Cookie Policy
Last updated: 23 April 2026
Brooksby Medical keeps cookies to an absolute minimum. This page explains exactly what we use, why, and how we record your consent.
Our position on cookies
We use essential cookies only. We don't run Google Analytics, Facebook Pixel, or any cross-site tracking. We don't sell your browsing activity to third parties. We don't personalise what you see based on what you've clicked elsewhere.
What we use
Essential cookies (always on)
These are required for the site to work. Without them, you can't log in, your cart doesn't persist, and security features like two-factor authentication stop working.
- brooksby_id — your login session (set by Cognito after you log in). HttpOnly, Secure, SameSite=Lax. Expires when your session ends.
- brooksby_refresh — securely refreshes your login without requiring you to log in again. Same security properties. 30-day lifetime.
- brooksby-cookie-consent-v1 — records your cookie banner decision (see below) so we don't re-show the banner on every page.
- brooksby-session — anonymous session identifier, used to correlate cookie-consent records. No personal data.
Analytics cookies (opt-in only)
We don't currently run any analytics cookies. If we introduce them in the future (e.g. for anonymised page-view counts to improve the site), the banner will ask you explicitly before anything is set.
Marketing cookies
We don't use marketing cookies. We have no plans to.
How we record your consent
When you click "Accept essential" (or adjust your preferences) on the cookie banner, we record:
- Your decision ("essential only" or "all")
- The cookie categories you accepted
- The exact policy version you were agreeing to (the date at the top of our privacy policy)
- The timestamp (ISO 8601, UTC)
- The page you were on when you accepted
- Your browser's user agent string
- The first two octets of your IP address (e.g. "82.45.x.x") — enough for a rough country signal, not enough to identify you
This record is stored in our AWS DynamoDB brooksby-staging-consent-log table in the UK (London region, eu-west-2), encrypted at rest. We keep consent records for the duration required by GDPR Article 7(1), typically the lifetime of your account plus 6 years.
A copy is also stored in your browser's localStorage so the banner knows not to re-show until our privacy policy materially changes.
Changing your mind
You can withdraw consent at any time by clearing your browser's cookies for this site (Settings → Privacy → Clear site data). We'll show the banner again on your next visit.
To request deletion of all consent records we hold for you, email enquiries@brooksbymedical.com — we'll respond within one calendar month as per GDPR.
Related policies
- Privacy Policy — what data we collect beyond cookies and why
- Terms of Service — the contract between you and Brooksby Medical
- Complaints Procedure — if you think we're handling your data badly
Questions? enquiries@brooksbymedical.com · Data Protection Officer: Glen Mansbridge
