Almost none. On purpose.

A cookie is a small text file stored by your browser when you visit a website. We also group browser localStorage and server-issued session tokens under this policy, because privacy-wise they do the same thing.

The marketing site sets no cookies. No analytics, no ad pixels, no A/B testing, no session storage. You can confirm this in your browser dev tools. If we ever add a strictly necessary cookie (for example, to remember a banner dismissal), we’ll update this page first.

The marketing site and the public scanner set no cookies. CSRF protection on the scan form is enforced by a request-origin check, not by a cookie. Scan results are stored server-side, indexed by a short random ID — that ID lives in the URL, not in a cookie.

For product analytics we use Plausible (EU, cookieless). No cookies are set, no cross-site tracking is performed, no IP addresses are stored. Per ADR 0013.

The embedded Shopify app relies on Shopify’s own session token (issued by Shopify Admin) to authenticate requests. This is scoped to the Shopify admin and is not accessible from our marketing or scanner surfaces.

• No Google Analytics, Google Tag Manager, or Google Ads pixels
• No Meta / Facebook pixel
• No LinkedIn, TikTok, X, or Reddit pixels
• No A/B testing or session-replay tools on the marketing site or scanner
• No third-party chat widgets that set cookies
• No fingerprinting or “cookieless” tracking workarounds

We set no cookies on the marketing site or scanner today, so there is nothing to block. For any future non-essential cookie (we have none today), we will present a consent banner and honour GPC (Global Privacy Control) signals.

Send a message via our contact form (Privacy topic) if you find a cookie not listed here — it would be a bug.