This Cookie Policy describes how the Treffio platform uses cookies and similar local-storage technologies. It is part of, and should be read together with, the Privacy Policy.
The platform consists of four web surfaces, each of which we audit periodically and disclose individually below:
- admin.treffio.com — admin dashboard
- *.treffio.com — public guest registration sites for individual events
- app.treffio.com — guest web app

In addition, Treffio publishes native applications for iOS and Android. Native apps do not use HTTP cookies; the data they store on the device is described in the Privacy Policy.
Under the Danish Cookie Order (Cookiebekendtgørelsen), Section 3 of the ePrivacy Directive, and corresponding provisions in other EU Member States, prior, opt-in consent is required before storing or accessing information on a user’s device that is not strictly necessary to deliver a service the user has requested. Strictly-necessary cookies are exempt from the consent requirement, but they must still be disclosed.
Across all four web surfaces, we have made a deliberate choice to use only strictly-necessary technologies. We do not run analytics tools, marketing pixels, embedded social media, session-replay tools, advertising tags, or any other consent-required technology. Because there are no consent-required cookies to ask about, we do not display a cookie banner.
If we ever start using non-essential cookies, we will introduce a proper consent banner (with a “Reject all” option that is no harder to use than “Accept all”) and we will update this Cookie Policy first.
The admin dashboard, registration pages, and the guest web app store an authentication session token in the browser’s localStorage. This is not a cookie — it is a key-value entry stored client-side that is read by the application code when needed.
| Surface | Storage key | Purpose | Lifetime |
|---|---|---|---|
| admin.treffio.com | Supabase auth session token | Keep the Administrator signed in across page reloads. Strictly necessary for the admin dashboard to function. | Until sign-out, expiry, or the user clears storage. |
| *.treffio.com (registration) | Supabase auth session token | Keep a Guest signed in to manage their registration. Strictly necessary. | Until sign-out, expiry, or the user clears storage. |
| app.treffio.com | Supabase auth session token | Keep a Guest signed in to the web app. Strictly necessary. | Until sign-out, expiry, or the user clears storage. |
You can clear localStorage at any time through your browser settings. Doing so will sign you out and require you to authenticate again.
When a Guest enters the payment step of a paid event registration, the page loads the Stripe payment SDK (js.stripe.com). Stripe sets two cookies that are widely accepted as strictly necessary for fraud detection in regulated payment processing under the EU Payment Services Directive 2 (PSD2) and Strong Customer Authentication (SCA):
| Cookie | Domain | Purpose | Lifetime |
|---|---|---|---|
| __stripe_mid | .stripe.com | Fraud prevention during a payment session. Stripe correlates the device across the payment flow. | One year. |
| __stripe_sid | .stripe.com | Fraud prevention during a single payment session. | 30 minutes from the last payment-related activity. |
These cookies are set by Stripe, not by Treffio, and are documented in Stripe’s cookie policy. They are not used for advertising or analytics. Stripe is listed as a subprocessor in the Subprocessor List.
We are working on a refactor that will load the Stripe SDK only on pages that actually present a payment step, instead of preloading it across the dashboard and registration sites. Until that refactor lands, Stripe’s SDK is loaded on those surfaces, but it does not set cookies until a Guest interacts with a payment element.
We do not currently set any first-party HTTP cookies on treffio.com, admin.treffio.com, registration sites, or app.treffio.com.
Although the surfaces above do not set non-essential cookies, the pages do load some third-party assets. Loading an asset from a third-party domain transmits the user’s IP address to that domain even if no cookie is set. We disclose these here for transparency:
| Surface | Third-party host | Purpose | Notes |
|---|---|---|---|
| treffio.com | fonts.googleapis.com, fonts.gstatic.com | Web font delivery (Google Fonts) | Transmits IP to Google in the United States. We are migrating to self-hosted fonts. |
| treffio.com | unpkg.com (Cloudflare-fronted) | Single JavaScript library | We are migrating to bundle this library locally. |
| admin.treffio.com | js.stripe.com, m.stripe.com, m.stripe.network, r.stripe.com | Stripe payment SDK | Loaded globally today; will be lazy-loaded only on payment pages. |
| *.treffio.com (registration) | js.stripe.com, m.stripe.com, m.stripe.network, r.stripe.com | Stripe payment SDK | Same as above. |
| app.treffio.com | fonts.googleapis.com | Web font delivery (Google Fonts) | See note on treffio.com. |
The Treffio backend at supabase.treffio.com and the REST API at api.treffio.com are first-party from the user’s perspective; they are operated on Supabase and DigitalOcean infrastructure respectively. See the Subprocessor List.
The iOS and Android applications do not use HTTP cookies. They store an authentication token, push-notification token, and a small amount of operational state on-device. Push notifications use Apple Push Notification service (APNs) on iOS and Firebase Cloud Messaging (FCM) on Android. Crash reports, when enabled, are sent through Firebase Crashlytics. See the Privacy Policy, Section 6.
You can:
- localStorage) at any time. Doing so will sign you out of any active session.
- js.stripe.com will, however, break paid ticket purchases.

If you experience any issue caused by your browser configuration interacting with our Service, please contact [email protected].
If we change which cookies or storage technologies the Service uses, we will update this Cookie Policy and bump its version. Material changes — particularly any introduction of consent-required cookies — will be communicated through the admin dashboard, on treffio.com, and (where appropriate) by a re-prompt to admins via our standard policy-acceptance flow.
For questions about this Cookie Policy:
Treffio ApS
Niels Ebbesens Vej 16
1911 Frederiksberg C
Denmark
Email: [email protected]