If you only read one thing on this page, read this.
- We use 5 categories of cookies: essential (required), analytics (anonymous), affiliate-attribution, ad-mediation (Ezoic — for site monetization), and a small number of third-party cookies set by sub-processors.
- We do not run direct advertising trackers — no Meta Pixel, no Google Ads tag, no LinkedIn Insight Tag, no TikTok Pixel, no third-party DSP. We use Ezoic as an ad-mediation partner, which sets advertising cookies for ad delivery, frequency capping, and consent. See §7.
- Essential cookies (auth, session, CSRF) are required for the site to work — there is no way to opt out without breaking login + checkout.
- Analytics + affiliate cookies are subject to consent for visitors in the EU/UK and to opt-out under CCPA. We respect Global Privacy Control (GPC) as an opt-out signal.
- You can clear all cookies via your browser settings any time. We don’t fingerprint or use any other persistent identifier to bypass cookie controls.
- Cookie lifetime: essential cookies are session-only or 1 day; affiliate-attribution cookies up to 60 days; analytics cookies up to 1 year (PostHog default).
- For the full table of every cookie we set, including names and durations, see section 8.
Table of contents (15 sections)
1What cookies are
Cookies are small text files stored on your device by your browser when you visit a website. They are used for many things — keeping you logged in, remembering your preferences, measuring how a site is used, attributing referrals, and (in many cases) tracking you across the web for advertising. We use cookies for the first four; we do not use them for advertising.
This policy also covers similar technologies — local storage, session storage, server-set tokens, and pixels — to the extent they perform the same function as cookies.
2The 4 cookie categories we use
The Service uses 4 categories of cookies. Each is described in detail below.
- Essential / strictly-necessary — required for the Service to function (login, checkout, CSRF protection, session). No consent required under GDPR/ePrivacy.
- Analytics — measure how the Service is used, in aggregate. Consent required in the EU/UK.
- Affiliate-attribution — record which affiliate link you clicked so we (and the partner) can attribute commissions. Consent required in the EU/UK.
- Ad-mediation — set by Ezoic and its certified partners to serve relevant ads, measure performance, apply frequency caps, and manage consent. Consent required in the EU/UK (handled via the Gatekeeper CMP).
- Third-party — set by our other sub-processors (Cloudflare for security, Sentry for error tracking, PostHog for analytics, Impact for affiliate transformation). Each is listed below.
3Essential / strictly-necessary cookies
Essential cookies make the Service work. Without them, you cannot log in, the checkout cannot validate a payment, and form submissions cannot prevent CSRF attacks. Examples:
- Authentication tokens (Supabase Auth) — keep you logged in across page navigations.
- Session ID — links your browser session to your activity on the Service.
- CSRF token — prevents cross-site request forgery on form submissions.
- Cookie-banner-state — remembers whether you’ve already responded to the cookie banner so we don’t re-prompt.
4Analytics cookies
Analytics cookies measure how the Service is used so we can improve it. We use PostHog (product analytics) and Sentry (error tracking + Web Vitals). Both are configured to:
- Anonymize IP addresses before they reach the analytics provider (where supported).
- Mask all input fields by default in any session-replay capture (your form input is never sent to PostHog).
- Avoid cross-site fingerprinting — we use first-party cookies on the thepharmwcg.com domain, not third-party trackers.
Specific events we collect include: page views, click events, web vitals (LCP/INP/CLS), error stack traces, and (with sampling) a session replay if a JavaScript error occurs.
5Affiliate-attribution cookies
If you click an affiliate link on the Service, an attribution cookie may be set so the partner can credit your subsequent sign-up to The Pharm. We use a 30-minute rolling bucket hash for our internal click tracking; partner cookies follow the partner’s own program rules (typically 24 hours to 60 days, on the partner’s domain — not on ours).
See Affiliate Disclosure for the full list of partners and their commission models.
6Third-party cookies set by sub-processors
The following sub-processors set cookies when you visit the Service. Each is contractually bound by our data-processing agreements; cookie behavior is governed by the sub-processor’s own privacy policy.
| Provider | Purpose | Cookie name(s) | Lifetime |
|---|---|---|---|
| Cloudflare | DDoS / bot protection | __cf_bm, __cflb | 30 min — 1 day |
| Supabase | Auth session | sb-access-token, sb-refresh-token | 1 hour — 30 days |
| PostHog | Product analytics | ph_* | 1 year |
| Sentry | Error monitoring | (none — uses local storage) | session |
| Impact | Affiliate link transform + impression | impact_* | 30 days |
| PayPal (checkout only) | Checkout fraud-prevention | paypal-* | session |
7Advertising / behavioral tracking
The Pharm uses Ezoic (ezoic.com) — a Google Certified Publishing Partner — for site monetization. Ezoic runs real-time header bidding across multiple demand sources, applies frequency caps so you don’t see the same ad repeatedly, and manages consent state via the Gatekeeper CMP for visitors in the EEA, UK, and Switzerland (TCF 2.3 + Google Consent Mode v2).
Ezoic and its mediation partners set the following cookies on this site:
ezovuuid— anonymous visitor identifier (Ezoic; 1 year).ezovuuidtime— visitor identifier timing (Ezoic; 1 year).ez_cmpccpa— CCPA opt-out state (Ezoic; 1 year).__ezas— anonymous session (Ezoic; session).__gads,__gpi— Google ad measurement and frequency capping when AdSense is included in mediation (Google; 13 months).IDE— ad personalization (Google DoubleClick; 13 months).- Gatekeeper CMP consent-state cookies — record your TCF 2.3 / CCPA preferences (Gatekeeper; 1 year).
To opt out: visit our Do Not Sell or Share My Personal Information page, or use the Ezoic privacy controls at ezoic.com/privacy-policy. We also honor the Global Privacy Control (GPC) browser signal automatically (see §12).
We may, in the future, add additional ad-network partners (such as Google AdSense directly or other certified mediation partners). If we do, this Cookie Policy will be updated with at least 30 days’ notice and visitors in the EU/UK will be re-prompted for consent.
8Full cookie table
This is the comprehensive cookie inventory. The cookie banner you see on first visit reflects this list; toggling categories on or off in the banner changes what is set during your session.
| Name | Category | Set by | Purpose | Lifetime |
|---|---|---|---|---|
cookie-consent | Essential | The Pharm | Records consent state | 1 year |
sb-access-token | Essential | Supabase | Auth — keeps you logged in | 1 hour |
sb-refresh-token | Essential | Supabase | Auth — refreshes the access token | 30 days |
__cf_bm | Essential | Cloudflare | Bot protection | 30 minutes |
__cflb | Essential | Cloudflare | Load balancer affinity | 1 day |
ph_*_posthog | Analytics | PostHog | Page views, events, web vitals | 1 year |
impact_irclickid | Affiliate | Impact | Affiliate click attribution | 30 days |
ezovuuid | Ad-mediation | Ezoic | Anonymous visitor identifier | 1 year |
ezovuuidtime | Ad-mediation | Ezoic | Visitor identifier timing | 1 year |
ez_cmpccpa | Ad-mediation | Ezoic | CCPA opt-out state | 1 year |
__ezas | Ad-mediation | Ezoic | Anonymous session | session |
__gads, __gpi | Ad-mediation | Google (via Ezoic) | Ad measurement + frequency cap | 13 months |
IDE | Ad-mediation | Google DoubleClick (via Ezoic) | Ad personalization | 13 months |
| Gatekeeper consent cookies | Essential (consent) | Gatekeeper CMP | TCF 2.3 + CCPA preferences | 1 year |
paypal-* | Essential (during checkout) | PayPal | Checkout flow + fraud prevention | session |
9Consent and EU/UK ePrivacy compliance
For users in the European Economic Area, the United Kingdom, and Switzerland, we follow the GDPR + ePrivacy Directive cookie-consent framework:
- Essential cookies are set without consent (legal basis: necessary to deliver the Service).
- Analytics, affiliate, and any future marketing cookies require opt-in consent via the cookie banner shown on first visit.
- You may withdraw consent at any time by clearing the banner state from your browser, then re-loading the Service.
- Refusing non-essential cookies does not reduce the functionality of the Service for you.
For users in the United States, we comply with the consumer-rights frameworks listed in Privacy Policy §13 — including the right to opt out of any sale or sharing of personal information for cross-context behavioral advertising (we don’t do that, so the right is moot, but we honor the signal regardless).
10Your controls
- Consent banner — on your first visit (and after a year, or after we materially change this policy) you’ll see a cookie banner with category-level toggles for analytics and affiliate cookies.
- Withdraw consent — clear your browser cookies for thepharmwcg.com, then reload the site. The banner will re-appear.
- Opt out of analytics — declining the analytics category in the banner stops PostHog from setting its cookies and stops Web Vitals events from being sent.
- Opt out of affiliate attribution — declining the affiliate category in the banner means our internal click-tracker still records the impression count (anonymized) but the partner’s third-party cookie may not be set; you may still navigate to the partner’s site directly without our link.
11Browser-level settings
Modern browsers let you block cookies, clear them, or restrict third-party cookies entirely. Helpful pages:
If you block all cookies the Service will not work — login, checkout, and form submissions all rely on essential cookies. Blocking only third-party cookies is a less-disruptive alternative.
12Global Privacy Control and Do Not Track
We honor the Global Privacy Control (GPC) signal as a CCPA opt-out request. If your browser sends GPC, we treat that as: (a) opt out of any sale or sharing of personal information for cross-context behavioral advertising (which we don’t do anyway), and (b) opt out of analytics + affiliate cookies for that browser, regardless of the cookie banner state.
We do not currently respond to legacy “Do Not Track” (DNT) headers — there is no industry consensus on what DNT requires, and GPC is the modern, more interpretable signal. If your browser sends both, GPC takes precedence.
13Mobile devices and similar technologies
The Service does not currently offer a native mobile application. If we add one in the future, this policy will be updated to cover mobile-specific identifiers (IDFA on iOS, AAID on Android) and SDK behavior.
14Changes to this policy
We may update this Cookie Policy as our cookie usage evolves. The “Last updated” date at the top reflects the most recent revision. For material changes (adding a new cookie category, adding an advertising tracker, etc.) we will provide at least 30 days’ notice on the homepage and re-prompt the cookie banner for visitors in the EU/UK. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
15Contact
Questions, concerns, or notices regarding this policy should be directed to:
Cookie / privacy questions: [email protected]
General contact: [email protected]
Email is not a confidential channel. Do not include sensitive personal data (Social Security numbers, full bank-account numbers, etc.) in your correspondence.