Cookie Policy
Last updated 5 July 2026
This Cookie Policy explains how Newborn Photography Art uses cookies and similar technologies such as pixels, local storage and session storage.
Cookies are small files placed on your device. Similar technologies can store or read information in your browser or app environment. Some are needed for the website to work. Others help us understand how the website is used or measure advertising performance.
You can change your choices at any time by opening the privacy choices panel.
Our Cookie Approach
We ask for consent before running optional analytics, heatmaps, session replay or advertising pixels. Necessary cookies stay on because they are needed for security, bookings, accounts, payments and privacy choices.
Saying no to optional cookies will not stop you using the website, booking a session, signing documents, paying securely or using your customer account.
Cookie Categories
| Category | Status | What it does |
|---|---|---|
| Strictly necessary | always on | keeps the site secure, remembers privacy choices, supports forms, bookings, payments, contracts, app handoff and account login |
| Functional | on when needed | supports customer account features such as one-time links, temporary sign-in, passkeys, social-login return flow and remembering safe interface choices |
| Analytics | optional | records page and journey statistics so we can improve the website and spot broken steps |
| Heatmaps and replay | optional | records masked behaviour events, such as clicks and scroll depth, to see where visitors get stuck |
| Marketing tracking | optional | loads configured Google Ads or Meta Pixel scripts and reports booking/payment conversions after consent |
Technologies We Use
| Name/provider | Type | Purpose | Typical duration |
|---|---|---|---|
laravel_session |
strictly necessary | keeps your secure website session, booking flow, login state, app handoff and form security working | normally 120 minutes of inactivity, unless site settings change |
XSRF-TOKEN |
strictly necessary | helps protect forms against cross-site request forgery | session/browser duration |
npa_consent |
strictly necessary | stores your privacy choices, policy version and update time | up to 12 months |
npa_visitor |
strictly necessary for consent records | stores a random visitor ID used to connect consent choices; if you allow analytics/replay it is also used as the pseudonymous visitor ID | up to 12 months |
npa_device |
security | remembers a trusted admin/staff device where that protection is enabled | up to 5 years unless revoked |
npa_sid and npa_session_started_at |
optional session storage | created only when analytics or replay is allowed; helps group page events into one visit | browser session |
| First-party analytics endpoint | optional analytics/replay | receives page paths, viewport sizes, clicks, scroll depth and masked element selectors; it does not read form values, private messages, photos or typed text | see retention table in Privacy Policy |
| Google reCAPTCHA | security | may check protected forms for spam or abuse if configured; Google may process device/browser data | controlled by Google |
| Stripe | payment | used if you choose card payment or Stripe Checkout; Stripe may set its own security/payment cookies | controlled by Stripe |
| Apple, Facebook and Google login | account login | used only if you choose a social-login provider and that provider is configured | controlled by the provider |
| Dropbox/gallery links | gallery delivery | used if a gallery or client folder opens through Dropbox or another configured provider | controlled by the provider |
| Google Maps or Apple Maps | travel help | used if you choose to open directions or location features | controlled by the provider |
| Google Ads and Meta Pixel | optional marketing tracking | loads only if configured and you consent to marketing tracking; measures adverts and booking/payment conversions | controlled by Google/Meta |
What Analytics And Replay Do Not Capture
Our first-party analytics script is content-free by design. It does not read form field values, message content, payment details, passwords, passkeys, selected text, typed text, documents or private gallery image contents. Sensitive form fields are masked and not described.
Referral And Campaign Parameters
If you arrive through an advert, campaign link or referral link, the URL may contain values such as utm_source, a click ID, campaign name or ref. The site may store those values in the server session and attach them to a resulting enquiry, booking or payment so we can understand which campaigns and referrals led to a client. This is separate from optional behavioural analytics.
Social Login, Payments And External Services
When you choose to sign in with Apple, Facebook or Google, use Stripe, open Dropbox/gallery links, open map directions or interact with other third-party services, those services may set their own cookies or read device/browser information. Their own privacy and cookie policies apply.
Managing Cookies
You can use the privacy choices panel to accept, reject or customise optional cookies. You can also block or delete cookies in your browser. If you block necessary cookies, some features such as booking, login, payments, contract signing, gallery access or privacy preference storage may not work properly.
The iOS app uses secure tokens and app storage rather than normal browser cookies for most signed-in customer features. If the app opens a web page for payment, contract signing, social login or account setup, the website cookie rules above may apply to that web session.