// COOKIE POLICY
How we eat cookies.
This policy explains how we use cookies and similar technologies on our website.
Effective date: 17 April 2026 Last updated: 17 April 2026
This policy explains what cookies Four Hearts Studio sets on fourhearts.studio, why, and how you can control them. It sits alongside our Privacy Policy, which covers how we handle personal data more broadly.
What cookies are
Cookies are small text files a website saves on your device so it can remember things about your visit. They're one of several similar technologies (local storage, pixels, tags) used on modern sites. We use the word "cookies" throughout this policy to refer to all of them.
Cookies are either:
- First-party — set by Four Hearts Studio directly.
- Third-party — set by a service we use (for example, Google Analytics or Microsoft Clarity).
They're also either:
- Session cookies — deleted when you close your browser.
- Persistent cookies — kept for a set period unless you delete them yourself.
How we use cookies
We use cookies for four things:
- Essentials — so the website works (logging you in, keeping your cookie choices, preventing cross-site request forgery).
- Analytics — so we can understand which pages people actually find useful.
- Session replays and heatmaps — so we can see where the site is confusing and fix it.
- Email attribution — so when you click a link in one of our emails, we can credit your visit to the right campaign.
No non-essential cookies are set until you accept them. When you first visit the site you'll see a banner asking what you're comfortable with. You can accept all, reject all, or go into the preferences panel and toggle individual categories.
How to manage your preferences
You can change your mind at any time.
- On this site: click the Cookie preferences link in the footer of any page to re-open the preferences panel.
- In your browser: every major browser lets you block or delete cookies through its settings. All About Cookies has simple instructions for each one. Blocking essential cookies will break parts of the site.
- For Google Analytics specifically: you can install the Google Analytics opt-out browser add-on.
Categories we use
We group cookies into five categories, matching the controls in the preferences panel.
1. Strictly necessary (always on)
These keep the website working. They can't be turned off because the site would break without them. They don't track you across other websites or contain anything identifying beyond what's needed to run a browsing session.
| Name | Set by | Purpose | Expiration |
|---|---|---|---|
four-hearts-studio-session |
Four Hearts Studio | Laravel session cookie — identifies your browser session across page loads. | 2 hours |
XSRF-TOKEN |
Four Hearts Studio | Protects form submissions against cross-site request forgery. | 2 hours |
cc_cookie |
Four Hearts Studio | Remembers your cookie preferences so this banner doesn't show on every visit. | 6 months |
2. Analytics (with consent)
Analytics cookies help us understand which pages people read, which ones they bounce off, and where the site is confusing. We use three providers for this: Google Analytics 4, Google Tag Manager (which loads the other tags), and Microsoft Clarity. None of these are set unless you accept them in the banner.
Google Analytics 4 and Google Tag Manager
| Name | Set by | Purpose | Expiration |
|---|---|---|---|
_ga |
Google Analytics | Distinguishes unique users by assigning a randomly generated client ID. | 2 years |
_ga_<container-id> |
Google Analytics | Persists session state for GA4. The <container-id> portion matches our GA4 property. |
2 years |
_gid |
Google Analytics | Distinguishes users (legacy). | 24 hours |
_gat_gtag_<property-id> |
Google Analytics | Throttles the rate of requests to reduce load on Google's servers. | 1 minute |
Google's advertising and analytics cookie policies are documented at business.safety.google/adscookies.
Google Tag Manager itself does not set cookies on your device — it only decides which other tags (and therefore which cookies) get loaded once you've given consent.
Microsoft Clarity
Microsoft Clarity produces session recordings and heatmaps so we can see where people hover, click and get stuck. Microsoft's full cookie list is in their Clarity cookies documentation.
| Name | Set by | Purpose | Expiration |
|---|---|---|---|
_clck |
Microsoft Clarity (first-party) | Persists the Clarity user ID and preferences. | 1 year |
_clsk |
Microsoft Clarity (first-party) | Connects multiple page views into a single Clarity session recording. | 1 day |
CLID |
clarity.ms (third-party) |
Identifies the first time Clarity saw this user on any Clarity-enabled site. | 1 year |
ANONCHK |
c.clarity.ms (third-party) |
Flag used by Microsoft's ad platform. Clarity sets it to 0 because Clarity does not use it for advertising. |
10 minutes |
MR |
c.clarity.ms (third-party) |
Indicates whether to refresh the MUID cookie. | 7 days |
MUID |
clarity.ms (third-party) |
Identifies unique browsers visiting Microsoft sites. Used for analytics and operational purposes. | 1 year |
SM |
c.clarity.ms (third-party) |
Synchronises the MUID cookie across Microsoft domains. | Session |
Bento
Bento is our email provider. It sets a cookie and stores supporting data in your browser's local storage so it can attribute page views and events to the right subscriber when you arrive from one of our emails (or after you've subscribed).
| Name | Set by | Purpose | Expiration |
|---|---|---|---|
_bento_session |
Bento | Tracks the current visitor session and links page views to a subscriber. | Session |
Bento also writes the following to your browser's local storage (these are not cookies, but are treated the same way for consent purposes). They're cleared when you withdraw analytics consent in the preferences panel:
| Name | Storage | Purpose |
|---|---|---|
bento_visitor_id |
localStorage | Long-lived anonymous visitor identifier. |
bento_visit_id |
localStorage | Identifier for the current visit. |
bento_events |
localStorage | Queue of pending events (e.g. page views) not yet sent to Bento's servers. |
Stripe
When Stripe.js is loaded on a page — currently as a side-effect of our email provider, and in future during payment checkout — Stripe sets the following fraud-prevention cookie:
| Name | Set by | Purpose | Expiration |
|---|---|---|---|
__stripe_mid |
Stripe | Machine identifier used by Stripe to detect fraudulent behaviour. See Stripe's cookie policy. | 1 year |
Once checkout goes live at Christmas 2026, this cookie will be essential for preventing payment fraud and will be reclassified as strictly necessary during the purchase flow.
3. Advertising
We don't currently run ads or set any advertising cookies. The category is kept in the preferences panel so that, if we add paid advertising in future, the controls are already in place and we can't enable it without your consent.
4. Functionality
We don't currently set any functionality cookies (for example, language preferences). If that changes, we'll list them here and the preferences panel will ask for consent before they're set.
5. Security
We don't currently set any security-specific cookies beyond the essentials listed under "Strictly necessary" above. This category exists so that, if we add features like fraud prevention tooling in future, the controls are ready.
Google Consent Mode v2
Our site uses Google Consent Mode v2. This means Google services receive signals about your cookie choices and adjust their behaviour accordingly. If you reject analytics, Google Analytics runs in a cookieless "pinged" mode that gives us aggregated, anonymous data without placing cookies or processing your personal data. You can read more about consent mode at support.google.com/tagmanager.
Do Not Track
Most browsers offer a "Do Not Track" (DNT) setting. There is no agreed industry standard for how websites should respond to it, so we don't rely on DNT alone. We respect your choices through our cookie banner and the preferences panel instead, both of which apply regardless of your DNT setting.
Changes to this policy
When we add, remove or change a cookie we'll update the tables above and change the "Last updated" date. The cookie banner will re-prompt you for consent whenever we add a new non-essential category.
Contact
Questions about cookies — or anything else — go to [email protected].
You can also reach us by post at: Mathew Baxter, 5 Bacchus Gardens, Leighton Buzzard, Bedfordshire, LU7 9SA, United Kingdom.