Cookie Notice

This Cookie Notice explains how Layer Zero Studios ("Layer Zero",

"we", "us") uses cookies and similar storage technologies on

layerzerostudios.com,

dashboard.layerzerostudios.com,

admin.layerzerostudios.com, and any

other Layer Zero property that loads in your browser.

This notice supplements our Privacy Policy. It is

written to satisfy the UK **Privacy and Electronic Communications Regulations

(PECR) Reg. 6, the EU ePrivacy Directive 2002/58/EC** as amended, the EU

GDPR Art. 7 consent standard, and the SA **Protection of Personal

Information Act, 2013 (POPIA) s69** direct-marketing limitations.

Lawyer review required before publication.

Primary-source references:

• UK PECR — legislation.gov.uk/uksi/2003/2426
• ePrivacy Directive — Directive 2002/58/EC
• GDPR — Regulation (EU) 2016/679
• POPIA — Act No. 4 of 2013

1. What cookies are

A cookie is a small text file that a website stores in your browser

when you visit. The site can read that file the next time you visit, which

is how you stay logged in, how preferences persist, and how some

analytics work. The same rules in this notice apply to similar

technologies — localStorage, sessionStorage, web beacons, and

fingerprinting signals — when they are used to store or read information

on your device.

2. Categories we use

We classify cookies into four standard categories. **Today, only

Strictly Necessary cookies are set by Layer Zero.** We commit to updating

this notice before we add a cookie in any other category.

2.1 Strictly necessary

Required for the Service to work. No consent is required under PECR

Reg. 6(4) for cookies in this category, but we still disclose them.

| Cookie | Set by | Purpose | Lifetime |

|---|---|---|---|

| sb--auth-token | Supabase (first-party on dashboard + admin) | Maintains your authenticated session after login | Session + refresh window (typically up to 60 days, refreshed on use) |

| sb--auth-token-code-verifier | Supabase (first-party) | OAuth PKCE flow during login | Cleared on login completion |

| CSRF / signed-state tokens (in-memory or session storage) | Layer Zero (first-party) | Cross-site request forgery protection on form submissions | Per request |

2.2 Functional

Save preferences (e.g. dark/light theme, dismissed banners). **Layer Zero

does not currently set functional cookies.** If we add any, they will be

listed here before deployment.

2.3 Analytics

Aggregate, anonymised usage analytics. **Layer Zero does not run Google

Analytics, Mixpanel, Amplitude, Segment, Heap, Plausible, Pirsch, Fathom,

PostHog, or any other product-analytics tool today.** This is a

deliberate privacy-respecting default; we will update this notice before

any analytics tool is added.

2.4 Marketing / advertising

Cross-site targeting, retargeting, conversion attribution. **Layer Zero

does not run the Meta Pixel, the Google Ads tag, the LinkedIn Insight

Tag, the X (Twitter) tag, TikTok Pixel, or any other ad-tech tracker

today.** We do not currently run paid advertising that would set these.

3. Third-party services that may set cookies

When you visit our properties, the following third parties may set or

read cookies on the page. Each is listed in our

Subprocessor List with the same role and

location.

| Service | What it does | Where to learn more |

|---|---|---|

| Cloudflare | DDoS protection, edge routing, and the Turnstile captcha during signup. May set the __cf_bm bot-management cookie and short-lived Turnstile challenge cookies. | Cloudflare cookie policy |

| Supabase | Authentication and session management on the dashboard and admin surfaces (cookies listed in §2.1 are first-party from your browser's perspective but issued by Supabase as our processor). | Supabase Privacy |

We deliberately keep this list short. If we add a third-party that sets

cookies, this page is updated before deployment and you are notified

through our customer email channel for material changes.

4. How to control or delete cookies

You can clear cookies and configure consent at any time through your

browser. Vendor-maintained guides:

• Google Chrome
• Mozilla Firefox
• Apple Safari (macOS / iOS)
• Microsoft Edge
• Brave

If you clear or block the cookies in §2.1, the dashboard cannot keep

you logged in and the Service may not function.

For server-side controls (e.g. revoking an active session), use

Dashboard → Account → Sign out of all devices.

5. Consent and your rights

Under GDPR Art. 7 and PECR Reg. 6, consent must be **freely given,

specific, informed, and unambiguous**. Because we set only Strictly

Necessary cookies today, no opt-in banner is required for ordinary

browsing. If we add any cookie outside §2.1 in the future, we will

display a granular consent control before that cookie is set.

You have the right to:

• Withdraw consent at any time, with the same ease as it was given

(GDPR Art. 7(3))

• Object to direct marketing that is delivered or measured via

cookies (POPIA s69; GDPR Art. 21(2))

• Access, correct, delete, or export the personal information

associated with cookie identifiers, per the Privacy Policy §8

To exercise any of these rights, email

privacy@layerzerostudios.com.

We respond within 30 calendar days.

6. Changes to this notice

We will update this page before any new cookie or tracking technology is

deployed. Material changes are emailed to active customers at least

14 days before they take effect. The date at the top of this notice

is the most recent revision.

7. Contact

Questions about cookies, consent, or this notice:

• privacy@layerzerostudios.com — privacy queries
• hello@layerzerostudios.com — general
• Information Regulator (SA) · inforeg@justice.gov.za
• ICO (UK) · ico.org.uk
• Your EU supervisory authority — the one in your country