Cookie Policy
How Woodspring Travel, LLC uses cookies, JWT authentication cookies, analytics tools, marketing technologies, and similar browser/device storage.
Overview
This Cookie Policy explains how Woodspring Travel, LLC (“Woodspring Travel,” “we,” “us,” or “our”) uses cookies and similar technologies on our websites, travel-deal pages, calendar pages, inquiry forms, account/login areas, booking links, newsletters, and related online services. This policy should be read together with our Privacy Policy and Terms and Conditions.
Our public website is primarily a static website hosted on Amazon Web Services S3 and related AWS infrastructure. A static page does not necessarily require cookies to display public content. However, some features may use cookies or similar technologies when they are needed for security, authentication, user preferences, analytics, marketing measurement, fraud prevention, or third-party services.
1. What cookies and similar technologies are
Cookies are small text files placed on your browser or device when you visit a website. They allow a website or service provider to recognize a browser or device, remember information, maintain security, support logins, measure website performance, and provide other online functionality.
This policy also covers similar technologies, including local storage, session storage, pixels, tags, software development kits, web beacons, embedded content, device identifiers, and scripts that store information on your device or read information from your device.
2. The main categories of cookies we may use
A. Strictly necessary cookies and similar technologies
These technologies are required for our website or requested services to work securely. They may be set without separate opt-in consent where permitted by law because they are necessary to provide the service you request.
Examples may include authentication cookies used to keep a logged-in user signed in; JSON Web Token (“JWT”) cookies or session cookies used for account access; security cookies used for fraud prevention, bot prevention, abuse prevention, rate limiting, or unauthorized-access detection; CSRF protection tokens or other security tokens; cookies or local storage entries that remember your cookie-consent choice; load-balancing, availability, diagnostic, or infrastructure-related cookies if our service providers use them; and temporary cookies that determine whether your browser supports cookies.
If Woodspring Travel uses a JWT or other authentication token for logged-in users, we expect that token to be treated as a strictly necessary authentication technology. For security, authentication cookies should be configured using secure settings whenever technically possible, including Secure, HttpOnly, and an appropriate SameSite value, and should be limited to the minimum useful duration. Authentication tokens should not be used for advertising or analytics purposes.
You may be able to block necessary cookies in your browser, but doing so may break login, security, or account features.
B. Preference and functionality cookies
These technologies help remember choices or improve convenience. They may include language, region, display preferences, filter preferences, recently viewed deal preferences, accessibility preferences, or whether a banner has already been dismissed.
Some preference technologies may be necessary to provide a feature that you requested. Others may be optional depending on how they are used.
C. Analytics and performance cookies
We may use analytics tools, such as Google Analytics or Google Tag Manager, to understand how visitors use our website, which pages are popular, which links are clicked, how users arrive at the website, whether pages load correctly, and how we can improve the user experience.
Analytics cookies may collect or process information such as IP address or approximate location derived from IP address; browser type and device information; pages viewed; referring pages and campaign links; time spent on pages; link clicks and navigation behavior; and event information, such as form starts, form completions, or outbound link clicks.
Google Analytics 4 may use first-party cookies such as _ga and _ga_<container-id> to distinguish users and maintain session state. Google’s cookie names, expiration periods, and collection practices may change, so our actual cookie table should be reviewed after analytics tools are installed.
Where legally required, analytics cookies should not be loaded until the user has given consent. Where opt-out rather than opt-in is permitted, users should still be given clear notice and a practical way to opt out.
D. Advertising, retargeting, and marketing cookies
We may use advertising or marketing technologies in the future, such as Google Ads, Meta Pixel, TikTok Pixel, Pinterest tags, LinkedIn Insight Tag, affiliate tracking, or similar tools. These tools may help us measure ad performance, understand referrals, prevent repeated ads, build audiences, or show relevant ads on other websites or platforms.
These technologies may be considered “targeted advertising,” “cross-context behavioral advertising,” “sharing,” or “sale” under some privacy laws even when Woodspring Travel does not receive money for personal information. If we use these tools, we should provide a clear opt-out mechanism and, where legally required, obtain consent before setting them.
E. Third-party booking, supplier, social media, and embedded-content cookies
Our website may link to or embed content from third parties, including cruise lines, tour operators, booking platforms, payment processors, map providers, video platforms, social media platforms, review widgets, travel suppliers, host-agency resources, or affiliate/referral platforms.
When you click an outbound booking link, open an embedded video, interact with a social share button, or visit a third-party supplier page, that third party may set its own cookies or similar technologies. Woodspring Travel does not control all third-party cookies. You should review the privacy and cookie policies of those third parties.
3. Cookie examples and expected use
The following table describes cookie categories that Woodspring Travel may use or may add. The exact cookies should be confirmed by a technical scan after deployment and whenever analytics, login, booking, or advertising tools change.
| Category | Example names or technologies | Purpose | Expected duration | Consent approach |
|---|---|---|---|---|
| Strictly necessary | ws_auth, ws_refresh, csrf_token, cookie_consent, cookie_preferences, session storage, local storage | Login, JWT/session authentication, CSRF protection, security, consent-choice storage | Session to 12 months, depending on function | No opt-in required where essential, but disclose |
| Security | AWS, CDN, WAF, rate-limit, bot-protection, or abuse-prevention tokens if used | Protect site, APIs, users, and accounts | Session to limited persistent duration | No opt-in required where essential |
| Preferences | ws_lang, ws_region, ws_filters, local storage preferences | Remember language, region, display choices, filters, or user-selected preferences | Session to 12 months | Consent or legitimate preference use depending on law and implementation |
| Analytics | _ga, _ga_*, _gid, Google Tag Manager/GA4 identifiers | Measure usage, traffic, campaigns, and page performance | As configured by analytics provider; GA4 defaults may be up to 2 years | Obtain consent where required; otherwise provide notice and opt-out |
| Marketing/retargeting | Google Ads, Meta, TikTok, Pinterest, LinkedIn, affiliate tags | Ad measurement, retargeting, audience building, campaign attribution | Set by vendor and configuration | Consent or opt-out required depending on jurisdiction and use |
| Third-party supplier/booking | Supplier, booking engine, payment, social media, map, video, or embedded content cookies | Booking, payments, social sharing, embedded content, supplier functionality | Controlled by third party | Governed by third-party policy; obtain consent before embedding optional trackers where required |
4. Authentication and JWT cookies
If our login system uses a JWT cookie, the cookie is used to authenticate the user and protect account access. This is different from an analytics or advertising cookie. Because a logged-in user is requesting account access, authentication cookies are generally treated as necessary.
Recommended security controls for authentication cookies include HTTPS only; Secure; HttpOnly; SameSite=Lax or SameSite=Strict unless cross-site authentication requires a different configuration; short-lived access tokens; controlled refresh tokens; refresh-token rotation where appropriate; avoiding JWT storage in local storage where practical; avoiding sensitive personal information inside JWT payloads unless encrypted and necessary; narrow domain/path scope; suspicious-event logging without logging full token values; and logout functionality that invalidates the server-side session or refresh token where applicable.
5. Cookie consent and preference storage
If we show a cookie banner, we may use a small necessary cookie or local storage entry to remember whether you accepted, rejected, or customized optional cookies. This prevents the banner from appearing repeatedly and records your preference.
This consent-preference technology is itself considered necessary for privacy compliance and user choice. If you delete cookies or local storage, use a different browser, use a different device, or browse in private mode, you may need to make your choice again.
6. How we use Google Analytics and similar tools
If we deploy Google Analytics or Google Tag Manager, we should configure them so that optional analytics storage is denied by default in locations where consent is required, and updated only after the user gives consent.
If Google advertising tools are used, Google Consent Mode settings may include controls such as analytics_storage, ad_storage, ad_user_data, and ad_personalization. These settings should be reviewed before launch and whenever tags change.
We should not load Google Analytics, Meta Pixel, TikTok Pixel, or other nonessential trackers before the user has made a choice in jurisdictions that require prior consent.
7. Your choices
You can manage cookies and similar technologies by using our cookie banner or “Cookie Settings” link, adjusting browser controls, adjusting device advertising controls, using analytics or advertising opt-out tools, or enabling Global Privacy Control where available.
Blocking cookies may affect site functionality. Necessary cookies cannot be disabled through our preference tool because they are required for security, login, or requested services.
8. Do Not Track
Some browsers offer a “Do Not Track” signal. There is no uniform industry standard for responding to Do Not Track signals. Where legally required, we should honor legally recognized opt-out preference signals such as Global Privacy Control. We may not respond to older Do Not Track signals unless required by law or unless our website technology is configured to do so.
9. Children
Our website and travel services are intended for adults and are not directed to children under 13. We do not knowingly use cookies to collect personal information from children under 13. Travel bookings involving minors should be handled by a parent, guardian, or authorized adult.
10. Changes to this Cookie Policy
We may update this Cookie Policy from time to time to reflect changes in our technology, third-party vendors, legal requirements, or business operations. The updated version will be posted on our website with a revised effective date. If we materially change how we use optional analytics, advertising, or tracking technologies, we should refresh user consent where required.
11. Contact us
For questions about this Cookie Policy or our privacy practices, contact:
Woodspring Travel, LLC
Email: contact@woodspringtravel.com
