Skip to content

Cookie Policy

Last updated 5 July 2026

This Cookie Policy explains how Newborn Photography Art uses cookies and similar technologies such as pixels, local storage and session storage.

Cookies are small files placed on your device. Similar technologies can store or read information in your browser or app environment. Some are needed for the website to work. Others help us understand how the website is used or measure advertising performance.

You can change your choices at any time by opening the privacy choices panel.

Our Cookie Approach

We ask for consent before running optional analytics, heatmaps, session replay or advertising pixels. Necessary cookies stay on because they are needed for security, bookings, accounts, payments and privacy choices.

Saying no to optional cookies will not stop you using the website, booking a session, signing documents, paying securely or using your customer account.

Cookie Categories

Category Status What it does
Strictly necessary always on keeps the site secure, remembers privacy choices, supports forms, bookings, payments, contracts, app handoff and account login
Functional on when needed supports customer account features such as one-time links, temporary sign-in, passkeys, social-login return flow and remembering safe interface choices
Analytics optional records page and journey statistics so we can improve the website and spot broken steps
Heatmaps and replay optional records masked behaviour events, such as clicks and scroll depth, to see where visitors get stuck
Marketing tracking optional loads configured Google Ads or Meta Pixel scripts and reports booking/payment conversions after consent

Technologies We Use

Name/provider Type Purpose Typical duration
laravel_session strictly necessary keeps your secure website session, booking flow, login state, app handoff and form security working normally 120 minutes of inactivity, unless site settings change
XSRF-TOKEN strictly necessary helps protect forms against cross-site request forgery session/browser duration
npa_consent strictly necessary stores your privacy choices, policy version and update time up to 12 months
npa_visitor strictly necessary for consent records stores a random visitor ID used to connect consent choices; if you allow analytics/replay it is also used as the pseudonymous visitor ID up to 12 months
npa_device security remembers a trusted admin/staff device where that protection is enabled up to 5 years unless revoked
npa_sid and npa_session_started_at optional session storage created only when analytics or replay is allowed; helps group page events into one visit browser session
First-party analytics endpoint optional analytics/replay receives page paths, viewport sizes, clicks, scroll depth and masked element selectors; it does not read form values, private messages, photos or typed text see retention table in Privacy Policy
Google reCAPTCHA security may check protected forms for spam or abuse if configured; Google may process device/browser data controlled by Google
Stripe payment used if you choose card payment or Stripe Checkout; Stripe may set its own security/payment cookies controlled by Stripe
Apple, Facebook and Google login account login used only if you choose a social-login provider and that provider is configured controlled by the provider
Dropbox/gallery links gallery delivery used if a gallery or client folder opens through Dropbox or another configured provider controlled by the provider
Google Maps or Apple Maps travel help used if you choose to open directions or location features controlled by the provider
Google Ads and Meta Pixel optional marketing tracking loads only if configured and you consent to marketing tracking; measures adverts and booking/payment conversions controlled by Google/Meta

What Analytics And Replay Do Not Capture

Our first-party analytics script is content-free by design. It does not read form field values, message content, payment details, passwords, passkeys, selected text, typed text, documents or private gallery image contents. Sensitive form fields are masked and not described.

Referral And Campaign Parameters

If you arrive through an advert, campaign link or referral link, the URL may contain values such as utm_source, a click ID, campaign name or ref. The site may store those values in the server session and attach them to a resulting enquiry, booking or payment so we can understand which campaigns and referrals led to a client. This is separate from optional behavioural analytics.

Social Login, Payments And External Services

When you choose to sign in with Apple, Facebook or Google, use Stripe, open Dropbox/gallery links, open map directions or interact with other third-party services, those services may set their own cookies or read device/browser information. Their own privacy and cookie policies apply.

Managing Cookies

You can use the privacy choices panel to accept, reject or customise optional cookies. You can also block or delete cookies in your browser. If you block necessary cookies, some features such as booking, login, payments, contract signing, gallery access or privacy preference storage may not work properly.

The iOS app uses secure tokens and app storage rather than normal browser cookies for most signed-in customer features. If the app opens a web page for payment, contract signing, social login or account setup, the website cookie rules above may apply to that web session.