RateMyDick.ai
▶ COOKIE POLICY

Cookies, plainly explained.

We've tried to write this the way we'd want to read it — short, specific, named. Below is every cookie and storage key we touch, why it's there, and how to switch off the optional ones. Companion to our Privacy Policy and Terms.

1. The short version

  • We use the minimum set of cookies that lets sign-in, payment, and your cart work. No tracking in those.
  • We default to analytics off until you accept the banner.
  • We don't sell your data, run ad-retargeting, or load any third-party tracker that you haven't opted into.
  • You can flip your choice anytime, even after accepting — controls are at the bottom of this page.

2. What a cookie actually is

A cookie is a small piece of text your browser stores when you visit a site and sends back on later visits. Cookies were invented to keep you logged in between page loads. They've been used since to do almost everything else, with varying degrees of consent. The same logic applies to localStorage and sessionStorage, which we use a lot more than actual cookies, and which are covered by this policy too even though browsers technically distinguish them.

3. The four categories

The industry sorts cookies into four buckets. Here's how we apply them:

Strictly necessary
Sign-in session, payment session, cart contents. Without these the site doesn't function. We don't ask for consent because there's nothing meaningful to opt out of — declining means you can't use the product. (Note: you can still delete them via your browser at any time.)
Functional
Local-only UI state (your preferred skin, accordions open/closed). These never leave your browser. We treat them as essential too — no consent gate.
Analytics
Aggregated counts of which pages get visited, which features get used, where errors fire. Off by default. Turns on only after you click "Accept all" on the banner. You can revoke at any time.
Marketing / advertising
We don't use any. No retargeting pixels, no ad networks, no third-party tracker shared with marketing platforms. If that changes, this policy gets a banner update before it ships.

4. What we set, by category

Grouped by what they do for you, not by implementation detail. The categories map cleanly onto the four buckets above.

| What it does | Category | Lifespan |
| --- | --- | --- |
| Keeps you signed in across page loads. | Strictly necessary | Up to ~1 hour; refreshes automatically while you're active. |
| Remembers your shopping cart contents between visits. | Strictly necessary | Until you check out or clear it. |
| Records your cookie-banner choice so we don't re-ask. | Strictly necessary | Until you clear browser data. |
| Stripe's payment session + fraud prevention (set on stripe.com when you reach checkout). | Strictly necessary | Stripe-controlled (typically session-scoped). |
| Local UI preferences (skin pick, accordion state, etc.) — never leaves your browser. | Functional | Until you clear browser data. |
| Aggregate page-view counts via Google Analytics — no individual identifiers. | Analytics (opt-in) | Up to 2 years on a rolling basis. |
| Our own anonymous session IDs for funnel and error analytics. | Analytics (opt-in) | Anonymous ID: persistent. Session ID: per-session. |

We don't list internal storage keys here because they're implementation detail that can change without changing what we collect. If you need the technical names for a data-subject request, email support@ratewithai.co and we'll send the current list.

5. Third parties we let in

  • Supabase — auth + database. Sets a session cookie/localStorage entry. Strictly necessary.
  • Stripe — payment processing. Loads only on the checkout page. Sets its own cookies on stripe.com domains. Strictly necessary.
  • Google Analytics 4 — aggregate site analytics. Loads with consent denied by default; only sets cookies after you click Accept.
  • SendGrid (server-side only) — transactional email delivery. No browser cookies.
  • Vercel — hosting. Sets short-lived security cookies on the deployment domain. Strictly necessary.

We don't use Facebook Pixel, TikTok Pixel, Google Ads, AdSense, Hotjar, FullStory, or any other tracker not listed above. If a new third party gets added, this list gets updated before the integration ships.

7. Doing it from the browser

Browsers can purge cookies + localStorage independently of any in-app control:

  • Chrome: Settings → Privacy and security → Site settings → View permissions and data stored across sites
  • Safari: Preferences → Privacy → Manage Website Data
  • Firefox: Settings → Privacy & Security → Cookies and Site Data → Manage Data
  • Mobile browsers: equivalent menus under "Settings → Site data"

8. Your rights (GDPR / CCPA)

If you're in the EU/UK/EEA you have rights under GDPR and PECR: access, rectification, erasure, restriction, portability, objection. If you're in California you have comparable rights under CCPA: know, delete, opt-out of sale (we don't sell), correct. Both are documented in detail in the Privacy Policy. To exercise any of them, email support@ratewithai.co — we respond within 30 days.

9. Changes to this policy

If we materially change what cookies we set or who we share with, we'll bump the policy version and re-show the banner so you can re-confirm your choice. Minor wording or formatting changes don't trigger a re-prompt. The effective date in the sidebar is the date of the most recent change of any kind.

10. Contact

Questions, corrections, or DPO matters: email support@ratewithai.co. We read everything that lands there.