Cookie Policy / GDPR Notice
This Cookie Policy explains what cookies and similar technologies (collectively "cookies") Tenerife World Tickets uses on tenerifeworldtickets.org, why we use them, how the Customer can control them, and how this practice complies with Regulation (EU) 2016/679 (GDPR) and Directive 2002/58/EC as amended by Directive 2009/136/EC (the ePrivacy Directive) — together with the guidance issued by the European Data Protection Board (EDPB) on consent and on cookies.
1. What is a cookie?
1.1. A cookie is a small text file that a website saves on the user's device (computer, tablet, phone) the first time the user visits, and that the browser sends back to the same website on subsequent visits. The file holds a small amount of data — typically an opaque session identifier or a preference setting — and allows the website to recognise the device.
1.2. The same legal regime applies to other client-side storage technologies — localStorage, sessionStorage, IndexedDB, the HTML5 Application Cache, browser-fingerprinting techniques and pixel tags — whenever they are used to read information from, or write information to, the user's terminal equipment. References in this Policy to "cookies" cover all such technologies.
2. Categories of cookies and the legal basis we rely on
European law recognises a binary distinction: cookies that are strictly necessary for the service requested by the user are exempt from the consent requirement (Art. 5(3) ePrivacy Directive, second sentence), while all other cookies require prior, informed, freely given, specific and unambiguous consent. Below we map our cookies to the relevant legal basis.
| Category | Purpose | Legal basis | Default state |
|---|---|---|---|
| Strictly necessary | Maintain the user's session, remember the cart contents, balance load across the back-end pool, issue an anti-CSRF token, detect bot/fraud activity at sign-up. | Art. 5(3) ePrivacy — exemption / Art. 6(1)(b) GDPR — performance of the contract | Active by default (cannot be disabled) |
| Functional / preference | Remember the user's language choice, the currency, accessibility settings (font size, high-contrast mode), and whether the cookie banner has been answered. | Art. 6(1)(a) GDPR — consent (a soft consent expressed by interaction with the banner is sufficient where the user actively chooses the preference) | Active only after consent |
| Analytics | Aggregated, pseudonymised statistics about how visitors navigate the site, which pages convert, which user-flows lead to errors. We use Microsoft Clarity with IP anonymisation. | Art. 6(1)(a) GDPR — explicit consent | Off by default; activated only on click of "Accept" in the banner |
| Marketing / advertising | Tenerife World Tickets does not currently run any retargeting, behavioural advertising or audience-sharing cookie. The category is mentioned for the sake of completeness. | Art. 6(1)(a) GDPR — explicit consent (would be required if used) | Not deployed |
3. Inventory of the cookies set on tenerifeworldtickets.org
The list below is published in good faith and updated whenever we onboard or off-board a tool. Names of strictly-necessary cookies set by our infrastructure provider may vary slightly without re-publication of this Policy.
| Name | Provider | Lifetime | Category |
|---|---|---|---|
| __park_sub | tenerifeworldtickets.org (first-party) | session | Strictly necessary (routes the assets of the SPA to the correct upstream) |
| session_id / sid | tenerifeworldtickets.org (first-party) | session | Strictly necessary (holds the cart and the lead-guest contact data during checkout) |
| csrf_token | tenerifeworldtickets.org (first-party) | session | Strictly necessary (prevents cross-site request forgery on the payment form) |
| didomi_token / euconsent-v2 | tenerifeworldtickets.org (first-party) | 6 months | Strictly necessary (records the user's consent choice required by ePrivacy) |
| locale / currency | tenerifeworldtickets.org (first-party) | 12 months | Functional |
| _clck / _clsk / CLID | Microsoft Clarity (third-party, EU/EEA hosting) | 12 months / 1 day / 1 year | Analytics — consent required |
4. Consent — how we collect it
4.1. On the first visit a layered cookie banner is displayed at the bottom of the screen with three equally-prominent options: "Accept all", "Reject non-essential" and "Customise". The "Reject" button is presented with the same visual weight as "Accept", in line with the EDPB Guidelines 03/2022 on deceptive design patterns ("dark patterns").
4.2. No non-essential cookie is written to the device until the user has clicked one of the three options. Continuing to scroll, navigate to a sub-page, or close the banner does not constitute consent.
4.3. The user's choice is stored in a cookie of category strictly necessary
(didomi_token) for 6 months, after which the banner is displayed again.
4.4. The user can withdraw consent at any moment through the persistent "Cookie settings" link in the footer of every page; the withdrawal takes effect immediately for any subsequent processing.
5. Browser-level controls
5.1. All modern browsers allow the user to view the cookies set by a website, to delete them, or to block all cookies in advance. The procedure depends on the browser:
- Chrome: Settings → Privacy and security → Cookies and other site data.
- Firefox: Preferences → Privacy & Security → Cookies and Site Data.
- Safari (macOS): Preferences → Privacy → Manage Website Data.
- Edge: Settings → Cookies and site permissions → Cookies and site data.
5.2. Blocking strictly-necessary cookies will prevent the cart, the checkout flow and the language switcher from working. Blocking analytics cookies has no effect on the functioning of the Service.
6. Do Not Track and Global Privacy Control
6.1. The Customer's browser may send a DNT: 1 header (Do Not Track) or the
Sec-GPC: 1 header (Global Privacy Control). When such a header is detected and the
Customer has not yet made a choice in our banner, we treat the absence of consent as a refusal of
non-essential cookies — analytics cookies are not set.
6.2. Where the Customer has actively clicked "Accept all" in our banner, the explicit consent overrides any header signal, on the basis that an explicit choice expressed on the site is more specific than a global browser default.
7. Cookies set by third parties
7.1. Microsoft Clarity is the only third-party tool that may write cookies on tenerifeworldtickets.org. Microsoft processes the data as a processor on our behalf under a Data Processing Agreement that implements Art. 28 GDPR. IP addresses are anonymised before storage, and the data is hosted in EU data centres.
7.2. We do not embed Facebook Pixel, Google Ads tag, TikTok Pixel, Pinterest Tag, LinkedIn Insight Tag or any equivalent ad-tracking pixel.
8. Children
The Service is not directed to children under the age of 16. Where the user is under 16 and the consent of the holder of parental responsibility is required (Art. 8 GDPR), we rely on the adult who actually placed the order.
9. Modifications to this Cookie Policy
9.1. We may modify this Policy when we add or remove a tool, or when guidance from supervisory authorities changes. The "Last updated" date below shows the date of the most recent revision.
9.2. Material modifications (introduction of a new analytics tool, change of a sub-processor) trigger a fresh display of the cookie banner so the Customer can make an informed choice.
10. Contact
Questions on this Policy or on the cookies set on tenerifeworldtickets.org: support@tenerifeworldtickets.org with subject line "Cookies".