This notice is the long form behind the cookie banner. The banner gives you the headline choice; this page gives you the receipts.
01 What a cookie is
A cookie is a small text file a website asks your browser to keep, and to send back on later visits. We use the word here to cover the wider family of similar technologies too: HTML5 localStorage and sessionStorage, web beacons (1×1 pixel images), browser fingerprints derived from device characteristics, and the small bits of state set by service workers. Whatever the mechanism, the law in the UK is the same: under regulation 6 of the Privacy and Electronic Communications Regulations (PECR) we need your informed consent before we set anything that is not strictly necessary for a service you have asked for.
02 The four categories we use
- Strictly-necessary. These are needed to make the site work and to keep it secure. The law lets us set them without asking. Examples: a session token that keeps you signed in, a CSRF token that stops a malicious site forging requests on your behalf.
- Functional. These remember choices you have made — for example which cookie categories you accepted, your reading-list state in Insights, or that you dismissed the cookie banner. Off by default; we set them only after you say yes.
- Analytics. These tell us, in aggregate, which pages people land on, where they leave, and which broken pages we should fix. We use a privacy-respecting analytics tool that does not build cross-site profiles. Off by default.
- Marketing. Used for measuring which campaigns brought visitors to the site, and for showing you our ads on third-party platforms in a privacy-respecting way. Off by default.
03 How we ask for consent
On your first visit, you see a banner with three buttons: Accept all, Reject all, and Manage. Reject all is offered with the same prominence as Accept all, and the banner does not block you from reading the page. Your choice is stored in a single first-party cookie called opn_cc, and you can change it at any time from the Cookie settings link in the website footer, or from the button at the top of this page.
We re-ask for consent every twelve months, or sooner if we add a new category of cookie. We log the timestamp, the version of this notice that was in force and the categories you accepted; that is the audit trail we keep to evidence consent under the UK GDPR.
04 Strictly-necessary inventory
These fire automatically. You cannot switch them off in our preference centre; you can block them in your browser settings, but doing so will break parts of the site.
| Name | Type | Duration | Purpose |
|---|---|---|---|
| opn_cc (Strictly-necessary) | First-party | 12 months | Records your cookie preferences and the version of this notice in force when you set them. The presence of this cookie is what stops the banner reappearing on every visit. |
| opn_sid (Strictly-necessary) | First-party (HttpOnly, Secure) | Session | Authenticated session token for signed-in surfaces. Deleted when you close your browser, or earlier when you sign out. |
| opn_csrf (Strictly-necessary) | First-party (SameSite=Strict) | Session | Cross-site request-forgery token used on form submissions. Stops a malicious site posting forged requests against your session. |
| __cf_bm (Strictly-necessary) | Third-party (Cloudflare) | 30 minutes | Bot-management heuristic used by our infrastructure provider to distinguish humans from automated traffic. Required to keep the site available. |
| opn_lb (Strictly-necessary) | First-party | 15 minutes | Sticks your requests to the application server that holds your in-flight session, so an application form does not lose its state mid-submission. |
05 Functional inventory
These remember preferences you have set. They fire only after you have agreed to the Functional category in the banner.
| Name | Type | Duration | Purpose |
|---|---|---|---|
| opn_pref_locale (Functional) | First-party | 12 months | Remembers your preferred locale (en-GB by default) for date and currency formatting on the site. |
| opn_pref_theme (Functional) | First-party | 12 months | Stores your light or dark theme choice, and any text-size override you have set. |
| opn_ix_recent (Functional) | First-party (localStorage) | 6 months | Holds the last five Insights articles you opened so the page can show you a "Recently read" rail. |
| opn_form_draft (Functional) | First-party (localStorage) | 30 days | Stores a draft of any unsaved demo-booking or contact form, so a refreshed tab does not lose your typing. Cleared when you submit or when the timer expires. |
06 Analytics inventory
We use a single privacy-respecting analytics tool to understand which content people read and to debug broken pages. It does not build a cross-site profile of you and we do not pass identifiers to advertisers. The category is off by default.
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _pk_id.opndoor (Analytics) | First-party (Matomo, self-hosted, EU/UK) | 13 months | An anonymous visitor ID used to count returning vs new visitors. The IP address feeding this ID is truncated by two octets before storage. |
| _pk_ses.opndoor (Analytics) | First-party (Matomo) | 30 minutes | Session identifier used to group page views into a single visit. |
| opn_perf_sample (Analytics) | First-party | 24 hours | Decides whether your visit is included in our 1-in-100 real-user-monitoring sample. Stores only the sampling flag, no identifier. |
07 Marketing inventory
Used only to measure the effectiveness of campaigns aimed at our professional audience (letting agents, BTR operators, PBSA teams). We do not target advertising at individual tenants based on your interactions with this site. Off by default.
| Name | Type | Duration | Purpose |
|---|---|---|---|
| li_fat_id (Marketing) | Third-party (LinkedIn Insight Tag) | 30 days | Conversion measurement for our LinkedIn campaigns aimed at professional audiences. Loaded only after consent. |
| _uetsid / _uetvid (Marketing) | Third-party (Microsoft UET) | 24h / 13 months | Conversion measurement for Bing/Microsoft Advertising campaigns. Loaded only after consent. |
| opn_utm (Marketing) | First-party | 30 days | Stores the utm_* parameters that brought you to the site, so we can attribute a later demo booking to the right campaign. Loaded only after consent. |
08 Third-party services that may set cookies
The cookies above tell only part of the story. The third parties below may set their own cookies when their content loads on our site, and they have their own privacy notices. We list them so you know who is in the picture.
- Cloudflare — DDoS protection and bot management. Strictly-necessary; cannot be switched off without breaking the site.
- Google Fonts — serves the Sora and Manrope fonts referenced in our stylesheet. We use the privacy-improved fonts.googleapis.com endpoint and we do not pass tracking parameters.
- Matomo (self-hosted in the UK) — analytics. Loaded only after consent in the Analytics category.
- LinkedIn Insight Tag — campaign measurement. Loaded only after consent in the Marketing category.
- Microsoft Universal Event Tracking — campaign measurement. Loaded only after consent in the Marketing category.
- Vimeo / YouTube — embedded videos in Insights, where used. We embed these in their privacy-enhanced mode and they load only after you click the play button.
If we add a new material third party we will update this list and ask for fresh consent where the new tag falls into a non-essential category.
09 How to switch them off
Three routes are open to you:
- Our preference centre — open Cookie settings from the website footer (or from the button at the top of this page). Toggle each category off. Your choice is saved in opn_cc and applies on the next page load.
- Your browser — every modern browser lets you clear existing cookies, block all cookies for a particular site, or block all third-party cookies. The route differs per browser; the support pages of Chrome, Firefox, Safari and Edge are a good starting point.
- A privacy signal at the browser level — sending a Global Privacy Control (GPC) header is treated by us as a binding opt-out from non-essential cookies, even if you have previously clicked Accept all. Some browsers send this signal automatically when private-browsing mode is enabled.
Switching off the strictly-necessary category is not possible from our side and will, if you do it at the browser level, stop the site working as intended (sign-in fails, forms cannot submit, the cookie banner re-appears every visit).
10 Changes to this notice
We review this notice at least every six months and whenever we add or remove a tag. The version number and effective date in the document header always reflect the latest version. Where we add a non-essential category, we re-ask for consent before any tags in that new category fire.
11 Contact & complaints
For anything to do with cookies on our site, write to privacy@opndoor.co. If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office at ico.org.uk or on 0303 123 1113.
Change your choices
The preference centre updates the opn_cc cookie immediately. Tags in disabled categories stop firing on the next page view.
Read alongside
Privacy Policy — the wider data-protection picture.
Terms of Service — the contract for using the site and the service.