COOKIE POLICY

Effective date: April 29, 2026 Last updated: April 29, 2026 Version: 1.1

1. Introduction

This Cookie Policy describes the cookies and similar technologies used by the 1booq online booking management platform (operated by WaveOne Technologies Kft., hereinafter: the "Service Provider") in the course of operating the website and the Service.

This Policy should be read in conjunction with the Privacy Policy and the Terms of Service.

2. What Are Cookies and Similar Technologies?

Cookies are small text files placed on your device by the website that enable the site to identify the User, remember preferences, or serve security and authentication purposes.

In addition, the Service uses localStorage and sessionStorage technologies to preserve certain settings and application state (e.g. cookie preferences, language settings, UI preferences).

2.1. By Duration

• Session cookies: deleted when the browser is closed.
• Persistent cookies: remain on the device for a defined period (up to 12 months).

2.2. By Origin

• First-party cookies: set by the Service Provider (e.g. login session).
• Third-party cookies: set by external service providers (e.g. Paddle, Vercel) as necessary for the operation of the Service.

3. Cookie Categories and Purposes

The Service may use cookies grouped into four categories via the Cookie Banner.

3.1. Essential Cookies

Legal basis: Article 6(1)(b) and (f) GDPR – performance of a contract and legitimate interest Consent: not required (based on the "strictly necessary" exemption under the ePrivacy Directive)

These cookies are indispensable for the basic operation of the Service. Without them, the User cannot log in, create a Booking, or communicate securely with the platform.

Purposes:

• authentication and login session management,
• protection against CSRF attacks,
• preserving the transient state of the multi-factor (2FA) authentication flow,
• logging security and abuse-prevention events,
• storing the mandatory cookie-preference setting.

Examples (NextAuth.js, proprietary):

• __Secure-next-auth.session-token – login token
• __Secure-next-auth.csrf-token – CSRF protection
• __Secure-next-auth.callback-url – redirect URL
• cookie-preferences (localStorage) – preserving the User's cookie consent choices

Retention: session or up to 30 days (login session); cookie preferences 12 months.

3.2. Functional Cookies

Legal basis: Article 6(1)(a) GDPR – consent Consent: required

These cookies enhance the User experience of the Service and remember User settings.

Purposes:

• preserving language settings (en/hu/de),
• calendar and interface preferences (e.g. first day of the week, view type, time zone preference),
• last selected Provider/Site/Slot context.

Retention: up to 12 months.

3.3. Analytics Cookies

Legal basis: Article 6(1)(a) GDPR – consent Consent: required

The Service Provider does not currently use any analytics cookies.

Should the Service Provider introduce an analytics solution in the future (e.g. Plausible, Matomo, Google Analytics), Users will be notified through an update to this Policy, and such cookies will only be placed with the User's express prior consent.

3.4. Marketing Cookies

Legal basis: Article 6(1)(a) GDPR – consent Consent: required

The Service Provider does not currently use any marketing or retargeting cookies.

The Service does not currently integrate with any advertising networks (e.g. Google Ads, Facebook Pixel, TikTok Pixel). Such cookies may only be placed in the future with the User's express prior consent.

4. Cookies Used by Third-Party Providers

4.1. Paddle – Payment Processing

The Service Provider uses the Paddle (Merchant of Record model) payment solution. Paddle may deploy technical cookies necessary for processing payment transactions (e.g. fraud prevention, 3D Secure, session management during the payment flow). These qualify as essential cookies for the duration of the payment. Details: https://www.paddle.com/legal/cookie-notice

4.2. Vercel – Hosting

Vercel may use technical cookies to ensure the availability of the Service (e.g. edge routing, load balancing). These qualify as essential cookies.

4.3. OpenStreetMap / Leaflet – Maps

Map tiles are loaded from the OpenStreetMap infrastructure. Beyond its own technical service logging, OpenStreetMap does not place independent cookies.

4.4. GeoNames – City Search

The Service calls the GeoNames API via server-side requests for city and locality auto-completion. GeoNames does not install its own cookies on the User's device.

5. Managing Cookie Settings

5.1. Cookie Banner

Using the banner displayed on your first visit, you can:

• "Accept All" – accept all cookies,
• "Reject All" – reject all non-essential cookies,
• "Customise" – enable or disable cookies individually by category (functional, analytics, marketing).

Settings are stored using localStorage (key: cookie-preferences). Preferences can be changed at any time by clicking the cookie icon located in the bottom-left corner of any page of the Service.

5.2. Browser Settings

Most browsers allow you to view, delete, or block cookies:

• Chrome: https://support.google.com/chrome/answer/95647
• Firefox: https://support.mozilla.org/kb/cookies-information-websites-store-on-your-computer
• Safari: https://support.apple.com/guide/safari/manage-cookies-sfri11471
• Edge: https://support.microsoft.com/microsoft-edge

Blocking essential cookies will impair the operation of the Service (e.g. you will not be able to log in).

5.3. "Do Not Track" Signal

The Service does not currently interpret browser "Do Not Track" signals, as no industry standard exists for these. You may enforce your preferred settings through the cookie banner.

6. Similar Technologies

6.1. Local Storage and Session Storage

The Service uses the browser's localStorage/sessionStorage for the following purposes:

• recording cookie preferences (cookie-preferences),
• transient application state (e.g. data in an in-progress booking form, last view type).

These technologies operate exclusively within your browser; the Service Provider's servers do not read them directly. They are not suitable for independent tracking.

6.2. Email Tracking Pixels

Delivery and bounce events for transactional emails (e.g. booking confirmation, reminders, invoice notifications) are automatically logged by our email delivery sub-processor (MailerSend) as part of the standard operation of email infrastructure, in order to ensure deliverability and reliability. Open-tracking pixels are disabled by default and may be enabled only temporarily for targeted deliverability troubleshooting — without marketing profiling or advertising use. The Service Provider does not use email tracking for marketing purposes and does not combine open/click events with personal profiles for advertising.

Legal basis: legitimate interest under Article 6(1)(f) GDPR (transactional operations, delivery-failure detection, debugging email-related issues).

6.3. Webhooks and Server-Side Integrations

Paddle and other Data Processors communicate with the Service Provider via server-side webhook calls (e.g. payment confirmation, invoice issuance). These do not run in the User's browser and therefore do not involve cookies.

7. International Data Transfers

Cookie and technical data may be transferred to countries outside the EEA (in particular the United States), given that certain sub-processors of the Service Provider (Paddle, Vercel, MailerSend) operate there. The Service Provider ensures an adequate level of protection by means of:

• EU-US Data Privacy Framework (DPF) certification and/or
• Standard Contractual Clauses (SCCs), and
• supplementary technical and organisational measures (e.g. encryption, access controls).

8. Protection of Minors

Registered use of the Service is available exclusively to persons who have reached 18 years of age. The Service Provider does not knowingly collect cookie or localStorage data from persons under 18.

The non-registered (public) booking interface may only be used by persons under 18 under the supervision of a legal guardian; in such cases, the legal guardian is responsible for managing cookie settings.

9. Your Rights

You are entitled to:

• withdraw your consent to non-essential cookies at any time — as easily as you gave it (via the cookie icon, GDPR Article 7(3)),
• lodge a data-protection complaint with the competent supervisory authority,
• exercise the other data-protection rights detailed in the Privacy Policy.

Supervisory authority: Hungarian National Authority for Data Protection and Freedom of Information (NAIH) 1055 Budapest, Falk Miksa u. 9–11., Hungary Email: ugyfelszolgalat@naih.hu Website: https://naih.hu

10. Amendments to This Policy

The Service Provider reserves the right to amend this Cookie Policy unilaterally — in particular in the event of legislative changes, new features, or the engagement of a new Data Processor. In the case of material changes, the Service Provider will place a notice on the website and, where necessary, re-display the cookie banner.

11. Contact

If you have any questions or comments regarding this Cookie Policy:

Email: privacy@1booq.com Subject: "Cookie Policy inquiry"

Acknowledgement: By using the Service and making your selection via the cookie banner, you acknowledge the use of cookies and similar technologies as described in this Policy.