COOKIE POLICY
Last Updated: May 7, 2026
This page lists the cookies and similar technologies (local storage, pixels, session storage) used on xposeddesigns.com and shop.xposeddesigns.com. It supplements our Privacy Policy with specifics: name, purpose, who sets it, type, and how long it lasts.
You can change your choices at any time through the “Your Privacy Choices” link in the footer, or by enabling Global Privacy Control in your browser.
What is a cookie?
A cookie is a small text file a website stores in your browser. We also use related technologies — local storage, session storage, and tracking pixels — that work similarly. We refer to all of them as “cookies” on this page for simplicity.
Categories
We group cookies into four categories. Only Strictly Necessary cookies are set without your consent. Analytics and Marketing cookies are loaded only after you accept them (or, in certain regions, only with explicit opt-in).
1. Strictly Necessary
These are required for the Site to function: cart, checkout, login, security. They cannot be disabled.
| Cookie | Set by | Purpose | Expiry |
|---|---|---|---|
| cart | Shopify | Your shopping cart contents | 14 days |
| _shopify_y | Shopify | Customer recognition for checkout/orders | 1 year |
| _shopify_s | Shopify | Session continuity for the storefront | Session |
| _shopify_sa_p | Shopify | Marketing-attribution session ID (storefront) | 30 minutes |
| _shopify_sa_t | Shopify | Marketing-attribution timestamp (storefront) | 30 minutes |
| _secure_session_id | Shopify | Authenticated session token | Session |
| _orig_referrer | Shopify | Original referrer for the session | 14 days |
| _landing_page | Shopify | First page of the session | 14 days |
| xpd_consent | Xposed Designs | Stores your cookie-banner choice (which categories you accepted) | 1 year |
| xpd-sentry-fp (localStorage) | Xposed Designs | Anonymous per-browser fingerprint used to group error reports without storing PII | Until cleared |
| __cf_bm | Cloudflare / Shopify | Bot management | 30 minutes |
2. Functional
Remember preferences and improve your experience. Loaded by default; can be disabled.
| Cookie | Set by | Purpose | Expiry |
|---|---|---|---|
| xpd:theme (localStorage) | Xposed Designs | Light/dark theme preference | Until cleared |
| xpd:recently-viewed (localStorage) | Xposed Designs | Products you've recently viewed | Until cleared |
| xpd:klaviyo_anon_id (localStorage) | Xposed Designs | Anonymous browser ID used to merge marketing engagement once you provide an email or phone number. Set when you interact with marketing forms. | Until cleared |
3. Analytics
Help us understand how the Site is used. Loaded only with your consent. When consent is denied, Google Analytics still receives privacy-preserving aggregate signals via Google Consent Mode v2, but no cookies are set and no individual identifiers are collected.
| Cookie | Set by | Purpose | Expiry |
|---|---|---|---|
| _ga | Google Analytics | Distinguishes users | 2 years |
| _ga_<container-id> | Google Analytics | Persists session state | 2 years |
| _gid | Google Analytics | Distinguishes users (24-hour) | 24 hours |
| Vercel Speed Insights ping | Vercel | Anonymous Core Web Vitals beacon. No cookies, no identifiers | n/a (no storage) |
4. Marketing / Advertising
Used to measure ad effectiveness and personalize advertising on other platforms. Loaded only with your consent. With marketing consent denied, the Meta Pixel script is not loaded at all and no Klaviyo behavioral events are sent.
| Cookie | Set by | Purpose | Expiry |
|---|---|---|---|
| _fbp | Meta Pixel | Identifies the browser for ad measurement and retargeting | 90 days |
| fr | Meta Pixel | Cross-site tracking for advertising | 90 days |
| Klaviyo __kla_id (when used) | Klaviyo | Identifies the visitor for marketing personalization | 2 years |
| Klaviyo behavioral events | Klaviyo | "Viewed Product" / "Added to Cart" events posted to Klaviyo from your browser | n/a (no cookie; events only) |
How to manage cookies
- In our cookie banner: click “Customize” or use the footer link “Your Privacy Choices” at any time to change which categories you accept.
- In your browser: most browsers let you block all cookies, block third-party cookies, or delete existing cookies. See: Chrome, Firefox, Safari, Edge.
- Global Privacy Control: if your browser sends a GPC signal, we treat it as an opt-out from Marketing automatically. No further action needed.
- Opt out at the source: GA Opt-out Browser Add-on; Meta Ads preferences.
Disabling cookies in Strictly Necessary will break parts of the Site (cart, checkout). Disabling other categories will not.
Changes to this page
We update this list when we add or remove tools. The date at the top reflects the most recent material change. The Privacy Policy change log records the same updates.
Contact
Questions? Email privacy@xposeddesigns.com or use our contact page.