Cookie Policy

Vinculum uses cookies sparingly and only for the purpose of running the service. No advertising cookies, no cross-site tracking, no sale of browsing data.

What we use

Authentication session cookie

When you sign in, we set one cookie:

• Name: session
• Type: HTTP-only, Secure, SameSite=Lax
• Contents: A signed JWT containing your user ID and session expiry. It is not readable by JavaScript.
• Lifetime: 30 days from sign-in, or until you sign out.
• Purpose: Knowing who you are so you can see your own data.

That is the only cookie we set on our domain.

Analytics — Umami (no cookies, no PII)

We run Umami, a privacy-friendly, self-hosted analytics tool, to measure aggregate traffic and conversion on the public marketing site and the signed-in product surface.

• No cookies. Umami does not set any cookies — it identifies sessions via an in-memory hash of domain + IP + user agent that rotates daily and is never stored as-is.
• No PII. No email, no name, no user ID, no IP address is persisted on the analytics server. The hash is one-way and rotated.
• No cross-site tracking. The Umami beacon is hosted on data.innervate.agency (a sister domain we control). It does not load any third-party advertising, fingerprinting, or marketing SDKs.
• What we measure: page views, referrer (without query strings), broad device class (mobile/desktop), country (derived from IP at request time and immediately discarded), and a small set of named events on CTAs (e.g. which pricing tier did you click, did the magic-link form succeed). Event names are listed in frontend/src/lib/analytics.ts.
• Do Not Track is honored. If your browser sends DNT: 1 and Umami is configured to honor it, no events are recorded.

You can block the analytics beacon at any time with any standard content-blocker — the product continues to work identically with or without it.

What we don't use

• We do not use Google Analytics, Mixpanel, Segment, Amplitude, PostHog, or any other ad-funded analytics service.
• We do not use advertising cookies or third-party tracking pixels.
• We do not use fingerprinting to follow users across sites.
• We do not sell data derived from your browsing to any third party.

Third-party cookies

Cloudflare handles TLS termination and may set a short-lived __cf_bm bot-management cookie on some requests. This is a security cookie set by our CDN provider, not by us. It does not track you across sites and expires within 30 minutes.

Stripe may set cookies on the billing page (Settings → Billing). These are scoped to Stripe's hosted iframe and governed by Stripe's privacy policy.

Sentry is used for error tracking on the product surface. Errors and stack traces are reported with sensitive headers and fields scrubbed before send; Sentry's browser SDK uses localStorage (not cookies) for session-replay deduplication.

Changing your preferences

The only cookie we set ourselves (session) is strictly necessary for the service to function. The analytics beacon does not use cookies.

If you want to delete the session cookie, signing out does that. You can also clear cookies for vinculum.run in your browser settings — you will be signed out.

If you want to opt out of analytics specifically, enable Do Not Track in your browser, or block the data.innervate.agency domain in a content-blocker. The product is unaffected either way.

Contact

Questions: privacy@vinculum.run