Cookie Policy
We currently use only first-party essential cookies and local storage to run the platform. We do not run third-party analytics, advertising or tracking pixels. Google Analytics 4 and Google AdSense are planned for the future and will be enabled only after we update this policy and ask for your consent through the cookie banner.
1. What Are Cookies?
A cookie is a small data file placed on your device when you visit a website. Cookies allow a site to recognise your device and remember information about your visit — such as whether you are logged in or which preferences you have set.
This policy also covers similar technologies that serve the same purpose, including browser localStorage, which we use instead of traditional cookies for session management. Under Article 5(3) of the ePrivacy Directive 2002/58/EC and the related guidelines of the European Data Protection Board, the consent rules described below apply to any storage of or access to information on your device, regardless of the technical mechanism used.
2. Strictly Necessary Storage (no consent required)
These are required for the platform to function and are set regardless of your cookie preferences. They are all first-party and contain no advertising or cross-site tracking data.
| Key / Name | Purpose | Duration | Type |
|---|---|---|---|
bit_jwt |
Your authentication token (JWT). Keeps you logged in between sessions. Signed and expiring — cannot be forged. | 24 hours, then invalidated server-side | localStorage — First party |
bit_user |
Cached profile data (alias, role, avatar) to avoid re-fetching on each page load. | Cleared on logout | localStorage — First party |
bit_support |
Local record of events you have supported, used to prevent duplicate support actions within the same session. | Persistent, cleared on logout | localStorage — First party |
bit_consent |
Stores your cookie preference (accepted / declined) so the banner does not reappear on every visit. | Persistent (until you clear browser data or manage preferences) | localStorage — First party |
| CSRF token | Protects forms from cross-site request forgery attacks. Contains no personal data. | Session (deleted when browser closes) | Session cookie — First party |
PHP session cookiebit_admin_session |
Maintains the admin panel session for authenticated administrators only. Never set for regular users. | Session (deleted when browser closes or on logout) | Session cookie — First party |
| Map style preference | Remembers whether you last used the dark or light map style. | Persistent (until you clear browser data) | localStorage — First party |
3. Planned Future Services (not yet active)
We intend to introduce the following third-party services in the future. They are not currently loaded on the Platform and no data is sent to any third-party provider through them at this time.
3.1 Google Analytics 4 (planned)
When activated, Google Analytics 4 will help us understand how visitors use the platform in aggregate — pages visited, session duration, traffic sources. Google Analytics will set third-party cookies on your device and send anonymised usage data to Google's servers (Google Ireland Ltd., acting as joint controller / processor depending on configuration). See Google's Privacy Policy.
Before activation, we will update this Cookie Policy, present a renewed consent banner, and load Google Analytics 4 only after explicit "Accept all" consent. IP anonymisation and the strictest available data-retention settings will be enabled by default.
3.2 Google AdSense (planned)
When activated, Google AdSense will display contextual advertising on the platform. Advertising will be shown only to non-paying users — Pro Members will see no ads. Google AdSense may use cookies to serve ads based on your interests and prior visits to other websites. See Google's advertising policies.
Before activation, we will update this Cookie Policy, present a renewed consent banner, and load Google AdSense only after explicit consent. In accordance with Articles 26 and 28 DSA, we will not use sensitive categories of personal data for ad targeting and will not display targeted advertising to users we know to be minors. Declining advertising cookies will not affect your access to any platform feature.
3.3 Stripe (planned)
Stripe will be used for processing Pro Membership and Event Boost payments when paid services are activated. Stripe may set its own cookies for fraud prevention and session integrity on the checkout pages. These are considered strictly necessary to complete a payment you have initiated and will be set only on the relevant checkout pages.
4. Legal Basis for Processing
- Essential storage (JWT, CSRF, session, bit_user, bit_support, map preference, bit_consent): contract performance (GDPR Art. 6.1.b) and, where applicable, legitimate interest (Art. 6.1.f). Exempt from consent under Article 5(3) of the ePrivacy Directive ("strictly necessary" exception).
- Future analytics and advertising cookies (GA4, AdSense): will require your explicit prior consent (Art. 6.1.a GDPR and Art. 5(3) ePrivacy), which you will be able to withdraw at any time via the "Manage cookie preferences" button above.
- Future payment cookies (Stripe): strictly necessary to complete a payment you have initiated, exempt from consent on the checkout pages only.
5. Managing Your Preferences
You can change your cookie preferences at any time:
- On this page — click "Manage cookie preferences" above to reopen the consent banner.
- Via browser settings — clear site data for bandintour.com. This resets all preferences including your login session.
- Via browser developer tools — open Developer Tools (F12) → Application → Local Storage → delete
bit_consentto reset only the cookie preference.
Withdrawing consent stops any future data collection but does not affect data already collected prior to withdrawal. Accepting or refusing non-essential cookies is equally easy: the consent banner shows "Accept" and "Reject" buttons of equivalent prominence.
6. Third-Party Content
Profiles may contain links to external platforms (social media, streaming services, ticket vendors). If you follow those links, those platforms may set their own cookies independently of your choices here.
If a profile contains a video trailer link (e.g. a YouTube embed), it is loaded only when you explicitly open that profile. YouTube may set cookies when the embed loads; we use the privacy-enhanced embed mode where available.
7. Changes to This Policy
We will update this Cookie Policy when we introduce new cookies or storage technologies, and in particular before activating Google Analytics 4, Google AdSense or Stripe payments. The version date at the top reflects the last update. Material changes will be notified to registered users by email and will be subject to a renewed consent request where required by law.
8. Contact
Questions about our use of cookies? Contact us at privacy@bandintour.com. Data controller: IOCOS di G.C., Via F. Baracca traversa De Salvo 158, 89123 Reggio Calabria, Italy (P.IVA 02758080804).