Cookie Policy

The cookies and similar technologies we use, and why.

Last updated: 13 May 2026

This Cookie Policy explains what cookies and similar technologies TrueBooks uses, what they do, and the choices you have. It supplements our Privacy Notice and forms part of our Terms of Service.

We comply with the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) as amended, and with the UK GDPR. We use only strictly-necessary cookies. Under PECR Regulation 6(4), strictly-necessary cookies do not require your consent. We do not use advertising, behavioural-tracking, or third-party analytics cookies, so no cookie banner is presented.

1. What is a cookie?

A cookie is a small text file that a website places on your device when you visit. Cookies are widely used to make websites work efficiently, to remember preferences and to keep users signed in securely. Some technologies that are not strictly cookies — such as local storage and session storage — have similar effects and are covered by the same rules. For brevity we refer to all of them as “cookies” below.

2. Categories of cookie under PECR

  • Strictly necessary — required for the service you are using; no consent needed under PECR Regulation 6(4). All cookies we set fall into this category.
  • Functional — remember preferences (e.g. dark/light theme). We use one functional cookie, which we treat as strictly necessary for an essential preference you have actively chosen.
  • Analytics — statistical insights into how the site is used. We collect anonymous, server-side aggregate analytics on public marketing pages only; this uses no cookies and writes only a hashed IP server-side. See the Privacy Notice Section 2.2.
  • Marketing / advertising — tracking across sites for targeted advertising. We do not use these.

3. The cookies we set

The following cookies may be set in your browser when you use TrueBooks.

| Cookie | Purpose | Lifetime | Category |
|---|---|---|---|
| __Secure-next-auth.session-token (or next-auth.session-token on http localhost) | Keeps you signed in. Set after a successful login; cleared on sign-out. | 30 days | Strictly necessary |
| __Host-next-auth.csrf-token | Cross-site-request-forgery (CSRF) protection on auth requests. | Session | Strictly necessary |
| __Secure-next-auth.callback-url | Stores the URL to return to after sign-in. | Session | Strictly necessary |
| __Host-next-auth.pkce.code_verifier / __Host-next-auth.state | Securely completes OAuth sign-in (Xero, Google). | 15 minutes | Strictly necessary |
| __Host-tb-2fa-trust | Optional. Remembers a trusted device so you do not have to re-enter a two-factor code each time you sign in from it. Set only if you tick “Remember this device for 30 days” at the 2FA prompt; can be revoked from Settings → Security at any time. | 30 days | Strictly necessary (security) |
| __Host-tb-imp | Set only when a TrueBooks administrator is viewing your account in read-only support mode (impersonation). Time-limited to 15 minutes. Has no effect on, and is never set by, a regular user. | 15 minutes | Strictly necessary |
| tb_theme | Remembers your dark/light theme preference so the page renders without a flash of the wrong colour on the next visit. | 1 year | Strictly necessary (functional) |
| Amazon / Xero / Alibaba / eBay OAuth state cookies | Short-lived state values used during the OAuth handshake when you connect a third-party platform. | 10–15 minutes | Strictly necessary |

4. Local / session storage

We use the browser’s localStorage and sessionStorage to keep small, non-sensitive UI state on your device, such as:

  • The result of the last integrity-check / duplicate-scan you ran, so it survives page reload;
  • The state of the multi-step signup wizard (24-hour TTL, password never saved);
  • Filter, sort and column-visibility preferences on data tables.

These values are stored only on your device, are not transmitted to our servers, and are cleared when you sign out or clear site data.

5. Cookies set by third parties on our pages

We do not embed third-party scripts that set their own cookies on TrueBooks pages, with one exception:

  • Stripe.js — loaded only on the billing checkout and update-card surfaces. Stripe.js may set strictly-necessary cookies inside its own js.stripe.com iframe for security and fraud prevention. Those cookies are governed by Stripe’s cookie policy.
  • Chatwoot — the live-chat widget is loaded only when you elect to open it. It may set strictly-necessary cookies on its own app.chatwoot.com origin to maintain the conversation state. Those cookies are governed by Chatwoot’s own policy.

6. Controlling cookies

Because all cookies we set are strictly necessary for the Service to function, blocking them may prevent you from signing in or completing key actions. You can nevertheless control cookies through your browser settings.

To revoke the optional “Remember this device for 30 days” trust cookie, sign in and go to Settings → Security → Trusted Devices and click Revoke Trust on the device you want to remove.

7. Do Not Track

Our servers honour the meaning of the Do-Not-Track (DNT) header in the sense that we do not track you for advertising regardless of the header value. Because we do not perform cross-site behavioural tracking at all, DNT does not change our behaviour.

8. Changes to this policy

If we add a new cookie or change how existing cookies are used, we will update this page with the new “Last updated” date and, where the change is material, notify signed-in users by email or in-app banner.

9. Contact

Questions about cookies should be addressed to support@truebooks.co.uk.

Trademarks and non-affiliation

TrueBooks is an independent third-party solution. TrueBooks is not affiliated with, endorsed by, sponsored by, or otherwise associated with Amazon.com, Inc. or any of its subsidiaries. Amazon, Amazon Seller Central, Selling Partner API, FBA, and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates. Xero is a registered trademark of Xero Limited. All other trademarks are the property of their respective owners. See our Amazon disclaimer for more detail.