Cookie Policy · SQUIZITO

· 01 · what is a cookie

small files,
big consequences.

A cookie is a small text fragment that a website asks your browser to store on your device, so the site can recognise that device on a subsequent request. Cookies were invented to keep shopping carts working across page loads; they are now also routinely used to track users across sites and build advertising profiles. The legal regime treats the two cases very differently.

For the purposes of this policy, the term cookie includes equivalent client-side storage mechanisms that perform the same function: localStorage, sessionStorage, IndexedDB entries, browser cache used as a tracking mechanism, ETags used as a tracking mechanism, and any other technology that stores identifiers on your device. The Italian Garante and the European Data Protection Board both treat these mechanisms as functionally equivalent to cookies when they are used to track or identify users.

Cookies set by the site you are visiting are called first-party. Cookies set by a different domain whose script is loaded inside the page (analytics scripts, social-network buttons, embedded video players, advertising networks) are called third-party. The legal treatment is identical · what differs is who the controller is and where the data flows.

· 02 · legal framework

the rules
we follow.

The rules that govern cookies on this site are the following, in order of specificity:

art. 5(3) Directive 2002/58/EC (the ePrivacy Directive, "ePrivacy"). The base European rule: storing or accessing information on a user's device requires prior informed consent, except where strictly necessary for a service the user has explicitly requested.
art. 122 D.Lgs. 30 giugno 2003, n. 196 (Italian Codice Privacy, as updated by D.Lgs. 101/2018). The Italian transposition of art. 5(3) ePrivacy: same rule, same exception for strictly-necessary cookies, harmonised with GDPR.
Garante Guidelines of 10 June 2021 (Linee guida cookie e altri strumenti di tracciamento, Provv. 231/2021). The operational reading of art. 122: cookie walls are unlawful; the X-close button cannot count as consent; continued navigation does not count as consent; consent must be granular per category; consent must be re-prompted after no more than six (6) months for users who refused; rejecting must be as easy as accepting; technical cookies need no banner.
Regulation (EU) 2016/679 (GDPR), especially art. 4 (definitions), art. 6 (lawful basis), art. 7 (consent), art. 12 (transparency), art. 13 (information notice), and art. 21 (right to object). The cookie consent under art. 122 must meet the GDPR consent standard at art. 7 · freely given, specific, informed, unambiguous, demonstrable, withdrawable.
Garante guidance on automated consent signals (2024). Browsers' Global Privacy Control (GPC) signal is recognised as a valid opt-out from non-essential cookies; we honour it.

The combined effect of these rules, applied to a site like SQUIZITO that today uses no cookies requiring consent, is the following: we are not legally required to display a consent banner today. We display one anyway as a transparency choice and to make the no-tracking baseline visible to first-time visitors. The day we add a cookie that does require consent, the banner is already in place and switches from informational to granular-opt-in mode.

· 03 · categories

four buckets,
two legal regimes.

The Italian Garante recognises four conceptual categories of cookies. Two of them require prior consent; two do not. Today SQUIZITO sets cookies only in the categories that do not require consent.

(a) Strictly-necessary cookies (cookie tecnici). Required for a service explicitly requested by the user · authentication, cart state, load balancing, security checks against CSRF, language preference, and the like. Lawful under art. 122 D.Lgs. 196/2003 without prior consent · the user is informed via this policy but no opt-in is needed. SQUIZITO uses cookies in this category.
(b) Functional cookies (a subset of technical · sometimes called cookie funzionali). Improve the user experience without tracking · remembering display preferences, font size, theme. The Garante treats these as technical when they do not profile the user, so they do not require consent. SQUIZITO does not currently use cookies in this sub-category.
(c) Analytics cookies (cookie analitici). Measure how visitors use the site · which pages are popular, how long people stay, conversion funnels. They are technical and consent-exempt ONLY if (i) they are first-party, (ii) IP addresses are anonymised before storage, (iii) data is not enriched with other sources and not shared with third parties, and (iv) the analytics provider is contractually bound to a strict data-use scope. Otherwise they require opt-in consent. SQUIZITO does not currently use analytics cookies of any kind.
(d) Profiling / marketing cookies (cookie di profilazione). Build a profile of the user to serve targeted advertising, retargeting, lookalike audiences, cross-site tracking. Always require prior opt-in consent under art. 122 D.Lgs. 196/2003 + art. 7 GDPR. SQUIZITO does not use profiling cookies and commits not to use them without first deploying a granular opt-in banner.

The result: today, no part of the SQUIZITO site sets a cookie that would require your consent. The banner you see on first visit acknowledges the strictly-necessary cookies described below, records that we have informed you, and records your preference about future · non-essential · cookies should we ever introduce them.

· 04 · inventory

every cookie
we set, today.

The following is the exhaustive list of cookies and equivalent client-side storage that the SQUIZITO site sets on your device. Every entry is first-party unless noted. Every entry is strictly-necessary unless noted. If a future cookie is added, this table is updated before the cookie is set for the first time.

Name / key	Type	Purpose	Duration	Legal basis
`sqz_cookie_consent` · localStorage	Strictly-necessary · first-party	Records that you have seen the consent banner and your choice (acknowledged · rejected non-essentials). Used to suppress the banner on subsequent visits and to re-prompt after six (6) months.	Six (6) months from the recorded timestamp, then re-prompt.	art. 122 D.Lgs. 196/2003 · the consent record itself is the evidence the Garante requires us to keep.
`sqz_cart` · localStorage	Strictly-necessary · first-party	Holds the current selection on the buy modal (drop slug, size, voter-code claim if any) so the checkout can rebuild the line item without a server round-trip. Cleared after a successful checkout.	Until manually cleared by the user or replaced by a new selection.	art. 122 D.Lgs. 196/2003 · cart-state is the textbook example of a strictly-necessary technical cookie.
`sqz_voter_claim` · localStorage	Strictly-necessary · first-party	Remembers, for the duration of the pre-order window, the voter-reward code the user pasted into the buy modal, so refreshing the page does not lose the code. The code itself is hashed (SHA-256) on the server side at redemption time and the raw code is never stored on the Order row.	Cleared when the pre-order window ends, when the code is redeemed, or after 90 days, whichever is earlier.	art. 122 D.Lgs. 196/2003 · functional / strictly-necessary for the redemption flow the user has explicitly initiated.
`sqz_stw_marker` · cookie	Strictly-necessary · first-party	An opaque per-browser identifier set when you ask for a spread-the-word discount code. Used only to cap how many codes can be created per browser per drop (one of the anti-abuse limits). It carries no profile, is never shared, and is never used to track you across other sites. See the privacy notice section 04-bis.	One (1) year, or until you clear it.	art. 122 D.Lgs. 196/2003 · strictly necessary to enforce the fair-use cap of the discount service the user has explicitly initiated (Garante cookie guidelines, 10 June 2021).
`sqz_country_override` · localStorage	Strictly-necessary · first-party	Remembers a manual override of the auto-detected billing country when the user changes it on the pricing chip (overrides the MaxMind GeoIP-based default for the multi-currency display). Set only if the user clicks the override.	Six (6) months or until cleared.	art. 122 D.Lgs. 196/2003 · preference cookie · technical under the Garante 2021 guidelines.
Stripe Checkout session cookies	Strictly-necessary · third-party · set by `checkout.stripe.com`	Maintain the Stripe Checkout session you are on (NOT on the SQUIZITO domain). Stripe is the data controller for these cookies; their cookie policy is the authoritative source and is linked from the Stripe Checkout footer.	Per Stripe's policy (typically session-scoped).	art. 122 D.Lgs. 196/2003 · strictly necessary for the payment service the user has explicitly initiated. Stripe cookie policy ↗.
CloudFront load-balancing identifiers	Strictly-necessary · first-party	Amazon CloudFront (our CDN) may set short-lived identifiers to route your request to the closest edge location and to mitigate abuse. They contain no personal data beyond the routing tag.	Session-scoped or short rolling TTL set by AWS.	art. 122 D.Lgs. 196/2003 · operational security and delivery.

What is NOT in this table · and why. SQUIZITO does not set Google Analytics, Google Tag Manager, Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, Hotjar, Microsoft Clarity, Pinterest Tag, X Pixel, Reddit Pixel, or any other analytics / marketing tracker. We do not embed YouTube, Vimeo, Spotify, Instagram, or X widgets that drop cookies on the user's device. We do not load fonts in a way that exposes IP addresses to third-party providers · our web fonts (Montserrat and JetBrains Mono) are self-hosted on squizito.me and served from our own CDN, so no font request reaches Google or any other third party and no visitor IP is exposed to a font provider. We do not run A/B testing tools, session-replay tools, heatmap tools, or fingerprinting libraries.

· 05 · third-party

cookies set
off our domain.

The only third-party cookie surface the user encounters via a SQUIZITO touchpoint is Stripe Checkout. Stripe is the data controller for those cookies, not Vora S.r.l. We disclose this here for transparency:

Stripe Checkout · the payment page lives on checkout.stripe.com · a different origin from squizito.me. Stripe sets its own strictly-necessary cookies to maintain the payment session and to run its fraud-prevention engine (Stripe Radar). The legal basis is art. 122 D.Lgs. 196/2003 + Stripe's own consent management on its hosted page. Authoritative reference: Stripe cookies policy ↗.

Stripe is itself a separate processor and, for fraud-prevention purposes, a separate controller. Our use of Stripe is described in detail in section 05 of the privacy notice. The cross-border-transfer chain (Stripe Payments Europe Ltd in Ireland + Stripe, Inc. in the United States) is documented in section 06 of the privacy notice.

Other third parties we use server-side · AWS, Resend, MaxMind, Alchemy, Cathedral S.R.L.S. (Vora) · do not run scripts on the user's browser via the SQUIZITO domain and therefore do not set cookies on the user's device through us. They appear in the privacy notice as processors, not in this cookie policy.

· 06 · consent banner

how the banner
actually works.

On your first visit, an informational bar appears at the bottom of the page. It says, in substance: "SQUIZITO uses strictly-necessary cookies only · no analytics, no marketing · here is the cookie policy". It offers three actions and does not include an X-close button (the Garante's 10 June 2021 guidelines explicitly say the X cannot count as consent or as refusal, so we omit it entirely to remove ambiguity).

Accept · acknowledges that you have read the disclosure and pre-authorises any future non-essential cookie only after we update this page AND re-prompt you with a granular dialog. Today the button records nothing more than the acknowledgement, because today there is nothing else to authorise.
Reject non-essential · records a binding refusal of any future non-essential cookie. If we later add analytics or marketing cookies, your refusal is honoured automatically and the granular dialog re-asks you only after a material change in scope.
Cookie policy · links to this page. You can read everything and return to the banner.

Your choice is stored in sqz_cookie_consent as a small JSON record (decision, timestamp, version). It expires after six (6) months per the Garante's re-prompt rule. You can clear it at any time, or change your choice via the change your cookie choices button below (or in the footer of every page); doing so re-opens the banner.

What the banner does not do. The banner does not block the site behind a wall · cookie walls are unlawful under the Garante guidelines, EDPB Guidelines 5/2020 on consent, and art. 7(4) GDPR. The banner does not interpret continued navigation as consent · continued navigation is just continued navigation. The banner does not pre-tick any opt-in box · GDPR-compliant consent requires an affirmative act. Rejecting is exactly as easy as accepting · same button hierarchy, same step count.

· 07 · manage in browser

your browser,
your control.

Independently of the SQUIZITO consent banner, every modern browser lets you view, restrict, and delete cookies and equivalent storage. The links below point at the official documentation pages from each browser vendor; we do not control these pages and the URLs may change.

Google Chrome · support.google.com/chrome/answer/95647 ↗
Apple Safari (macOS) · support.apple.com/guide/safari/manage-cookies-sfri11471/mac ↗
Apple Safari (iOS) · support.apple.com/en-us/HT201265 ↗
Mozilla Firefox · support.mozilla.org/en-US/kb/clear-cookies-and-site-data-firefox ↗
Microsoft Edge · support.microsoft.com · delete cookies in Edge ↗
Brave · support.brave.com · How Do I Manage Cookies In Brave ↗
Opera · help.opera.com/en/latest/web-preferences ↗

Most browsers also let you block third-party cookies entirely, run in private / incognito mode, and use container or partitioning features (Firefox Total Cookie Protection, Safari Intelligent Tracking Prevention) that prevent cross-site identification by default. We design SQUIZITO to work fully with these protections active; blocking third-party cookies does not affect the SQUIZITO site itself, only the embedded Stripe Checkout page (whose strictly-necessary cookies it needs to function).

· 08 · dnt & gpc

automated signals,
honoured.

If your browser sends a Global Privacy Control (GPC) signal (Brave, Firefox via the privacy.sec_gpc setting, DuckDuckGo, and others), the SQUIZITO consent banner treats it as a binding refusal of any non-essential cookie. The Italian Garante recognised GPC as a valid opt-out mechanism in its 2024 guidance on automated consent signals; the European Data Protection Board has expressed compatible views on browser-emitted signals.

We also respect the older Do Not Track (DNT) header. Modern browsers have largely deprecated DNT in favour of GPC; on the SQUIZITO site the effect is the same: where present, no non-essential cookie is set, regardless of any banner click.

These signals do not affect the strictly-necessary cookies listed in the inventory above · those are required for the site to function and are exempt from consent under art. 122 D.Lgs. 196/2003.

· 09 · future cookies

what changes
if we add one.

The commitment in section 10 of the privacy notice applies. Before we ever set a cookie that requires consent · analytics, marketing, profiling, third-party social trackers, embedded video players that drop cookies, or any other technology that requires consent under art. 122 D.Lgs. 196/2003 · we will:

Update this cookie policy to list the new cookie, the third party (if any), the purpose, the duration, and the legal basis.
Switch the banner from informational to granular-opt-in mode, with a separate toggle per category (analytics · marketing · functional-non-essential, as applicable).
Refuse to load the corresponding script until the user has actively opted in via the granular dialog. No script is pre-loaded on consent assumption.
Honour every existing refusal record (sqz_cookie_consent.decision === "rejected") without re-prompting the user automatically; the user must explicitly re-open the banner to grant new consent.
Honour the GPC signal as an automatic opt-out from the new category.

If we ever change processor for the strictly-necessary side (for example: move from AWS to another provider, change CDN), we update the inventory table above and the privacy notice processor list. Strictly-necessary cookies do not require fresh consent on a processor change, but transparency does require disclosure.

· 10 · changes

version log
and notice.

v 1.0 20 May 2026 First publication. Establishes the strictly-necessary-only baseline; lists the four first-party cookies (sqz_cookie_consent, sqz_cart, sqz_voter_claim, sqz_country_override) plus the Stripe Checkout third-party session cookies and CloudFront load-balancing identifiers; documents the consent banner (informational mode), the six-month re-prompt rule, the rejection of cookie walls and X-close-as-consent, and the commitment to switch to granular opt-in before adding any non-essential cookie. Effective from publication.

Material changes are notified per the same mechanism described in section 14 of the privacy notice · in-page version log, thirty (30) days' prior email notice for affected data subjects where reasonably practicable, fresh consent where the change requires it. Cosmetic changes (typo fixes, link updates, document reformatting) are published silently and tagged in the version log as cosmetic.

· 11 · contact

questions,
complaints.

For any question about this cookie policy, the cookies the site sets, or to exercise any data-subject right related to the strictly-necessary cookies (typically access, rectification, erasure on session-scoped storage), write to:

Email · privacy · privacy@squizito.me
Email · general · hello@squizito.me
Postal · Vora S.r.l. · Via Tortona 27 · 20144 Milan, Italy

You also have the right to lodge a complaint with the Italian supervisory authority, the Garante per la protezione dei dati personali, at Piazza Venezia 11, 00187 Roma, via PEC at protocollo@pec.gpdp.it, or via the online complaint portal at www.gpdp.it ↗. We invite informal resolution first · most cookie-related issues can be addressed via the email above within the thirty-day window committed in the privacy notice.

change your cookie choices →

· closing card

strictly-necessary today.
opt-in tomorrow if we ever add more.

Read the full privacy notice for the broader picture · the cookie state described here is one chapter of a larger compliance position covering every personal-data flow through SQUIZITO.