Cookie Consent & Privacy Pages
Last updated 19 May 2026
Storefront cookie consent banner gates analytics scripts so nothing fires before the customer agrees. Auto-generated Privacy and Terms pages — built from your venue details — give you compliance-ready legal pages without writing them from scratch.
Where to find them — Web (operator config): Storefront → Legal. Customer-facing: cookie banner appears on every storefront page; privacy at /your-slug/privacy; terms at /your-slug/terms.
TL;DR
- Single Accept/Reject cookie banner — appears only when you have tracking configured.
- Auto-generated Privacy and Terms pages localised for AU, NZ, GB.
- Owner can override contact email and append custom cookies / terms clauses.
- All plans. Auto-generated pages are noindex, follow (legal pages, not SEO).
The cookie consent banner
When at least one tracking ID (GA4, Meta Pixel, GTM) is configured on your venue, every storefront page shows a cookie consent banner 2 seconds after load:
- Single tier: Accept or Reject (not a multi-category banner with necessary/analytics/marketing checkboxes — the model is binary)
- Persists for 12 months via the oc-consent cookie
- Mirrors to localStorage so the choice survives cookie clearing in some browsers
- Suppressed entirely when no tracking is configured (nothing to gate)
- Suppressed in embed mode (the parent site handles its own consent)
- Customers can re-consent any time via the privacy page footer link
Accept
- All configured tracking scripts load (GA4, Meta Pixel, GTM)
- Page reloads once so SSR can inject <Script> tags
Reject
- No tracking scripts load for this session
- Cookie set to reject for 12 months
- Customers can still book, pay, use the storefront fully
The privacy page
Auto-generated at /your-slug/privacy. Built from a template that takes:
- Venue name (from venue settings)
- City (from venue address)
- Contact email (override or fall back to venue email)
- Additional cookies disclosure (your free-text addition, optional)
- Tracking vendors actually configured (GA4 / Meta Pixel / GTM are listed automatically)
Template is locale-locked to AU, NZ, GB. Other-country venues don't render the page (it would 404), and the storefront footer hides the privacy link.
Page is noindex, follow — legal pages shouldn't compete with your storefront for ranking, but their outbound links (to your business) are followed.
The terms page
Auto-generated at /your-slug/terms. Same template approach, with optional termsAdditional free-text addendum (up to 4,000 characters).
Use the addendum for venue-specific terms — "Refunds processed within 5 business days", "Late arrivals over 15 minutes may forfeit deposit", etc.
Configuring overrides
Open Storefront → Legal. Three fields:
| Field | Default | Override use case |
|---|---|---|
| Contact email for data requests | Your venue email | Separate privacy mailbox (e.g. privacy@yourdomain.com) |
| Additional cookies disclosure | None | Document cookies beyond GA4/Meta/GTM (e.g. third-party widgets you've added) |
| Additional terms clauses | None | Venue-specific T&Cs you want appended |
Save. Changes take effect on the next storefront page load.
How the consent gate ties to your tracking
The flow on a fresh visitor:
- Visitor opens your storefront
- SSR renders the page; tracking scripts are NOT injected yet
- Banner shows 2 seconds in
- Visitor taps Accept
- Cookie sets to accept, page reloads
- SSR renders again; this time the tracking scripts are injected
- GA4 / Meta Pixel / GTM load and fire PageView
- Subsequent navigation within the session keeps scripts loaded — no further consent prompts
If they hit Reject instead, the cookie sets to reject and scripts stay out until they re-consent or the cookie expires after 12 months.
See Conversion Tracking for details on what events fire after consent.
What the customer sees on the privacy page
The auto-generated page includes:
- Who you are — venue name and contact details
- What data you collect — booking details, payment info (via Stripe), photos if applicable
- Why you collect it — fulfilling the booking, processing payment
- Who you share it with — service providers (Stripe, Twilio, etc.), legal requirements
- Cookies — what's set and why (only the vendors you've actually configured)
- Customer rights — access, correction, deletion (AU APP, NZ Privacy Act, UK GDPR/Data Protection Act)
- Last updated date
Customers can request data deletion via the contact email. See Privacy & Data Requests for the operator-side handling (Wave 6).
Custom domain compatibility
Privacy and Terms pages are served from the storefront layout, so they work on custom domains too. URL is /{slug}/{privacy|terms} on the canonical openchairpro.com path; on a custom domain like salonsmith.com, the pages render at salonsmith.com/privacy and salonsmith.com/terms.
Locale support
| Country | Auto-generated pages? |
|---|---|
| Australia | Yes (AU Privacy Act references) |
| New Zealand | Yes (NZ Privacy Act references) |
| United Kingdom | Yes (UK GDPR / Data Protection Act references) |
| Other | No — pages return 404; footer hides links |
If you operate in a country outside this list and need legal pages, contact support — we can scope the locale.
Tier
All plans. Cookie banner, auto-generated pages, and operator overrides all work on FREE and PRO.
Role access
| Action | Owner | Manager | Stylist |
|---|---|---|---|
| View Legal settings | Yes | Yes | No |
| Edit Legal settings | Yes | Yes | No |
Common mistakes
| Problem | What to check |
|---|---|
| No cookie banner appears | Confirm at least one tracking ID is configured under Storefront → Tracking. Without tracking, no banner. |
| Privacy page 404s | Your venue's country isn't in the supported locale list (AU/NZ/GB only). Contact support if you need other locales. |
| Customer says they were tracked without consent | Check the cookie value in their browser — oc-consent should be accept. If it's missing or reject, scripts shouldn't have fired. Inspect the page source to confirm scripts aren't loaded. |
| Want to remove the banner entirely | Remove all tracking IDs. Banner suppresses automatically when there's nothing to gate. |
| Need a custom-built privacy page (e.g. multi-language) | Not supported in the auto template. Contact support; for now, you'd need to host your own privacy page externally and update your venue's privacy URL accordingly. |
| Additional cookies disclosure too long | Cap is 2,000 characters; additional terms is 4,000. Trim to fit. |
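
To make the "tracked without consent" check above repeatable, the following added example (not OpenChair's own code) audits a saved page source against the consent flow described earlier: vendor loader scripts may appear only when oc-consent is accept. The function names and the sample page are assumptions; the loader hosts are the vendors' standard script URLs.

```javascript
// Added example: audit a rendered page against the consent rule on this page.
// Function names and the sample page are hypothetical / constructed.
const TRACKER_MARKERS = {
  "GA4": /googletagmanager\.com\/gtag\/js/i,
  "GTM": /googletagmanager\.com\/gtm\.js/i,
  "Meta Pixel": /connect\.facebook\.net\/[^"'\s]*fbevents\.js/i,
};

// Read oc-consent from a raw Cookie header. Anything other than the exact
// values "accept" or "reject" is treated as no decision (fail closed).
function readConsent(cookieHeader) {
  for (const part of (cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1 || part.slice(0, eq).trim() !== "oc-consent") continue;
    const value = part.slice(eq + 1).trim();
    return value === "accept" || value === "reject" ? value : null;
  }
  return null;
}

// List vendors whose loader URL appears in any <script> tag (src or inline).
function findTrackers(html) {
  const scripts = html.match(/<script\b[^>]*>[\s\S]*?<\/script>/gi) || [];
  const found = new Set();
  for (const tag of scripts)
    for (const [vendor, re] of Object.entries(TRACKER_MARKERS))
      if (re.test(tag)) found.add(vendor);
  return [...found].sort();
}

// A violation is any tracker in the page when consent is not "accept".
function auditConsent(cookieHeader, html) {
  const consent = readConsent(cookieHeader);
  const trackers = findTrackers(html);
  return { consent, trackers, violation: consent !== "accept" && trackers.length > 0 };
}

// Constructed sample page source (placeholder measurement ID).
const PAGE_TRACKED = '<html><head>' +
  '<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>' +
  '<script>!function(f,b,e,v){/* stub */}(window,document,"script",' +
  '"https://connect.facebook.net/en_US/fbevents.js");</script></head><body></body></html>';

console.log(auditConsent("oc-consent=reject; theme=dark", PAGE_TRACKED));
```

Feed it the Cookie request header and the page source saved from the same request; a result with violation set to true means a loader was rendered without an accept decision.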
FAQ
Does my storefront have a cookie banner?
Only when you've configured tracking (GA4, Meta Pixel, or GTM). Without tracking, there's nothing to consent to, so no banner shows. With tracking, a single Accept/Reject banner appears 2 seconds after load and stores the choice for 12 months.
Where do my Privacy and Terms pages come from?
Auto-generated from your venue details — name, city, contact email, and any tracking vendors you've configured. Available at /your-slug/privacy and /your-slug/terms. Locale-locked to AU, NZ, GB (other countries don't render them).
Can I customise the privacy and terms?
Yes, additively. Add your own privacy contact email (overrides venue email), extra cookies disclosure (up to 2,000 chars), and extra terms clauses (up to 4,000 chars) under Storefront → Legal. Your additions append to the auto-generated template.
What's the difference between the cookie banner and the privacy page?
The cookie banner is the live opt-in/out (Accept or Reject scripts loading). The privacy page is the static disclosure page describing what data you collect, why, and how it's used. The banner links to the privacy page so customers can read before deciding.
Do I need to use OpenChair's auto-generated pages?
You don't have to, but most salons benefit from them — they're free, compliance-ready, and update when you change your venue details. If you have a legal team that's drafted custom pages, you can host those externally and link to them in your storefront footer (manual override — contact support).
Is OpenChair my data controller or processor?
OpenChair is the data processor acting on your behalf. You're the data controller for your customers' data. The auto-generated privacy page reflects this — it names your venue as the responsible party for handling customer data requests.