Cookie & Tracking Policy
Last updated: 23 May 2026 · Operated by L. Bone trading as PolicifyAI
2. Legal framework (UK PECR & EU ePrivacy)
The use of cookies on policifyai.com is governed by the following legal frameworks:
- UK PECR (Privacy and Electronic Communications Regulations 2003) — requires us to obtain your informed consent before placing non-essential cookies on your device. Strictly necessary cookies are exempt from this consent requirement.
- EU ePrivacy Directive (Directive 2002/58/EC) — as implemented in the laws of applicable EU member states. Requires equivalent consent for non-essential cookies placed on devices in EU member states.
- UK GDPR / EU GDPR — analytics cookies process personal data (pseudonymous identifiers) and are subject to data protection law requirements, including the right to withdraw consent at any time.
We obtain your consent via a cookie consent banner displayed on your first visit. You may change your preferences at any time. We do not use a "cookie wall" — you can use the Service without accepting non-essential cookies, though some analytics features may be unavailable.
3. Strictly necessary cookies
These cookies are required for the platform to function and cannot be disabled. They are set automatically when you access authenticated areas of the Service. Disabling them via browser settings will prevent you from logging in or using core platform features.
We do not obtain consent for strictly necessary cookies as they are exempt from consent requirements under UK PECR and the EU ePrivacy Directive.
| Cookie / identifier | Provider | Purpose | Duration |
|---|---|---|---|
| sb-*-auth-token | Supabase | Maintains your authenticated JWT session. Required to stay logged in across page navigations. Issued by Supabase Auth on login. | 7 days (refreshed on activity) |
| sb-*-code-verifier | Supabase | PKCE (Proof Key for Code Exchange) verifier used during OAuth sign-in flows (e.g. Google OAuth). Prevents authorisation code interception attacks. | Session only |
| __stripe_mid | Stripe | Stripe machine identifier. Used by Stripe for financial fraud detection and prevention across payment sessions. | 1 year |
| __stripe_sid | Stripe | Stripe session identifier. Used to maintain payment session continuity while you complete a transaction. | 30 minutes |
4. Analytics cookies (consent required)
We use two analytics services to understand how users interact with PolicifyAI. Both are only activated after you have given explicit consent via our cookie consent banner.
4.1 Google Analytics 4
We use Google Analytics 4 (GA4) with measurement ID G-HJZPJ8BDC5, operated by Google LLC (US). GA4 collects pseudonymous data about pages visited, events triggered, session duration, and referral sources. IP addresses are anonymised before processing — we have enabled IP anonymisation in our GA4 configuration. No personally identifiable information is sent to Google Analytics.
Data collected by GA4 is processed by Google in the United States. Transfers are governed by the EU Standard Contractual Clauses (SCCs) and UK IDTA. Google Analytics data is retained for 26 months (the maximum allowed under our current configuration).
4.2 PostHog
We use PostHog for product analytics, hosted on PostHog's EU Cloud (Frankfurt, Germany) to keep analytics data within the EEA. PostHog collects pseudonymous data about feature usage, click events, and UI interactions to help us understand how users navigate the product and where improvements are needed.
PostHog session recording is not enabled. We do not record individual user sessions or capture keystrokes. Data is retained in PostHog for up to 12 months.
| Cookie / identifier | Provider | Purpose | Duration |
|---|---|---|---|
| _ga | Google Analytics 4 | Client ID used to distinguish unique visitors. Set per domain. Enables aggregate traffic analysis. | 2 years |
| _ga_HJZPJ8BDC5 | Google Analytics 4 | Session state cookie for GA4 property G-HJZPJ8BDC5. Tracks session-level events. | 2 years |
| ph_phc_* | PostHog (EU) | PostHog distinct ID. Used to track anonymous product usage events within a session and across sessions. | 1 year |
| ph_*_posthog | PostHog (EU) | PostHog session persistence. Stores current session properties for product event tracking. | 30 minutes (session) |
You can opt out of analytics cookies at any time by updating your cookie preferences via the cookie settings link in the footer, or by emailing [email protected]. You may also use Google's browser opt-out add-on at tools.google.com/dlpage/gaoptout.
5. Functional and preference storage
These items are stored in your browser's localStorage (not as HTTP cookies) and are used to personalise your experience. They do not transmit data to any server and do not require consent under UK PECR, but we disclose them here for full transparency.
- policify-theme — stores your Dark/Light mode preference. Persists until you clear localStorage or change the setting. Never transmitted to our servers.
- policify-cookie-consent — records whether you have accepted or declined non-essential cookies. Used to prevent the consent banner from re-appearing on every page load. Stored as localStorage. Clears when localStorage is cleared.
- seenTooltips — records which onboarding tooltips and guided tours you have already seen, to prevent them from being shown again unnecessarily.
- NEXT_LOCALE — stores your preferred language setting where locale-specific content is served. Currently English-only; reserved for future international expansion.
6. Third-party cookies and scripts
The following third-party scripts are loaded on policifyai.com and may set their own cookies or tracking mechanisms:
- Stripe.js — loaded on billing and payment pages. Sets __stripe_mid and __stripe_sid (see section 3). Stripe's privacy policy: stripe.com/privacy.
- Google Analytics 4 (gtag.js) — loaded only with your consent (see section 4). Data processed by Google LLC under SCCs. Google's privacy policy: policies.google.com/privacy.
- PostHog (posthog.js) — loaded only with your consent (see section 4). Hosted on EU Cloud. PostHog's privacy policy: posthog.com/privacy.
- Vercel Analytics & Speed Insights — Vercel's built-in analytics collect aggregate performance metrics (Core Web Vitals) without setting cookies or collecting personally identifiable information. Data is aggregated and not linked to individual users. Vercel's privacy policy: vercel.com/legal/privacy-policy.
We do not load any social media tracking pixels (Facebook, TikTok, LinkedIn, etc.), advertising retargeting scripts, or affiliate tracking cookies. We do not use any third-party advertising networks.
7. What we do NOT use
For the avoidance of doubt, PolicifyAI does not use any of the following:
- Facebook / Meta Pixel or any other social media tracking pixels
- Advertising retargeting cookies or scripts
- Cross-site tracking or third-party advertising networks
- Fingerprinting techniques to track users without cookies
- Session recording tools that capture keystrokes, mouse movements, or screen content
- Email tracking pixels in transactional emails (we do use standard email open tracking in some marketing emails — see our Anti-Spam Policy)
- Behavioural advertising or ad personalisation profiles
We do not sell, share, or disclose cookie data or analytics data to advertising networks or data brokers.
8. Managing your cookie preferences
On your first visit to policifyai.com, we display a cookie consent banner. You can accept all cookies, decline non-essential cookies, or customise your preferences. Your choice is saved in localStorage as policify-cookie-consent. You can change your preferences at any time via the cookie settings link in the page footer.
Most browsers allow you to view, block, and delete cookies through your browser settings. Instructions for common browsers:
- Chrome: Settings → Privacy and security → Cookies and other site data
- Firefox: Settings → Privacy & Security → Cookies and Site Data
- Safari: Preferences → Privacy → Manage Website Data
- Edge: Settings → Cookies and site permissions → Manage and delete cookies and site data
Please note: blocking strictly necessary cookies (Supabase auth tokens) will prevent you from logging in to your PolicifyAI account.
8.3 Analytics opt-out
In addition to our cookie banner, you can opt out of Google Analytics using Google's browser opt-out add-on: tools.google.com/dlpage/gaoptout. You can opt out of PostHog by declining analytics cookies via our cookie banner.
9. Global Privacy Control (GPC) and Do Not Track
We respect the Global Privacy Control (GPC) signal. If your browser sends a GPC signal (Sec-GPC: 1 header), we will automatically treat this as a request to decline all non-essential cookies and tracking, including analytics cookies. GPC is supported by browsers such as Firefox, Brave, and Chrome with appropriate extensions.
We also recognise the Do Not Track (DNT) browser signal (DNT: 1). Although DNT is not currently legally mandated in the UK or EU, we honour it by disabling non-essential analytics tracking for browsers that send this signal.
GPC and DNT signals are evaluated on each page load. If you clear cookies or localStorage, our system will re-evaluate the signal on your next visit. You do not need to re-interact with the cookie banner if a valid GPC signal is detected.
10. Changes to this policy
We may update this Cookie & Tracking Policy from time to time to reflect changes in the cookies we use, applicable law, or supervisory authority guidance. We will notify you of material changes by:
- Sending an email notice to the address on your account at least 30 days before changes take effect.
- Displaying a notice within the Service or updating our cookie consent banner to re-request consent where required by law.
- Updating the "Last updated" date at the top of this page.
11. Contact
For questions about this Cookie Policy or our cookie practices: [email protected]
To reset your cookie preferences: use the cookie settings link in the footer of any page, or email [email protected].
To exercise your data protection rights in relation to analytics data: visit our DSAR page or email [email protected].