Effective April 22, 2026
This Cookie Policy explains what cookies and similar technologies we use on thecaliconnection.com, why we use them, and how you can manage them. It supplements our Privacy Policy.
Cookies are small text files stored on your device by your web browser. Similar technologies include local storage and session storage(used for short-lived preferences that never leave your browser). Cookies can be “first-party” (set by our site) or “third-party” (set by a service we use, such as our payment processor).
Strictly necessary
Required for core functionality: age attestation, shopping cart, login session, and the payment iframe. These cannot be disabled without breaking the site.
Security
Admin-panel session cookies and two-factor authentication markers. Only set for administrators — never for shoppers.
Functional
Remembers small preferences like dismissed banners. No personal data, and cleared when you close the tab.
Analytics
We use Google Analytics 4 to count visits, page views, and basic events like add-to-cart and purchase. IP addresses are anonymized. We do not run advertising or remarketing features. You can turn this off below.
We do not use advertising cookies, cross-site tracking pixels, or third-party social-media share trackers on this site.
The full list of cookies and similar storage used on this site:
| Name | Type | Retention | Scope |
|---|---|---|---|
| tcc-age-verified | Cookie | 30 days | First-party |
| tcc-cart | Local storage | Persists until cleared | First-party |
| payload-token | Cookie | Up to 30 days | First-party |
| tcc-signed-in | Cookie | Up to 30 days | First-party |
| CardConnect iframe cookies | Cookie | Set by Fiserv | Third-party |
| tcc-age-verified: Remembers that you have confirmed you are 21 or older so the age gate does not interrupt every visit. | |||
| tcc-cart: Holds the items in your shopping cart for guest sessions. Never sent to our server; only used by your browser. | |||
| payload-token: Signed authentication token set after you log in, so you stay signed in between page loads. HTTP-only. | |||
| tcc-signed-in: Non-sensitive marker read by the UI to decide whether to show logged-in vs. logged-out menus. Contains no personal data. | |||
| CardConnect iframe cookies: Cookies set by CardConnect/Fiserv inside the payment iframe during checkout. Required to tokenize your card securely. See Fiserv’s own privacy policy for details. | |||
| Name | Type | Retention | Scope |
|---|---|---|---|
| payload-token | Cookie | Session | First-party |
| tcc-2fa-ok / tcc-totp-pending | Cookie | Up to 8 hours | First-party |
| payload-token: Admin-panel session token for site administrators only. Never set for regular shoppers. HTTP-only. | |||
| tcc-2fa-ok / tcc-totp-pending: Admin-only. Records that an administrator has completed two-factor authentication this session, or that an enrollment is in progress. | |||
| Name | Type | Retention | Scope |
|---|---|---|---|
| tcc-analytics-consent | Local storage | Persists until cleared | First-party |
| tcc-2fa-nudge-dismissed | Session storage | Tab close | First-party |
| tcc-analytics-consent: Stores your analytics on/off choice from the toggle above. We default to on for US visitors (no GPC signal); your choice always wins. | |||
| tcc-2fa-nudge-dismissed: Admin-only. Remembers that you dismissed the "set up two-factor authentication" prompt so it does not reappear until next sign-in. | |||
| Name | Type | Retention | Scope |
|---|---|---|---|
| _ga / _ga_<id> / _gid | Cookie | Up to 2 years (Google managed) | Third-party |
| _ga / _ga_<id> / _gid: Set by Google Analytics 4 to count unique visitors and page views. We do not use them for ads. Toggle analytics off above to keep these from being set. | |||
Toggle analytics on or off below. Strictly necessary cookies (auth, cart, age-gate) cannot be disabled — they would break core site features.
You can manage or delete cookies through your browser settings. Most browsers also let you block or delete local storage. Blocking strictly necessary cookies will break features such as cart, login, and checkout.
Browser-specific instructions:
We do not sell or share personal information for cross-context behavioral advertising. We do honor the Global Privacy Control (GPC) signal — if your browser sends it, analytics defaults to off without you having to flip the toggle above. Browsers that support GPC include Brave, Firefox (with the setting enabled), and DuckDuckGo's browser. The Do-Not-Track header is also treated as an analytics opt-out.
We may update this Cookie Policy from time to time. The current version is the one posted on this page, and any material changes to what we store will be reflected in Section 3.