We try to use as few cookies as possible. Here's every one we set, what it does, and how long it lasts. This list reflects what's actually deployed; we'll update it when we add or remove a cookie.
1. Strictly necessary — your session
These keep you signed in. They don't require consent because the Service can't function without them.
- session — HttpOnly customer auth cookie. JWT, 7-day expiry. Set on .ureferrals.com so the app and api subdomains share it. SameSite=Lax, Secure.
- admin_session — HttpOnly admin auth cookie. JWT, 4-hour expiry. Same scoping as session.
- csrf — CSRF token (not HttpOnly so the app can read and reflect it as a header on mutating requests). Random 32-byte hex, expires when the session does.
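As an added illustration (not code from the Service), here is how the cookie attributes and the csrf cookie-plus-header check described above fit together, in Python. The X-CSRF-Token header name and the Path=/ attribute are assumptions; everything else follows the list above.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Lifetimes and scoping as stated in the cookie list.
SESSION_MAX_AGE = 7 * 24 * 3600        # session: 7 days
ADMIN_SESSION_MAX_AGE = 4 * 3600       # admin_session: 4 hours
COOKIE_DOMAIN = ".ureferrals.com"      # shared by the app and api subdomains
MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
CSRF_HEADER = "X-CSRF-Token"           # assumed header name, not from the page


def set_cookie_header(name, value, max_age, http_only):
    """Build one Set-Cookie header with the attributes the policy lists."""
    attrs = [f"{name}={value}", f"Max-Age={max_age}",
             f"Domain={COOKIE_DOMAIN}", "Path=/", "Secure", "SameSite=Lax"]
    if http_only:
        attrs.append("HttpOnly")
    return "; ".join(attrs)


def issue_session_cookies(session_jwt):
    """session is HttpOnly (script cannot read it); csrf is deliberately
    readable so the app can reflect it as a request header."""
    csrf = secrets.token_hex(32)       # random 32-byte hex, same lifetime as session
    return [set_cookie_header("session", session_jwt, SESSION_MAX_AGE, True),
            set_cookie_header("csrf", csrf, SESSION_MAX_AGE, False)]


def csrf_check_passes(method, cookie_header, headers):
    """Double-submit check: on mutating requests the CSRF header must match
    the csrf cookie. Safe methods pass; a missing cookie or header fails,
    which is the 'refuse mutating requests' behaviour the policy describes."""
    if method.upper() not in MUTATING_METHODS:
        return True
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    cookie_token = jar["csrf"].value if "csrf" in jar else None
    header_token = headers.get(CSRF_HEADER)
    if not cookie_token or not header_token:
        return False
    # Constant-time comparison so token mismatch timing leaks nothing.
    return hmac.compare_digest(cookie_token, header_token)
```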
2. Sign-in flow
Set briefly during the Google OAuth round-trip; cleared on completion (success or failure).
- oauth_state — random anti-CSRF state for OAuth. ~10 minutes.
- oauth_verifier — PKCE code verifier. ~10 minutes.
- oauth_meta — encoded sign-in intent (e.g. plan to upgrade after auth). ~10 minutes.
3. Affiliate attribution (set on Builder sites, not ours)
When a Builder installs our tracker on their site, the script sets a first-party cookie on the Builder's domain to remember which affiliate sent the visitor.
- ur_ref — referral code attribution cookie set by the tracker. The Builder configures the duration (default 30 days, max 365). Used solely to credit the right affiliate when a sale completes. Not used for advertising.
4. Product analytics (only inside the dashboard)
We run PostHog on our app and admin dashboards (not on the marketing site, not on Builder sites). PostHog assigns each browser an anonymous distinct ID so we can measure which features get used.
- ph_* — PostHog distinct ID and session ID cookies. Lifetime varies by cookie; the longest is 365 days.
5. What we don't do
- We don't set advertising cookies.
- We don't share cookie identifiers with ad networks.
- We don't use third-party analytics on the marketing site or on Builder sites — only inside the logged-in app.
- We don't use any “tracking pixel” from Meta, X, TikTok, or similar.
6. Controlling cookies
You can clear or block cookies in your browser settings. Blocking the strictly-necessary cookies will sign you out and prevent CSRF protection from working — the app will refuse mutating requests, which is the correct behavior. Blocking ur_ref on a Builder's site will simply prevent affiliate attribution for your visit; you can still buy normally.
7. Changes
If we add a cookie, we'll update this page first. Material changes affecting all users get a notice in the dashboard.
8. Contact
Questions? hello@ureferrals.com.