Skip to main content
BambooPaper.in
Policies

Cookie Policy

What cookies BambooPaper.in stores in your browser, why we store them, and how to opt out — drafted to the Digital Personal Data Protection Act, 2023 consent standard.

Last updated:

1. What this policy covers

This Cookie Policy explains how BambooPaper.in uses cookies and similar browser-storage technologies (localStorage, sessionStorage, pixel tags). It is read together with our Privacy Policy — the broader picture of how we handle your personal data under the Digital Personal Data Protection Act, 2023 (DPDP Act).

2. What is a cookie?

A cookie is a small text file a website saves in your browser. On a later visit the same file can be read again. Cookies let us remember your cart between page-loads, keep you logged in to your account, and understand which products and articles people read most so we can improve them.

3. Our consent model

The DPDP Act, 2023 requires consent to be free, specific, informed, unconditional, unambiguous and given through clear affirmative action (§6). We apply that standard to non-essential cookies:

  • Strictly necessary cookies (§4.1 below) are set without consent — they are technically required to load a cart, complete checkout, or stay logged in. Consent isn't needed for these under DPDP §7 (legitimate uses).
  • Analytics and marketing cookies (§4.2 and §4.3) load only after you tick "Accept" on the cookie banner. Default is "off". Closing the banner without choosing is treated as no-consent — we don't load them.
  • Withdrawal is one-click: re-open the cookie banner from the "Cookie settings" link in the footer at any time and uncheck analytics. We will then stop loading those scripts on subsequent page-views and clear our stored consent flag (existing third-party cookies need to be cleared from your browser — see §6).

4. Cookies we use

4.1 Strictly necessary (always on)

Required for the Site to function. The cart, checkout, and login flow will not work without these.

  • bp_cart_id — links your shopping cart to your browser. localStorage, 30 days from last use.
  • medusa_session — keeps you logged in to your account. HttpOnly cookie, 14 days from last activity.
  • bp_consent — remembers your cookie-banner choice so we don't ask again. localStorage, 6 months.
  • bp_bypass — set only on staging / maintenance-bypass; never on production for end-users.
  • CSRF tokens — short-lived per-session, used to protect form submissions from cross-site forgery.

4.2 Analytics (consent-gated)

Loaded only after you accept on the cookie banner. Used to measure which pages perform best and where visitors get stuck.

  • Google Analytics 4_ga, _ga_*. Anonymised page-views, session metrics and conversion events. IP anonymisation enabled. Retention 14 months (GA4 default).
  • Microsoft Clarity_clck, _clsk. Aggregate heatmaps and session replays; keystrokes inside password fields are masked at source. Retention 12 months rolling.

4.3 Marketing (consent-gated)

These cookies are reserved for the future — we may add them when we start paid marketing campaigns. They will be disclosed here and gated by the same banner consent flow before any go live.

4.4 Functional / preferences

  • bp_wishlist — your saved-products list. localStorage.
  • bp_recent_pin — last PIN code you checked for serviceability, prefilled on the next product page.
  • bp_subscribe_intent — your last cadence picker selection on the PDP toggle, so the subscribe button stays consistent across pages.

4.5 Third-party cookies set when you use those features

  • Razorpay sets payment-session cookies during checkout and on the hosted Payment Link page. Razorpay's cookie policy lives at razorpay.com/privacy.
  • Cloudflare sets cf_* cookies as part of its CDN and Web Application Firewall protection. These are bot-mitigation, not analytics.
  • YouTube embeds (if used in blog posts) set Google cookies inside the player iframe. We use the youtube-nocookie.com domain where possible to defer cookie-setting until you press play.

5. How to manage your cookies

You have three independent controls:

  1. The cookie banner on first visit lets you accept or decline non-essential cookies. Decline keeps only the strictly-necessary ones. You can re-open the banner from the "Cookie settings" link in the footer to change your mind.
  2. Your browser settings can block or delete all cookies. Vendor instructions: Chrome, Firefox, Safari, Edge. Note: blocking all cookies will break the cart and login.
  3. DNT (Do Not Track) — when your browser sends a DNT header, we treat that as a no-consent signal and suppress analytics even if you previously accepted on the banner.

6. Clearing third-party cookies after consent withdrawal

When you withdraw consent, we stop loading the analytics scripts going forward. Cookies that were already set by the third party (Google, Microsoft) remain in your browser until they expire or until you clear them manually. To clear them now, use your browser's "Clear cookies for this site" option in the address bar (the padlock icon).

7. Retention

  • bp_cart_id — 30 days from last use.
  • medusa_session — 14 days from last activity.
  • bp_consent — 6 months, then re-prompt.
  • bp_wishlist, bp_recent_pin, bp_subscribe_intent — until you clear browser storage.
  • Google Analytics — 14 months (default).
  • Microsoft Clarity — 12 months rolling.
  • Razorpay / Cloudflare — controlled by those providers.

8. Changes

We update this policy whenever the set of cookies we use changes. The "Last updated" date at the top reflects the most recent revision. Material changes are announced via the cookie banner (so any prior consent is re-confirmed).

9. Contact

Questions about cookies or your stored data: hello@bamboopaper.in. For broader DPDP Act rights and the Grievance Officer, see our Privacy Policy §8 & §11.