Cookie Policy

How we use cookies and similar technologies

Introduction

This Cookie Policy explains how Bath Arts Collective CIC and POLYMATHIC Ltd ("we", "us", or "our"), who have partnered to develop and manage the Culture Key prototype platform, use cookies and similar technologies on the Culture Key website at www.culturekey.co.uk (the "Website").

Culture Key is a non-commercial, data-driven platform designed to empower arts and cultural organisations in Bath and North East Somerset, UK, to better understand and evidence their social and economic impact.

We are committed to transparency and protecting your privacy in line with applicable laws, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA), the Data Use and Access Act, and the Privacy and Electronic Communications Regulations 2003 (PECR). This policy details the cookies we use, why we use them, and your options for managing them.

By using our Website, you acknowledge that you have read and understood this Cookie Policy. This policy should be read alongside our Privacy Policy, Terms and Conditions of Use, and Frequently Asked Questions.

This Cookie Policy was last updated on 05 August 2025. We may update it from time to time; any significant changes will be posted on the Website or communicated directly where appropriate.

What Are Cookies?

Cookies are small text files placed on your device (e.g., computer, smartphone, or tablet) when you visit a website. They store limited information about your browsing activity and help websites remember preferences, maintain sessions, or improve functionality. Cookies can be "session" (temporary, deleted when you close your browser) or "persistent" (remain until expired or deleted). They can also be "first-party" (set by the website you're visiting) or "third-party" (set by external domains).

Similar technologies include web beacons, pixels, local storage, or device identifiers, which may serve comparable purposes. For simplicity, we refer to all these as "cookies" in this policy.

Cookies do not typically contain personal data on their own but may be linked to it if combined with other information. We do not use cookies to collect personally identifiable information unless it is strictly necessary for the platform's core functionality.

Why Do We Use Cookies?

Our use of cookies is limited and aligns with the prototype nature of Culture Key. We do not use cookies for advertising, tracking user behaviour across sites, or any commercial monetisation. Cookies on our Website are used exclusively for essential purposes, such as authentication and session management, to ensure the platform functions securely and efficiently.

Under PECR, strictly necessary cookies (those essential for providing the service you request) do not require consent. We do not display a cookie consent banner because all our cookies fall into this category. However, we provide this policy to inform you fully, and you can manage cookies via your browser settings at any time.

We do not use cookies for statistical analysis, marketing, or performance tracking at this stage of development. If future enhancements introduce non-essential cookies (e.g., for optional analytics), we will update this policy, seek consent where required, and notify users.

Types of Cookies We Use

We only use first-party, strictly necessary cookies managed by our platform and our authentication provider. These are essential for the Website's core operations and cannot be disabled without affecting functionality (e.g., you would not be able to log in or access protected areas).

Below is a comprehensive list of the cookies we use:

Cookie Name: sb-access-token

  • Provider: Supabase
  • Purpose: Stores a JSON Web Token (JWT) for authenticating your session and granting access to protected routes (e.g., dashboards and data uploads). Essential for maintaining login state across requests.
  • Type: First-party, Strictly Necessary (Authentication)
  • Duration: Session-based (expires on token validity, typically 1 hour)
  • Data Stored: Encrypted JWT containing session identifiers (no direct personal data like names or emails). HTTP-only (not accessible via JavaScript).

Cookie Name: sb-refresh-token

  • Provider: Supabase
  • Purpose: Used to refresh the access token automatically when it expires, ensuring seamless session continuity without requiring re-login. Essential for secure, ongoing access.
  • Type: First-party, Strictly Necessary (Authentication)
  • Duration: Persistent (expires on token validity, typically longer than access token, e.g., several hours to days)
  • Data Stored: Encrypted refresh token (no direct personal data). HTTP-only.

Cookie Name: sb-provider-token

  • Provider: Supabase
  • Purpose: (Optional/Conditional) Stores provider-specific tokens if third-party authentication (e.g., email OTP) is used. Helps manage secure authentication flows. Only set if relevant to your login method.
  • Type: First-party, Strictly Necessary (Authentication)
  • Duration: Session-based (expires on session end or token validity)
  • Data Stored: Provider-specific token data (no direct personal data). HTTP-only.

Key Details:

  • Domain and Scope: These cookies are set on our application's domain. They are not shared with third parties.
  • Security Features: All cookies are HTTP-only, meaning they cannot be accessed or modified by client-side scripts, reducing risks like cross-site scripting (XSS) attacks. They are transmitted securely over HTTPS.
  • No Third-Party Cookies: We do not use cookies from external services like Google Analytics, social media plugins, or advertising networks. All cookies are first-party and directly controlled by us.
  • No Tracking or Analytics Cookies: As a prototype focused on sector insights rather than user tracking, we do not deploy cookies for performance monitoring, user profiling, or A/B testing.
  • No Personal Data Collection via Cookies: These cookies store technical session data (e.g., tokens) but not personally identifiable information like your name, email, or IP address. Any linkage to personal data occurs only server-side for authentication purposes, as detailed in our Privacy Policy.
  • Device and Browser Impact: Cookies are stored per browser and device. If you use multiple devices or browsers, separate cookies will be set for each.

How We Manage Cookies

Cookies are handled server-side. We do not set, read, or manage cookies directly via client-side JavaScript. This enhances security by minimising exposure to client-side vulnerabilities.

Cookies are set during key user flows, such as:

  • Sign-up and login
  • Session refresh
  • Logout (cookies are cleared to terminate the session)

They are read server-side to verify authentication before granting access to APIs or pages.

How to Control and Manage Cookies

Although our cookies are strictly necessary, you have full control over them through your browser settings. Note that blocking or deleting these cookies may prevent you from logging in, uploading data, or accessing dashboards, as they are essential for the platform's operation.

Steps to Manage Cookies:

Most browsers allow you to view, block, or delete cookies. Instructions vary by browser:

  • Google Chrome: Go to Settings > Privacy and security > Cookies and other site data.
  • Mozilla Firefox: Go to Options > Privacy & Security > Cookies and Site Data.
  • Microsoft Edge: Go to Settings > Cookies and site permissions > Manage and delete cookies and site data.
  • Safari: Go to Preferences > Privacy > Manage Website Data.

For more guidance, visit your browser's help section.

Private Browsing Modes: Using "Incognito" or "Private" mode will prevent persistent cookies from being stored beyond the session.

Do Not Track (DNT) Signals: We respect DNT browser signals. If enabled, we do not set non-essential cookies (though, as noted, we only use essential ones).

Clearing Cookies: Deleting cookies will log you out and require re-authentication. Historical session data may be lost, but this does not affect your uploaded organisational data.

If you restrict cookies and encounter issues, please contact us for support; we can guide you on alternatives or troubleshooting.

Cookies and Children

Culture Key is not intended for use by individuals under 18. We do not knowingly collect data from children, and our cookies do not target or track minors.

International Transfers

All cookies are processed within the UK, using UK-based servers. No cookie data is transferred outside the UK or EEA. If this changes, we will update this policy and ensure adequate safeguards (e.g., standard contractual clauses) are in place.

Changes to This Cookie Policy

We may revise this policy to reflect platform updates, legal changes, or enhancements. Changes will be posted on the Website with the updated date. If changes introduce non-essential cookies, we will seek consent as required by law. We recommend reviewing this policy periodically.

Contact Us

If you have questions about this Cookie Policy, our use of cookies, or wish to exercise your rights (e.g., access or deletion requests related to any linked data), please contact:

  • Data Controller: Bath Arts Collective CIC & POLYMATHIC Ltd
  • Address: 9 Upper Hedgemead Road, Bath, England, BA1 5NE
  • Email: nigel@polymathic.agency

For complaints, you can also contact the Information Commissioner's Office (ICO) at www.ico.org.uk or by calling 0303 123 1113.

Thank you for using Culture Key. We value your trust and are committed to handling data responsibly to support Bath's vibrant arts and cultural community.