Almost none. On purpose.

A cookie is a small text file stored by your browser when you visit a website. We also group browser localStorage and server-issued session tokens under this policy, because privacy-wise they do the same thing.

The marketing site and the public scanner set no cookies. No analytics cookies, no ad pixels, and nothing written to localStorage or sessionStorage. You can confirm this in your browser dev tools.

CSRF protection on the scan form is enforced by a request-origin check, not by a cookie. Scan results are stored server-side, indexed by a short random ID — that ID lives in the URL, not in a cookie.

For product analytics we use PostHog (EU-hosted, configured cookieless). Our PostHog configuration stores no cookies and no browser-storage identifiers — analytics state lives in page memory only. No cross-site tracking is performed. Per ADR 0025.

The embedded Shopify app relies on Shopify’s own session token (issued by Shopify Admin) to authenticate requests. This is scoped to the Shopify admin and is not accessible from our marketing or scanner surfaces.

• No Google Analytics, Google Tag Manager, or Google Ads pixels
• No Meta / Facebook pixel
• No LinkedIn, TikTok, X, or Reddit pixels
• No third-party chat widgets that set cookies
• No device fingerprinting, hidden ID regeneration, or ETag / cache tracking workarounds

We set no cookies on the marketing site or scanner today, so there is nothing to block. For any future non-essential cookie (we have none today), we will present a consent banner and honour GPC (Global Privacy Control) signals.

Send a message via our contact form (Privacy topic) if you find a cookie not listed here — it would be a bug.