Legal
Cookie Policy
Last updated: 28 May 2026 · Effective immediately
FlashBill's approach to cookies is simple: we use only what is strictly necessary for the Service to function. We do not use advertising cookies, analytics cookies, or any technology that tracks you across other websites. This policy explains exactly what we set, why we set it, and what your choices are.
1. Introduction & Legal Framework
This Cookie Policy explains how FlashBill uses cookies and similar technologies on our website (flashbill.co.uk) and within the FlashBill web application. It should be read alongside our Privacy Policy, which provides the broader context for how we collect and use your personal data.
Our use of cookies is governed by two primary pieces of UK legislation:
- The Privacy and Electronic Communications Regulations 2003 (PECR) — which require us to obtain informed consent before setting non-essential cookies, and which permit us to set strictly necessary cookies without consent;
- The UK General Data Protection Regulation (UK GDPR) — which applies where cookies collect or process personal data, and which requires us to have a lawful basis for that processing and to be transparent about how we use any personal data collected via cookies.
FlashBill is committed to full compliance with both PECR and UK GDPR in its use of cookies. We do not use any cookie or tracking technology for which PECR consent would be required — every cookie we set is strictly necessary for the Service to function and falls within the PECR exemption in Regulation 6(2).
2. What Are Cookies?
A cookie is a small text file that a website or web application stores on your computer, tablet, or mobile device when you visit or use it. Cookies are sent by a server to your web browser and stored on your device. When you return to the same website, the browser sends the cookie back to the server, allowing the site to recognise you, remember your preferences, and maintain continuity between pages and sessions.
Cookies cannot carry viruses, harm your device, access other files stored on your computer, or execute code. They are a standard and widely used part of how the modern web operates.
There are several ways to classify cookies:
- Session cookies are temporary and are deleted automatically when you close your browser. They exist only for the duration of your current browsing session.
- Persistent cookies remain on your device after you close your browser, until they either expire (reach their set expiry date) or are deleted by you. Persistent cookies allow a website to remember you on your next visit.
- First-party cookies are set directly by the website or application you are visiting (in FlashBill's case, flashbill.co.uk).
- Third-party cookies are set by a different domain from the one you are currently visiting, typically through content or services embedded by the website (in FlashBill's case, cookies set by Stripe when you access payment features).
3. Cookies We Set
FlashBill sets the following cookies. All of them are strictly necessary for the Service to function correctly and securely. None of them are used for advertising, analytics, or tracking purposes.
| Cookie Name | Type | Purpose | Duration | Party |
|---|---|---|---|---|
| session | Required | Server-side session identifier. This cookie contains an encrypted token that links your browser to your logged-in Account on the FlashBill server. Without this cookie, you cannot stay logged in as you navigate between pages. | Session (deleted on browser close) | First-party |
| remember_token | Required | Persistent login token. Set only when you tick "Remember me" on the login page. Contains an encrypted token that allows FlashBill to recognise you when you return after closing your browser, so you do not need to log in again. Stored in encrypted form. | 30 days | First-party |
| csrf_token | Required | Cross-Site Request Forgery (CSRF) protection token. This is a security cookie containing a unique, unpredictable value that is validated by the server on every form submission. It prevents malicious third-party websites from making unauthorised requests on your behalf. Removing or altering this cookie would break form functionality across the entire application. | Session (deleted on browser close) | First-party |
| cookie_consent | Required | Stores your cookie consent preference (accepted or necessary-only) and the date on which you made your choice. This cookie is set after you interact with the cookie consent banner and is required to prevent the banner from appearing on every page visit. It also allows FlashBill to demonstrate its compliance with PECR consent obligations. | 1 year | First-party |
| __stripe_mid | Required | Stripe machine identifier. Set by Stripe when you access billing or payment-related sections of FlashBill. Used by Stripe for fraud prevention and payment security — specifically, to recognise the device being used to make a payment and detect anomalous payment patterns that might indicate fraud. | 1 year | Third-party (Stripe) |
| __stripe_sid | Required | Stripe session identifier. Set by Stripe during payment flows to maintain session state within the Stripe checkout and payment verification process. Without this cookie, secure payment processing by Stripe may not function correctly. | 30 minutes | Third-party (Stripe) |
We review this table whenever we make changes to the Service and update this policy promptly if any new cookies are introduced. If you see a cookie on flashbill.co.uk that is not listed in this table, please contact us at admin@flashbill.co.uk so we can investigate and update our records.
4. Local Storage & Session Storage
In addition to cookies, FlashBill may use your browser's localStorage to remember certain user interface preferences between sessions — for example, whether you have collapsed the sidebar, or which view you last used in the application. This data is stored entirely within your own browser and is never transmitted to FlashBill's servers, included in any analytics, or shared with any third party.
Browser localStorage is technically distinct from cookies and falls outside the strict scope of the UK PECR cookie rules (which apply to cookies and similar technologies used to gain access to or store information on a device, with specific reference to network-transmitted identifiers). However, we disclose its use here in the spirit of full transparency.
You can view, clear, or delete localStorage data at any time through your browser's developer tools (typically accessible via F12 or right-click → Inspect → Application → Local Storage). Clearing localStorage will reset any saved interface preferences but will not affect your Account data, invoices, or any data stored on FlashBill's servers.
FlashBill does not use sessionStorage for any persistent preference or tracking purpose. SessionStorage is only used transiently within single-page interactions and is cleared automatically when you close your browser tab.
5. What We Do Not Use
We want to be explicitly clear about the tracking and cookie technologies we have chosen not to use. FlashBill does not set or permit the setting of:
- Analytics cookies (such as Google Analytics, Mixpanel, Amplitude, or equivalent) — we do not track your navigation through the site or app for analytical purposes via third-party scripts;
- Advertising or retargeting cookies (such as Google Ads, Meta Pixel / Facebook Pixel, LinkedIn Insight Tag, or equivalent) — we do not use cookies to serve you targeted advertisements on other websites;
- Social media tracking buttons or pixels — we do not embed social media share buttons or follow buttons that set tracking cookies on our pages;
- A/B testing cookies (such as Optimizely or Google Optimize) — we do not run behavioural experiments using cookies;
- Heatmap or session recording tools (such as Hotjar, FullStory, or Microsoft Clarity) — we do not record or replay your sessions;
- Cross-site tracking cookies — none of the first-party cookies we set are shared with or accessible by other websites. We do not participate in advertising networks or data broker relationships that depend on cross-site tracking.
This approach reflects our belief that invasive tracking is incompatible with the trust our users place in us to handle their business and financial data responsibly.
6. Strictly Necessary Cookies & PECR Compliance
Under Regulation 6(2) of the Privacy and Electronic Communications Regulations 2003 (PECR), a provider of an electronic communications service may store information on, or access information from, a subscriber's or user's terminal equipment without obtaining consent, provided that the storage or access is strictly necessary for the provision of an information society service explicitly requested by the subscriber or user.
All first-party cookies set by FlashBill — session, remember_token, csrf_token, and cookie_consent — meet this "strictly necessary" criterion. Specifically:
- The
sessionandremember_tokencookies are strictly necessary because without them the platform cannot maintain your authenticated login state, making the application functionally unusable; - The
csrf_tokenis strictly necessary because it is a core security mechanism that prevents CSRF attacks — a class of attack that would expose users to serious harm if not mitigated; - The
cookie_consentcookie is strictly necessary to prevent the consent banner from appearing on every single page view once you have made your choice — repeatedly presenting the banner would degrade the user experience and serve no additional compliance purpose.
Because all FlashBill first-party cookies are strictly necessary, they do not require your prior consent under PECR. We display the cookie consent banner and offer choices as a matter of transparency and best practice, not as a legal requirement for our own cookies. You may choose "Necessary Only" and "Accept All" with equal legal effect, since in practice both options set the same cookies.
7. Stripe's Cookies
When you access any billing or payment-related feature within FlashBill — such as the subscription upgrade page, the billing portal, or payment confirmation screens — Stripe sets its own cookies (__stripe_mid and __stripe_sid) on your device as a necessary part of the payment processing flow.
These Stripe cookies are set under Stripe's own domain and are subject to Stripe's privacy and cookie policies, not FlashBill's. FlashBill has no control over the content, duration, or behaviour of cookies set by Stripe, and we cannot view or access the data they contain. They are categorised as strictly necessary because secure payment processing — specifically, Stripe's fraud prevention and session security mechanisms — requires them to function.
You can review Stripe's cookie and privacy practices at: stripe.com/gb/privacy
If you are not accessing any payment features (for example, if you are using the Free Plan and only creating invoices), Stripe's cookies may not be set at all, or may already have expired from a previous session.
8. How to Manage, Control & Delete Cookies
You have the right to manage cookies through your browser settings. Most modern browsers allow you to: view all cookies currently stored by websites you have visited; delete individual cookies or all cookies at once; block cookies from specific websites; block all third-party cookies; and set preferences for how cookies should be handled on a site-by-site basis.
Important: If you delete or block FlashBill's first-party cookies, the following consequences will occur:
- Deleting the
sessioncookie will immediately log you out of the FlashBill application; - Deleting the
remember_tokencookie will mean you need to log in manually next time you visit; - Blocking the
csrf_tokencookie will prevent most forms in the application from working, including login, invoice creation, and account settings — the application will display security errors; - Deleting the
cookie_consentcookie will cause the cookie consent banner to appear again on your next visit.
In summary: deleting or blocking FlashBill's required cookies will prevent you from logging in and using the Service. The marketing and informational pages of flashbill.co.uk can still be browsed without cookies, but you cannot create an Account or access the application.
To manage cookies in your browser, consult the relevant guide for your browser:
- Google Chrome — Managing cookies
- Mozilla Firefox — Managing cookies
- Apple Safari — Managing cookies
- Microsoft Edge — Managing cookies
To manage Stripe's cookies specifically, you would need to clear cookies from Stripe's domain within your browser settings. This will not affect your FlashBill Account data, which is stored on our servers, not in cookies.
9. Changes to This Cookie Policy & Contact
We will update this Cookie Policy if we change the cookies we use or if the legal framework governing cookie use in the UK changes in a way that requires us to update our disclosures. The "Last updated" date at the top of this page indicates when the policy was most recently revised.
If we introduce any new cookie — even a strictly necessary one — we will update this policy before or at the same time as the cookie is deployed. We will not introduce any non-essential cookies (such as analytics or advertising cookies) without first updating this policy and, where required by law, obtaining your prior consent.
For material changes to this policy, we will provide at least 14 days' notice by email to your registered address. Non-material changes (such as updated cookie durations or clarificatory text) take effect immediately upon posting.
If you have any questions about cookies, their use on FlashBill, or the information in this policy, please contact us:
Email: admin@flashbill.co.uk
Please include "Cookie Query" in the subject line. We aim to respond to all cookie-related enquiries within 5 business days.