Cookie Policy

PECR & UK GDPR compliant · Last updated: April 2026 · Version 3.0

Plain-English summary. We only set the minimum cookies required to run the service securely. We do not use advertising cookies, we do not track you across other websites, and we do not sell your data. You can block non-essential cookies at any time from your browser without affecting the ability to sign in and manage your account.

1. What is a cookie

A cookie is a small text file placed on your device by a website you visit. Cookies are widely used to make websites work efficiently and to provide information to the site owner. Some cookies are essential for the website to work at all (such as the session cookie that keeps you signed in); others are optional and are used for analytics or personalisation.

2. Our legal basis

Cookies in the United Kingdom are regulated by the Privacy and Electronic Communications Regulations 2003 ("PECR") and, where a cookie also involves processing personal data, by the UK GDPR and the Data Protection Act 2018. Under Regulation 6 of PECR we must obtain your consent before setting any cookie that is not strictly necessary for the provision of the service you have requested. Strictly necessary cookies do not require consent.

3. Cookies we set

| Name | Domain | Purpose | Category | Lifetime |
|---|---|---|---|---|
| mbsess | .mando.network | Session cookie that keeps you signed in across the apex and app subdomains. HttpOnly, Secure, SameSite=Lax. | Strictly necessary | Session (cleared on logout) |
| mbadmin | admin.mando.network | Separate session cookie for the admin console, scoped to the admin subdomain only so that a compromise of the customer session cannot reach admin. | Strictly necessary | Session |
| csrf | mando.network | Cross-site request forgery token bound to your session. Protects against hostile sites submitting forms on your behalf. | Strictly necessary | Session |
| theme | mando.network | Remembers which theme (gold-dark, gold-light, blue-dark) you chose in Settings. No personal data. | Functional | 12 months |
| _scope_upgraded | .mando.network | Technical flag used once to migrate legacy host-only sessions to the new wildcard scope. No personal data. | Strictly necessary | Session |

We do not set any advertising, profiling or cross-site tracking cookies. We do not embed third-party advertising pixels. We do not use Google Analytics, Facebook Pixel, or any similar tracker.

4. Third-party cookies

A small number of pages that intentionally load external services may cause the service provider to set its own cookies under the provider's own privacy policy. These are:

  • Web Fonts — the Fraunces and Manrope web fonts are self-hosted on our own servers. No third-party requests are made to load fonts.
  • Google Identity Services — when you click "Continue with Google" on the login page, you are redirected to Google's OAuth flow, which sets cookies under Google's privacy policy. See policies.google.com/privacy.
  • Cloudflare Turnstile — on the signup form, the anti-bot CAPTCHA loads challenges.cloudflare.com/turnstile/v0/api.js, which may set cookies under Cloudflare's privacy policy. See cloudflare.com/privacypolicy.
  • postcodes.io — the UK postcode lookup used on signup and the account page runs server-side only through our backend proxy; no cookies are set in your browser.

5. Managing cookies

Most browsers allow you to review, control and delete cookies through their settings:

  • Chrome — Settings → Privacy and Security → Cookies and other site data
  • Safari — Preferences → Privacy → Manage Website Data
  • Firefox — Settings → Privacy & Security → Cookies and Site Data
  • Edge — Settings → Cookies and site permissions → Manage and delete cookies

If you block or delete our strictly necessary cookies you will not be able to sign in to the Mando Network dashboard. Functional cookies can be blocked without preventing sign-in; you will simply lose the theme preference.

6. Do Not Track

We honour the "Do Not Track" header sent by some browsers to the extent that we do not set any optional analytics or tracking cookies. Because our baseline cookie posture is already the minimum required, the Do Not Track header does not change our behaviour in a material way.

7. Changes to this policy

We will update this policy whenever we change the set of cookies we use. Material changes will be highlighted to you on your next visit to the website.

8. Contact

Questions about this Cookie Policy can be directed to dpo@mando.network.

Payment services provided by PaymentProvider Payments UK Ltd, authorised by the Financial Conduct Authority as an Electronic Money Institution (FRN 900461). Card issuance by PaymentProvider Issuing.
