we do not run behavioural advertising campaigns through the Platform.
- Social media tracking cookies (e.g. Facebook, LinkedIn, Twitter/X, TikTok "Like" or "Share" buttons that set third-party cookies).
- Cross-site tracking or fingerprinting technologies that build persistent profiles of your browsing behaviour across multiple websites.
- Affiliate tracking cookies or cookies placed by third-party commercial partners.
- Heat-mapping or session-recording tools (e.g. Hotjar, FullStory, Microsoft Clarity).
- A/B testing or personalisation cookies that alter the content displayed to different users based on profiling.
8. Your Rights & Consent Management
8.1 Right to Withdraw Consent. Where cookies are deployed on the basis of your consent (currently: analytics cookies), you have the right to withdraw that consent at any time, without detriment. Withdrawal of consent does not affect the lawfulness of any processing that occurred based on your consent prior to withdrawal. To withdraw consent, use any of the methods described in Section 8.2.
8.2 How to Manage Your Cookie Preferences. You may manage your cookie preferences through the following mechanisms:
- Cookie Consent Banner: On your first visit to the Platform, a Cookie Consent Banner is displayed. You may accept or decline optional (analytics) cookies at this point. Your choice is recorded in the cookie_consent cookie.
- Browser Settings: You may configure your browser to block, restrict, or delete cookies at any time. Note that blocking strictly necessary cookies will impair your ability to log in and use authenticated features of the Platform.
- Google Analytics Opt-Out Add-On: Available at tools.google.com/dlpage/gaoptout — prevents GA4 data collection independently of cookie settings.
- Google's Advertising Settings: Visit adssettings.google.com to manage Google's use of your information for personalisation purposes across Google services.
8.3 Right to Access & Erasure. You have the right to request information about the personal data processed in connection with cookies, and to request erasure of such data, subject to the conditions and exceptions set out in our Privacy Policy (brantelo.com/privacy). To exercise these rights, contact sales@brantelo.com with the subject line "Cookie Data Request".
8.4 Right to Lodge a Complaint. If you believe that Brantelo's use of cookies does not comply with applicable law, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at www.aki.ee, or with the data protection supervisory authority of your EU Member State of habitual residence.
9. Browser Cookie Management — Instructions
The following official resources provide step-by-step instructions for managing cookies in the most commonly used web browsers. Brantelo is not responsible for the content of these external resources, which may change without notice.
If you use a browser not listed above, please consult that browser's official documentation for cookie management instructions.
Google Chrome
support.google.com/chrome/answer/95647
Mozilla Firefox
support.mozilla.org/kb/cookies-information-websites-store-on-your-computer
Apple Safari (macOS)
support.apple.com/guide/safari/manage-cookies-sfri11471
Apple Safari (iOS)
support.apple.com/en-gb/HT201265
Microsoft Edge
support.microsoft.com/microsoft-edge/delete-cookies-in-microsoft-edge-63947406
Opera
help.opera.com/en/latest/web-preferences/#cookies
10. Data Retention & Cookie Lifespans
The specific lifespan of each cookie is set out in the Cookie Inventory table in Section 4. In general terms:
- Strictly necessary session cookies (customer_session, seller_session, b2b_session) expire after 30 days of inactivity or upon sign-out, whichever is earlier. They are not retained beyond this period.
- The consent record cookie (cookie_consent) is retained for 365 days to avoid requiring you to restate your preference on every visit. It is refreshed upon any subsequent interaction with the consent management interface.
- Google Analytics cookies (_ga, _ga_[ID]) are retained for up to 2 years from the date of last activity, in accordance with Google's default retention settings for GA4. The _gid cookie expires after 24 hours.
- Analytics data collected via Google Analytics is retained within Brantelo's GA4 property for 14 months at signal level, after which it is automatically deleted or aggregated beyond re-identification.
11. Changes to This Cookie Policy
Brantelo reviews this Policy at least annually and following any material change to the Platform's technology stack or cookie usage. When we make material changes — such as introducing a new category of cookies or a new third-party service — we will:
- update the "Effective Date" at the top of this page;
- display a refreshed Cookie Consent Banner to all visitors, requiring fresh consent where new consent-based cookies are introduced;
- where required by applicable law, notify registered Users by email of material changes to this Policy.
The current version of this Policy is always available at brantelo.com/cookies. We encourage you to review this Policy periodically to stay informed about how we use cookies.
12. Contact
For any questions, concerns, or requests relating to this Cookie Policy or Brantelo's use of cookies:
Email: sales@brantelo.com (subject: "Cookie Policy Enquiry")
Post: BRANTELO OÜ · Tornimäe tn 5, 10145 Tallinn, Estonia
Registry Code: 17282632
We aim to respond to all cookie-related correspondence within 5 business days.
BRANTELO OÜ · Registry Code: 17282632 · Tornimäe tn 5, 10145 Tallinn, Estonia
This Policy was last reviewed and updated on 25 May 2026.