Cookie Policy

The cookies and similar technologies CiteFlow uses, and how to control them.

Last updated:

This Cookie Policy explains how CiteFlow uses cookies and similar technologies. Read it together with our Privacy Policy, which describes how we process the data we collect.

1. What is a cookie

A cookie is a small text file stored on your device when you visit a website. Cookies allow a site to remember your preferences, keep you signed in, and measure how the site is being used. Similar technologies, such as local storage, pixels, and browser signals, work in comparable ways and are covered by this policy.

2. Cookies we use

The table below reflects our current expected cookie inventory. Exact names, lifetimes, and third-party behavior can vary by browser, region, provider configuration, and future product changes, so we review this inventory when scripts or checkout/authentication tooling changes.

2.1 Strictly necessary

These cookies are required to operate CiteFlow and cannot be turned off without breaking core functionality. They do not require consent under most cookie laws.

Name / sourcePurposeLifetime
Better Auth session cookieKeeps you signed in across pages and protects against CSRFSession / up to 30 days
Consent preference (cf_consent)Stores your cookie consent decision1 year
CSRF / nonce tokensPrevents cross-site request forgery on form submissionsSession
Security and rate-limit storageProtects scan, sign-in, and checkout flows from abuseShort-lived / provider configured

2.2 Analytics

We use Google Analytics 4 (GA4) and Google Tag Manager (GTM) to understand how visitors discover CiteFlow, complete a scan, sign in, and convert to a paid tier. These cookies are loaded only after you click "Accept all" or enable Analytics in Cookie Preferences. If you reject analytics, close the banner without accepting, or send a Global Privacy Control signal, analytics scripts are not loaded.

Name / sourcePurposeLifetime
_gaGoogle Analytics - distinguishes unique visitors2 years
_ga_<container-id>Google Analytics - session state for GA4 property2 years
_gidGoogle Analytics - distinguishes users within a 24h window24 hours
_gatGoogle Analytics - throttles request rate1 minute
_gcl_auGoogle Tag Manager / Google Ads conversion linker, set only if that GTM configuration is active3 months

2.3 Payment

When you subscribe or buy an add-on, Stripe sets cookies inside the checkout flow to process the payment securely, detect fraud, and manage recurring billing. These cookies are set by Stripe directly. See Stripe's cookie policy for details.

2.4 Sign-in and abuse prevention

If you sign in with Google, Google may set cookies as part of the OAuth handshake. These cookies are governed by Google's privacy policy, not ours, and we do not control them.

If CAPTCHA or abuse-prevention checks are enabled, Cloudflare Turnstile may use cookies or similar browser signals to verify that a request is legitimate. See Cloudflare's privacy policy for details.

3. How to control cookies

  • Cookie banner.On your first visit you see a banner where you can accept all cookies or reject non-essential cookies. No analytics cookies are set unless you click "Accept all" or later enable Analytics in Cookie Preferences.
  • Manage preferences. Use the Cookie Preferences link in the footer to reopen the consent dialog and update your decision at any time. Your preference is stored for one year.
  • Browser controls. All major browsers let you block or delete cookies through settings. Blocking strictly necessary cookies will break sign-in, checkout, consent storage, and other core features.
  • Global Privacy Control. If your browser sends a GPC signal, we automatically treat it as a rejection of analytics cookies. The banner is not shown and analytics scripts are not loaded.

4. Changes to this policy

We will update this Cookie Policy when our cookie usage changes. The "Last updated" date at the top reflects the most recent revision.

5. Contact

Questions about cookies? Contact us at support@citeflow.io.