This Cookie Policy explains how CiteFlow uses cookies and similar technologies. Read it together with our Privacy Policy, which describes how we process the data we collect.
1. What is a cookie
A cookie is a small text file stored on your device when you visit a website. Cookies allow a site to remember your preferences, keep you signed in, and measure how the site is being used. Similar technologies, such as local storage, pixels, and browser signals, work in comparable ways and are covered by this policy.
2. Cookies we use
The table below reflects our current expected cookie inventory. Exact names, lifetimes, and third-party behavior can vary by browser, region, provider configuration, and future product changes, so we review this inventory when scripts or checkout/authentication tooling changes.
2.1 Strictly necessary
These cookies are required to operate CiteFlow and cannot be turned off without breaking core functionality. They do not require consent under most cookie laws.
| Name / source | Purpose | Lifetime |
|---|---|---|
| Better Auth session cookie | Keeps you signed in across pages and protects against CSRF | Session / up to 30 days |
Consent preference (cf_consent) | Stores your cookie consent decision | 1 year |
| CSRF / nonce tokens | Prevents cross-site request forgery on form submissions | Session |
| Security and rate-limit storage | Protects scan, sign-in, and checkout flows from abuse | Short-lived / provider configured |
2.2 Analytics
We use Google Analytics 4 (GA4) and Google Tag Manager (GTM) to understand how visitors discover CiteFlow, complete a scan, sign in, and convert to a paid tier. These cookies are loaded only after you click "Accept all" or enable Analytics in Cookie Preferences. If you reject analytics, close the banner without accepting, or send a Global Privacy Control signal, analytics scripts are not loaded.
| Name / source | Purpose | Lifetime |
|---|---|---|
| _ga | Google Analytics - distinguishes unique visitors | 2 years |
| _ga_<container-id> | Google Analytics - session state for GA4 property | 2 years |
| _gid | Google Analytics - distinguishes users within a 24h window | 24 hours |
| _gat | Google Analytics - throttles request rate | 1 minute |
| _gcl_au | Google Tag Manager / Google Ads conversion linker, set only if that GTM configuration is active | 3 months |
2.3 Payment
When you subscribe or buy an add-on, Stripe sets cookies inside the checkout flow to process the payment securely, detect fraud, and manage recurring billing. These cookies are set by Stripe directly. See Stripe's cookie policy for details.
2.4 Sign-in and abuse prevention
If you sign in with Google, Google may set cookies as part of the OAuth handshake. These cookies are governed by Google's privacy policy, not ours, and we do not control them.
If CAPTCHA or abuse-prevention checks are enabled, Cloudflare Turnstile may use cookies or similar browser signals to verify that a request is legitimate. See Cloudflare's privacy policy for details.
3. How to control cookies
- Cookie banner.On your first visit you see a banner where you can accept all cookies or reject non-essential cookies. No analytics cookies are set unless you click "Accept all" or later enable Analytics in Cookie Preferences.
- Manage preferences. Use the Cookie Preferences link in the footer to reopen the consent dialog and update your decision at any time. Your preference is stored for one year.
- Browser controls. All major browsers let you block or delete cookies through settings. Blocking strictly necessary cookies will break sign-in, checkout, consent storage, and other core features.
- Global Privacy Control. If your browser sends a GPC signal, we automatically treat it as a rejection of analytics cookies. The banner is not shown and analytics scripts are not loaded.
4. Changes to this policy
We will update this Cookie Policy when our cookie usage changes. The "Last updated" date at the top reflects the most recent revision.
5. Contact
Questions about cookies? Contact us at support@citeflow.io.